Seusb2: Difference between revisions

From codecivil
(Added a section "Why...")
Line 6: Line 6:
  
 
This shell script package using udev is for authorizing USB input devices. Newly connected devices are disabled until a user (of the group seusb2) authorizes its use in a pop-up dialogue. In order to avoid lockouts authorization can also be done by pressing the power button. This feature requires acpid.
 
This shell script package using udev is for authorizing USB input devices. Newly connected devices are disabled until a user (of the group seusb2) authorizes its use in a pop-up dialogue. In order to avoid lockouts authorization can also be done by pressing the power button. This feature requires acpid.
 +
 +
== Why should I authorize new devices? ==
 +
 +
USB devices can declare themselves as keyboards or other input devices and mimic keystrokes. In this way,
 +
arbitrary code can be executed with the privileges of the user. The declaration of capabilites can even be changed by the device, allowing for more stealth of the attack. For example, a mouse equipped with a light detector might declare itself a keyboard and execute code only after being unmoved for 30 minutes in darkness. If the user is forced to confirm that change, such an attack is neutralized.
  
 
WARNING: Most USB input devices, like keyboards or mouses, come without a distinguished serial number. So, authorization is based on vendor and product id, allowing attackers to spoof these data to match already authorized devices.
 
WARNING: Most USB input devices, like keyboards or mouses, come without a distinguished serial number. So, authorization is based on vendor and product id, allowing attackers to spoof these data to match already authorized devices.
 +
 +
== How to get ==
  
 
The source code is under LGPL3 and available on Github: [https://github.com/codecivil/seusb2 https://github.com/codecivil/seusb2]
 
The source code is under LGPL3 and available on Github: [https://github.com/codecivil/seusb2 https://github.com/codecivil/seusb2]
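
Review bot: the last sentence of the added "Why should I authorize new devices?" section ("such an attack is neutralized") is stronger than the WARNING paragraph that follows it allows, since that paragraph says authorization is based on vendor and product id and that these can be spoofed to match an already authorized device. Suggest qualifying the sentence or pointing to the WARNING from it. The same added paragraph also has the typo "capabilites" (should be "capabilities").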

Revision as of 21 April 2017, 12:22

Authorizing USB input devices

About

Security Enhanced USB 2 is the second approach to securing USB devices. (The first approach is based on usbmon and tries to detect changes in the firmware. It is not yet on this wiki.)

This shell script package, built on udev, authorizes USB input devices. Newly connected devices are disabled until a user (of the group seusb2) authorizes their use in a pop-up dialogue. To avoid lockouts, authorization can also be done by pressing the power button. This feature requires acpid.

Why should I authorize new devices?

USB devices can declare themselves as keyboards or other input devices and mimic keystrokes. In this way, arbitrary code can be executed with the privileges of the user. The device can even change its declaration of capabilities, which makes the attack stealthier. For example, a mouse equipped with a light detector might declare itself a keyboard and execute code only after being unmoved for 30 minutes in darkness. If the user is forced to confirm that change, such an attack is neutralized.

WARNING: Most USB input devices, like keyboards or mice, come without a distinguishing serial number. Authorization is therefore based on vendor and product ID, so attackers can spoof these values to match already authorized devices.
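
The limitation in the warning above, as an added example (not code from seusb2): a sketch that derives an allowlist key from sysfs-style `idVendor`, `idProduct` and `serial` attribute files and shows which devices it can tell apart. The device tree, the ID values, the allowlist file and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not seusb2's code. The directory layout mimics the
# per-device attribute files in sysfs; all IDs below are constructed.

# Print the identity key of a device directory: vid:pid, plus :serial
# only when the device actually reports a non-empty serial number.
device_key() {
    dev=$1
    vid=$(cat "$dev/idVendor") || return 1
    pid=$(cat "$dev/idProduct") || return 1
    if [ -s "$dev/serial" ]; then
        printf '%s:%s:%s\n' "$vid" "$pid" "$(cat "$dev/serial")"
    else
        printf '%s:%s\n' "$vid" "$pid"
    fi
}

# Succeed if the device's key appears verbatim (whole line) in the allowlist.
is_authorized() {
    key=$(device_key "$1") || return 1
    grep -Fxq -- "$key" "$2"
}

# Create a constructed device directory: make_device DIR VID PID [SERIAL]
make_device() {
    mkdir -p "$1"
    printf '%s\n' "$2" > "$1/idVendor"
    printf '%s\n' "$3" > "$1/idProduct"
    if [ -n "${4:-}" ]; then printf '%s\n' "$4" > "$1/serial"; fi
}

demo() {
    root=$(mktemp -d) || return 1
    make_device "$root/kbd"       1234 5678          # approved keyboard, no serial
    make_device "$root/lookalike" 1234 5678          # other hardware, same IDs
    make_device "$root/token"     abcd 0001 SN0001   # approved, reports a serial
    make_device "$root/token2"    abcd 0001 SN0002   # same model, other unit
    device_key "$root/kbd"    > "$root/allow"
    device_key "$root/token" >> "$root/allow"
    for d in kbd lookalike token token2; do
        if is_authorized "$root/$d" "$root/allow"; then s=authorized; else s=blocked; fi
        printf '%s=%s\n' "$d" "$s"
    done
    rm -rf "$root"
}

demo
```

The serial-less `lookalike` is indistinguishable from the approved keyboard, while the second token is blocked because its serial differs.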

How to get

The source code is under LGPL3 and available on Github: https://github.com/codecivil/seusb2

The tarball and the binary Debian package are available here: Datei:Seusb2 1.0.orig.tar.xz Datei:Seusb2 1.0-1 all.deb

Dependencies

   udev
   inotify-tools
   zenity
   bash (>= 3.2)
   adduser
   acpid

Installation

1. Download the Debian package above.

2. Install the dependencies

   sudo apt-get install udev inotify-tools zenity bash adduser acpid

3. Install the package

   sudo dpkg -i seusb2_1.0-1_all.deb

(alternatively, download the tarball and build the package for yourself)

4. Add seusb2 users. For every USERNAME you want to allow to authorize new USB input devices, run

   sudo usermod -aG seusb2 USERNAME

5. Log in as a seusb2 user. If you are already logged in, log out first. This will display the dialogues for existing USB input devices. If you do not authorize them now, they will be unavailable after the next boot.