Authorizing USB input devices
Security Enhanced USB 2 (seusb2) is the second approach to securing USB devices. (The first approach is based on usbmon and tries to detect changes in device firmware. It is not yet on this wiki.)
This package is a set of shell scripts driven by udev for authorizing USB input devices. A newly connected input device is disabled until a user in the group seusb2 authorizes it in a pop-up dialog. To avoid lockouts (for example when the only keyboard attached is a new, unauthorized one), a device can also be authorized by pressing the power button. This fallback requires acpid.
A USB device can declare itself a keyboard or other input device and inject keystrokes, so arbitrary commands run with the privileges of the logged-in user. A device can even change its declared capabilities after it has been plugged in, which makes the attack stealthier: a mouse equipped with a light sensor might re-enumerate as a keyboard and type its payload only after sitting unmoved for 30 minutes in darkness. If the user is forced to confirm every such change, this attack is neutralized.
WARNING: Most USB input devices, such as keyboards and mice, ship without a unique serial number, so authorization is based on the vendor and product ID only. An attacker can program a malicious device to present the IDs of an already authorized device, and it will be accepted without a prompt. Binding an authorization to the physical port (the device's sysfs path) narrows this, but does not help when the malicious device is plugged into the port the authorized one used.
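The following is an added example of the mechanism described above, written for this page and not taken from seusb2 itself: a udev rule that runs a handler for every newly added USB interface of class 03 (HID), and a handler that writes the parent device's sysfs authorized attribute according to a vendor:product allow list. The script path /usr/local/sbin/usb-hid-gate, the environment variable names, the allow-list format and the sample IDs are assumptions for illustration; the pair 046d:c52b is a constructed entry, not a recommendation.

```shell
#!/usr/bin/env bash
# Added example (not seusb2's own code): a minimal udev-driven gate for USB
# input devices. Interfaces of class 03 (HID) are left enabled only if the
# parent device's idVendor:idProduct is on the allow list; otherwise the
# device's 'authorized' attribute is set to 0 and it cannot be used.
# Paths, variable names and the allow-list format are assumptions.

set -u

# Constructed allow list, one "vvvv:pppp" per line (lower-case hex, no 0x).
# A real deployment would read a root-owned file such as
# /etc/usb-hid-gate/allowed (hypothetical path).
USB_HID_ALLOWED="${USB_HID_ALLOWED:-046d:c52b
04d9:0169}"

# usb_is_authorized VID PID -> exit 0 if the pair is allow-listed, 1 otherwise.
# Matching is on vendor:product only, which is exactly the limitation in the
# warning above: a device that spoofs a listed pair passes this check.
usb_is_authorized() {
    local vid pid
    vid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    pid=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    printf '%s\n' "$USB_HID_ALLOWED" | grep -qx "${vid}:${pid}"
}

# usb_authorized_value CLASS VID PID -> prints the value to write to the
# parent device's 'authorized' attribute: 1 (enable) or 0 (keep disabled).
# Only HID interfaces (class 03) are gated; storage, audio etc. stay enabled.
usb_authorized_value() {
    local class=$1 vid=$2 pid=$3
    if [ "$class" != "03" ]; then
        echo 1
    elif usb_is_authorized "$vid" "$pid"; then
        echo 1
    else
        echo 0
    fi
}

# usb_udev_rule -> prints the udev rule (one line) that invokes this script for
# every newly added USB interface of class 03. %p expands to the devpath.
usb_udev_rule() {
    printf 'ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_interface", ATTR{bInterfaceClass}=="03", RUN+="/usr/local/sbin/usb-hid-gate %%p"\n'
}

# usb_gate_interface SYSFS_INTERFACE_DIR -> reads class/vendor/product from
# sysfs, writes the decision to the parent device's 'authorized' attribute and
# prints it. Needs root (udev runs RUN handlers as root); not used in the test.
usb_gate_interface() {
    local iface=$1 dev class vid pid value
    dev=$(dirname "$iface")            # .../1-1/1-1:1.0 -> .../1-1 (usb_device)
    class=$(cat "$iface/bInterfaceClass")
    vid=$(cat "$dev/idVendor")
    pid=$(cat "$dev/idProduct")
    value=$(usb_authorized_value "$class" "$vid" "$pid")
    echo "$value" > "$dev/authorized"
    logger -t usb-hid-gate "device ${vid}:${pid} at ${dev##*/}: authorized=${value}"
    echo "$value"
}

# Entry point when udev invokes the script with a devpath such as
# /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0 (UDEV_HID_GATE_RUN is an
# assumed guard so that sourcing the file for tests runs nothing).
if [ -n "${UDEV_HID_GATE_RUN:-}" ]; then
    usb_gate_interface "/sys$1"
fi
```

Install the printed rule as, for example, /etc/udev/rules.d/90-usb-hid-gate.rules and reload with udevadm control --reload. Two caveats a deployment must handle: a RUN handler fires after the kernel has already bound usbhid to the interface, so a fast device may inject keystrokes before authorized=0 is written; defaulting new devices to unauthorized at the hub level (the kernel's usbcore.authorized_default parameter, or the per-bus authorized_default sysfs attribute) and having the handler write 1 only for allowed devices closes that window. And writing 0 unconditionally is how a user locks themselves out, which is why the package above falls back to an acpid power-button event (an /etc/acpi/events/ file with event=button/power.* and an action= command) for authorization.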
How to get
The source code is licensed under the LGPL3 and available on GitHub: https://github.com/codecivil/seusb2
Dependencies: udev, inotify-tools, zenity, bash (>= 3.2), adduser, acpid
1. Download the Debian package (seusb2_1.0-1_all.deb) from the GitHub repository above.
2. Install the dependencies
sudo apt-get install udev inotify-tools zenity bash adduser acpid
3. Install the package
sudo dpkg -i seusb2_1.0-1_all.deb
(alternatively, download the tarball and build the package for yourself)
4. Add seusb2 users. For every USERNAME that should be allowed to authorize new USB input devices, run
sudo usermod -aG seusb2 USERNAME
5. Log in as a seusb2 user (if you are already logged in, log out first). On login, dialogs are displayed for the USB input devices that are already connected. If you do not authorize them now, they will be unavailable after the next boot.