Protect against rogue USB devices with the GNOME USB protection feature
Originally created by @intrigeri on #9569 (Redmine)
By “rogue USB” here we refer, for example, to the BadUSB attack described by SRLabs at https://srlabs.de/badusb, which can spread malicious firmware across USB peripherals.
Current plan: GNOME integration for USBGuard
How to test:
- Download, install, and start a nightly build from feature/bookworm: https://nightly.tails.boum.org/build_Tails_ISO_feature-bookworm/lastSuccessful/archive/build-artifacts/
- Plug USB devices while the screen is locked: you should see a notification on the lock screen and after unlocking the screen; that notification instructs you to unplug + plug back that USB device after unlocking the screen if you want it to work.
- Plug USB devices while the screen is unlocked: they should become available just like in Tails 5.x.
Context:
- Announcement
- Earlier posts https://ryuzakikk.github.io/gnome/internship-preparation/, https://ryuzakikk.github.io/gnome/internship-update-1/, https://ryuzakikk.github.io/gnome/internship-update-2/, https://ryuzakikk.github.io/gnome/internship-update-3/, https://ryuzakikk.github.io/gnome/internship-update-4/
Other options
- USBGuard
  - source code
  - Rule language for writing USB device authorization policies, supporting whitelisting and blacklisting based on device attributes
  - daemon + IPC + a Qt applet
  - in Debian Stretch
  - needs some UX improvements before we ship it: https://github.com/dkopecek/usbguard/issues/157
- Linux kernel’s “authorized_default” option for the usbcore module
  - could be set to 0 when the system is locked (logind may help); note that this breaks things if the system’s USB keyboard was unplugged while being locked
  - setting this parameter on-the-fly isn’t enough, one also needs to `for bus in /sys/bus/usb/devices/usb*; do echo 0 > ${bus}/authorized_default ; done`
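As an added example (not code from this issue or from Tails), a POSIX shell script applying the usbcore approach above: on lock it writes 0 to authorized_default on every USB bus, on unlock it writes 1 back and lists the devices that were plugged in meanwhile and stayed unauthorized, i.e. the ones the lock-screen notification tells the user to replug. The SYSFS_USB override and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Tails issue. SYSFS_USB is an assumed override so
# the functions can be exercised against a constructed fake sysfs tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"

# Write authorized_default on every USB host controller (usb1, usb2, ...).
# Changing the usbcore module parameter alone does not affect buses that are
# already registered, which is why each bus is written individually.
set_authorized_default() {
  value="$1"; count=0
  for bus in "$SYSFS_USB"/usb[0-9]*; do
    [ -f "$bus/authorized_default" ] || continue
    printf '%s\n' "$value" > "$bus/authorized_default" || return 1
    count=$((count + 1))
  done
  [ "$count" -gt 0 ]   # fail if no bus was found at all
}

# List devices (bus-port entries such as 1-2, not interfaces like 1-2:1.0)
# whose per-device "authorized" flag is 0. Devices plugged in while the
# default was 0 keep that flag after the default is flipped back, so they
# have to be unplugged and plugged in again to work.
list_unauthorized_devices() {
  for dev in "$SYSFS_USB"/[0-9]*-[0-9]*; do
    case "${dev##*/}" in *:*) continue ;; esac
    [ -f "$dev/authorized" ] || continue
    [ "$(cat "$dev/authorized")" = "0" ] && printf '%s\n' "${dev##*/}"
  done
  return 0
}

# lock: deny new devices; unlock: allow again and report what needs a replug.
usb_lock_policy() {
  case "$1" in
    lock)   set_authorized_default 0 ;;
    unlock) set_authorized_default 1 && list_unauthorized_devices ;;
    *)      echo "usage: $0 lock|unlock" >&2; return 2 ;;
  esac
}

case "${1:-}" in lock|unlock) usb_lock_policy "$1" ;; esac
```

Run as root with `lock` or `unlock`, e.g. from a hook that reacts to the session lock state; the keyboard caveat from the issue still applies, since a keyboard replugged while locked is a new device.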
Parent Task: #5451
Related issues
- Related to #5684 (closed)
- Related to #15767 (closed)
- Related to #15900 (closed)
- Has duplicate #8989 (closed)