
Blocking Untrusted USB Devices - comzeradd
https://roussos.cc/2019/08/19/usbguard/
======
rkagerer
How immune is this solution to VID / PID spoofing?

I've thought about this topic before and arrived at the idea that USB devices
ought to be treated kind of like user accounts, where I can control what
drivers / data / devices they have access to.

~~~
Zenst
Would it also not be possible to measure power draw upon the device and with
that, add another metric to device profiling. So if you have, say, a keyboard
that uses 200 mA power and then suddenly a device that has the same IDs is
plugged in and uses 500 mA of power, that would trigger a flag.

~~~
rasz
Currently deployed hardware has no ability to measure that.

~~~
Zenst
Yes it does: lsusb -v upon Linux shows exactly that information. Not sure upon
Windows flavours of doing that beyond GUI digging some properties, but the
values are in there.

~~~
rasz
Sadly the number you are thinking about is self-reported by the device - it is
required by the spec to report its bMaxPower in the USB Configuration Descriptor.
This field is merely a convenience and a promise.
[http://dangerousprototypes.com/docs/Designing_USB_Devices_fo...](http://dangerousprototypes.com/docs/Designing_USB_Devices_for_proper_current_and_MaxPower)

~~~
Zenst
Aha, my humble apologies for my confusions, appreciate being educated. I
learned something today, thank you.
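
Added example, not part of any comment in this thread: a Python parser for the 9-byte configuration descriptor header rasz refers to, showing that the figure `lsusb -v` prints is a byte the device supplies, so a profiling check on it passes for any device that declares the same value. The function names are hypothetical, the descriptor bytes are constructed samples, and the 2 mA unit assumes USB 2.0 speeds.

```python
import struct

# Standard 9-byte USB configuration descriptor header (little-endian).
CONFIG_DESC = struct.Struct("<BBHBBBBB")
DT_CONFIGURATION = 0x02


def parse_config_descriptor(raw: bytes) -> dict:
    """Decode the header fields a host reads during enumeration."""
    if len(raw) < CONFIG_DESC.size:
        raise ValueError("short configuration descriptor")
    (b_length, b_type, total_len, n_ifaces,
     _cfg_value, _i_cfg, attrs, b_max_power) = CONFIG_DESC.unpack_from(raw)
    if b_length != CONFIG_DESC.size or b_type != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    return {
        "wTotalLength": total_len,
        "bNumInterfaces": n_ifaces,
        "self_powered": bool(attrs & 0x40),
        # bMaxPower is a declared ceiling in 2 mA units (USB 2.0 speeds),
        # written by the device firmware; the host does not measure it.
        "declared_mA": b_max_power * 2,
    }


def power_profile_matches(raw: bytes, expected_mA: int) -> bool:
    """Hypothetical profiling check of the kind proposed in the thread."""
    return parse_config_descriptor(raw)["declared_mA"] == expected_mA


# Constructed sample descriptors (not captured from real hardware).
KEYBOARD = bytes([9, 2, 34, 0, 1, 1, 0, 0xA0, 100])    # declares 200 mA
OTHER = bytes([9, 2, 59, 0, 2, 1, 0, 0x80, 100])       # 2 interfaces, same byte
HUNGRY = bytes([9, 2, 32, 0, 1, 1, 0, 0x80, 250])      # declares 500 mA

if __name__ == "__main__":
    for name, raw in [("KEYBOARD", KEYBOARD), ("OTHER", OTHER), ("HUNGRY", HUNGRY)]:
        print(name, parse_config_descriptor(raw), power_profile_matches(raw, 200))
```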

------
acd
What a nice security improvement, many thanks for developing this! It should
be default in all operating systems to only accept known USB devices and in
the case of new USB devices prompt the user with a clear warning message.

~~~
WengerPen
It is a tricky area to add layers of security to. In theory, you would want a
device to refuse any connections unless it is explicitly agreed upon. At the
same time, your average user will start calling tech support every time they hit
the road block of "not being able to use the USB". In orgs with sensitive
info, it should be mandatory, but others may be better off without it.

~~~
SomeOldThrow
This is exactly why businesses make software that ends up sucking.

------
oakslab
From the manpage[1], you could also permanently allow a device by passing the
"-p" option.

    usbguard allow-device -p <id>

[1]: [https://github.com/USBGuard/usbguard/blob/master/doc/man/usb...](https://github.com/USBGuard/usbguard/blob/master/doc/man/usbguard.1.adoc)

~~~
regecks
There is also usbguard-applet-qt, which I have found very helpful to navigate
around the options. It also pops up a permission screen as soon as a device is
plugged in.

------
raverbashing
> But that didn't stop the Debian developers, who maintain that package, to
> allow USBGuard daemon to start with zero configuration

Ok so you might install it then lose HID access?

Sounds like a bad default config.

~~~
yrro
I installed it on my Debian machine this morning. The daemon was not started
by default.

------
mindfulhack
This sort of thing should be default in all operating systems, as a basic
security feature. Sometimes, innovation comes from the Linux world...

~~~
tooop
How is this innovation? IMO Windows has had this in Group Policy since Vista as
well as specific DLP software.

------
cerberusss
Pretty awesome. I wonder if there's something open source like this for macOS?

~~~
isostatic
Why would you want something open source? You’re running a closed source OS
that prevents you from making things like this.

~~~
SomeOldThrow
I don’t follow.

------
voiper1
Does this keep you safe from USB killers?

~~~
steve19
No. They just need 5 V and increase it until it is high enough to blow
something.

