
> There are devices that can exfiltrate information from what I understand almost every operating system through USB.

If that is true, then it is a vulnerability. You should file bug reports.



How will you prevent a USB device from presenting itself as both a keyboard and mass storage and then typing commands that copy data?


With QubesOS. I just tried adding a keyboard and it simply showed me a pop up saying a USB keyboard has been attached. It won’t work until I attach it to a qube.


usbguard does that without the need for Qubes.


Keyboard and mouse plugged in after the system boots should only become effective after user permission is given using previously available devices.

For more safety: any plugged USB device should lock your screen so that a password is required before it can be used.
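Added example, not part of any comment in this thread: a sketch of the policy discussed above, where input devices attached after boot wait for user approval and a device exposing both input and mass-storage interfaces is flagged. The `Device` type, the `decide` function, the rule that composites are blocked outright, and the sample devices are assumptions made for illustration; only the USB class codes (0x03 HID, 0x08 mass storage) are standard values.

```python
from dataclasses import dataclass

# USB-IF base class codes (bInterfaceClass).
CLASS_HID = 0x03
CLASS_MASS_STORAGE = 0x08


@dataclass(frozen=True)
class Device:
    name: str                # constructed label, for the report only
    interfaces: tuple        # "cc:ss:pp" hex triples: class:subclass:protocol
    present_at_boot: bool


def interface_classes(device):
    """Parse each 'cc:ss:pp' triple and return the set of class codes."""
    classes = set()
    for triple in device.interfaces:
        parts = triple.split(":")
        if len(parts) != 3:
            raise ValueError(f"malformed interface triple: {triple!r}")
        classes.add(int(parts[0], 16))
    return classes


def decide(device, approved_by_user=False):
    """Return 'allow', 'ask' or 'block' (hypothetical policy for this example)."""
    classes = interface_classes(device)
    # Any HID interface counts as input: keyboards need not use the boot protocol.
    has_input = CLASS_HID in classes
    if has_input and CLASS_MASS_STORAGE in classes:
        return "block"   # input + storage in one device (assumed rule)
    if has_input and not device.present_at_boot:
        return "allow" if approved_by_user else "ask"
    return "allow"


# Constructed sample devices (not captured from real hardware).
SAMPLES = [
    Device("boot keyboard", ("03:01:01",), True),
    Device("hot-plugged keyboard", ("03:01:01",), False),
    Device("flash drive", ("08:06:50",), False),
    Device("keyboard + storage composite", ("08:06:50", "03:01:01"), False),
]

if __name__ == "__main__":
    for dev in SAMPLES:
        print(f"{dev.name:30} -> {decide(dev)}")
```
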


If the computer is locked, typing commands will not do anything. If the computer is unlocked, a person could do it manually without USB by just sending them over the internet or a storage device of choice; no fancy keyboard+mass storage device required.


An OS doesn't even need to implement USB support. Of course it can offer access controls to enable the USB devices.


Of course not, but then you're saying USB is a security flaw.

My point is that given how universal USB is, as long as a device can do both input and output, it's going to be very hard to stop some exfiltration from being possible.

Do you really think a bug report should be filed on all OS's for allowing USB drives and keyboards to be plugged on a running system?


> you're saying USB is a security flaw

It is.

> Do you really think a bug report should be filed on all OS's for allowing USB drives and keyboards to be plugged on a running system?

Automatically trusting input devices is as bad as trusting user input. It's trivial to pass off a programmable USB keyboard as a mass storage device.


I was saying that the existence of the non-implementation of USB proves the possibility of access controls on USB.

Convoluted way to put it I guess. For some reason was intuitive to me (proof of existence by example, more trivial example better).

Having access controls on USB-HID is just a local policy choice where most people would choose convenience over security.


I agree, and it makes sense for some security oriented OS.

But the comment I replied to seemed to suggest that the possibility of data exfiltration via USB is a bug in any OS.



