27

When inserting a USB stick or device into a computer, there is always the risk that the device is malicious, will act as an HID and potentially do some damage on the computer. How can I prevent this problem? Is disabling HID on a specific USB port sufficient? How do I do that?

10
  • 2
    Write custom udev rules. Commented Dec 20, 2017 at 9:50
  • 3
    (sidenote: it can also present as a network device with DHCP on the other end; it can also try to generate a surge to fry the mainboard) Commented Dec 20, 2017 at 9:57
  • 2
    I would probably ask this on the security.stackexchange.com site ... Commented Dec 20, 2017 at 10:04
  • 1
    Any kind of supported device is enabled by default. This is not inherently a problem, as both hids and network devices can be just what you want to use. Defining maliciousness from the kernel is much more complicated. Commented Dec 20, 2017 at 10:36
  • 4
    How do I safely investigate a USB stick found in the parking lot at work? Commented Dec 20, 2017 at 17:28

3 Answers

37

Install USBGuard — it provides a framework for authorising USB devices before activating them. With the help of a tool such as USBGuard Notifier or the USBGuard Qt applet, it can pop up a notification when you connect a new device, asking you what to do; and it can store permanent rules for known devices so you don’t have to confirm over and over. Rules are defined using a comprehensive language with support for any USB attribute (including serial number, insertion port...), so you can write rules that are as specific as you want — whitelist this keyboard if it has this identifier, this serial number, is connected to this port, etc.

4
  • 1
    What makes known devices "known"? It stores their ID or something? Can't that be faked too? Commented Dec 20, 2017 at 11:01
  • 5
    Known devices are matched using a rich condition language, you can be as specific as you want (including USB serial number, insertion port...). Anything can be faked, but if you’re up against an adversary that’s figuring out what you’ve whitelisted, you’ve probably lost anyway. (You can of course never whitelist anything apart from your keyboard if you really want to play it safe.) Commented Dec 20, 2017 at 12:03
  • 1
    Emphasis on your keyboard, not "any USB keyboard". Commented Dec 21, 2017 at 9:03
  • @StephenKitt, would a PS/2 keyboard be even safer to whitelist than a USB one? ;-) Commented Dec 29, 2021 at 2:50
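An added example of what the rule language described above looks like in practice; this is not part of the answer and not a file shipped by the USBGuard project. It pins one keyboard by ID, serial number, port and interface set, and refuses storage devices that also expose a keyboard or network interface. The vendor:product ID, serial and port are placeholders; `usbguard list-devices` reports the real values for a connected device, and `usbguard generate-policy` emits allow rules for everything currently plugged in.

```conf
# /etc/usbguard/rules.conf (constructed example). Rules are evaluated top
# to bottom and the first match wins. A device matching no rule gets the
# ImplicitPolicyTarget from usbguard-daemon.conf, which should be "block".

# Root hubs (hub class 09) must stay allowed or nothing enumerates at all.
allow with-interface equals { 09:00:00 }

# The single keyboard this machine accepts HID input from. "equals" on the
# interface set means a device that copies the ID, serial and port but adds
# an extra interface (e.g. a network adapter) still does not match.
# PLACEHOLDER values: replace with the output of `usbguard list-devices`.
allow id 1234:5678 serial "PLACEHOLDER-SERIAL" via-port "1-3" with-interface equals { 03:01:01 03:00:00 }

# A "storage" device that also presents a keyboard (class 03) or a network
# interface (class 02) is the composite pattern the question is about.
reject with-interface all-of { 08:*:* 03:*:* }
reject with-interface all-of { 08:*:* 02:*:* }

# Plain mass-storage devices exposing only class 08 interfaces are allowed.
allow with-interface equals { 08:*:* }

# Any other boot-protocol keyboard or generic HID interface is blocked;
# a second keyboard is not "my keyboard", whatever its label says.
block with-interface one-of { 03:00:01 03:01:01 }
```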
12

To complete the other answer, it should be known that you can never completely protect a computer from malicious USB devices. There have been several proof-of-concept and commercially available devices such as the USB Killer which can literally fry the port or the motherboard.

Software will never be able to protect from this, and there's always a chance it can be vulnerable. If you really need strong protection, make the ports physically inaccessible (think ATMs, for example).

5
  • 8
    I suppose the OP had in mind the devices that don't attempt to physically destroy your computer or its owner. Otherwise a bit of anthrax would be enough to make a glass wiper a security issue. Commented Dec 20, 2017 at 12:31
  • 1
    I think it's still relevant though --- sure, it's not going to be a problem in all (most) situations, but it's still good to keep in mind if you don't trust your user, which the question implies. Commented Dec 20, 2017 at 12:40
  • 1
    Yes, I was asking mainly about the software security. Protecting against USB stick frying my motherboard is of course a different thing. But thank you for mentioning it anyway. Commented Dec 20, 2017 at 23:58
  • 1
    The OP specifically mentions HID devices, which your answer completely fails to address. Commented Dec 21, 2017 at 11:58
  • @DmitryGrigoryev, it is "To complete the other answer" Commented Dec 29, 2021 at 2:52
0

A list of known Vid:ProductId pairs could be added as 'authorised' (Authorised USB). But you should know about USB zappers (USB port zapper).
