 The current project I'm working on is a hat for a #RaspberryPi Pico that will let you plug in your USB keyboards and mice to your computer's PS/2 port.

Why? #Security. Everything connected to your USB controller can see every keystroke you type. So if you ever have a malicious USB thumb drive, camera, microphone or anything else, it can sniff your Full Disk Encryption (#FDE) #password, for example.

By only having your keyboard and mouse plugged into the hat, and that connected to your computer via PS/2, it's isolated from all the other devices.

For more information on the risk, I'd suggest reading the security warnings from the #Qubes documentation.

https://www.qubes-os.org/doc/device-handling-security/#security-warning-on-usb-input-devices

nostr:nevent1qqs2phnnyvcnmgldv40maphwrfs7hlashn6ys7ehzv5dhp808r9fuqcpzpmhxue69uhkummnw3ezumt0d5hsygxnp65cafj7j5ler2un76esafg7kv79qmu86j0kqzsnnthsp254zypsgqqqqqqsguf2rl

#QubesOS #infosec #GrowNostr #cybersecurity #hacking #electronics 
 2 questions, 

Is this per controller? Meaning, can I mitigate by using a dedicated "secure" USB controller for those devices?

Would you also try to isolate your Signet, OnlyKey, YubiKey and similar devices in this way? 
 I believe it is per controller, but I haven't personally verified that.

For Qubes in particular, I already have USB isolation from dom0, which can control anything, but without a PS/2 keyboard, an exception needs to be made to give the USB device access to dom0. Having a USB -> PS/2 adapter solves that. This provides some protection against a compromised sys-usb VM.

The risk of sniffing a FIDO2 device which is unlocked by entering a PIN directly to the device (e.g. Trezor) is pretty minimal. The challenge is sent to the FIDO2 device, it gets back a signed transaction. At most, a malicious USB device that nabbed that could use the one session to each system that you log into.

The risk for a YubiKey, Nitrokey or Signet is a little higher. The attacker could get your device unlock password, but unless they have physical access, they won't be able to use the device or dump the entire database. If an OnlyKey requires a physical button press to get each password, the same would be true there.

For the password managers, the attacker would also be able to get each password that you actually use, and if you used the device to also provide the URL and username, they'd have everything they need to get persistent access to that account (assuming you don't have any 2FA set up). In contrast the FIDO2 devices only leak tokens that can be used to get a single session, so they're safer than password managers.

Back to the question at hand: should you isolate these devices to their own controller (assuming that works as expected)? That depends on your threat model and risk tolerance.

If you're trying to protect against someone with physical access to all your stuff, then yes. If not, then it depends on how much effort you want to put into it. A $40 USB card for a desktop is pretty reasonable. Trying to do this on a laptop would probably be a huge amount of trouble. For example, many models of the Microsoft Surface only have one USB port and no real room for expansion. So good luck with that one. Only plug one USB device in at a time, I guess?

In any case, you now have the information you need to make an informed decision. 🤓 
 YubiKey biometric models mitigate sniffing the unlock PIN from the computer since it is fingerprint unlock.  

Current YubiKey biometric models are FIDO2 only; multi-protocol (FIDO2, PKCS#12, etc.) biometric models are “coming soon”. 
 Yup, agreed, they should be safe from sniffing.

Might have a problem with being compelled to use it, depending on your country & threat model.

I like the randomized PIN pad on the Trezor. That's ideal in my book. 
 I misunderstood the documentation here. I also think it may have been different in the past because I see other people on the forum making the same "devices can sniff passwords" claim that I was. E.g. in https://forum.qubes-os.org/t/understanding-security-implications-of-usb-keyboard-usage-key-logging/2817

Anyway, I wanted to explain why I now believe this claim is incorrect, and why I still believe my USB to PS/2 adapter is useful in terms of security.

According to this, traffic from devices is only sent to the controller. https://web.archive.org/web/20190708035849/https://www.totalphase.com/support/articles/200349256

They mention that the host has the choice to either send each packet to a specific device or broadcast it.


The security benefit my device will provide is not connecting the keyboard to any VM, which means we can limit the control a compromised USB Qube would have on your system. The Qubes documentation is pretty unambiguous here:

"If you connect USB input devices (keyboard and mouse) to a VM, that VM will effectively have control over your system."
https://www.qubes-os.org/doc/device-handling-security/#security-warning-on-usb-input-devices

By avoiding using a USB keyboard or mouse, the USB qube can be fully untrusted.

nostr:nevent1qqs2yz6h2375n0h7rsvdmgu9r3kwfamyct0du8mykpqmg5xr0gx6glcpr4mhxue69uhkummnw3ezucnfw33k76twv4ezuum0vd5kzmp0qgsdxr4f36n9a9fljx4e8a4np6j3aveu2phc04ylvq9p8xh0qz4f2ygrqsqqqqqpekze9y