
Afaik usb rubber ducky acts as a keyboard and not a regular usb, which allows it to type in hundreds of commands on any computer that it is plugged into in a matter of seconds. What are the measures we can take to prevent such type attacks from happening on the linux platform?

user20731

4 Answers


This would mean you do not have sufficient physical security to protect your assets. If an attacker gets access to your physical device, it's not your device anymore.

There are several things to be considered, including for instance DLP solutions to report on hardware connections. Aside from that, restrictions on what type of devices can be imported into the DC, as well as ensuring a four-eyes principle, can help to prevent unwanted devices from being attached to your machine.

There is also another option which I have seen used before for servers holding sensitive data, which used epoxy resin in the USB ports to prevent them from being used.

Lucas Kauffman
  • What physical security measures should be taken to mitigate this threat if you allow a vendor, contractor, or even your own staff, to access one open rack in a datacenter? – techraf Aug 19 '16 at 06:00
  • I agree with @techraf, trust is an inherent weakness in humans that can be exploited by means of social engineering, etc. Just stating that physical security is insufficient doesn't solve the problem but taking steps to mitigate such attacks goes a long way. – user20731 Aug 20 '16 at 23:21
  • I've added some extra lines you can refer to. – Lucas Kauffman Aug 22 '16 at 05:40

I was initially going to comment under John Deters' answer and say that his is the correct post; at least it offers the OP some advice on how to protect against the attack rather than just stating that if the attacker can physically access your device it's game over. For starters, Linux with an encrypted boot loader, disabled USBs, and FDE invalidates that claim immediately. Second, not every computer can be restricted from public access. Library terminals, store kiosks, bank lobby computers, the list goes on...

So to that end, I found a few other ways (in addition to John's answer) that may be useful. Borrowed from this forum post:

  • User typing will cause any command to fail.

  • Another window becoming active and stealing keyboard focus will cause the entire process to fail.

  • HID or USB devices in general can be programmatically blocked, disabled, ejected, etc., causing the process to fail.

  • Linux can white/blacklist USB devices which will cause the process to fail.

  • Any applications which repurpose key combinations will cause the process to fail.

  • The device receives no feedback from the host machine and thus is unaware of timing, delays, active windows, etc which will cause the process to fail.

HashHazard
  • Hi, sorry to disappoint but most of these will have no effect. The ducky has no process on the victim host. It's just a keyboard. It types stuff, and the victim host just accepts the input. You can't even block the VID/PID because the ducky can be set with a randomizer. (Thanks for the upvote, though.) – John Deters Aug 19 '16 at 21:00
  • @JohnDeters If it's truly just functioning as a HID and just sending keystrokes, a lot of these may actually interrupt that stream. Though I haven't used a rubber ducky specifically, I have tested some of these methods against the HID attack from NetHunter and found them to be effective at interrupting the "flow". – HashHazard Aug 19 '16 at 21:49

A Linux system is no more or less susceptible than any other system to a rogue keyboard attack. You'll need the same protections you'd apply to any computer.

Physically secure the computer when you're not present. Don't leave yourself logged in when you step away. Don't plug in any USB devices that you don't personally know.

John Deters
  • For the record, I did upvote your answer :) – HashHazard Aug 19 '16 at 04:43
  • But you can do better. We all make mistakes; there are (should be) systems that help us, e.g. lock the screen when a HID device is attached, show a dialog box and click to enable, or type a random PIN that is displayed on screen. – ctrl-alt-delor Feb 17 '20 at 18:26

There are a few answers about blacklisting/whitelisting, but they're mostly referring to udev configuration. In newer kernels there's an official USB authorization framework available:

https://www.kernel.org/doc/Documentation/usb/authorization.txt

This allows you to lock down all usb controllers first and then enable only the devices you want.

viraptor
  • Thanks, that was exactly what I was looking for. There were a lot of other great answers too, but this one was totally on point. – user20731 Aug 20 '16 at 23:16
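The lock-down-then-allow procedure viraptor describes (and the kernel-level whitelisting HashHazard's answer mentions) looks like the script below in practice. This is an added example written for this page, not code from any of the answerers or from the kernel documentation. It assumes the sysfs layout described in the linked authorization.txt (`authorized_default` on each root hub `usbN`, `authorized`/`idVendor`/`idProduct` on each device such as `1-1.2`), that `USB_SYSFS` points at `/sys/bus/usb/devices` on a real host (root is needed to write there) or at a scratch directory when testing, and the vendor:product pairs in the usage comment are constructed placeholders, not real device IDs.

```shell
#!/bin/sh
# Added example: default-deny USB devices with the kernel authorization
# framework, then re-enable only the devices you have checked.
# Assumption: USB_SYSFS is the sysfs USB bus directory (real host:
# /sys/bus/usb/devices, requires root); override it to test offline.
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"

# Step 1: set authorized_default=0 on every root hub. The kernel then leaves
# any newly attached device unconfigured, so no HID driver binds and a
# keystroke-injecting device never gets to type anything.
usb_lock_down_default() {
    for hub in "$USB_SYSFS"/usb*; do
        [ -f "$hub/authorized_default" ] || continue
        echo 0 > "$hub/authorized_default"
    done
}

# Step 2: authorize one device by its sysfs name (e.g. 1-1.2) after an
# operator has looked at it.
usb_authorize_device() {
    dev="$USB_SYSFS/$1"
    [ -f "$dev/authorized" ] || return 1
    echo 1 > "$dev/authorized"
}

# Optional: authorize only if idVendor:idProduct is in an explicit allow-list
# (space-separated). As John Deters notes above, VID/PID can be spoofed, so
# this is a convenience layered on the default-deny, not the control itself.
# Returns 0 when allowed, 2 when denied, 1 when the device has no IDs.
usb_authorize_if_allowed() {
    dev="$USB_SYSFS/$1"; allow="$2"
    [ -f "$dev/idVendor" ] && [ -f "$dev/idProduct" ] || return 1
    id="$(cat "$dev/idVendor"):$(cat "$dev/idProduct")"
    case " $allow " in
        *" $id "*) echo 1 > "$dev/authorized"; return 0 ;;
        *)         echo 0 > "$dev/authorized"; return 2 ;;
    esac
}

# Report every device and its authorization state, so denied devices show up
# in whatever you use to review the host.
usb_report() {
    for dev in "$USB_SYSFS"/[0-9]*-*; do
        [ -f "$dev/authorized" ] || continue
        printf '%s vid=%s pid=%s authorized=%s\n' "$(basename "$dev")" \
            "$(cat "$dev/idVendor" 2>/dev/null)" \
            "$(cat "$dev/idProduct" 2>/dev/null)" \
            "$(cat "$dev/authorized")"
    done
}

# Command-line use on a real host (as root); the IDs are placeholders:
#   ./usb-allowlist.sh lockdown
#   ./usb-allowlist.sh allow 1-1.2
#   ./usb-allowlist.sh check 1-1.2 "1234:5678 abcd:ef01"
#   ./usb-allowlist.sh report
case "${1:-}" in
    lockdown) usb_lock_down_default ;;
    allow)    usb_authorize_device "$2" ;;
    check)    usb_authorize_if_allowed "$2" "$3" ;;
    report)   usb_report ;;
esac
```

Because `authorized_default` is per root hub, the lock-down has to be applied to every `usbN` entry and it does not survive a reboot; on a real host you would run the `lockdown` step from a boot-time unit before any interactive session starts, and pair it with the screen-lock or "click to enable" prompt ctrl-alt-delor suggests so that a device a user plugs in deliberately can be approved without re-opening the whole bus.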