54

Suppose I have a Windows PC in a safe room, disconnected from the internet, with only 3 cables connecting to another room, to a mouse, monitor and keyboard.

The computer contains highly sensitive data. The HDMI monitor cable is no problem, but the mouse and keyboard cables are USB cables, and could be connected to some USB drive. I am specifically interested here in securing the USB cables. Please disregard other ways of stealing information, like taking photos of the screen etc.

My question is: How can I make sure only some specific mouse and keyboard are allowed to be connected to the USB cables?

  • For example, is there some kind of hardware I can put between the USB cable and the computer to make sure only some allowed device is connected to it? Security KVM Switches (Keyboard-Video-Monitor switches) are not good because in practice all of them seem to introduce some small delay (lag, or latency) when moving the mouse or typing. It really must feel as if you are directly connected (no lag whatsoever). Maybe there are some Arduino, BasicX, Parallax, Pololu, or Raspberry Pi projects out there to filter USB communication and let through only allowed devices, with no lag?

  • I know there is software to do that (e.g.: https://support.symantec.com/en_US/article.TECH175220.html) but since the user is using the computer he could disable it.

schroeder
MarcG
  • 1
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/56351/discussion-on-question-by-marcg-allow-only-specific-devices-to-be-connected-to-u). – Rory Alsop Mar 31 '17 at 10:58

13 Answers

69

Buy a PS2 to USB adapter for keyboards+mice (important: both need to be in one USB port to make sure it's not a naive straight-through connector). example

They have logic and cost about $10 USD at time of writing.

Then buy USB to PS2 adapters for both mice and keyboard (separate adapters). example

They have no logic, just internal wiring to each connection and they cost less than $5 USD at time of writing.

Put them all together. Yes, it looks funky, but the devices will still work as expected. Now, even if one of the user-reachable cables is spliced, they can't add new hardware other than generic mice and keyboards.

Nice things about this:

  • cheap
  • simple
  • hardware-implemented
  • protects against unknown devices
  • OS-independent

UPDATE: I manually verified, twice, that there is no continuity between USB's data-/data+ pins and the PS2 data/clk pins (or any other PS2 pins) on a two-in-one adapter. There is continuity on single-port adapters though, but that's not important as long as one of the adapters implements some kind of logic like the two-in-one does. Plugging in the empty adapter to a Windows box should cause the "USB insertion ding"; otherwise it's a naive physical adapter.

The dual PS2-USB adapter I specifically tested was an "ez-pu21", available still on amazon.

UPDATE #2, 2 things:

  • There are USB keyboard attacks, so you need to lock down the OS properly to maintain security.
  • One can get inside the BIOS with a keyboard, and I'm not sure how risky that is to exfiltration, or if all they can do is "break" the computer.

UPDATE #3: After using the double-inline adapters for about 24 hours, I can say they work, but not quite 100%, maybe 99%. When I was doing serious programming (typing) I noticed that keys held down for about 1/3rd of a second repeat. This is before my typematic repeat about 2/3rds a second after press, and it only repeats once; leading to stuff like "biig" instead of "big". I only noticed it a few times, late at night, but I wanted to mention it. I didn't even notice it until after hours of use, but if you were writing a novel, it might be frustrating. It could just be the cheap adapter I used, the really long cables I'm using or something else nobody will experience.

BONUS: (related but OT): I just realized these cheap USB switches don't connect the data pins, they are too cheap to switch all 4 wires, thus making a cheap "USB condom" for those who desire such a thing, thought I'd share. Cheap condoms, how can you go wrong?

dandavis
  • 1
    Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/56352/discussion-on-answer-by-dandavis-allow-only-specific-devices-to-be-connected-to). – Rory Alsop Mar 31 '17 at 10:59
  • 10
    You could also drop the second set of converters and just use PS/2 all the way, with a PS/2 keyboard and mouse. – Jason C Apr 01 '17 at 15:08
  • Only in technology will being cheap be not only helpful for cheap condoms, but the reason for them being so effective... – Nic Apr 03 '17 at 03:39
60

You are taking the wrong side of the problem. If someone you do not trust can access a machine, the machine has been compromised. Full stop.

That's the reason why access to server rooms is highly controlled, and why admins normally do not care for the physical security of the connectors: the defense line is not at the connector level but at the room containing the machine.

That being said, you can imagine special USB drivers that only allow specific hardware ids. You simply cannot install them by default when installing a kernel on a new machine because of a chicken and egg problem, but after an initial installation, you can build a custom kernel with those special USB drivers. But as there are plenty of other possibilities to compromise a machine when you have physical access to it, it is simply IMHO a waste of time and energy...

And anyway, nothing prevents an evil powerful organization from building a specific USB keyboard that presents itself with the ID and the appearance of an innocent keyboard from a well known hardware manufacturer but that contains a keylogger. If you do not trust your admin, he could replace the keyboard at a system reboot. As I have already said, if an evil guy could touch the machine it is compromised, and if he could not you should not worry about the USB connectors.

Serge Ballesta
  • 3
    Thanks for your info, Serge. But as I said, there is absolutely no physical access to it. The PC is in a safe room, disconnected from the internet, with only 3 cables connecting to another room, to a mouse, monitor and keyboard. Ideally I would like a hardware approach that would dispense with any software configuration. – MarcG Mar 28 '17 at 15:29
  • We don't mind about keylogging. We just don't want files (big files) to be downloaded. The concept of "touching the machine" here is the problem. USB's are powerful, so having access to a USB cable does count as touching the machine. The old PS/2 cables for mouse and keyboard were too simple to present much of a threat. I would like to drastically reduce the power of the USB cable. That's what this question is all about. – MarcG Mar 28 '17 at 15:46
  • 1
    You can use any smart thing that checks the USB device for its VID/PID as those can be faked. You'd want some low tech cable hack to limit the keyboard to being just a keyboard. – daniel Mar 28 '17 at 16:11
  • 5
    @marcG If you don't trust the software on the machine then any setup which uses a keyboard is going to be able to download large files. A keyboard is a two way device and if cutting cables is in your risk assessment then you can use the fact that a keyboard is also an output device to download files of arbitrary size. I don't know what the bitrate is but I'm pretty sure megabytes per minute will be possible. – DRF Mar 29 '17 at 13:33
  • @DRF Iirc a PS/2 keyboard is one-way. The Lock keys are toggle-switches, and the only thing the computer gives the keyboard is power. – wizzwizz4 Mar 29 '17 at 17:07
  • @wizzwizz4 Based on http://www.computer-engineering.org/ps2mouse/, however, mice are two-way. – JAB Mar 29 '17 at 17:21
  • 2
    @wizzwizz4 as far back as 1995 you could toggle keyboard lights programmatically. I will try and find a reference, but I'm sure I did this during high school. – DRF Mar 29 '17 at 17:38
  • 1
    @wizzwizz4 it was possible to toggle the lock LEDs programmatically even before PS/2. It could be done on the old XT & AT keyboards with the large DIN connectors - so PS/2 is certainly 2-way too. – brhans Mar 29 '17 at 17:50
  • @wizzwizz4 "The PS/2 keyboard was originally an extension of the AT device. It supported a few additional host-to-keyboard commands and featured a smaller connector. These were the only differences between the two devices. However, computer hardware has never been about standards as much as compatibility. For this reason, any keyboard you buy today will be compatible with PS/2 and AT systems, but it may not fully support all the features of the original devices." quoted from http://www.computer-engineering.org/ps2keyboard/ – DRF Mar 29 '17 at 18:19
  • 1
    @wizzwizz4 actually it turns out the command set for the keyboard is much more complex than just turning lights on and off. It's a full-on serial protocol; unfortunately I can't figure out the bit rate. – DRF Mar 29 '17 at 18:25
  • @DRF https://retrocomputing.stackexchange.com/a/1133/357 has some relevant information there. – user Apr 03 '17 at 09:34
24

On Windows systems, you've been able to block or restrict USB devices through Local or Group Policy since at least Windows Vista. By setting the "Removable Storage Access" policies, you can disable the attachment of USB storage devices (that category includes a lot of nefarious USB devices). These settings block Windows from interacting with the devices because it prevents loading the services.

https://community.spiceworks.com/how_to/25619-blocking-usb-devices-and-removable-media

https://technet.microsoft.com/en-us/library/2007.06.grouppolicy.aspx

claidheamh
5

Just use a PS/2 keyboard and mouse.

Don't bother with adapters and other sorts of hardware condoms. There are still lots of mainboards available that have PS/2 mouse and keyboard connectors.

raznagul
  • As said above PS/2 is still a bi directional communication protocol so with some tampering you could slowly download a file. – daniel Mar 30 '17 at 10:07
  • 4
    @daniel at some point videotaping the screen will become a better strategy anyway. – Dmitry Grigoryev Mar 30 '17 at 11:08
  • @DmitryGrigoryev: Exactly. I'd be quite interested in an attack vector where the attacker can cut the cables to add some device, but can't just take pictures of the screen. – raznagul Mar 30 '17 at 11:18
  • Well in my answer below i show an example. There might even be cases where you have no screen and just the HID, an arcade machine, gambling system, voting machine, jukebox. – daniel Mar 30 '17 at 11:44
  • @daniel Well, OP also specified HDMI, which is bidirectional and *much* faster, especially in the downstream direction. – derobert Mar 31 '17 at 17:59
4

Clarification request: what attacks are you concerned about? By your remark about not worrying about photos of the screen, I take it you don't want data injected into the system, and don't care about ANY exfiltration of data.

So, how can we attack your system, and what can be done about it?

USB attacks & mitigation

As noted by others, stay FAR away from USB. The operating system CANNOT protect from all attacks. Nohl et al demonstrated in 2014 how to attack the USB host microcontroller firmware, and their attack, named BadUSB, was shown to be usable even while the system was sitting in the BIOS after rebooting.

After the USB host microcontrollers are compromised, a malicious payload could conceivably muck on the PCI bus to modify or snoop memory.

Can these attacks be avoided or mitigated? YES! There is at least one USB hardware firewall device on the market, the USG, that was explicitly designed to combat the BadUSB attack. It still won't deal with untrusted keyboard input.

Untrusted keyboard inputs, USB & PS/2:

The PS/2 cabling suggested by others is also a strong contender, but there's no reason a device couldn't be added to inject all the needed keystrokes & mouse movements to attack your system (eg: open notepad or anything that lets me enter characters, inject needed binary characters to form a program, save as .exe, run!). Even BadUSB can't combat that.

HDMI attacks & mitigation

You're allowing an HDMI cable to be connected? There's been at least one remark by a security researcher (Dragos Ruiu) that this can allow Ethernet-over-HDMI to be used to infect the restricted system.

The mitigation here is simple: make sure you use a HDMI cable without the ethernet bits, but watch out for DDC...

DDC video attacks:

To be fair, even VGA allowed digital transfer via bidirectional DDC communication (as did DVI), so that has a potential for exploitation; but it's much less likely to be used. It's not uncommon to upgrade firmware in monitors via the DDC over VGA/DVI/etc.

Work like HDMI – Hacking Displays Made Interesting by Andy Davis, Blackhat-EU-2012 is about using DDC to hack monitors, but the I2C bus that forms the DDC link is bidirectional, and could be creatively utilized to poke the host's video card.

You can't avoid the DDC link because it's needed for setting the video mode correctly.

robbat2
  • Thanks for your info on HDMI attacks, I find it useful. In this question I tried to concentrate on USB attacks. This is not to say that I'll not be concerned with other types of attack as soon as I solve this. Also, it's obvious that any HDMI attack is much more sophisticated and difficult for the attacker than using USB, so naturally USB concerns come first. – MarcG Mar 30 '17 at 17:40
  • Please see the answer I just posted, that starts with "What if". Please tell me what you think. Maybe that is a more realistic data diode for USB keyboards and mouses, and the USG you mentioned could be modified to that end? – MarcG Mar 30 '17 at 18:44
  • If the HDMI cable was ethernet-capable, it seems there was at least one monitor with dual HDMI inputs that literally bridged the ethernet lines together. The other user suggestion to use fibre-optics as optics to convey the display was a good creative way of mitigating DDC issue. – robbat2 Mar 30 '17 at 21:00
3

You would want a data diode in line next to the PC for both your keyboard and mouse, so then no data could be sent from the PC to the room no matter what (since you said cable number 3 is no problem). You might find using a serial mouse and keyboard better too.

This is all tin foil hattery by the way. Here is a communication protocol named tin foil chat that shows data diodes for serial devices, that are wrapped in tin foil. https://www.cs.helsinki.fi/u/oottela/tfc.pdf

Adding a diode alone is not creating a data diode, as with a diode you could send against the arrow with a reverse voltage; the data diodes used in the project have an optocoupler to make it impossible for information to travel against the arrow (without having access to the hardware).

After trying to show why the HDMI cable may not be an issue I came up with this layout of the room, the idea is you put your head to the microscope looking viewing device and it allows you to see the screen through an optical fiber cable that passes through the wall. The keyboard and mouse you bring with you can only send data, not receive, as there is the data diode on the other side of the wall. Bob the security guy is there to keep you company in this windowless hellhole of a work place, and to kick you out if you start talking to your recording device, put something other than your eye to the view finder, or try to smash through the wall. Notice he can't shoulder surf any information. You would be logged out if you moved your head off the view finder, to log in you would need to type a password as usual but then also quickly type characters that appear in alternating left and right screens (there are now two monitors that lead to each eye separately). This is to prevent you boring out one eyeball and replacing it with a camera (one eyed pirates need not apply). Now you are not able to copy any files from the PC, Bob doesn't have to strip search you for spy equipment, and everyone is happy.

Anything you could memorize from the system and take home with you loses some credibility, you could have just made it up instead of memorizing it.

daniel
  • 7
    The very nature of USB protocol is that the PC sends data packets to USB devices, and those devices reply. No USB device would work through a data diode. – Dmitry Grigoryev Mar 29 '17 at 12:28
  • 1
    It might goof up the USB protocol and make a keyboard stop working, I'm not sure. But it secures the USB cable and you can be 100% sure that no data is sent from the PC through the cable. Then you could just use some other type of signal that is one way on that cable such as serial like I mentioned (or PS2 as above). – daniel Mar 29 '17 at 12:51
  • It's a funny solution, germanium diodes only drop 0.3V. Would work with PS/2. Why has OP not accepted this solution to his problem?!? – user400344 Mar 29 '17 at 16:53
  • 1
    Assuming the PS/2 keyboard, the diode would break num-lock/caps-lock/scroll-lock signalling, as the remote side CAN tell the keyboard to flip that state. You can see it trivially by using the Windows onscreen keyboard, just toggle the locks with your mouse, and watch your keyboard lights. – robbat2 Mar 30 '17 at 03:30
  • About caps lock not showing on the keyboard I am OK with this, in my drawing now you couldn't look at your hands without logging off. I'm simplifying this a bit by saying 'throw a data diode in it' because that would break everything, even if you were using an old Model F XT. I'd be better off following the other answer and just gluing the keyboard and mouse to the desk and then ban eating at the terminal. – daniel Mar 31 '17 at 11:57
2

One solution which is universal for any OS is to remove all USB drivers except the ones you need (HID). Make sure to prevent the user from installing new drivers though.

Dmitry Grigoryev
  • 4
    Someone could copy paste the driver code using a keyboard with memory, something like a macro keyboard. So you could transfer the drivers across at something like 64KB/s. – daniel Mar 29 '17 at 12:58
  • 1
    @daniel that is true. The OP will have to prevent the user from installing drivers after all. – Dmitry Grigoryev Mar 29 '17 at 13:14
  • If attacker managed to reboot the machine (eg by shorting out the power pylon outside), he could try boot it from USB stick and removing OS drivers won't help. – Agent_L Mar 30 '17 at 10:33
  • @Agent_L But that would be the least of the OP's problems then, since the attacker would simply copy the whole HDD image to his stick if need be. I assumed that the OP would password-protect their BIOS and encrypt the disk. – Dmitry Grigoryev Mar 30 '17 at 11:07
  • Well, I thought that your idea was to remove mass storage driver so the legit OS would not recognize a USB drive. My idea is how to circumvent that. Good point with the hdd encryption, though. – Agent_L Mar 30 '17 at 12:31
2

You can attach the keyboard to a desk (e.g. with vandal-proof screws through the base of the keyboard) so that the USB lead is not accessible, e.g. in a channel cut into the desk and covered with a metal plate.

You do not need a wired or wireless mouse: you can use a wired tablet (e.g. a Wacom one) with the USB cable similarly rendered inaccessible. You can get a mouse for the tablet if users cannot cope with using a pen.

Of course, a particularly malicious user might try to rip the keyboard apart to access the USB connection inside, so choose one of vandal-proof construction, possibly with an alarm so that if they still manage to get inside someone is alerted.

Also, stainless steel panel-mount keyboards with a trackball are available.

2

As others have already said, especially robbat2 and Serge Ballesta... Once people have physical access to the machine, you are for all purposes compromised.

You can make your setup more electronically secure in a number of ways. Many of them will probably cover practically all your use cases. Unless you are working with top secret government or corporate stuff and the attacker is bringing in special technology with them, you should be practically safe.

But the only way to be 100% safe in academical terms here is to go physical too. You need a person you can trust guarding the machine.

If you are really paranoid about cable splicing and that is really your only concern, you could cover the length of the mouse and keyboard cables in a mesh of copper that is connected to a sensor. Run a current through it, and have a relay that can measure voltage checking it 24/7. Have the relay connected to another machine, maybe a Raspberry Pi or an Arduino, so that it can trigger an alarm in case the mesh gets depowered.

Now you just have to set the voltage on the mesh. Use some small potential - say, 3 to 12 volts - if you just want to know whether the cables have been cut or not. Or go all the way to 220V or more if you want it to serve as a booby trap (some people would say that is an unethical thing to do).

Script Kid
  • 1
    Good idea. After the first one is killed it's a warn to potential attackers not to mess with us ever again. – MarcG Mar 30 '17 at 20:29
  • 1
    mesh wouldn't likely change much electrically from drilling. for FIPS3+ level physical security, a "serpentine trace" is typically used; a long thin wire/pcb track snaking around and around the case's interior. a break or track narrowing from a drill is then easily detectable. – dandavis Mar 31 '17 at 04:24
  • 1
    A midpoint between the serpentine & mesh is to use a braided fiber optic sheath weave around the secure cable, and detect breaks in any of the sheath fibers (time domain reflectometry on the sheath fibers will pinpoint the break location). – robbat2 Apr 02 '17 at 04:58
1

What if...

...we connected the keyboard into a Raspberry Pi or Teensy (https://www.pjrc.com/teensy), programmed to read the keys and "type" them again into the computer? I guess it would be fast enough to avoid any perceived latency. This would act as a "USB Firewall for Keyboard", and another one similarly as "USB Firewall for Mouse".

The computer would identify the Teensy as "FirewalledKeyboard" or "FirewalledMoused". There is no need for the computer to see the original keyboard or mouse.

Interestingly, user @robbat2 pointed to a USB firewall that prevents some low level USB attacks:

It seems to me this could also be modified to allow for only keyboards and mouses to be connected.

We may also still add the PS/2 cable solution (see user @dandavis answer) between the keyboard and the "USB Firewall".

Update:

I sent an email to Robert Fisk, creator of the (open source) USG, and asked him (condensed):

Hello Mr. Robert Fisk,

Can your USG be modified so that it only allows keyboards and mouses to be connected, and also prevent information from being sent from the computer to the keyboard? If I buy your ready USG hardware (instead of building my own), is it possible to change its firmware? How much is each USG?

He replied:

Hi Marcelo. The firmware can easily be turned into a 'keyboard-only' or 'mouse-only' device. You can also disable the computer-to-keyboard communication that updates the caps, scroll, and num lock lights. However you will still be vulnerable to a malicious user typing in an evil VBScript, Powershell script, or even binary using ALT ascii codes that will perform malicious actions. Yes you can certainly program in your own firmware, see this page: https://github.com/robertfisk/USG/wiki/DFU-Firmware-Upgrade

I hope that helps!

Please note I had never talked to Mr. Fisk before this email, and never heard of USG before I asked this question. I am not connected to USG or its creator in any way, and I have never used one, tested it, or studied it. I don't personally know if it's fit for the job. I am just posting this info because I think it's interesting and possibly useful.

If in the end I decide to buy some USG and alter its firmware, I'll probably open-source the new firmware in GitHub and link it here.

MarcG
  • Yes, USG or any similar device could in theory be programmed to only allow USB HID devices and resend the HID packets. Even the USG wiki suggests that it would be possible to write USG firmware that detects & blocks superhuman input speeds. However, even these will still fall prey to a "fake" USB keyboard that opens notepad, types in a program, and runs it, as long as it does it at a believable speed. USB Rubber Ducky can certainly do this. – robbat2 Mar 30 '17 at 19:09
  • @robbat2 Yes, of course. But I am specifically concerned about preventing the LED light attack vector, or other bidirectional data exchange. So, for example, the computer would lose its ability of changing the keyboard LED because the USB firewall would not send this info from the computer to the keyboard. – MarcG Mar 30 '17 at 20:25
  • 1
    What if... ...a vulnerability is discovered in the "firewall" code, Raspbian OS, or any other layer of code between the keyboard/mouse and the protected system? Your "firewall" is kaput. If you are indirectly trying to point out the deficiencies in the USB protocol, then you have succeeded in covering previously covered ground. If you want to make and sell a USB Firewall device, feel free and good luck. You aren't trying to realistically solve a problem, here. – 0xSheepdog Mar 30 '17 at 20:44
  • MarcG: The USG does permit bidirectional data, at a severely restricted rate & nature; it has to for USB to work; depending on the keyboard, I could potentially see uses that require the Teensy to send some data packets back to the keyboard as well. You'd be in full control of the source, so you could limit it however. @0xSheepdog Yes, there could be vulnerabilities in the firewall code, that is entirely why USG only communicated via the two sides using a simple serial link, wherein everything could be audited. I'm not trying to sell it; just saying it already exists. – robbat2 Mar 30 '17 at 21:06
  • @robbat2 I was directing that towards the OP who has posted this dubious answer to his own question. But yes, I see and agree. I'm wondering after OPs motivation behind this question. Well, not really wondering. I don't care that much. – 0xSheepdog Mar 30 '17 at 21:10
  • 2
    Isn't this like explaining how the brain works by imagining a little man inside your head pressing buttons, and inside his head is another little man and so on. The raspberry pi is a little Computer, how do you stop a computer with a USB input only accepting HID devices, put another computer in front of it :) – daniel Mar 30 '17 at 21:20
  • 1
    I would recommend an MCU over the pi for this any day; there's just a much smaller attack surface without having an OS, drivers, etc. i bet the 2-port adapters have a cheap attiny/stm micro. There's a real opportunity to advance the tech with customizable security features. It's well worth looking into. – dandavis Mar 31 '17 at 04:18
  • 1
    for a keyboard, it could filter hotkeys like [WIN], [CTRL][ALT][DEL], etc, as well as rate-limit, even censor profanity using backspace. might be useful to many, but also smacks of "I'm sorry Dave, I cannot type that" – dandavis Mar 31 '17 at 04:42
  • @0xSheepdog Wow! I posted this "dubious answer" because I would like to see what people would think of the USB Firewall idea, and that's the only way. Maybe even someone would tell me it already exists and point me to it. I have no USB Firewall devices to sell. Why don't YOU make one and sell it to me? I guess you've been watching too much Netflix, and your brain is full of conspiracy theories. – MarcG Mar 31 '17 at 05:28
  • +1 for the response. Honestly I think that this particular SE tends to be skeptical of innovative ideas, which makes sense given the conservative nature of the topic, though it's an interesting idea if nothing else. If you want to take it a bit further, you might want three Raspberry's connected in series: [PC] <-> [#1] <-> [#2] <-> [#3] <-> [keyboard]. Have #1 and #3 act as adapters to interface with #2, which acts as a basic keystroke router via GPIO connections to ensure no hardware vulnerabilities. Then, elite hackers could compromise #1 or #3, but not #2, making it a perfect barrier. – Nat Mar 31 '17 at 07:26
  • That said, if you assume that users might have hardware on them, then they might also have a small camera - pretty easy to get. Then they could program the screen to use [QR-code](https://en.wikipedia.org/wiki/QR_code)-like signalling to stream data to the camera via the monitor. They could even make the QR-code part just a variation in a known background coloration that most folks wouldn't notice; for example, they might just modify the pixels in the task bar. Then an attacker could transfer files without anyone looking over their shoulder noticing. – Nat Mar 31 '17 at 07:30
  • If you do do the crazy microcontrollers-in-series thing, you'd probably want the secure one (the center one) implement reasonable time delays on communication. This would allow humans to still type and get the caps lock light lit up at reasonable rates, but block attackers from simulating keystrokes or transferring significant amounts of data back via the caps lock light mechanism. – Nat Mar 31 '17 at 07:37
  • Also if you go this way and want to be practical you could buy an off the shelf 'Emulated USB KVM' switch, and then never switch it, it's pretty much what you are describing, plus some other bits you don't need. Or if you want to be impractical you should have your micro control a set of pistons that then hit the keys on another keyboard! This may introduce a little lag but it would be worth it. – daniel Mar 31 '17 at 11:41
  • @daniel Secure KVM Switches solve this, but they all seem to introduce lag. And we don't want any lag (ideally < 50ms). That's their only problem, apart from being expensive. – MarcG Apr 01 '17 at 04:05
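
The keyboard-only policy discussed in this answer and its comments (relay only validated key reports, discard host-to-keyboard traffic such as lock-LED updates, cap the key rate), as an added example that is not from the original posts or from the USG firmware. It is host-testable C for the filtering logic only; the function names, the budget of 20 presses per second, the keycode range and the sample reports are assumptions.

```c
/* Added example (constructed names, limits and reports; not USG firmware). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FW_REPORT_LEN  8      /* HID boot keyboard: modifiers, reserved, 6 keycodes */
#define FW_KEY_MIN     0x04   /* first real key ('a'); 0x01-0x03 are error codes */
#define FW_KEY_MAX     0x65   /* top of the boot-keyboard descriptor range */
#define FW_MAX_PRESSES 20     /* assumed budget of new key presses ... */
#define FW_WINDOW_MS   1000u  /* ... per sliding window */

enum fw_verdict { FW_FORWARD, FW_DROP_MALFORMED, FW_DROP_RATE, FW_DROP_HOST_TO_DEVICE };
struct fw_state {
    uint8_t  prev[6];                /* keycodes in the last forwarded report */
    uint32_t stamp[FW_MAX_PRESSES];  /* ring buffer of accepted press times */
    unsigned head, count;
};

void fw_init(struct fw_state *s) { memset(s, 0, sizeof *s); }

/* Host -> keyboard (LED output reports and the like): never relayed, so the
   lock LEDs cannot be used as a channel out of the protected machine. */
enum fw_verdict fw_filter_output(const uint8_t *data, size_t len)
{
    (void)data; (void)len;
    return FW_DROP_HOST_TO_DEVICE;
}

/* Sliding-window limiter: accept a press only if fewer than FW_MAX_PRESSES
   presses were accepted during the last FW_WINDOW_MS milliseconds. */
static int press_allowed(struct fw_state *s, uint32_t now_ms)
{
    if (s->count == FW_MAX_PRESSES &&
        (uint32_t)(now_ms - s->stamp[s->head]) < FW_WINDOW_MS)
        return 0;                           /* oldest press is still in window */
    if (s->count < FW_MAX_PRESSES) s->count++;
    s->stamp[s->head] = now_ms;             /* overwrite the oldest slot */
    s->head = (s->head + 1) % FW_MAX_PRESSES;
    return 1;
}

static int was_held(const struct fw_state *s, uint8_t key)
{
    for (int i = 0; i < 6; i++)
        if (s->prev[i] == key) return 1;
    return 0;
}

/* Keyboard -> host: validate the report shape, rate-limit new presses, and
   copy only a validated 8-byte report into the buffer sent to the PC. */
enum fw_verdict fw_filter_input(struct fw_state *s, const uint8_t *in, size_t len,
                                uint32_t now_ms, uint8_t out[FW_REPORT_LEN])
{
    if (len != FW_REPORT_LEN || in[1] != 0) return FW_DROP_MALFORMED;
    for (int i = 2; i < FW_REPORT_LEN; i++)
        if (in[i] != 0 && (in[i] < FW_KEY_MIN || in[i] > FW_KEY_MAX))
            return FW_DROP_MALFORMED;
    for (int i = 2; i < FW_REPORT_LEN; i++)
        if (in[i] != 0 && !was_held(s, in[i]) && !press_allowed(s, now_ms))
            return FW_DROP_RATE;
    memcpy(s->prev, in + 2, 6);
    memcpy(out, in, FW_REPORT_LEN);
    return FW_FORWARD;
}

/* Constructed session: n press/release pairs of 'a', gap_ms apart.
   Returns how many of the press reports were forwarded. */
unsigned fw_demo_burst(unsigned n, uint32_t gap_ms)
{
    struct fw_state s;
    uint8_t out[FW_REPORT_LEN];
    const uint8_t press[FW_REPORT_LEN] = {0, 0, 0x04, 0, 0, 0, 0, 0};
    const uint8_t release[FW_REPORT_LEN] = {0};
    unsigned forwarded = 0;
    fw_init(&s);
    for (unsigned i = 0; i < n; i++) {
        if (fw_filter_input(&s, press, sizeof press, i * gap_ms, out) == FW_FORWARD)
            forwarded++;
        fw_filter_input(&s, release, sizeof release, i * gap_ms, out);
    }
    return forwarded;
}

enum fw_verdict fw_check_one(const uint8_t *report, size_t len)
{
    struct fw_state s;
    uint8_t out[FW_REPORT_LEN];
    fw_init(&s);
    return fw_filter_input(&s, report, len, 0, out);
}

int main(void)
{
    printf("100 presses, 100 ms apart: %u forwarded\n", fw_demo_burst(100, 100));
    printf("100 presses,   1 ms apart: %u forwarded\n", fw_demo_burst(100, 1));
    return 0;
}
```

As the reply quoted in the answer and the comments point out, a filter like this does not stop input that arrives at a believable typing speed; it only narrows the device class, the return channel and the rate.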
0

Here you go. Epoxy, hot glue, etc. You have given very specific requirements and conditions without giving much basis except "Highly Sensitive Data".

Your question suggests the user CAN unplug and insert USB devices into the computer DESPITE the strict nature you originally described. This implies physical access to part of the system. The old rule goes "physical access trumps all other controls".

This is the best answer I can come up with, given your supposed conditions. I have worked in government high security environments, with cross-domain solutions, and those were easier. The simple answer is usually the more secure answer.

0xSheepdog
-1

You could use a wireless mouse and keyboard if the computer with the USB ports is not too far from your input station.

  • 4
    YOU MUST NOT! read [this](http://samy.pl/keysweeper/). Wireless enables so many more attacks! – MiaoHatola Mar 29 '17 at 13:50
  • 1
    @MiaoHatola: what does that link have to do with exfiltration? the concern is not snooping on the typing of the user (OP could install a keycatcher), it's the user getting into the machine... – dandavis Mar 29 '17 at 13:53
  • @dandavis It is as easy to transfer keystrokes to the computer as it is to listen to them. The link was as reference for how easy it is to hide such a device in a 'safe environment'. Now take that, and the fact that the Teensy on the KeySweeper is able to perform an HID attack, and there goes the 'safe' in 'safe environment'. This is a direct attack vector that wasn't in the original design and now very much is. – MiaoHatola Mar 29 '17 at 13:58
  • if they didn't have that particular KB, you still have to splice, but i see the issue now, cool. – dandavis Mar 29 '17 at 14:02
  • @MiaoHatola I still don't get it... if you're not concerned about the security of the user (i.e. your only concern is a user stealing data *from* the machine) why is sniffing (or even full MitMing/spoofing) a proprietary-type wireless connection any concern? – Doktor J Mar 29 '17 at 14:52
  • @MiaoHatola OP explicitly stated that keylogging is not a concern. – Agent_L Mar 29 '17 at 15:24
  • @MiaoHatola How's about bluetooth? – user400344 Mar 29 '17 at 16:49
  • 1
    @user400344 With Bluetooth, you can connect almost as many devices as with USB. It's no good unless you've got an adapter that only allows keyboards / mice... and you might as well go proprietary if you're going that far. – wizzwizz4 Mar 29 '17 at 17:10
  • @wizzwizz4 Yes, I was querying about the arduino- and teensy sniffing bluetooth though. – user400344 Mar 29 '17 at 18:40
  • @Agent_L Even though I have explained the *attack* risk this enables through HID attacks. Let's assume it doesn't, still - a security solution should not add an attack vector - no matter what kind! – MiaoHatola Mar 29 '17 at 18:47
  • Side note: that device will be hidden and inconspicuous right up until the moment it goes bang in the power socket – Matt Lyons-Wood Mar 30 '17 at 01:59
  • 1
    If the user has the option of bringing their own keyboard and mouse then they would need access to the USB port to plug in their own dongle. If instead you used some wireless hub you have the same problem that they could plug in a USB memory stick instead of a HID. The attack here would be "oh the keyboard you gave me isn't working i have to go into the room to repair it, and put my filthy hands on the PC". – daniel Mar 30 '17 at 10:19
-1

Based on your comment on one of the answers: The concept of "touching the machine" here is the problem.

So this answer is suggesting a different approach rather than concentrating on USB ports.

  1. Why not use wireless? Wireless keyboard and mouse keeps you away from using wires.

  2. Computer Remote Access, there are applications/software that can let you control other computer remotely, locally. It makes sense, if you are making a server-like setup.

  3. Control cursor and keyboard strokes through local network device (router)? Not sure if possible, but if it is, routers have mac address filtering, and such input devices need to have their own MAC addresses. Check out this HP Wifi Mouse, though by reviews online, it seems to be buggy.

Aesthetic