20

I was troubled from the very beginning by the fact that my U2F security fob acts as a keyboard and theoretically is able to press any key when no one is looking. Sometimes I accidentally touch it and then the screen goes mad because of all those keystrokes. It seems to me a pretty bad design choice.

I was reading an article by YubiCo with justifications, and not much of it makes sense. It says that it's because of drivers, but following the same logic such a security key could just be a read-only flash drive with some extra sauce on top for key management, without any keyboard jazz.

So why keyboard emulation? Are there any alternative fobs taking a less spooky approach?

Asked by IlliakaillI (edited by Peter Mortensen)
  • HID devices are universally supported, even on closed systems like smartphones, which makes it the ideal protocol for devices that don't transmit much data. Also, the idea of FIDO is that the trust level of the stick is higher than that of the connected PC. If you don't think so, there are FIDO sticks available with open source firmware. – Robert Mar 18 '22 at 21:07
  • Accidentally touch? Really? I have mine hanging off a short extender at the back of my desktop, and I have to stretch a bit if I want to use it. If you're accidentally touching it, then your physical setup is wrong. – Bib Mar 21 '22 at 11:54
  • Do you guys leave the FIDO device attached? I put it into the USB slot only when the browser requests it and remove it immediately after. Knowing myself, I'd forget it in the slot easily, which basically removes or greatly reduces the 2FA security since anyone passing by will have access to that factor... – Bakuriu Mar 21 '22 at 14:47
  • I've got a FIDO key with open source firmware. I don't have the name off the top of my head and would have to dig for it. – Walter Mar 22 '22 at 00:15

5 Answers

23

You'd have to install a new driver on your computer in order to support a fob which doesn't emulate a keyboard, and that comes with its own set of problems (security and compatibility issues). Acting as a HID, or human interface device, ensures that the device is 100% compatible with almost any computer. This isn't any more of a security risk than plugging in any USB device. If anything, it's far more secure because it can get away with not making you install new software.

Any USB device will be able to emulate a HID if it is so programmed, so if you assume the fob you use is compromised or malicious, it doesn't matter if it acts as a keyboard (or another input device) or not, because it can. If you assume the fob is not compromised, then you are not opening yourself up to any attacks just by allowing it to input keys on your computer.

forest
  • In macOS I have to approve a newly plugged-in keyboard device before using it, so no, if the OS is designed properly, not any random device can act as a USB keyboard. Again, the standard USB flash memory drive protocol can be used to avoid the problem of installing drivers. – IlliakaillI Mar 19 '22 at 02:08
  • Flash memory can be cached by the OS, so after the first read operation, the USB "drive" has no reliable way of changing its content. But this is a necessity, else you could just emulate the security fob with any USB drive. – Guntram Blohm Mar 19 '22 at 08:07
  • @IlliakaillI Any random device can _act_ like a USB keyboard. If your operating system refuses to accept its input, then it can't really do anything, you're right. Regarding flash memory access, that (usually) involves mounting a filesystem, and filesystem drivers are not the most secure either. – forest Mar 20 '22 at 00:31
  • This isn't entirely true. All actual U2F and FIDO devices are "driverless", but they act as a custom HID control device – not a keyboard, and they do not rely on key input. – user1686 Mar 20 '22 at 00:34
  • @user1686 Thanks. I'll edit my answer to be less keyboard-centric. – forest Mar 20 '22 at 01:00
  • @IlliakaillI Also beware [USB Killers](https://en.wikipedia.org/wiki/USB_Killer), which no amount of software will help you with. – Colonel Thirty Two Mar 22 '22 at 02:10

11

The type of input you're seeing is common on YubiKeys, where the USB HID keyboard emulation is used to send one-time passwords (the OTP mode of a YubiKey). This is because all modern operating systems have basic, built-in support for certain types of standard USB devices, and human-interface devices, like keyboards and mice, are one of those kinds. Thus, it's possible to support this mode on pretty much any device with a suitable USB port without the need for additional drivers. (However, it doesn't work with some keyboard layouts, such as Dvorak.)

On the other hand, the FIDO2 code generally needs additional driver and library support, and therefore isn't universally available. It is, however, more secure. Which mode to use depends on the security needs of a particular context.

There are definitely other FIDO2 fobs out there, such as the SoloKey. Its documentation doesn't reference supporting OTP mode, so if you're really concerned, that may be an alternate option. If you just find the accidental typing annoying, YubiKey provides the YubiKey Manager, which lets you turn it off.

Everything in security involves a threat model and tradeoffs. Personally, I find the risk of being compromised due to the YubiKey I personally bought being rogue to be very low. Shipping intentionally compromised fobs would likely put YubiCo out of business, and they seem to generally be a reputable actor. As a consequence, I am willing to use their fobs, believing them to be secure, and if the fob is secure, then the keyboard input functionality is not a concern. (I agree that accidentally triggering it is an annoyance, which is why I turn that off, though.)

bk2204
  • That Dvorak thing had me puzzled for hours - a yubikey password always looks like gibberish, whether it's typed in QWERTY or DVORAK – Criggie Mar 19 '22 at 06:14
  • @Criggie, yes, but the keyboard interface doesn't send characters, it sends keycodes, which then get translated by the OS. With a Dvorak keyboard layout, the resulting characters will be quite different from the ones you'd get with a QWERTY (or QWERTZ, or AZERTY) layout, and that's what matters to the program. – ilkkachu Mar 19 '22 at 12:21

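The keycode-to-character translation ilkkachu describes, as an added example that is not code from the page or from Yubico: it models the host side only. It assumes USB HID usage IDs 0x04..0x1D are the a..z keys of a QWERTY board, uses Yubico's real 16-character modhex alphabet, a letters-only Dvorak map, and a constructed sample OTP.

```python
"""Why a YubiKey OTP comes out as gibberish on a Dvorak layout.

Constructed example, not code from the page or from Yubico. The device emits
USB HID keycodes (the physical key positions of the modhex characters on a
QWERTY board); the host's keyboard layout turns those keycodes into characters.
"""

# Yubico's modhex alphabet: 16 characters, one per hex nibble (c=0 ... v=f).
MODHEX = "cbdefghijklnrtuv"

# USB HID keyboard usage IDs 0x04..0x1D are the keys labelled a..z on QWERTY.
QWERTY = {0x04 + i: ch for i, ch in enumerate("abcdefghijklmnopqrstuvwxyz")}

# The same physical keys as a host with a Dvorak layout interprets them
# (letters only; punctuation keys are left out of this simplified map).
_QWERTY_TO_DVORAK = dict(zip("qwertyuiopasdfghjklzxcvbnm",
                             "',.pyfgcrlaoeuidhtn;qjkxbm"))
DVORAK = {code: _QWERTY_TO_DVORAK[ch] for code, ch in QWERTY.items()}

_KEYCODE_OF = {ch: code for code, ch in QWERTY.items()}


def keycodes_for_otp(otp: str) -> list[int]:
    """Keycodes a key programmed for QWERTY emits to type a modhex OTP."""
    if any(ch not in MODHEX for ch in otp):
        raise ValueError("OTP must be modhex")
    return [_KEYCODE_OF[ch] for ch in otp]


def render(keycodes: list[int], layout: dict[int, str]) -> str:
    """What the host application receives after layout translation."""
    return "".join(layout[code] for code in keycodes)


def modhex_decode(text: str) -> bytes:
    """Decode modhex to bytes; rejects characters outside the alphabet."""
    if len(text) % 2 or any(ch not in MODHEX for ch in text):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(ch) for ch in text]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


# Constructed 44-char OTP: 12-char public ID followed by a 32-char token.
SAMPLE_OTP = "cccccccccccc" + "hknhfjbrjnlnldnhcujvddbikngjrtgh"

if __name__ == "__main__":
    codes = keycodes_for_otp(SAMPLE_OTP)
    print("QWERTY host:", render(codes, QWERTY))  # the OTP as programmed
    print("Dvorak host:", render(codes, DVORAK))  # same keycodes, other text
```

Note that a Dvorak-rendered run of `c` becomes `j`, which is still valid modhex but decodes to a different value, so the server sees a well-formed token that simply never validates.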
11

Sounds like you have a YubiKey NEO or later, which provides multiple unrelated functions over the same USB connection – the "keyboard" emulation is not for U2F, it's for Yubikey's 'original' One-time Password function which predates U2F by about a decade.

(Some models also have a third interface, acting as a PIV-format smartcard.)

You can disable the OTP interface in a Yubikey using the graphical YubiKey Manager app, the ykman CLI tool, or the older ykpersonalize CLI tool:

ykman config mode FIDO

ykpersonalize -m3

(This will not erase the factory keys, only hide the 'keyboard' HID interface.)

user1686
6

To add to the other answers, a Yubikey generally cannot emulate a device other than a HID, such as the mass storage device you suggested. Many large organizations deploy policies that prevent the use of removable mass storage devices by users in order to help thwart data loss. Those policies are intended to prevent a malicious user (or BadUSB cable) from downloading sensitive files locally. They also protect against users plugging in "found USB keys" that upload malware.

When such a policy is enabled, the OS will see that a new USB device is a mass storage device and will refuse to mount it. A Yubikey would be inert if it was emulating a thumb drive.

But unknown HID devices (like new keyboards) are almost always allowed because of accessibility issues. For example, if a person requires a specialized large button keyboard, a US employer is required by the ADA to permit them to use it so they can do their job.

EDIT: HID devices are considered “mostly safe”. Since they are input-only, they cannot directly exfiltrate data from the host. However, malicious HID devices such as the Bash Bunny can send keystrokes that will attempt to open a browser, download a program, run it, upload a file full of results, then close the browser. But your suggestion of restricting unknown HID devices is not a useful defense, as the Bash Bunny can also present the PID & VID of a stock Dell keyboard, or whatever keyboard you think should be on a whitelist. At some point, you have to accept some risk when you allow HID.

There are some very high security systems that have specialty keyboard devices dedicated to secure password entry. For example HSM vendors often use an encrypted keypad for initializing security keys. But these are not HID-compliant keypads, they are separate embedded systems with a little display that prompts users for input, they do internal cryptography, then exchange encrypted data via the USB serial protocol. They may even require custom drivers to function. These are designed with nation-state level adversaries in mind.

John Deters
  • This makes sense. Regarding unknown HID devices: such a device should have a unique ID, so it may be logical to assume that it should be refused when connected for the first time and only enabled after explicit approval. Too bad that this is not how most OSes treat external devices by default. – IlliakaillI Mar 20 '22 at 17:18
  • @IlliakaillI We tried disabling unknown HID devices until we found we had hundreds of remote users that required a wide variety of unique HID solutions for accessibility reasons. We couldn't manage those remotely without adding big management problems, so we switched off that policy permanently. It hasn't negatively affected our security at all, and it made jobs easier for those who require them. – John Deters Mar 20 '22 at 19:08
  • This may be true for your local case, as I don't know what you mean by 'we', but if we're talking about mainstream OSes, I think it should be configurable at the very beginning, during OS installation. Users should be able to allow all unknown HID devices at their own risk, but defaults should be in favour of stronger security. – IlliakaillI Mar 20 '22 at 20:16

1

Keyboard emulation is a legacy feature, retained for backward compatibility.

Yubikey created their product in ~2007 - years before the introduction of FIDO/U2F (~2014) and at that time, emulating a USB keyboard was the only way to make their product work without drivers or browser plugins. [*]

This was before there were controls on plugging in USB keyboards - in those days, malicious USB devices would simply use autorun.inf to execute the attack directly (possibly by emulating a CD-ROM drive).

In modern times, it's doubtful anyone would develop a new application that relied on USB keyboard emulation - but Yubikey keep it around to support their long-term customers.

You can disable the USB keyboard emulation on your Yubikey with their administrator tools - or you can buy a different model (the blue yubikey is U2F-only) or from a different vendor entirely.

[*] Technically their product also emulates a smart card reader, but smart cards had achieved little adoption in the market at that time, except in hospitals and the military - nobody was getting rich making smart cards.

mjt