
I'm concerned about USB devices being physically attached to my MacBook laptop when I am about to unlock my computer or while my computer is unlocked.

My threat model involves an attacker who is willing to spend about $200 to gain access to my laptop, in particular my own user account or root. So, sophisticated physical attacks such as complicated hardware modifications or physical laptop replacement are not possible.

But I'd like to be able to:

  1. Leave my computer unattended but locked for a few minutes while I use the bathroom at a coffee shop.

  2. Plug in external USB storage devices without having to boot into an isolated VM or use a guest user account. Be able to charge my phone from the USB port using an untrusted cable and still be able to use my computer from my user account at the same time. Be able to use untrusted external monitors through USB.

  3. Avoid having to physically touch my USB ports to make sure nothing nefarious is connected before I type login.

The attack I'm worried about is obviously BadUSB or custom-designed USB devices that can act like keyboards (and can be produced for less than $200). These devices could be plugged in while I leave my laptop unattended, and can possibly be too tiny (think YubiKey size) to be immediately noticed. Or they could be plugged in by a person sitting next to me when I show them something on my screen.

I already employ basic opsec practices, including FDE, a firmware password, a user account password that changes often, always locking my computer when I am away, no password reuse, running only binaries I trust etc.

The solution I am thinking of would be along the lines of having to "authorize" new USB devices when they are plugged in; and I should be able to view their type (e.g. keyboard vs camera vs microphone vs charging cable vs storage device). If I authorize a USB device and it is unplugged and re-plugged, I should be given the option to re-authorize it or to unauthorize it, and it shouldn't be able to act until I make the decision. And if a device tries to re-register as a different type, it should be blocked until authorized.

Do you know of a system that allows me to do that? Thanks!

dionyziz
Matthew Peters
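The authorization policy the question sketches, written out as an added example (not code from the thread): devices are identified by vendor id, product id and serial, their type is derived from the USB interface class codes they present, a new or re-plugged device stays inert until the user decides, and a known device that re-enumerates as a different type is blocked outright. The plug events are constructed dicts; the hook into real OS device notifications (IOKit on a Mac, udev on Linux) is assumed and not shown.

```python
"""Added example: policy engine for a USB device authorization prompt."""
from dataclasses import dataclass, field

# Interface class codes from the USB spec; HID boot protocol 1 = keyboard, 2 = mouse.
CLASS_NAMES = {0x01: "audio", 0x03: "hid", 0x08: "mass-storage", 0x09: "hub", 0x0E: "video"}
HID_PROTOCOLS = {1: "keyboard", 2: "mouse"}


def describe(interfaces):
    """Map a list of (class, protocol) pairs to a sorted tuple of readable device kinds."""
    kinds = set()
    for cls, proto in interfaces:
        name = CLASS_NAMES.get(cls, f"class-0x{cls:02x}")
        if cls == 0x03:
            name = HID_PROTOCOLS.get(proto, "hid-other")
        kinds.add(name)
    return tuple(sorted(kinds))


@dataclass
class Gatekeeper:
    approved: dict = field(default_factory=dict)  # device id -> kinds the user approved
    pending: dict = field(default_factory=dict)   # device id -> kinds awaiting a decision

    def on_plug(self, vid, pid, serial, interfaces):
        """Decision for a freshly enumerated device. Anything other than a later
        explicit 'authorized' leaves the device inert."""
        dev = (vid, pid, serial)
        kinds = describe(interfaces)
        known = self.approved.get(dev) or self.pending.get(dev)
        if known is not None and known != kinds:
            # Known device now claims a different type (e.g. a camera that also
            # presents a keyboard interface): drop any approval and block it.
            self.approved.pop(dev, None)
            self.pending.pop(dev, None)
            return ("blocked", kinds)
        # New device, or a known one re-plugged: ask again either way.
        self.pending[dev] = kinds
        return ("pending", kinds)

    def decide(self, vid, pid, serial, allow):
        """Record the user's answer to the prompt for one pending device."""
        dev = (vid, pid, serial)
        kinds = self.pending.pop(dev, None)
        if kinds is None:
            return ("no-pending", ())
        if allow:
            self.approved[dev] = kinds
            return ("authorized", kinds)
        self.approved.pop(dev, None)
        return ("unauthorized", kinds)
```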

3 Answers


I guess you only want to use one USB port at a time (you could attach a hub to this port in the few cases you need more ports) and you intend to keep this MacBook until it's out of service (e.g., it does not matter if some USB ports get destroyed).

Then I would suggest filling all USB ports except one with epoxy glue. The port you select to be open would ideally be easily visible or accessible so you can later detect tampering with this open USB port.

Then you use a USB lock. There are numerous USB locks available out there; some have a "general" key that will fit all USB locks, others have a color-coded key that will only fit USB locks of the same color, and others have a completely unique key.

If you want, you could buy one of those laptop cable locks with a key and a USB "tongue" that locks into the USB port, and then modify the device to remove the locking cable, leaving only the "lock". Thus you lock the "lock" into your open USB port, and then it cannot be removed without the key or using force, and using force would also destroy the USB port and leave telltale evidence that manipulation has taken place.

If you very rarely use your USB ports, only occasionally, you could even use one of those serially numbered "USB seals", which is a little plastic device that you put into the open USB port (the one you selected not to epoxy), and it sticks permanently. To remove the seal, the seal has to be destroyed, and then the plastic seal cannot be reused. Every seal then has a serial number, which you check against a secure source (for example, a paper in your wallet that you carry on yourself at all times) when you want to "go secure".

sebastian nielsen
  • This solution is unsatisfactory. I sometimes want to use multiple USB ports, not just one, and I don't want to use a hub, as it's inconvenient to carry around, and bulky to connect. I also don't want to destroy the physical ports on my laptop unnecessarily. Linux provides ways of doing this at the software level – confirmation when a USB device is plugged. I'd prefer to implement this at the software level for mac if it's not available, but I was curious if there's a ready solution. – dionyziz Apr 11 '15 at 13:01
  • Then I would suggest a USB locking solution like this: http://www.lindy-usa.com/usb-port-blocker-pack-of-4-color-code-pink-40450.html . Even if it would probably be possible to remove those without the key using for example a lock pick, nobody would be able to insert anything without you noticing, and you can easily see if the red front of the lock is visible in the USB ports. – sebastian nielsen Apr 14 '15 at 11:28
  • I was hoping for a software solution. Isn't there anything we can do at the software level for this? – dionyziz Apr 14 '15 at 13:27
  • The problem is that USB is too near hardware to be doable in software. Yes, you can block the effects of certain USB devices, which is what many "USB endpoint protection" software products do. They simply ignore events from USB devices, preventing access by those USB devices to the computer. But still, you cannot disable a USB device at the hardware level with software, like turning off a USB port. Imagine the "BadUSB" device completely faking your internal laptop keyboard and mouse - voila, you would have to ignore events from your own keyboard, making it impossible to authorize the action. – sebastian nielsen Apr 15 '15 at 03:50
  • That's not true. You can distinguish an external USB keyboard/mouse from an internal one on your laptop - they are separate devices and the software has access to enough data to distinguish between them at the software level. This is true for Linux and Mac, similar to how you can distinguish PS2 mice and keyboards from USB ones. I don't see why a software solution is inadequate. – dionyziz Apr 15 '15 at 11:11

If you're concerned about BadUSB and similar attacks, you'll just need to resort to checking all of your ports every time you come back after leaving your computer unattended. Do note, however, that even this doesn't protect you from BadUSB.

BadUSB means I can take a normal piece of USB equipment, flash custom firmware on it, and wreak havoc with it. This can be done relatively quickly, provided that the USB chipset on the device in question is known in advance. An attacker can grab your WiFi dongle, BadUSB it, and put it back into your computer. BadUSB is even worse: an attacker can flash custom firmware to one device, infect your computer, and then from there ultimately infect all USB devices plugged into your computer at any point in the future, so long as BadUSB persists.

The best solution to BadUSB would be a hub of sorts which does the following:

  1. The hub itself should never allow firmware to be flashed to it, or at least mandate that all firmware be cryptographically signed.
  2. The hub should maintain a permissions list for all devices attached to it. When you plug in a device, the hub should notify the computer that a USB device describing itself as a mouse has been plugged in.
    • If it ever requests to be a keyboard etc., you should get a notification.
  3. No firmware flashing through the hub should be allowed. This protects your devices from being BadUSB'd.

BadUSB is bad. Enough said.

Do note that at least some operating systems blacklist certain USB devices known as pwnage devices. This isn't good enough, however, as a USB "id" is a weak and easily forgeable thing: your Logitech camera could identify itself as an Apple Keyboard.

Naftuli Kay
  • This is unsatisfactory. Why should I employ a hardware solution, a hub, when a software solution can distinguish the types of devices at an operating system level. My operating system already knows that something is a keyboard and that something else is a camera. Let's use that for detection. I don't want to carry a USB hub every time I want to use my laptop. I don't want to manually check ports either. Especially when it's possible to do so at the software level. I can do this on Linux. Why not mac also? – dionyziz Jun 10 '15 at 22:17
  • A software solution could possibly work, but you're assuming that your computer's USB ports are trustworthy. BadUSB could rewrite the firmware on your ports if it ever gets in. Software gets you about 90% there, with that caveat. – Naftuli Kay Jun 11 '15 at 00:04
  • Software can detect between device types. If BadUSB changes the firmware to modify device types, this can be detected at the software level. If the device type is already dangerous, e.g. a keyboard, then even a hardware solution doesn't help. So software could get you 100% there. – dionyziz Jun 11 '15 at 13:11

I wrote a partial solution to your need which I share.

I only want to enable USB on exceptional occasions. I'm running a computer on which the use of a USB key can't be allowed.

I wrote a shell script, usb, which only switches on the required extensions to enable visibility of USB mass storage when I need it. Here is the man:

Usage: usb [on|off|]

To enable USB mass storage:

usb on

to disable USB mass storage:

usb off

to check if USB mass storage can be recognized or not:

usb

This shell script is based on:

kextstat
kextunload

This lets me use my USB port to recharge an iPhone, but doesn't protect me from a BadUSB attack.

dan