Research available protections against rogue USB devices

By “rogue USB” here we refer, for example, to the BadUSB attack described by SRLabs in https://srlabs.de/badusb and that can spread malicious firmware across USB peripherals.

• USBGuard
  • source code
  • Rule language for writting USB device authorization policies, supporting whitelisting and blacklisting based on device attributes
  • daemon + IPC + a Qt applet
  • in Debian Stretch
  • needs some UX improvements before we ship it: https://github.com/dkopecek/usbguard/issues/157
• Linux kernel’s “authorized_default” option for the usbcore module
  • could be set to 0 when the system is locked (logind may help); note that this breaks things if the system’s USB keyboard was unplugged while being locked
  • setting this parameter on-the-fly isn’t enough, one also needs to for bus in /sys/bus/usb/devices/usb*; do echo 0 > ${bus}/authorized_default ; done
  • In GNOME: https://ryuzakikk.github.io/gnome/internship-preparation/, https://ryuzakikk.github.io/gnome/internship-update-1/, https://ryuzakikk.github.io/gnome/internship-update-2/, https://ryuzakikk.github.io/gnome/internship-update-3/, https://ryuzakikk.github.io/gnome/internship-update-4/

Parent Task: #5451

Related issues

• Related to #5684 (closed)
• Related to #15767
• Related to #15900
• Has duplicate #8989 (closed)

Original created by @intrigeri on 9569 (Redmine)