Luke, there is no real ways to block BadUSB.

BadUSB is like this: you get some USB device. It pretends to be USB flash drive. It is device who makes such abstraction. There is some CPU ("controller") inside of device. It talks USB. And exposes device as USB flash. If device's firmware haves malicious intentions, it can suddenly misbehave.

Flash can return bogus data, possibly causing foreign code execution in way you don't even usually expect. Just rewriting file on flash would not help - it is controller who passing all requested data. It can do runtime patching of data on the fly. Sure, you can add checksums, etc and eventually it would get too complicated for controller to do it unnoticed. But you should understand: there is CPU. It runs foreign code. Most of time you do not know what is this code and what it can do.

BadUSB attack goes a bit further. Say, flash drive can suddenly became keyboard. USB is universal bus, device functions are purely software-defined by device firmware. So there is nothing wrong if device suddenly becomes something else. It is technically possible. Then "flash drive" can suddenly type some commands into your system. Possibly executing something nasty, if guess has been correct (device can't see/analyse your screen easily so its blind attack). Say, in windows you usually can emit kypresses like <Win+R>, "calc.exe", <enter> - and well known PoC (aka calculator) is here. Boo-hoo.

There're even more sophisticated attack possible and reported to exist. Many modern 3G/4G modem+router devices are full fledged computer inside. They often run Android or Linux internally. So on one side device haves network connectivity, in fact being autonomous computer inside and it pretends to be usb peripheral for you. Needless to say, someone who had malicious intent can either hack such device remotely or put malicious code into firmware. Then device could suddenly turn into keyboard. Wireless keyboard. Incredibly long range wireless keyboard which can be controlled from any place around the world.

So what BIOS can do about it? Basically nothing: it does not handles devices enumeration and so on once OS booted. It can disable USB controller I guess but then you'll be completely unable to use USB devices. Doesn't sounds very cool, right? There is no way to change this without completely wrecking compatibility with existing USB devices.

It is up to OS to defend itself at this point. I can imagine OS can request some extra confirmation to use new, previously unknown keyboard (and maybe other potentially troublesome device classes) and just refuse to deal with new keyboard without some extra confirmation from user. Typed via old keyboard, obviously. But who does it right now? Nobody? Hmm, okay - now BadUSB attacks are problem.

I can imagine some funny ways to divert BadUSB at hardware level. Imagine you have 4G USB modem and it got hacked. But if it has been plugged into some TL3020 running openwrt and it lacked HID kernel module - uh-oh, good luck to type something from "keyboard". And it's not like if pocket sized router needs keyboard for normal course of actions. So its possible to "firewall" suspicious devices. Yet it would require some chunk of hardware where you can control firmware and hence can intercept undesired activity.

But key problem acutually is the fact most devices are running internal firmware. Of course well hidden and blob-only most of times. So you never can be sure what this crap does, is it vulnerable or not, etc. All interactions with device are handled by device's firmware. So device can do whatever it wants and there is no real way to prevent it. You never know what particular device is up to.

basicly you are fucked with it... depends on your usecase, is a external keyboard no option? depends on your needs of the keybaord what do you want to do, develop or just type components. I am a bit a extremists lately with keyboards so what many people will be happy with I am not

I use a x220 with a japanese like layout (with normal letter keys), the advantage is that it has more thumbkeys, having more or less only one big space bar and pressing nothing else with thumb is not very good idea because its the strongest finger, why would u use the small weak finger for enter as example I have enter and tab and space in the middle the most used keys and the menu key its very special setup like you shure guess by now

As major keyboard I use trulyergonomic keyboard. I would not use the keyboard of the laptop for a longer time and buy a mechanical keyboard.

I dont really know whats really a good keyboard for laptops a few years ago I was pretty happy with a 10" samsung nc10 keyboard, anything is possible. but I guess I did not code much at that time. And you adapt to each keyboard over time the question is does it tire your hand faster or not.

Or to make this long post short, I dont know how well the asus keyboards are, the asus keyboards seemed pretty solid on the old asus netbooks but thats very subjective

and it depends also much on your logical layout and how you press keyboards again what do you want to do with it. I think I need to start learning dvorak now finaly

Is there a database of motherboards that have this shit on it? Because it literally means you have no control over the hardware anymore, if Intel dictates what can and cannot run on it.

I honestly was not aware of this when making recent computer purchases including Intel hardware - now I have another anti-user anti-freedom DRM mechanism to stringently avoid in future purchases. Fan-fucking-tastic.

Eat shit Intel execs, you assholes. Stop trying to take my software and hardware freedom. I want god damn coreboot on my systems, not your UEFI black box bile that is spying on me at the most fundamental roots of my hardware. You don't get more businesses pulling this shit.

Hopefully some powerful AArch64 laptops will be coming out in the near future. That should solve the problem, or some Intel processors that only support Coreboot.

BadUSB means untrusted USB devices cannot be used.

What this has meant to me since I found out about it is this: flash drives of unknown source are just as dangerous on Linux machines as Windows ones and must not be used. Each machine that is security critical must be used only with a predefined and known set of known good USB devices. Best bet is to buy flash drives new and randomly in-person with cash, never order them for later delivery, in short never to allow the source of a USB device to predict who will be using it. Also, this means not using 3g/4g radios that plug in by USB just like not using PCI-e modems. The wifi device is best used on USB because that makes hacking from it a bit more diffficult then doing so from the bus, with the further requirement of getting control of it by packets sent from the compromised router.

Short of BadUSB, an attacker targetting you directly and knowing what OS you use could put literally any attackware against your OS or your firmware on a USB drive and leave it where you are sure to find it. That's how they think Stuxnet got into Persian nuclear facilities, from which it then escaped to the Internet. If you see a "lost" USB drive around your home or office, presume it malicious and destroy it. If you must use random flash devices, use them with a quarantined junk machine not networked with the ones that count.

Good point and also NEVER let anyone plug any USB device into your system, because a BadUSB device can masquerade as a mouse, keyboard or a cable. A good reason to block USB devices that are storage devices from highly secure systems.

Does Linux have a way to disable USB storage devices, like in Windows?

If google made a pixel successor just as open as the original there'd be little doubt in my mind about buying it. All this talk of open laptops and the pixel always gets ignored for some reason - it's not blob free AFAIK but it's a hell of a lot closer than 99% of laptops while having great specs and guaranteed Linux support.

More on BadUSB

A total defense would require total isolation between computers used with unknown flash drives, and those used for sensitive files. Only network connections could be used between them, and preferably the machines and OS's used would not be binary-compatable. In short, the inverse of the USB bridged network air gap. My machines only get used with a limited set of known USB devices anyway, but I still find this nasty enough. Certainly this complicates moving data that originates on a network to air-gapped systems, though single-use flash devices can go the other way with impunity (DVD is cheaper though). There are of course some things that are only safe on a machine never networked and never connected to any unknown device (USB or otherwise), the only way to move data in or out of such machines is on something like a DVD that does not contain firmware or executable code at all beyond what you write to it.

I looked at the original BadUSB article



And see that this is not a firmware attack on other firmware, reproducing onto other devices-this time around. The main barrier to that would be predicting the firmware to be attacked. On the other hand, a flash drive pretending to be a keyboard could simply log into a website and download that "correct" worm to infect the target, or even simply make and export SSH keys, and if necessary install and start an SSH server to allow remote control for this purpose. Certainly such a machine could be used to attack firmware in USB devices, seeking out those whose firmware is writeable from the USB interface and ignoring the rest.

A viral attack that spreads to new USB devices directly by modifying firmware as opposed to the OS in computers (or cameras, phones, etc) has yet to be reported from what I have seen, When such reports do come out, it will remain safe to move files by brand-new USB devices from known good devices (computers, cameras, etc) to untrusted ones (then discard the USB drives), but the reverse will not be true. Moving files the other way will require "quarantine" servers in the middle to limit any effective attack to one that can target both the suspect and the quarantine OS or BIOS, then from it infect additional USB devices. A new device in a potentially infected computer is considered infected after but not prior to being plugged into it, and can only infect those devices the original programmer designed it to attack. Thus quarantine servers should run a different OS than the suspect machines, possibly one of the BSD's with no Internet connection and no graphical interface to limit the attack surface, running over Coreboot. If the payload can't get control of the server, than it has no access to the second set of USB devices that move only from the quarantine server to the valuable machines, nor the ablity to transition to a network attack if an ethernet cable is used instead of USB for this job.

You've missed the point of Secure Boot. It's still the AVs responsibility (as well as the user) for preventing malware from entering the system. The point of Secure Boot is to prevent malware hiding as a low level rootkit that the AV can't detect. Yes, the AV has already failed if you get to the point where Secure Boot helps, but if the AV signatures are later updated then the malware can be detected.

It's also a means to prevent piracy of Windows by preventing hacks like the SLIC BIOS emulation bootloaders. Granted, you could just disable Secure Boot if you're attempting such a hack...

Boot Guard has only one application - it's a tool that facilitates the implementation of vendor-locked x86 firmware. Intel knew full well what they were doing and the blame lies squarely on them.

Yeah, let's all embrace vendor locks.

/facepalm