Hello everyone, welcome to our next talk from Tobias Miller and Ludovico. Then, it's about USB-borne attacks.

Is this on? Ah, perfect. Okay, so if there's trouble with the microphone, let me know. So I'm Toby. Hello, don't know if you know me. I am in the GNOME project and so is Ludovico.

Hi.

And I'm very happy to be here and to be talking to you about, well, the attack surface of USB. How many of you have a device that's capable of having a USB device attached? Quite a few. There's some who haven't raised their hand. I'm surprised. Like, do you have a computer?

So, um, we're working on protecting against rogue USB devices. That is, Ludovico is doing all the work and I'm telling him how good he is and I congratulate him on his achievements. And we will present what we think, how we think we should introduce these capabilities of protecting against USB devices such that they actually work, in terms of they unfold their protection capabilities. And what that means, well, you will hopefully see once we have the examples of why we think it doesn't right now.

But, um, first let me tell you really quickly why I believe that GNOME is in a very good spot of providing these protection capabilities. So the sole reason of GNOME's existence, as you all know because we're at FOSDEM, is freedom. So GNOME was, well, created as a free alternative, you know, to back-in-the-day proprietary systems. And there's many definitions of freedom, including those, you know, for your free computing. We also believe that you should be free from concerns of your computing being compromised, and we ought to achieve this, well, as well as possible without compromising on your way of using the machine or your usability.

Why do I think that we're in a good position? Because it turns out that filtering out extraneous information is the basic function of consciousness, so your brain does nothing else but filtering out all the unnecessary stuff. And I think that with GNOME we found workflows and ways of interacting
with the user that prevents, well, unnecessary things and allows the user to concentrate on what, well, they want to do. Because we firmly believe that the user does not sit in front of the computer because they like to sit in front of the computer. I'm sure many of us do, but most people, I believe, or most people, we believe in the GNOME project, are sitting in front of their computer because they need to perform a task. And if you interrupt them performing the task, then users go to great lengths of getting back to their work. So I believe that once you make the user part of your security system, you're gonna have a bad time. You must not, you know, make the user make decisions that they will regret. And in fact there have been studies, academic studies, which show that, well, you better throw a coin rather than letting the user decide; you end up with better decisions.

So what is the problem about interrupting the user? Well, as I've said, once you distract the user from what they want to achieve, they will want to go back to that, and they click on that button on the lower right because they know that this click makes this annoying dialogue disappear. So prompts are dubious in the first place; security prompts are just wrong. I claim that you must not prompt the user or interrupt the user doing their work with a security-relevant prompt asking the user something. Worse, if you're making this decision that the user took under stress permanent, I claim that this is plain evil. You must not do that under any circumstances. If you take one thing away, then it's this: do not have interactive or user interaction in a way that distracts the user from whatever they're doing and make this decision permanent such that you prevent the user from learning how to undo this decision. So don't do this.

What do I mean? So I've brought a few examples. It's known projects. It's known software.
So, you know, it's, um, I'm blaming and shaming, but it's all lost anyway. It's, um, this, you all know this: this connection is untrusted. Do you want to continue anyway? This happens or happened when you opened your chat application. You know, imagine the user, they want to chat, they open the chat application and they're being asked: you've opened the chat application, do you really want to open or rather not? Have you, you know, decided that within these 20 milliseconds that I took to load the style of, do you now not want to open the chat application? Hmm. And I mean, I sympathize with the developers using this user interaction because it's like a relatively cheap way of alerting the user and, you know, pushing off responsibility. But, um, well, I could talk about this at great length, but we don't have time for that.

So there's another one which I liked. This software is just a package install, like some software installation thingy, and it tells you that the software you've just downloaded isn't signed and is not trusted by a provider and so on. And we can make sense out of that because we're in the security devroom. You know, we're the experts in the field. But, um, I have parents and they, you know, they want to use the computer to send me an email, preferably and tripletly and so on. But, um, this is gibberish. This doesn't make any sense. Like, how would they know whether, you know, the software is trusted or not? Like, they don't have any clue.

And this is my absolute favorite. It's, um, you know, you get this prompt and it says: Albert found a new update which fixes your problem, please run before submitting the bug pkcon update dash dash report dash if you enable and then yes. What? Like, so this is terrible, right?
And I think we can generalize this into: if you have a security system and you require the user to do anything with it, that's fine, but be ready to lose half of the audience, half of your user base, with every single click or keystroke.

And because we're at FOSDEM, I thought it'd be funny to show you this. Does anybody remember or know what this is? Key signing, yeah. What do these people do? Like, what do they actually do? Yes, they do key signing, but what do they do? Yeah, they like walk along each other and they mumble fingerprints, like these hexadecimal numbers, and, you know, it takes ages and it's awful because it's cold, because it's February, you know, and like in the middle of Europe it's cold. And then you get home and then you're not sure what, you know, what you've actually read and so on. That's terrible. And, well, we've also fixed that, I think, so there's GNOME Keysign. But we're not here to talk about GNOME Keysign, but that's the mindset, right? You're trying to reduce all these things that security people came up with by something that, well, will hopefully be able to be used by, you know, normal people.

So that's the general mindset of why I think, or we think, we're in a good position, and now I'm very excited to hear Ludovico talk about the actual USB stuff.

So as Toby said, USB devices are everywhere, and the users maybe most of the time don't think that USB is a threat to their computer. And maybe even the most common scenario is when a user locks his computer, goes to the bedroom and leaves the computer unattended. In this scenario the USB ports are still running, so someone can pass by and plug a malicious USB device into the computer. And most of the time users are not aware of this. And so USB devices can be really dangerous. For example, just the recent screenshot of the CVE list related to USB: it has more than 200 entries. And the most famous attack using a USB device is BadUSB, where the malicious device
it's just, it was just a pen drive, but it also advertises itself as a keyboard. So when you plug this device in, it can act as a keyboard and enter keystrokes automatically.

So this is a CVE that we tried to demo, and this is a VM of Ubuntu 14.04 because the CVE is two years old. And just using a specially crafted USB device like this, it's an Arduino Leonardo clone, it advertises itself as a MIDI keyboard that has a bug in this particular kernel version, and just plugging this device into this computer, it will create a kernel panic. This can also be exploited to gain a root shell on this computer. So in this case it's just a kernel panic, but it can be even worse.

From a MIDI keyboard. When's the last time you've attached a MIDI keyboard? So any USB device has the privilege of loading any kernel driver that you've installed on your system. It turns out that if you have a general-purpose distribution, well, then you have all the drivers that have ever been written for Linux, ever. And it turns out that this is quite a large code base. Your attack surface is very large in this case.

Yeah, that's right. And what other people already did to mitigate this USB problem: well, for example, in Windows there is a Kaspersky that lets you enable USB protection, and every time you plug a new device you'll get this prompt with a PIN that you need to enter with the newly plugged device. It's confirmation that you are willingly plugging a keyboard or mouse into your computer.

This is USBGuard. This is the UI of USBGuard. It lists all the currently plugged-in USB devices and it says if they are allowed or blocked in the current state. And this is the related settings page of USBGuard, where you can set the default action for new USB devices and the timeout, other stuff. In practice, when you plug a new device you get this pop-up right here. It has a bunch of numbers and letters. It says the serial number, the name of the device, this is the USB class, and you have 23 seconds to decide if you
want to allow it or block. And if you don't act in these 23 seconds, this pop-up will go away and you have this USB device that will not work.

This is USBGuard GNOME. It's a better attempt at managing USB protection. It still lists all the USB devices that you have, and when you plug a new device you'll get a notification, better integrated in the system, with the allow or block button. But still, in this case the user needs to decide what to do, and also, if you don't press any of these two buttons in maybe five, ten seconds, this notification will go away and you will not be able to see these buttons anymore. This driver, the newly plugged device is blocked until you press allow, so if you don't have any other mouse or keyboards already connected, you cannot.

Already? If they're authorized at that good time, yes.

So, for the internet, there have been many comments around whether this dialogue now could be used from this malicious keyboard that you've just plugged in. The answer is, we get back to that in a few times. So the thing is that you can clone the USB device. So if there is any rule that allows some kind of USB device with a specific serial number, you just clone it and it is allowed by default. You don't see this pop-up and you can play with that.

Yeah, these are just the numbers advertised by the device itself, so you can clone them, and if you know that a particular device is already authorized, then you can clone this device with yours. So then we go here, where even just installing USBGuard with its UI, a bunch of users completely blocked themselves from, it's a very secure system.
Yeah, in this case, and they are completely protected from malicious USB devices.

So our attempt here is, well, a few takeaways here. And the first one is that we don't want to lock users out from their system, and we tried the GNOME approach, where we incrementally build the protection. So we started from simple cases and then we grew it up. For example, the first step was a switch, on-off, where you can disable all new USB devices. And this was related to a simple use case where the user, maybe they want to go travel, and so they bring their laptop with them, they want to be secure against the USB devices that some user may plug into their laptop. So they just turn on the protection and no USB devices will be allowed.

Then a smarter protection, it's while the lock screen is on. In this case, if the lock screen of your computer is on, then no USB devices will be allowed. If the lock screen is off, then you can plug in new USB devices. And this is because if your lock screen is on, maybe it's because you are not in front of your computer, so you don't want to plug new devices.

And the first step that is still our work in progress is to treat keyboards differently, because they are one of the more dangerous categories for USB, because you can plug a keyboard that automatically inputs some keystrokes on your behalf.

So this is how we present our functionality. This was a concept where, in the control center, in the privacy tab, we added this "disallow new USB devices" row, and it had a simple on-off switch. And we're being hacked. The second attempt: for the scenario we had this drop-down menu where you can select the protection level that you want. This is like always protect, or only when the lock screen is locked. And this is how it currently works. So it's, okay, it works.
We have this on-off switch and then you can select the protection level that you want for your USB devices. And it also checks, because in the back end we use USBGuard, so it checks if USBGuard is currently available in your system, and if it's not, then you cannot turn on the protection. We also show an icon in the top bar, letting the user know that the USB protection is currently active. And also in this case, if USBGuard is not available or the protection is not active, we don't show the icon.

And this is a recap, I don't know if you can see this, of what happens when you plug a new device into your computer. If the USB protection, then the device will be authorized, or it will, for example, if you have USBGuard installed and manually configured, or use a third-party UI for USBGuard, then from the GNOME standpoint we don't block this device; we'll let the user do what they configured in their system. If the USB protection is on, then we as GNOME are the ones that manage the USBGuard configuration. So if the protection is never blocked, then we manually authorize the new devices that are plugged into the system. If you have a block with lock screen, then we check if the lock screen is active. If the lock screen is not active, then we authorize the device. If the lock screen is active, we added this extra check about keyboards, and we check if the plugged device is a keyboard, because if, for example, your main keyboard breaks and you have the protection enabled, then you are unable to plug a new keyboard into your system and you're basically locked out of your system.
Yeah, so in this check we control if the keyboard that you are trying to plug in is the only available keyboard in your system. If it is, then we authorize the keyboard even if the protection was active. This is mainly a choice; we chose that because we are willing to compromise a bit of security in favor of a more usable system. Okay, this is the

Right, so notice how we've tried very hard to not ask the user about whether they want to have this device attached. We try to infer the intent of the user by, you know, other means that we have available, as the session, for example the lock screen. And we hope that this provides better protection overall, knowing that users will use the security solution without maybe even knowing that it exists, because it just works, you know.

And we haven't finished. Like, this is all work in progress, right? So if you have, like, comments or ideas, then now is the perfect moment, because we're just right now in the process of, well, letting all bits and pieces fall in place so that this works. So if you have ideas as to, you know, what else needs to be done or should be done, we're all ears for taking comments regarding what to do.

Think of the most prominent attack that we've seen, this BadUSB stuff. We're trying to be clever about this and try to swallow the keys that are not, or that we consider to be dangerous. So a keyboard, well, can press all sorts of keys, right?
And we somehow need to deal with a keyboard pressing, say, Alt-F2 and then R or something, because we wouldn't want a, you know, and which is keyboard to steal our minds to the high school, whatever. So we're in the progress of writing this code and getting the infrastructure in place to, well, detect whether keystrokes have come from a keyboard that we are not, well, fully trusting yet, maybe. And yeah, this is all being developed right now as we speak. So again, if you have comments around this, please, you know, approach us.

And let me just finish up this last slide. We have other things that we have on the horizon, the most important one probably being the USB Type-C authentication. So there is in the standard a way for USB devices to, well, be authenticated. So in the future USB devices will have private keys and certificates, and then, you know, you can ask the device whether it really is that device that you think it is. And for better or worse, I don't see how it currently would work in Linux. So we will have to deal with this situation eventually. And, well, there's Thunderbolt as well. You could argue that it's very similar in what it does and how it works. So we might sort of touch base with some Thunderbolt stuff and reuse bits and pieces from there.

Another bigger problem is that if we wanted to eventually ramp up protection capabilities, as we've mentioned, we want to start slowly and then incrementally build up our protection capabilities, and one thing we don't know yet how to do properly is the early boot phase, like before our stuff even runs. That's a bit, you know, unknown how to do that.

Yeah, with that, I think we're ready to close and take questions, and first we'd like to thank you for your attention. And then we're happy to discuss now or later. So that being a few hands, maybe. Maybe let's use the microphone for the internet.

So what do you authorize, devices or interfaces, right?
So us using USBGuard, there's only devices for now.

Okay, because the kernel now also supports interface authorization, and I think it is way better, because the typical attack vector for that, to still exploit the same CVE, would be just to provide the man-in-the-middle device that will introduce, with the same vendor ID, product ID, etc., a skateboard and odd interface with the middle