Laptop / USB Question

Hello Everyone,

I’m working to securing my digital presence holistically…. I have deleted social media accounts, removed voice assistants from my home, switched to proton mail, and started using a VPN. I’m now working on moving off Windows 10 and settled on Qubes-os. I travel frequently with sensitive data so a laptop is a must. I was originally planning on building one; however I was drawn to the Librem 14 due to their work to secure the BIOS / Intel processors. My only hesitation at this point is that I often need to use an external keyboard and the Librem does not have a PS/2 input for a keyboard which will mean I use USB for the keyboard and mouse. If I use no other USB devices with Qubes-OS, how much risk is introduced by using a wireless USB mouse keyboard? I saw several posts on this,but did not fully understand how risky USB is if I only use a keyboard and mouse and no other USB devices. Thank you for any advise!

You’ve taken the first steps into taming the beast. Respect is due, but keep deepening your understanding of how those things work, right down to the individual steps, so you can better prevent yourself being taken advantage of.

Like, if you can explain a concept without using any jargon or “buzz-words”, then it shows you truly understand it :slight_smile:

So just to clarify, you don’t want to use the internal keyboard and trackpad? It’s fine if you don’t, but just wanted to check.

Well, let’s have a think about what is actually happening when you plug in a wireless keyboard.

You’re introducing a wireless antenna as a USB device into your machine that parses incoming radio waves from “another entity” and converts them to USB HID keystrokes via its USB plug to your Librem’s USB controller.

This wireless antenna USB device may or may not be pre-programmed to do other things, including things that might not be immediately apparent to the end user (that’s you).

The danger doesn’t lie in the fact that it’s “wireless”. That danger lies in the way the device operates, what protocols it uses, and how those protocol could potentially be exploited to get the device to do something that it shouldn’t be doing.

You have to consider this:

  • Do you know for a fact that this USB wireless receiver will only accept requests from your keyboard and nothing else? (The answer is NO, unless you built it yourself)
    • A keyboard from the guy next to you while you’re travelling?
    • A spoofed keyboard (this is not hard to do with a computer and any wireless antenna, once you figure out how that peripheral communicates, and how to send it similar commands)
    • A backdoor in the firmware (suddenly the USB dongle tells your laptop that it’s also a wifi antenna, and your computer acknowledges and uses it to connect to an attacker’s ad-hoc network)
  • Do you know that communication between the keyboard and dongle is encrypted?
    • You’d be surprised at how many are not… usually the cheap ones are not :rofl:
    • Is it encrypted both ways? (If an attacker knows when you’ve got your Caps Lock on, that information can be useful in some attack scenarios)
    • If it is encrypted, does every single device in that model class use the same encryption keys? (Most likely, yes, unfortunately… and then BOOM, the guy sitting next to you with the same dongle now knows your password :wink:)
    • If it is encrypted, can I add my own custom encryption key? (The cheap ones usually don’t have any software/firmware that allows this to happen, so unless you are prepared to “get your hands dirty”, “pop the hood” of the device and hack your own encryption key into it, the answer is likely no)

If these are all things you’re prepared to accept, then happy days. But most people who understand this would unlikely be willing to accept this :laughing:

Your assumption that a keyboard is just “a keyboard” is what’s tripped you up before :stuck_out_tongue:

But hey, you’ve taken your first step into a larger world. Welcome! :slight_smile:

1 Like

Thank you very much for the detailed reply. I’m absolutely committed to focusing on and learning about digital security. I’m a data analyst by trade so thankfully I have some technical (Python, SQL, etc.) expertise and I’m starting with a basic understanding of technology and data. As it relates to the USB, the keyboard does not need to be wireless. My wrists are not great so typically typing on a laptop is not ideal. I was fine with a PS/2 mouse and keyboard, but the laptop I was looking at only has USB hence the conversation around trying to figure out if I can use a USB laptop securely. Is there a way to configure USB to only accept keyboard/mouse type actions so they can’t execute any code? I guess that’s the part I’m struggling to understand… why/how would a computer allow any other input from the mouse / keyboard then expected data related to what is being typed / mouse movements.

Oh brilliant. Then you’ll know what happens if you view things on too macro a level :stuck_out_tongue:

Those skills will serve you well once you understand how the internet truly works (you’ll know that you fully understand it because you’ll be absolutely horrified by it).

These will help get you started:

These are easy to understand, and are actually really good at explaining the concepts.

No, it doesn’t. But you asked about wireless.

At least you’re now versed on wireless threats :wink:

Basically, the rule of thumb is cables wherever possible. When a wireless antenna transmits anything, it basically screams it out at full-volume in all directions simultaneously. Yes, it is possible to send “directional” signals, but that still isn’t something that is standard across the majority of devices yet.

The thing that makes wireless communication “secure” is making sure that whatever you’re screaming out can’t be understood by anyone else except the intended recipient.

Mind you, if you don’t own/control 100% of the cables you’re using to communicate (work networks, a VPN, public networks like the internet, etc.), then the same principle applies.

Encryption, encryption, encryption :slight_smile:

You’ll need to go deeper than “use securely” in order to get the answers you seek…

Secure against what?

The most secure laptop is one that has no electricity running through it. Fun fact: It’s also the least usable laptop in the world. So you need to find your own sweet spot somewhere in the middle, based on what you’re prepared to accept.

That’s OpSec in a nutshell :slight_smile:

No. That’s both the greatest strength and greatest weakness of the Universal Serial Bus (USB). Only one port/plug type, but that port/plug can be ANYTHING. Also, USB doesn’t do any kind of “verification” of what a device actually is, and what a device is and what the device declares itself to the computer as. The computer will just accept whatever the device says at face value.

It has to do that for USB to actually function properly…

Because of this, there is a market for tools such as this:

If you don’t wish to click on the link, you can search “USB Rubber Ducky” or “BadUSB” on your favourite internet search engine.

So, can I remove drivers for all USB devices except keyboards and mice?
You could, but if I got into your machine, the first thing I would tell it to do would be to put all those drivers back (you know, after stealing your private keys, loading monero miners, and adding you to my botnet :smiling_imp:)

Will it be “more secure”?
Stop throwing that term around like it means something :expressionless:

Is there a way to exploit it?
Well, if your computer will accept keystrokes, I could send keystrokes that open a terminal, install drivers, and get your USB qube to do things without your knowledge (assuming your computer blindly accepts anything coming from that USB device, which it would by default. Qubes OS is different, and that difference is explained below).

Because USB is one-size-fits-all, and is a convenience port. I’m glad it exists, but it also has its drawbacks.

If you funnel all passengers at an airport through one entrance, what about the celebrities and VIPs? What about the airport staff? How do you tell them apart?

No, you can’t issue a standardised “VIP Identity Card”. Besides, even if you did, half of them would leave that card at home and be like “Don’t you know who I am? I swear, you’ll never work in this industry again if you don’t let me in!”, etc etc.

Because of this, it’s the path of least resistance to just take their word for it. USB is somewhat similar.

Do you see how you’re kind of going in circles chasing your tail? :frowning:

On the default intended configuration, Qubes OS will alert you with a big dialog box if it detects a HID (Human Interface Device), and will then ask you whether you want it accept input from it. You can then decide whether you want to or not.

For example, if you plugged in a device that you thought was a flash drive, and then that dialog box showed up, you probably wouldn’t want that device plugged into your computer pretending to be a keyboard.

If you trust the device (for example, a keyboard you built yourself and wrote the firmware yourself for), then you’d likely be alright accepting that device.

1 Like

Thank you again for all the information! This will be a great springboard as I take a deep dive into these topics… the information about USB greatly increased my understanding!