I am questioning how dangerous using a USB keyboard actually is, because even if we assume a keyboard is somehow infected with BadUSB, what can it actually do, except type?
The fact that it may represent itself as another device (e.g. a network card) does not mean it actually has the instruction set to be a network card. So, it can only type commands. A PS/2 keyboard can do the same. So, what’s the difference?
To my mind, the process of installing Qubes OS from a USB drive is much more of a problem because:
-
The installer is stored on the USB drive unencrypted, i.e. the firmware of the USB drive has full access to it and can modify it. Additionally, a specially crafted USB device could probably infect the BIOS/UEFI.
-
That firmware is proprietary in almost all cases. Even if it is not, one still needs to somehow be able to verify what exact firmware the USB drive uses, or flash one’s own build of it. Then the question is - how does one do it? On what hardware and OS? How is that hardware (and everything related to it) guaranteed that it itself is clean and won’t infect the USB drive? IOW, how does one “start clean” along the chain?
So far, the only FOSS/H USB drive I know of is Nitrokey Storage. Its unencrypted storage, however, is only 2 GiB. So, to be able to put a Qubes OS installer on such device, first one needs to rebuild its firmware and reflash it.