I am struggling to understand the risks of using a USB keyboard and/or mouse.
The devs recommend against it:
But why can a USB keyboard control the whole PC if it’s connected to a VM? What do I do if I don’t have the ability to install a second USB controller in my PC? Does the second USB controller really solve anything, as it’s still USB? Why is a PS/2 keyboard not a problem, but a USB keyboard can control dom0?
And most importantly, what is the futureproofness of this? PS/2 peripherals and actual PS/2 internal controllers (not a faked one that actually converts it to USB) are few and far between nowadays and it’s only going to get worse. There simply has to be another solution in the long term.
Currently I’m wondering if it’s even worth it to use Qubes if I break its isolation by using a USB keyboard because I have no other choice. I don’t want to use a laptop (which generally has an internal PS/2 keyboard) because laptops are horrible for ergonomics, and buying one only for the keyboard and using an external monitor is just a waste of money.
Is this about shady proprietary firmware in the keyboard, like a rubber ducky attack? I heard about the possibility of even implementing network-connected spyware in a keyboard’s cord due to USB’s innate insecurity, because USB is capable of doing so much. Would building your own and flashing it with open firmware like QMK be a solution? However, there is still the USB mouse…
Wouldn’t this be solvable with something like a “usbguard”? It’s a utility that can control which USB devices can interact with the system. If for example I allow only one device with a keyboard interface at a time, wouldn’t that protect me from rubber ducky-like malicious storage devices with a hidden input interface? Whitelisting specific devices sounds risky because if it breaks, I get locked out permanently.