Understanding the USB keyboard problem

I am struggling to understand the risks of using a USB keyboard and/or mouse.
The devs recommend against it:

But, why can a USB keyboard control the whole PC if it’s connected to a VM? What do I do if I don’t have the ability to install a second USB controller in my PC? Does the second USB controller really solve anything, as it’s still a USB? Why is PS/2 keyboard not a problem, but USB keyboard can control dom0?

And most importantly, what is the futureproofness of this? PS/2 peripherals and actual PS/2 internal controllers (not a faked one that actually converts it to USB) are few and far between nowadays and it’s only going to get worse. There simply has to be another solution in the long term.

Currently I’m wondering if it’s even worth it to use Qubes if I break its isolation by using a USB keyboard because I have no other choice. I don’t want to use a laptop (which generally have internal PS/2 keyboards) because they are horrible for ergonomy, and buying one only for the keyboard and using an external monitor is just a waste of money.

Is this about shady proprietary firmware in the keyboard, like a rubber ducky attack? I heard about the possibility to even implement a network-connected spyware in a keyboard’s cord due to USB’s innate insecurity because the USB is capable of doing so much. Would building your own one and flashing it with open firmware like QMK be a solution? However, there is still the USB mouse…

Wouldn’t this be solvable with something like a “usbguard”? It’s a utility that can control which USB devices can interact with the system. If for example I allow only one device with a keyboard interface at a time, wouldn’t that protect me from rubber ducky-like malicious storage devices with hidden input interface? Whitelising specific devices sounds risky because if it breaks, I get locked out permanently.

1 Like


A PS/2 keyboard is directly connected to dom0. On the other hand, USB keyboard is connected to USB VM, as are all other usb devices.
So if the USB VM is compromised and you type your password in your keyboard, it is possible to an adversary that compromised your USB VM to know it and try to exfiltrate it using some other USB device.
But you can bend this scenario, so you have some advantage:
1 . You can use one USB controller only to you USB keyboard (and possibly mouse). That way it is harder to exfiltrate data.
2. I think you can even go beyond this and create a USB VM only to keyboard if you have more than one USB controller.
3. You can use disposable USB VM. That way, even if you USB VM is compromised, the problem will not survive (hoppefuly) to a VM reboot.

PS: notice that the point of USB VM is to isolate dom0 from USB devices, because they can be attack vectors. And dom0 compromise is game over.
PS2: I am no specialist in security! Just sharing my understanding.


Actually I thought it was the other way around. Qubes will not create a USB VM (upon installation) if you are using a USB keyboard.

1 Like