Vectors of Attack via USB Devices

I’ve been having a look through the documentation around the USB qube and assorted vectors of attack: Device handling security | Qubes OS

I have a few questions.

Why are PS/2 devices recommended? What makes a PS/2 device secure and a USB device insecure? I get the impression USB devices in general have more vectors for exploitation.

The main emphasis seems to be on protecting against untrusted USB devices, which makes sense. Then the thought arises what makes a device trusted. I’d say a completely trusted device is one that has only ever been used on a given device from the factory (if a middle man has fiddled with it). Then there would be varying degrees of trust from there, i.e. a USB which has been used on another device but formatted, or a mouse you’ve never lent to anyone but used on other devices etc…

Are there concerns around other USB devices, say a DVD drive, which obviously isn’t an input device like a keyboard or mouse?

I’m under the impression Qubes is built in such a way that if someone gets your device, plugs a USB device in, that USB device is completely blocked from interacting with the device unless you log in and “attach” the USB device to a qube, is that correct?

USB is a shared bus, i.e. all USB devices attached to the same PCIE hub will be able to talk to each other. Malicious USB devices (e.g. your DVD writer) can also easily register themselves as keyboards or whatever they want.

PS/2 is not shared and restricted to keyboard or mouse only IIRC.

What security properties you have wrt USB heavily depends on how you configure Qubes OS and/or what you did during the Qubes OS installation (e.g. if you used a USB keyboard during install or not).

Currently there are 3 modes:

  1. Some USB controllers in dom0 (e.g. if you need a USB keyboard) & USBGuard disabled → Qubes will warn you during boot about “unrestricted USB” or so. → Essentially any bad USB device on any such port may gain control of Qubes OS.
  2. Some USB controllers in dom0, restricted by USBGuard. → Some protection, useful for those who need USB keyboards.
  3. No USB controllers in dom0, all assigned to sys-usb. → Best protection for those with PS/2 inputs. Good, but less great with input forwarding from USB keyboards to dom0 (see the doc article you mentioned for the remaining attacks).

Mode 2 was added with 4.1 and doesn’t exist on 4.0.

2 Likes

Sorry to hijack the thread, but may I ask: Does having a USB to PS/2 adapter, then also a PS/2 to USB adapter to connect USB keyboard / mice to a USB port make any sense whatsoever?

Is PS/2 only valuable if you have a PS/2 port, as that then operates entirely different to the USB controller bus structure you mentioned?

Sorry if this sounds ridiculous, I just wasn’t sure if there was some sanitizing effect of having a USB peripheral communicate through PS/2 that stands on its own, even if it is just converting from USB to PS/2, then PS/2 back to USB. It seems that may have been a fundamental misunderstanding.

1 Like

This doesn’t sound ridiculous at all. I was actually going to ask the same thing :slight_smile: I guess at the end of the day, you are still plugging a USB device in and whatever that device is, I guess, could be malicious; if it’s just an adapter cable, one would think that’s less likely to be malicious. If you’re going from USB to PS/2 and back again that could potentially introduce two malicious devices in theory.

Yes, I guess I just wonder if there is something about what PS/2 forces a peripheral to communicate its information that might cut off its ability to execute malicious code & try to hijack other devices on the bus. As I type this it seems unlikely, and really the advantage of PS/2 is just having the peripheral not be on a USB bus in the first place where it can spoof as something else etc.

I know BadUSB type attacks can occur with cables (look into OMG cables) so perhaps even if that was the case that forcing the peripheral to communicate via PS/2 somehow sanitizes its input, that having it go back to a USB that you can’t totally trust is just shifting the trust downstream.

Malicious code in the keyboard / mouse would seem niche enough of a threat model that just reintroducing a USB cable that could be an OMG type cable doesn’t really do anything to solve your problem, even if it does sanitize the peripheral itself.

1 Like

Yeah I get you, hardware communication, USB buses, low level protocols etc. aren’t really my wheelhouse so this thread is great. Re link: Oh wow, thanks for sharing, wasn’t aware cables like that were so easily available

It is possible to have malicious PS/2 devices. You can program a device to simulate keystrokes and mouse movements in exactly the same way. They’re just electronic signals, after all…

Any USB device can suddenly send a signal like “Hey! I’m a keyboard now!”, and most OSes will just go “cool, no problem, buddy”, and accept input from it.

It wasn’t necessarily a “bug” or an oversight. Quite a few Bluetooth controllers, and even some USB sound cards, will send HID signals (for example, if the volume buttons are pressed on the headphones connected to the sound card), which is pretty cool functionality (just a nightmare for security).

What makes PS/2 special is that it is only for input, and cannot be made to do anything else (not without some serious surgery on the machine). Not only this, most PS/2 inputs would not be interchangeable (most motherboards had a KEYBOARD port and a MOUSE port, and they wouldn’t work if you plugged the wrong one into the wrong port). This also meant that it was a massive pain in the derriere (but not impossible) to plug in multiple keyboards into the same machine. Also, if a PS/2 keyboard or mouse was unplugged, the ports would stop working until the machine was rebooted. Granted, it wasn’t on every machine (and it SUCKED if you accidentally pulled the mouse cable a little too hard…), but it was definitely something that helped prevent “hijacking” of machines by peripherals.

Before USB, peripherals weren’t able to declare to the machine what they were, and have the machine accept it at face value. The printer went via the parallel port, the modem went via the serial port, the external hard drive went via the SCSI port, and they never mixed… :wink:

A PS/2 device cannot suddenly declare itself as something else (a scanner, a printer, a HID device, a hard drive, a monitor, an eGPU, a wifi antenna, an ethernet port, a serial tty, a stylus pad, a keyboard, a sound card, or anything else) like USB devices can, even without being unplugged and plugged back in.

This means that if your cursor starts moving around wildly, or you start getting weird inputs, they can only come from one place. Well, that’s the idea, at least :slight_smile:

So, that’s at least something

4 Likes
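The replies above about a DVD writer registering itself as a keyboard, and a device announcing "I'm a keyboard now", come down to the interface classes a device reports in its USB configuration descriptor. The following is an added example (not code from any poster or from Qubes OS) that parses such a descriptor and flags input-capable devices; the two sample descriptors and the finding names are constructed for illustration.

```python
"""Flag USB devices that can inject input, from their configuration descriptor."""

HID, MASS_STORAGE = 0x03, 0x08   # USB-IF interface class codes
DT_INTERFACE = 0x04              # bDescriptorType of an interface descriptor

# Constructed sample: an ordinary boot-protocol keyboard (one HID interface).
KEYBOARD = bytes.fromhex(
    "09022200010100a032"      # configuration, wTotalLength = 34
    "090400000103010100"      # interface 0: class 03, subclass 01, protocol 01
    "092111010001223f00"      # HID class descriptor
    "0705810308000a")         # interrupt IN endpoint

# Constructed sample: an optical drive that also exposes a keyboard interface.
DRIVE_PLUS_KEYBOARD = bytes.fromhex(
    "090239000201008032"      # configuration, wTotalLength = 57, 2 interfaces
    "090400000208025000"      # interface 0: mass storage, bulk-only transport
    "07058102000200" "07050202000200"
    "090401000103010100"      # interface 1: HID boot keyboard
    "092111010001223f00" "0705830308000a")

def interfaces(blob: bytes):
    """Walk the descriptor chain; return (class, subclass, protocol) tuples."""
    found, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < 2 or blob[pos] < 2 or pos + blob[pos] > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        length, dtype = blob[pos], blob[pos + 1]
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            found.append(tuple(blob[pos + 5:pos + 8]))
        pos += length
    return found

def assess(blob: bytes):
    """Return review findings (names are this example's own) for one device."""
    ifaces = interfaces(blob)
    has_hid = any(cls == HID for cls, _, _ in ifaces)
    findings = []
    if has_hid:
        findings.append("input-capable")        # any HID interface can send input
    if (HID, 0x01, 0x01) in ifaces:
        findings.append("boot-keyboard")        # works even before the OS loads
    if has_hid and any(cls != HID for cls, _, _ in ifaces):
        findings.append("hid-plus-other-function")
    return findings

if __name__ == "__main__":
    for name, blob in (("keyboard", KEYBOARD), ("drive", DRIVE_PLUS_KEYBOARD)):
        print(name, interfaces(blob), assess(blob))
```

A "hid-plus-other-function" result is a prompt for review, not a verdict: as noted above, some sound cards legitimately expose HID for volume buttons.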

I guess that it heavily depends on the precise electrical implementation of the adapters and one would likely have to try whatever attack method one would like to prevent with it to be sure.

Personally I’ve never had any success with any ps2-USB adapters even for their intended use case at all.

1 Like

Modern motherboards seem to just have a single port that accepts both mouse and keyboard; it’s color coded half green and half purple to show it can use both types of hardware.

I have 3 desktop systems at home, it’s the same on all 3.

Well, there you go. I stand corrected. :slight_smile:

Hmmmm, maybe you (but actually I suspect that you meant not you but someone else :thinking:) should stand where I am, because that is not necessarily so (or were you meaning something else with the acquiescence :thinking:). Perhaps what @alzer89 meant was that the single port systems could be taken to comprehensively be an indication that there is not a limit to the plugging in of keyboards & mice with all PS/2? Likely that the design of the single port system is slightly different than those with two both in hardware & BIOS/UEFI, not sure that you can rule in the possibility that with a two jack system that you can interchange the types of devices as handily as might be suggested.

There are a few new motherboards from common motherboard manufacturers (not referring to the custom ones made for vendors of complete systems like laptops or commodity PCs like Dells et al which is a bit off to the side of what I consider for this - since the motherboard & the selected interfaces often depend upon the vendor’s understanding of the market for their products & hence may have substantially fewer with PS/2 ports) each generation that have two jacks, a few more that have one jack & a few that have none but PS/2 isn’t as invisible in the world as some would have you believe. I know, the number of people prepared to build systems from the ground up is limited also - costs, etc. I also hesitate to fill in gaps here by specifically mentioning models as the availability of the products might sharply shift (oh how I would love to influence the purchase of such if it could only be guaranteed to influence the manufacture - more good designs instead of less :pensive:). Not to mention that some might take this as an endorsement of products which would not suit as I can not support these products which others might feel that I had endorsed. I periodically peruse the offerings of Asus, Gigabyte, Asrock, MSI, et al for motherboards so I have some experience here (building personal-use systems for something like 20+ years).

1 Like