USB Keyboard and Mouse Risk

Hi mods - I have searched both the Whonix and Qubes documentation regarding this issue - feel free to delete/re-direct as necessary if it is too general for this forum e.g. Qubes users forum.

It is understood that USB devices in general pose significant risks for Dom0 in Qubes - and thus Qubes-Whonix - see expert opinions here:

Joanna notes possible attacks coming from: malformed partition tables, malicious devices pretending to be keyboards/mice, sniffing/spoofing signals on the bus, and downloading of buggy/malicious drivers.

The greatest risk from USB drives, removable media and attachments appears to be that they can’t (commonly?) be independently delegated to different VM domains when a user has a USB keyboard and/or mouse arrangement.

If I understand correctly, all USB controllers ‘live’ in Dom0 and most often are: shared, or there is only one controller available, or none free to assign. Users have already reported locking themselves out of Qubes installations (no keyboard) by creating USB VMs in this scenario.

So my question is, what are the real-world security implications of using a ‘dumb’ USB keyboard and/or mouse in a desktop arrangement regardless? That is:

  • How dangerous is it if other USB devices are not attached e.g. removable drives, USB sticks, cameras etc?
  • How easily can this arrangement be remotely (not locally) exploited?

The Qubes architecture documents state that only PS/2 connected keyboards and mice (like those mostly found in laptops) are currently safe for proper isolation i.e. because they don’t rely on USB-controllers found in Dom0.

Is the only sensible suggestion that Qubes-Whonix desktop users migrate to PS/2 ports (when available) for their keyboard and mouse? It is mostly still supported on modern hardware, despite the aging status of the six-pin protocol (1987).

I wonder if this issue is sufficiently mitigated when full PVUSB functionality becomes available in Xen (4.7?). That, plus full GUI VM status will have Qubes-Whonix rocking. :wink:

Anyway, I’m interested to hear your thoughts (a one-liner is fine if too off-topic).

P.S. The documentation may benefit from basic instructions on installing the Selfrando-enabled Tor Browser in a Whonix template e.g. SHA256sums, PGP verification, creating a new menu entry etc. More testers for this outstanding new resource would be great and surely will appeal to the Whonix community in general.

https://blog.torproject.org/category/tags/selfrando

This belongs to Qubes support channels.

https://forums.whonix.org/t/what-to-post-in-this-qubes-whonix-forum-and-what-not

Hi Patrick

No problem. This solution may be of interest to other readers running Qubes-Whonix on a desktop computer (many I suspect).

To remove the risk of the USB mouse and/or keyboard allowing a hacked AppVM to access dom0, this works:

STEPS

  • Check your computer has PS/2 ports for keyboard and mouse (most do)
    See: PS/2 port - Wikipedia

  • In dom0, a) list the devices on your system with:

lspci

and b) check which USB bus the device(s) are connected to:

lsusb

  • Buy x1 or x2 $2 PS/2 to USB hardware adapter(s)

  • Re-install Qubes with the USB mouse and/or keyboard plugged into the PS/2 adapter(s)*

  • At the template creation step of the installer, select the creation of a ‘USB’ qube in addition to other desired templates (Whonix, sys-whonix etc.)

  • Reboot

  • Check the USB keyboard and/or mouse now do not have any existing USB connections by re-running:

lsusb

  • Check all USB devices are now assigned to your sys-usb VM (VM settings → Devices)

*Note: you can’t just use the physical adapters in a pre-existing Qubes 3.1 installation that already detected your USB mouse and/or keyboard when setting up the system the 1st time around - the risk to dom0 remains. Even if you try, it will typically only detect either the keyboard or mouse via the adapter and not both at the same time.

Special case: This matter is complicated if you only have one PS/2 port. In that case, you should use the USB keyboard in the PS/2 adapter, and use the mouse forward proxy (in the usbVM) for mouse use only. The system should be set to lock-screen after a short period so that it cannot be used maliciously (credit: CooloutAC).

CUSTOMIZED QUBES INSTALLATION (OPTIONAL)

Consider a customized installation of Qubes, instead of the auto set-up.**

** This step allows you to remove any insecure dual boot arrangements you may have created e.g. Windows and other spyware.

  • Enter the custom installation page of the Qubes installer

  • Delete all existing partitions

  • Set the Qubes partition defaults:

Boot partition - mount point: /boot, name: sda1, size: 500mb, type: standard partition, filesystem: ext4, do not check the ‘encrypted’ box

Root partition - mount point: /, name: sda2, size: (the rest of your drive minus 5-10gb for swap), type: LVM, file system: ext4, vol group: qubes_dom0, check the ‘encrypted’ box

Swap partition - name: swap, type: LVM, file system: swap, vol group: qubes_dom0, check the ‘encrypted’ box

  • Reboot and cross fingers.

OUTCOME

If all has gone well, you have a working keyboard and/or mouse AND a pretty ‘USB’ appVM sitting on your Qubes-Whonix desktop.

If you have no dom0 assigned USB devices, you can now connect potentially dangerous USB devices - USB block devices, webcams etc - via the sys-usb VM without having dom0 hacked, i.e. since your USB controllers should be free of input and programmable devices.

Note that single USB devices can be attached to any VM under Qubes 3.2

See “Creating and Using a USB Qube” and “Finding the Right USB Controller” for further information:

Thanks CooloutAC - will note above your good work-around. I got lucky with the USB controllers and ports myself.
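
The post-install checks from the STEPS list (re-running lsusb, confirming every USB controller went to sys-usb) can be scripted in dom0. This is an added example, not part of the original posts: the function names are hypothetical, the sample output is constructed, and it assumes a controller assigned to sys-usb shows "Kernel driver in use: pciback" in `lspci -k`.

```shell
#!/bin/sh
# Added example (not from the thread): dom0 checks for the steps above.
# Assumption: a controller assigned to sys-usb shows
# "Kernel driver in use: pciback" in `lspci -k`.

# stdin: `lspci -k` output. Prints USB controllers NOT bound to pciback.
controllers_not_isolated() {
    awk '
        function emit() { if (dev != "" && drv != "pciback") print dev " driver=" (drv == "" ? "none" : drv) }
        /^[0-9a-f]/ { emit(); dev = ""; drv = ""; if ($0 ~ /USB controller/) dev = $1 }
        /Kernel driver in use:/ { if (dev != "") drv = $NF }
        END { emit() }
    '
}

# stdin: `lsusb -v` output. Prints HID boot keyboards/mice still visible.
usb_input_devices() {
    awk '
        /^Bus [0-9]+ Device [0-9]+:/ { dev = $0 }
        /bInterfaceClass/    { hid = ($2 == 3) }
        /bInterfaceProtocol/ { if (hid && $2 == 1) print "keyboard: " dev
                               if (hid && $2 == 2) print "mouse: " dev }
    '
}

# Constructed sample output, so the example also runs outside dom0.
sample_lspci() {
cat <<'EOF'
00:02.0 VGA compatible controller: Example GPU
	Kernel driver in use: i915
00:14.0 USB controller: Example xHCI Controller
	Kernel driver in use: xhci_hcd
00:1a.0 USB controller: Example EHCI Controller
	Kernel driver in use: pciback
EOF
}
sample_lsusb() {
cat <<'EOF'
Bus 001 Device 003: ID 1234:5678 Example Keyboard
      bInterfaceClass         3 Human Interface Device
      bInterfaceProtocol      1 Keyboard
Bus 001 Device 004: ID 1234:9abc Example Flash Drive
      bInterfaceClass         8 Mass Storage
      bInterfaceProtocol     80 Bulk-Only
EOF
}

sample_lspci | controllers_not_isolated   # 00:14.0 driver=xhci_hcd
sample_lsusb | usb_input_devices          # keyboard: Bus 001 Device 003: ...
# In dom0: lspci -k | controllers_not_isolated; lsusb -v | usb_input_devices
```

Empty output from both functions on the real commands corresponds to the outcome described above: no USB controller left in dom0 and no USB keyboard or mouse visible there.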