Hi mods - I have searched both the Whonix and Qubes documentation regarding this issue - feel free to delete/re-direct as necessary if it is too general for this forum e.g. Qubes users forum.
It is understood that USB devices in general pose significant risks for Dom0 in Qubes - and thus Qubes-Whonix - see expert opinions here:
Joanna notes possible attacks coming from: malformed partition tables, malicious devices pretending to be keyboards/mice, sniffing/spoofing signals on the bus, and downloading of buggy/malicious drivers.
The greatest risk from USB drives, removable media and attachments appears to be that they can’t (commonly?) be independently delegated to different VM domains when a user has a USB keyboard and/or mouse arrangement.
If I understand correctly, all USB controllers ‘live’ in Dom0 and most often are: shared, or there is only one controller available, or none free to assign. Users have already reported locking themselves out of Qubes installations (no keyboard) by creating USB VMs in this scenario.
So my question is: what are the real-world security implications of using a ‘dumb’ USB keyboard and/or mouse in a desktop arrangement regardless? That is:
- How dangerous is it if other USB devices are not attached e.g. removable drives, USB sticks, cameras etc?
- How easily can this arrangement be remotely (not locally) exploited?
The Qubes architecture documents state that only PS/2 connected keyboards and mice (like those mostly found in laptops) are currently safe for proper isolation i.e. because they don’t rely on USB-controllers found in Dom0.
Is the only sensible suggestion that Qubes-Whonix desktop users migrate to PS/2 ports (when available) for their keyboard and mouse? It is mostly still supported on modern hardware, despite the aging status of the six-pin protocol (1987).
I wonder if this issue is sufficiently mitigated when full PVUSB functionality becomes available in Xen (4.7?). That, plus full GUI VM status will have Qubes-Whonix rocking.
Anyway, I’m interested to hear your thoughts (a one-liner is fine if too off-topic).
P.S. The documentation may benefit from basic instructions on installing the Selfrando-enabled Tor Browser in a Whonix template e.g. SHA256sums, PGP verification, creating a new menu entry etc. More testers for this outstanding new resource would be great and surely will appeal to the Whonix community in general.
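As an added example (not part of the original post and not Qubes or Whonix tooling), the following sketch maps each USB interface to the PCI host controller above it, which shows whether the keyboard and mouse share a controller with other devices before anyone tries to assign a controller to a USB VM. It assumes the standard Linux sysfs layout under `/sys/bus/usb/devices`; the function names are hypothetical, and any HID interface is conservatively treated as an input device.

```python
import os
import re
from collections import defaultdict

PCI_ADDR = re.compile(r"^[0-9a-f]{4}:[0-9a-f]{2}:[0-9a-f]{2}\.[0-7]$")
HID_PROTOCOLS = {"01": "keyboard", "02": "mouse"}  # boot-protocol codes from the USB HID spec

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return ""

def controller_of(real_path):
    """Return the PCI address of the host controller above a USB sysfs node, or None."""
    parts = real_path.split(os.sep)
    for i, part in enumerate(parts):
        if re.fullmatch(r"usb\d+", part) and i > 0 and PCI_ADDR.match(parts[i - 1]):
            return parts[i - 1]
    return None

def map_controllers(usb_root="/sys/bus/usb/devices"):
    """Group USB interfaces by controller: {pci_addr: {"input": [...], "other": [...]}}."""
    result = defaultdict(lambda: {"input": [], "other": []})
    for name in sorted(os.listdir(usb_root)):
        if ":" not in name:        # interface nodes look like "1-2:1.0"; skip device nodes
            continue
        node = os.path.realpath(os.path.join(usb_root, name))
        ctrl = controller_of(node)
        if ctrl is None:           # not behind a PCI host controller
            continue
        entry = result[ctrl]       # register the controller even if only its root hub is seen
        cls = _read(os.path.join(node, "bInterfaceClass"))
        proto = _read(os.path.join(node, "bInterfaceProtocol"))
        if cls == "09":            # hub interface (root hubs included), not a peripheral
            continue
        if cls == "03":            # any HID interface counts as input, to avoid a lockout
            entry["input"].append((name, HID_PROTOCOLS.get(proto, "hid")))
        else:
            entry["other"].append((name, cls))
    return dict(result)

def controllers_safe_to_detach(mapping):
    """Controllers with no HID input attached: candidates for assignment to a USB VM."""
    return sorted(c for c, v in mapping.items() if not v["input"])

if __name__ == "__main__":
    for ctrl, found in sorted(map_controllers().items()):
        print(ctrl, found)
```

A controller that appears in `controllers_safe_to_detach` carries no keyboard or mouse at the moment of the check; one that lists both `input` and `other` entries is the shared arrangement the post describes.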