BashBunny keyboard handling
IMHO many BashBunny attacks can be prevented if the screen is locked after a keyboard is attached to a live system. Directly after the screen is locked the keyboard is activated. That way the user will have to authenticate before entering commands.
Alternative: Do not lock the screen but show a modal dialog where the only exit is possible by a human entering a randomly generated string to confirm he's not a BashBunny.
That way a user could switch keyboards in the event of coffee-spill damage to the old one, which is not possible with the current whitelist/blacklist...
Maybe this could be handled by USBGuard and a cooperating GUI application that will just get a D-Bus notification.
Background Info: I did analyse the BashBunny attacks. Most of them use HID as an entry point of the attack and require an unlocked account:
https://github.com/Thorsten-Sick/rabbitstew
We are currently working towards detecting modifier keys and, e.g., blocking them rather than the whole keyboard. The advantage is that we don't annoy the user with locking their screen and that things like YubiKeys keep working.
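
A sketch of the modifier-key filtering idea from the reply above, as an added example that is not USBGuard's code or its planned implementation. It assumes the keyboard sends 8-byte HID boot-protocol reports; `filter_report`, `replay`, `BLOCKED_MASK`, the choice to let Shift through, and the sample reports are all constructed for illustration.

```python
# Added illustration, not USBGuard code: strip modifier chords from an
# untrusted keyboard's boot-protocol HID reports, let plain typing through.

# Byte 0 of the 8-byte boot keyboard report is a modifier bitmap (USB HID spec).
MODIFIERS = {
    0x01: "LCtrl", 0x02: "LShift", 0x04: "LAlt", 0x08: "LGUI",
    0x10: "RCtrl", 0x20: "RShift", 0x40: "RAlt", 0x80: "RGUI",
}
# Assumption of this sketch: Shift is ordinary typing; Ctrl/Alt/GUI are blocked.
BLOCKED_MASK = 0xFF & ~(0x02 | 0x20)


def filter_report(report: bytes, trusted: bool):
    """Return (report to forward, names of blocked modifiers found in it)."""
    if len(report) != 8:
        raise ValueError("boot keyboard report must be exactly 8 bytes")
    hit = report[0] & BLOCKED_MASK
    if trusted or not hit:
        return report, []
    names = [name for bit, name in MODIFIERS.items() if hit & bit]
    # Drop the key codes too: forwarding the letter of a blocked chord
    # would turn the shortcut into a stray keystroke.
    cleaned = bytes([report[0] & ~BLOCKED_MASK & 0xFF, 0]) + bytes(6)
    return cleaned, names


def replay(reports, trusted=False):
    """Filter a sequence of reports; return (forwarded reports, audit log)."""
    forwarded, audit = [], []
    for index, raw in enumerate(reports):
        out, names = filter_report(raw, trusted)
        forwarded.append(out)
        if names:
            audit.append((index, "+".join(names)))
    return forwarded, audit


# Constructed sample input: Shift+h, 'i', GUI+r, Ctrl+Alt+t, all keys released.
SAMPLE = [bytes.fromhex(h) for h in (
    "02000b0000000000", "00000c0000000000", "0800150000000000",
    "0500170000000000", "0000000000000000",
)]

if __name__ == "__main__":
    forwarded, audit = replay(SAMPLE)
    for before, after in zip(SAMPLE, forwarded):
        print(before.hex(), "->", after.hex())
    print("blocked:", audit)
```

Devices that emit no modifier chords pass through unchanged, and the audit log records which report index was blocked and why.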