Originally Posted by DuckHook
You can mitigate potential BadUSB attacks by defining udev rules that shut down new HID devices as per this strategy. But it's just an awkward kludge, and until USB is redesigned to be more secure by default, there really isn't much that any of us can do.
Thanks very much for the reply. I really appreciate it. It's a shame that this has been known for years, and almost nothing has been done about it.
The link advocates the following:
"...create a file /etc/udev/rules.d/10-usbblock.rules with the content:
#ACTION=="add", ATTR{bInterfaceClass}=="03" RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/../authorized'"
If you want to block other classes too, then look up the class number, and copy the line, and change the class.
Now you can block all new HID devices using the command
sed -i 's/#//' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules
and unblock with:
sed -i 's/^/#/' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules
Before you shut down, always unblock, as the setting is persistent, and your "good" HID devices would be rejected on reboot."
Are you saying that if I do exactly that, it will protect against a BadUSB attack? More importantly, is the unblocking command guaranteed to work correctly? I don't understand the syntax, and I have almost no way of debugging it. It looks like an easy way to at least temporarily brick my computer if anything goes wrong.
I will be very much in need of temporary protection in the near future. Kludge or not, I think we all need it.
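An added example, not part of the post above or of the linked page: the quoted unblock command prepends a `#` on every run while the block command strips only one, so the two can fall out of step. The shell functions below toggle the same rule file idempotently and report its state; the function names and the `RULES` override variable are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent block/unblock for the quoted rule file.
# RULES defaults to the path in the quoted instructions; point it at a copy to rehearse.
RULES="${RULES:-/etc/udev/rules.d/10-usbblock.rules}"

# Apply one sed expression via a temp file, then rename over the original,
# so an interrupted run never leaves a half-written rule file.
rewrite() {
    tmp="$RULES.tmp.$$"
    sed -E "$1" "$RULES" > "$tmp" && mv "$tmp" "$RULES"
}

# Reload udev only when editing the live rules directory (skipped on a rehearsal copy).
reload_rules() {
    case "$RULES" in
        /etc/udev/rules.d/*) udevadm control --reload-rules ;;
    esac
}

# Report what the file currently does: blocked, unblocked, or unknown.
hid_state() {
    if grep -Eq '^[[:space:]]*ACTION==' "$RULES"; then
        echo blocked
    elif grep -Eq '^[[:space:]]*#+[[:space:]]*ACTION==' "$RULES"; then
        echo unblocked
    else
        echo unknown
    fi
}

# Activate: strip every leading '#', however many have piled up.
hid_block() {
    rewrite 's/^[[:space:]]*#+[[:space:]]*(ACTION==)/\1/' && reload_rules
}

# Deactivate: comment out only lines that are active right now.
hid_unblock() {
    rewrite 's/^[[:space:]]*(ACTION==)/#\1/' && reload_rules
}
```

Source the file in a root shell, run `hid_state` before shutting down, and rehearse first with `RULES` set to a copy of the rule file outside `/etc`.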