As someone who has only spent enough time to superficially comprehend this threat, I am left wondering why Windows does not have a mode wherein I would be UAC-prompted to activate any newly-attached USB device, regardless of what it is. I'd like the OS to say, "Hey, it looks like you just attached another keyboard. Please authenticate on your boot keyboard to accept this new keyboard." Similar for other kinds of devices. "You just attached a new network adapter. Please authenticate to enable this new adapter."
I would enable such a feature without hesitation. Especially with Windows Hello-enabled UAC, the additional pain of authenticating in order to use USB devices is minimal. But even if I have to type in my password every time I attach a device, that's fine.
> Please authenticate on your boot keyboard to accept this new keyboard.
There's an IMO nicer protocol to use: have the display say "Please type 'foo bar baz' into the keyboard to activate it" where 'foo bar baz' is some random challenge. This doesn't depend on having a trusted keyboard or mouse with which to answer.
When the system is booted, which HID should it consider authoritative?
I suppose your solution would mitigate some of the problem but you could imagine MS being reluctant to take on this complexity without being confident it would squash the risk entirely. Imagine all of the new interesting failure modes of not just accepting all HIDs.
All of them. 90% of the risk comes from new devices attached after boot (and subsequently detached before reboot). Eliminating that threat can be done without inconveniencing users.
We're trying to do better when best is really, really hard. Saying "it's not perfect so it's not good enough" really doesn't make anything harder for attackers.
If you trust on boot, and someone forces a reboot, then that is a huge alert that something has changed.
And the thing about being Mossad'd is that even if you're being individually targeted, making it harder often is what lets you know you're being attacked.
Raise the bar to fend off attackers!
But if you put a USB device into a PC, wouldn't you want to authenticate it regardless of what it has on it? I think Microsoft's UAC security is pretty flawed in general, as it puts all the responsibility of installing an app package and making sure it's secure on the user.
Users who find a "lost" USB stick on the street would still authenticate it in Windows when they get home, so this would do nothing to protect them.
If they find a "lost USB stick", and the dialog box says "This is a network adapter, do you want to send your internet traffic through it", then they at least have that.
While this is a decent stopgap measure, I think Microsoft could remove this issue in its entirety in a way that's not overly intrusive: every time you plug in a new device, open up a dialog that says "We have detected a new {x} device and will activate it in 10... 9... seconds" with an option to activate it right away, block the device, or approve it for automatic activation in the future. This way you would notice if you plugged in what you thought was a USB stick and it showed up as a keyboard, and could block the device before you encountered an issue. By the same token, if your main keyboard broke and you had to replace it, you could do so without having to restart your computer.
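The thread asks for a mode in which only the HIDs present at boot are trusted and anything attached later must be explicitly approved. Windows has no challenge/response prompt of that kind, but its Device Installation Restrictions policy can approximate the "trust what is present now, refuse everything else" half of it. The script below is an added example written for this page, not code from any commenter or from Microsoft; it assumes an elevated PowerShell session on Windows 10/11 with the built-in PnpDevice cmdlets, and it writes the policy as local registry policy rather than through Group Policy.

```powershell
# Added example (not from the thread): lock device installation to the hardware IDs
# of the devices that are present right now, i.e. the "trusted at boot" set.
# Requires an elevated PowerShell session. Registry-based policy under the Policies
# hive is read by the device installer; a reboot is the safe assumption for it to
# apply everywhere (this is an assumption, not a documented guarantee).

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-PresentHardwareIds {
    # Hardware IDs of every device that is currently present and working.
    # Win32_PnPEntity exposes them as the HardwareID string array; root-enumerated
    # software devices frequently have none and are skipped.
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.Status -eq 'OK' -and $_.HardwareID } |
        ForEach-Object { $_.HardwareID } |
        Sort-Object -Unique
}

function Set-DeviceInstallAllowList {
    param(
        [Parameter(Mandatory)] [string[]] $HardwareIds
    )
    # Group Policy "Allow installation of devices that match any of these device IDs"
    # is the AllowDeviceIDs DWORD plus an AllowDeviceIDs subkey whose string values
    # "1", "2", ... hold the IDs. "Prevent installation of devices not described by
    # other policy settings" is DenyUnspecified. Together they form a deny-by-default
    # allow-list for anything plugged in after this snapshot.
    New-Item -Path "$PolicyPath\AllowDeviceIDs" -Force | Out-Null

    # Clear any previous list so stale IDs do not linger.
    Get-Item "$PolicyPath\AllowDeviceIDs" | Select-Object -ExpandProperty Property |
        ForEach-Object { Remove-ItemProperty -Path "$PolicyPath\AllowDeviceIDs" -Name $_ }

    $n = 1
    foreach ($id in $HardwareIds) {
        Set-ItemProperty -Path "$PolicyPath\AllowDeviceIDs" -Name "$n" -Value $id -Type String
        $n++
    }
    Set-ItemProperty -Path $PolicyPath -Name 'AllowDeviceIDs'  -Value 1 -Type DWord
    Set-ItemProperty -Path $PolicyPath -Name 'DenyUnspecified' -Value 1 -Type DWord
    Write-Host "Allow-listed $($HardwareIds.Count) hardware IDs; unlisted new devices will be refused installation."
}

function Remove-DeviceInstallAllowList {
    # Undo: remove the whole Restrictions key. You need this before a genuinely new
    # replacement keyboard can be installed, which is exactly the inconvenience the
    # thread is weighing against the protection.
    if (Test-Path $PolicyPath) { Remove-Item -Path $PolicyPath -Recurse }
}

# Usage: snapshot what is attached right now and lock installation to it.
$ids = Get-PresentHardwareIds
Set-DeviceInstallAllowList -HardwareIds $ids
```

Two caveats a practitioner should keep in mind. The policy gates driver installation, not input: a device that is already installed keeps working, and a malicious device that presents the VID/PID of an allow-listed keyboard is still installed, so this raises the bar against opportunistic "found USB stick" HID attacks rather than defeating a targeted adversary, which is the same trade-off the thread arrives at. And because the allow-list is a snapshot, every legitimate new peripheral requires an administrator to re-run the snapshot or remove the policy, which is the friction the ten-second countdown dialog proposed above was meant to avoid.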