O.mg Cable (hak5.org)
36 points by colinprince on July 18, 2023 | 15 comments



I think a partial solution to this is when a USB device connects it should need permission to perform certain categories of actions. Like Safari asks the user “this website would like to know your location”, macOS could tell users when they plug in their phone to charge off their laptop: “The device you just connected wants to be a keyboard. Allow?”

Yes, it would still spoof the Apple Magic Keyboard or whatever, but you’d need to allow the keyboard to be a keyboard every time you connect it. If you plug in something that should definitely not be a keyboard, you can investigate the cable by swapping out with a known good cable.


Don't know about macOS, but USBGuard exists for Linux. I tried it for a while, and found it too annoying to continue.

https://usbguard.github.io/


The annoyance comes mostly from cheap USB gadgets not having serial numbers. Someone invent a cheap way to have a part of mass manufactured ROM contain entropy (fixed per device).
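The per-category prompt and the serial-number annoyance discussed in the comments above, as an added sketch that is not part of the thread and is not USBGuard's code: it decides whether a newly attached device needs a "wants to be a keyboard" prompt. `UsbDevice`, `identity`, `decide` and all sample IDs and serials are hypothetical.

```python
from dataclasses import dataclass

HID_CLASS = 0x03  # USB interface class for human interface devices (keyboards, mice)

@dataclass(frozen=True)
class UsbDevice:          # constructed model of the descriptors a device reports
    vid: int
    pid: int
    serial: str           # "" when the device reports no serial number
    interfaces: tuple     # one (class, subclass, protocol) triple per interface

def identity(dev):
    """Key under which an approval is remembered. It includes the interface set,
    so a known device that starts offering a new function counts as new."""
    return (dev.vid, dev.pid, dev.serial, tuple(sorted(dev.interfaces)))

def decide(dev, approved):
    """Return 'allow', 'prompt' or 'prompt-every-time' for a newly attached device."""
    if not any(cls == HID_CLASS for cls, _sub, _proto in dev.interfaces):
        return "allow"                # this sketch only gates input-capable devices
    if not dev.serial:
        return "prompt-every-time"    # every unit looks alike, nothing to remember
    return "allow" if identity(dev) in approved else "prompt"

# Constructed sample devices (IDs and serials are made up).
KEYBOARD = UsbDevice(0x1234, 0x0001, "KB-0001", ((0x03, 0x01, 0x01),))
FLASH_DRIVE = UsbDevice(0x1234, 0x0002, "FD-0001", ((0x08, 0x06, 0x50),))
# Same IDs and serial as the flash drive, now also presenting a HID keyboard interface.
DRIVE_PLUS_HID = UsbDevice(0x1234, 0x0002, "FD-0001",
                           ((0x08, 0x06, 0x50), (0x03, 0x01, 0x01)))
CHEAP_KEYBOARD = UsbDevice(0x1234, 0x0003, "", ((0x03, 0x01, 0x01),))

def demo():
    approved = set()
    results = {"keyboard, first plug": decide(KEYBOARD, approved)}
    approved.add(identity(KEYBOARD))          # user answers "Allow"
    results["keyboard, replug"] = decide(KEYBOARD, approved)
    results["flash drive"] = decide(FLASH_DRIVE, approved)
    results["drive that gained HID"] = decide(DRIVE_PLUS_HID, approved)
    approved.add(identity(CHEAP_KEYBOARD))    # approval cannot stick without a serial
    results["no-serial keyboard"] = decide(CHEAP_KEYBOARD, approved)
    return results

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Every field in the remembered key is reported by the device itself, so a stored approval only says the descriptors match what was seen before.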


To defend against devices pretending to be a keyboard to type malicious code, all you need is to display a random code on the screen and ask the user to enter it.

Any legitimate input device will easily pass this check, while devices that pretend to be keyboards won't because they have no view of the screen.


Interesting, now we've gone from Bluetooth pairing PINs to USB pairing PINs.

Of course the attack here is then to replace the keyboard USB cable with the evil one.


How do I validate my keyboard initially? How do I validate my mouse initially?

Something would need special treatment that would be an attack surface.


You can't validate your keyboard. But you can confirm that your keyboard is a keyboard and not a storage device or network interface or whatever. And that your webcam is also not a keyboard.

It's a defense against the OMG cable which attacks you when you connect known-good items. If Logitech or Apple peripherals are counterfeited it will provide less benefit.


I think what he meant was, how do you accept the keyboard prompt if this is the initial keyboard connected to the system? Same goes for mouse. A bit of a chicken and egg problem, unless you blindly accept the first keyboard plugged into the system, which defeats the point.


Showing a PIN on the screen, to type in, helps a long way. But what if I replace the USB cable for your keyboard? (Or replace the whole keyboard, but that's more noticeable.) Most people would just re-authenticate their keyboard immediately, because this stuff sucks enough that we don't even blink when we need to redo a Bluetooth pairing because the planets changed their alignment again.



Man, Hak5 is such a solid throwback. One of the last good things on what ZDTV got morphed into.


"Teehee, this is totally for research and security teams!"


This looks useful for showing a demo to management folks. The fact that it's readily available just makes it even better for scaring them.


As a manager I bought and distributed these to senior ICs to demonstrate how much work someone could put into compromising you.


That kind of depends on how your "management folks" react to "being scared."

Not everybody survives after telling unexpected or inconvenient truths to the monarch.



