USB Hub Security

  • Release Candidate 6
    Guest:
    We are at a “proposed final” true release candidate with nothing known remaining to be changed or fixed. For the full story, please see this page in the "Pre-Release Announcements & Feedback" forum.
    /Steve.
  • Be sure to checkout “Tips & Tricks”
    Dear Guest Visitor → Once you register and log-in:

    This forum does not automatically send notices of new content. So if, for example, you would like to be notified by mail when Steve posts an update to his blog (or of any other specific activity anywhere else), you need to tell the system what to “Watch” for you. Please checkout the “Tips & Tricks” page for details about that... and other tips!

    /Steve.

tmcquinn

New member
May 1, 2022
2
0
I just joined and I apologize in advance for any breech of etiquette. I will learn my way around in time.

I am a big fan of Chromebooks. I'm trying to replace an ancient Windows machine with a current Chromebook. I need to connect more things to it than I have ports (monitor, keyboard, mouse, MIDI piano). A USB hub solves the plumbing problem. But I can't bring myself to use the external keyboard via the USB hub to enter my Lastpass password. I don't know what might be lurking in that little box and I don't want to find out the hard way.

So here's my question, how promiscuous is USB? If I plug the hub (with everything except the computer keyboard) into one USB port on the Chromebook and the keyboard into another, will the keyboard output be shared with the other USB ports? In other words, would the USB hub still be able to capture my keystrokes?
 
That would be difficult to tell without looking at the USB hierarchy in the system and understanding the data flows through the system.

USB Hubs could have a key logger built in, as could the external keyboard itself.
If there is only 1 USB Root Hub, then all USB ports pass through that to be processed by the system. Hardware with limited ports usually use 1 root hub. Even with multiple USB Root Hubs, they may all be running through 1 USB Extensible Host Controller. Infect that somehow and you get everything.

Generally though, there has not been a lot of widely spread USB based attacks. These are usually targeted at specific valuable individuals or information.

Even if there were something listening to your key strokes, it would have to know that what application you were executing at the time of typing. Then it would have to get the key strokes and application information out of the system to somewhere else. You could have applications watching outgoing traffic for this, but it may not be worth your time.

ChromeOS is no different than Windows in the fact that you can download, install and give malicious software permissions to do more than it needs. The Google PlayStore has been trying to clean out these malicious apps from their app store, but it is a big job that isn't easy to do.

Sticking to necessary apps would help. Especially if you knew the company that wrote the app, and it is regularly updated. Avoiding questionable apps (Battery Managers, Fake Security apps, Keyboard extension apps, 3rd party File Manager apps, File Security apps and fake cryptocurrency wallet apps.

If you want to add security apps to your Chromebook, stick with the bigger names like Malewarebytes, Norton and McAfee. ChromeOS has file management built in, so learn it, instead of getting a random app to make it behave like Windows.

In my opinion, you are probably not important enough to need to worry about your LastPass master password being stolen, and if you stick to the larger app vendors (avoiding the Chinese authors), you don't fall for the fake web pages saying your system is infected and you need to clean it with the offered malware, and you stick to trusted app stores then you should be safe enough.

Maybe someone else has more of an internal view of a USB connected keyboard and hub that can answer your question better.
 
Norton... The Norton that installs a surreptitious crypto miner on your system? Yeah, maybe not them.
 
Well first, consider what path a hacked USB hub might have to exfiltrate the data? Unless it has a path to the Internet, the only attacker would have to be pretty local, most likely so local as to have access to the computer to begin with. If it wanted to use the computer as a go-between to the Internet, then the PC would need to have the necessary malware driver... and if you have malware on the PC, why bother f**king around with the hardware of a USB hub. I guess the hub could theoretically have a mobile service attachment (an eSIM probably) built in, but since that would then require paid service, it seems unlikely to be anything but a specific targeting. If you were traveling internationally and the hub could be altered by a (most likely) government operative, then you might have something to be concerned about.

If I were you, I wouldn't lose sleep worrying about your USB hub attacking you. Odds are very high you're not being targeted. If you were wealthy or important enough, you wouldn't be here talking to us.
 
Thanks. I'm not losing sleep over any of it. I just was curious if one USB port can see what's going through another. This particular hub also has an Ethernet port that I use so it doesn't seem too far fetched that it could exfiltrate data if that was the goal.

I have to admit it might be a challenge knowing that a particular stream of characters was my lastpass password. I'm not a high value target by any definition but I do hope that the idea of spy chips in our hardware is just a figment of my imagination.
 
Using TOTP for 2FA (eg Google Authenticator or similar) should help partially insulate you from master password compromises.

That being said, you should not connect untrusted hardware to your machine when possible. Stick to name brands, and hope that if they have an issue, enough devices are out there that someone will notice and report it.

On a Chromebook, the only thing I can think of that would worry me would maybe be a USB firmware attack (bad USB). In this case the USB device identifies itself as a HID (keyboard) and could run a malicious shell script. Chances of that are slim, unless you are a worthy target.
 
Norton... The Norton that installs a surreptitious crypto miner on your system? Yeah, maybe not them.
I almost added *)cringe(* notes to both Norton and McAfee but didn't because the point was if they wanted some virus scanning...

These are the first apps I remove from new computers.