USB Hub Security

tmcquinn

New member
May 1, 2022
I just joined and I apologize in advance for any breach of etiquette. I will learn my way around in time.

I am a big fan of Chromebooks. I'm trying to replace an ancient Windows machine with a current Chromebook. I need to connect more things to it than I have ports (monitor, keyboard, mouse, MIDI piano). A USB hub solves the plumbing problem. But I can't bring myself to use the external keyboard via the USB hub to enter my LastPass password. I don't know what might be lurking in that little box and I don't want to find out the hard way.

So here's my question, how promiscuous is USB? If I plug the hub (with everything except the computer keyboard) into one USB port on the Chromebook and the keyboard into another, will the keyboard output be shared with the other USB ports? In other words, would the USB hub still be able to capture my keystrokes?
 
That would be difficult to tell without looking at the USB hierarchy in the system and understanding the data flows through the system.

USB Hubs could have a key logger built in, as could the external keyboard itself.
If there is only 1 USB Root Hub, then all USB ports pass through that to be processed by the system. Hardware with limited ports usually uses 1 root hub. Even with multiple USB Root Hubs, they may all be running through 1 USB Extensible Host Controller. Infect that somehow and you get everything.

Generally though, there have not been a lot of widespread USB-based attacks. These are usually targeted at specific valuable individuals or information.

Even if there were something listening to your keystrokes, it would have to know what application you were executing at the time of typing. Then it would have to get the keystrokes and application information out of the system to somewhere else. You could have applications watching outgoing traffic for this, but it may not be worth your time.

ChromeOS is no different than Windows in the fact that you can download, install and give malicious software permissions to do more than it needs. The Google PlayStore has been trying to clean out these malicious apps from their app store, but it is a big job that isn't easy to do.

Sticking to necessary apps would help, especially if you knew the company that wrote the app, and it is regularly updated. Avoid questionable apps (Battery Managers, Fake Security apps, Keyboard extension apps, 3rd party File Manager apps, File Security apps and fake cryptocurrency wallet apps).

If you want to add security apps to your Chromebook, stick with the bigger names like Malwarebytes, Norton and McAfee. ChromeOS has file management built in, so learn it, instead of getting a random app to make it behave like Windows.

In my opinion, you are probably not important enough to need to worry about your LastPass master password being stolen, and if you stick to the larger app vendors (avoiding the Chinese authors), you don't fall for the fake web pages saying your system is infected and you need to clean it with the offered malware, and you stick to trusted app stores then you should be safe enough.

Maybe someone else has more of an internal view of a USB connected keyboard and hub that can answer your question better.
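
An added example, not part of any post in this thread: one way to "look at the USB hierarchy" is to parse the tree that `lsusb -t` (usbutils) prints and report, for each HID device, which external hubs sit between it and the root hub and which other devices share that root hub. The sample tree is constructed, and the function names `parse` and `hid_exposure` are hypothetical.

```python
import re

# Constructed sample in `lsusb -t` format: hub on port 1, keyboard on port 3.
SAMPLE = """\
/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/4p, 5000M
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 480M
    |__ Port 1: Dev 2, If 0, Class=Hub, Driver=hub/4p, 480M
        |__ Port 1: Dev 3, If 0, Class=Audio, Driver=snd-usb-audio, 12M
        |__ Port 2: Dev 4, If 0, Class=Vendor Specific Class, Driver=r8152, 480M
    |__ Port 3: Dev 5, If 0, Class=Human Interface Device, Driver=usbhid, 1.5M
"""

ROOT = re.compile(r"^/:\s+Bus (\d+)\.Port \d+: Dev \d+, Class=root_hub, Driver=([^,/]+)")
NODE = re.compile(r"^(\s*)\|__ Port \d+: Dev (\d+), If \d+, Class=([^,]+),")

def parse(text):
    """One record per interface line, with its chain of upstream hubs (root first)."""
    records, stack, bus = [], [], None
    for line in text.splitlines():
        root = ROOT.match(line)
        if root:
            bus = int(root.group(1))
            stack = [(0, f"bus{bus}:root_hub({root.group(2)})")]
            continue
        node = NODE.match(line)
        if not node or bus is None:
            continue
        depth, dev, cls = len(node.group(1)), int(node.group(2)), node.group(3)
        while len(stack) > 1 and stack[-1][0] >= depth:  # climb back up the tree
            stack.pop()
        records.append({"bus": bus, "dev": dev, "class": cls,
                        "path": [name for _, name in stack]})
        if cls == "Hub":
            stack.append((depth, f"bus{bus}:dev{dev}(hub)"))
    return records

def hid_exposure(text):
    """Per HID interface (keyboards and mice): external hubs upstream, same-bus devices."""
    records, report = parse(text), {}
    for r in records:
        if r["class"] == "Human Interface Device":
            report[(r["bus"], r["dev"])] = {
                "external_hubs": [p for p in r["path"] if p.endswith("(hub)")],
                "same_bus_devs": sorted({o["dev"] for o in records
                                         if o["bus"] == r["bus"] and o["dev"] != r["dev"]}),
            }
    return report
```

An empty `external_hubs` list means the HID device is plugged straight into a root-hub port; a non-empty `same_bus_devs` list shows it still shares that root hub with other devices.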
 
Norton... The Norton that installs a surreptitious crypto miner on your system? Yeah, maybe not them.
 
Well first, consider what path a hacked USB hub might have to exfiltrate the data? Unless it has a path to the Internet, the only attacker would have to be pretty local, most likely so local as to have access to the computer to begin with. If it wanted to use the computer as a go-between to the Internet, then the PC would need to have the necessary malware driver... and if you have malware on the PC, why bother f**king around with the hardware of a USB hub. I guess the hub could theoretically have a mobile service attachment (an eSIM probably) built in, but since that would then require paid service, it seems unlikely to be anything but a specific targeting. If you were traveling internationally and the hub could be altered by a (most likely) government operative, then you might have something to be concerned about.

If I were you, I wouldn't lose sleep worrying about your USB hub attacking you. Odds are very high you're not being targeted. If you were wealthy or important enough, you wouldn't be here talking to us.
 
Thanks. I'm not losing sleep over any of it. I just was curious if one USB port can see what's going through another. This particular hub also has an Ethernet port that I use so it doesn't seem too far-fetched that it could exfiltrate data if that was the goal.

I have to admit it might be a challenge knowing that a particular stream of characters was my LastPass password. I'm not a high value target by any definition but I do hope that the idea of spy chips in our hardware is just a figment of my imagination.
 
Using TOTP for 2FA (e.g. Google Authenticator or similar) should help partially insulate you from master password compromises.

That being said, you should not connect untrusted hardware to your machine when possible. Stick to name brands, and hope that if they have an issue, enough devices are out there that someone will notice and report it.

On a Chromebook, the only thing I can think of that would worry me would maybe be a USB firmware attack (BadUSB). In this case the USB device identifies itself as a HID (keyboard) and could run a malicious shell script. Chances of that are slim, unless you are a worthy target.
 
Norton... The Norton that installs a surreptitious crypto miner on your system? Yeah, maybe not them.
I almost added *)cringe(* notes to both Norton and McAfee but didn't because the point was if they wanted some virus scanning...

These are the first apps I remove from new computers.