Google has launched a new software tool designed to detect USB keystroke injection attacks and block the devices from which they originate.
Keystroke injection devices are readily available, and they can send keystrokes extremely fast while remaining effectively invisible to the victim. Keystroke injection attacks are delivered via USB and involve a Human Interface Device driver.
The tool released by Google this week, intended for Linux systems, measures the timing of incoming keystrokes and decides, based on predefined heuristics, whether they constitute an attack, without affecting the user.
There are two modes of operation, MONITOR and HARDENING. In the former, the tool does not block devices it classifies as malicious but writes information about them to syslog. In the latter, it automatically blocks devices that are marked as malicious/attacking.
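The timing check and the two modes described above can be sketched as follows. This is an added example, not code from Google's tool; the window size, the gap threshold, the class and function names, and the in-memory log standing in for syslog are all assumptions made for illustration.

```python
from collections import deque

# Assumed values for illustration; not taken from the article or the tool.
WINDOW = 5             # consecutive inter-keystroke gaps examined together
MIN_GAP_US = 50_000    # gaps below this (microseconds) are treated as faster than human typing

class KeystrokeTimingDetector:
    """Flags a device when a full window of inter-keystroke gaps is implausibly short."""

    def __init__(self, mode="MONITOR", window=WINDOW, min_gap_us=MIN_GAP_US):
        if mode not in ("MONITOR", "HARDENING"):
            raise ValueError("mode must be MONITOR or HARDENING")
        self.mode, self.window, self.min_gap_us = mode, window, min_gap_us
        self.last_ts = {}      # device id -> timestamp of the previous keystroke
        self.gaps = {}         # device id -> most recent gaps
        self.blocked = set()   # devices cut off in HARDENING mode
        self.log = []          # stand-in for syslog

    def on_keystroke(self, device, ts_us):
        """Feed one keystroke; returns 'ignored', 'ok', 'logged' or 'blocked'."""
        if device in self.blocked:
            return "ignored"
        prev = self.last_ts.get(device)
        self.last_ts[device] = ts_us
        if prev is None:
            return "ok"
        gaps = self.gaps.setdefault(device, deque(maxlen=self.window))
        gaps.append(ts_us - prev)
        # Require a full window so a single fast key pair does not trigger.
        if len(gaps) < self.window or any(g >= self.min_gap_us for g in gaps):
            return "ok"
        self.log.append(f"suspected keystroke injection from {device}: gaps_us={list(gaps)}")
        if self.mode == "HARDENING":
            self.blocked.add(device)
            return "blocked"
        gaps.clear()           # MONITOR: one log entry per burst, device stays usable
        return "logged"

def replay(mode, events):
    """Run a list of (device, timestamp_us) events through a fresh detector."""
    det = KeystrokeTimingDetector(mode)
    return [det.on_keystroke(dev, ts) for dev, ts in events], det

# Constructed sample input: (device, timestamp in microseconds).
HUMAN = [("usb-1", t) for t in (0, 180_000, 310_000, 520_000, 640_000, 900_000, 1_020_000)]
INJECTED = [("usb-2", i * 2_000) for i in range(8)]   # one key every 2 ms

if __name__ == "__main__":
    for mode in ("MONITOR", "HARDENING"):
        print(mode, replay(mode, INJECTED)[0])
```

Replaying a slower stream whose gaps all exceed the threshold returns only "ok", which is the trade-off the article describes: an injector slow enough to pass the heuristic is slow enough for the user to watch.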
USB Keystroke Injection Security ships with HARDENING mode enabled by default and is available as open source on GitHub, where a step-by-step guide explains how to get it up and running as a systemd daemon enabled at reboot.
“The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user’s machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked,” Google explains.
The solution is designed as an added layer of protection by letting users see the attack happening, as the keystrokes are either delayed enough to circumvent the tool’s logic or happen fast enough to be detected by the tool.
“The tool can be complemented with other Linux tools, such as fine-grained udev rules or open source projects like USBGuard, to make successful attacks more challenging. The latter lets users define policies and allow/block specific USB devices or block USB devices while the screen is locked,” Google also says.