Google has released a new software tool designed to identify potential USB keystroke injection attacks and block the devices they originate from.
Keystroke injection tools are easily available, and they can send keystrokes immensely fast while being effectively invisible to the victim. Delivered over USB, keystroke injection attacks require a Human Interface Device Driver.
Meant for Linux systems, the tool announced by Google this week measures the timing of incoming keystrokes and uses predefined heuristics to determine whether they are part of an attack, without the user being involved.
Two modes of operation are available, namely MONITOR and HARDENING. In the former mode, it won’t block devices classified as malicious, but will write information about them to syslog. In the latter mode, however, the tool immediately blocks devices classified as malicious/attacking.
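The timing check and the two modes described above, as an added example that is not code from Google's tool: the window size, the gap threshold, the class and function names, and the sample timestamps are all assumptions made for illustration.

```python
from collections import deque

# Assumed values for illustration only; not taken from Google's tool.
WINDOW = 5                 # consecutive inter-key gaps to consider
MAX_GAP_US = 50_000        # gaps below this are faster than plausible typing


class KeystrokeTimingMonitor:
    """Per-device sliding window over inter-keystroke gaps (microseconds)."""

    def __init__(self, mode="HARDENING"):
        if mode not in ("MONITOR", "HARDENING"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.last_ts = {}      # device -> timestamp of previous keystroke
        self.gaps = {}         # device -> deque of recent gaps
        self.blocked = set()
        self.log = []          # stands in for syslog

    def on_key(self, device, ts_us):
        """Feed one key-press event; return 'ok', 'logged', or 'blocked'."""
        if device in self.blocked:
            return "blocked"
        prev = self.last_ts.get(device)
        self.last_ts[device] = ts_us
        if prev is None:
            return "ok"
        window = self.gaps.setdefault(device, deque(maxlen=WINDOW))
        window.append(ts_us - prev)
        # Only decide once the window is full, so a single fast key pair
        # (key rollover, a quick double tap) does not trigger.
        if len(window) < WINDOW or any(g >= MAX_GAP_US for g in window):
            return "ok"
        self.log.append(f"suspected keystroke injection from {device}")
        if self.mode == "HARDENING":
            self.blocked.add(device)
            return "blocked"
        return "logged"


def replay(mode, device, timestamps_us):
    """Run a constructed timestamp sequence through a fresh monitor."""
    mon = KeystrokeTimingMonitor(mode)
    return [mon.on_key(device, t) for t in timestamps_us], mon


# Constructed sample input: 1 ms gaps (injected) vs. ~150 ms gaps (typed).
INJECTED = [i * 1_000 for i in range(8)]
TYPED = [i * 150_000 for i in range(8)]
```

Replaying `INJECTED` in MONITOR mode only produces log entries, while the same input in HARDENING mode blocks the device as soon as the window fills; `TYPED` passes in both modes.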
USB Keystroke Injection Protection ships with the HARDENING mode enabled by default and is available in open source on GitHub, where a step-by-step guide provides details on how to get the systemd daemon, which is enabled on reboot, up and running.
“The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user’s machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked,” Google explains.
The solution was designed as an added layer of protection by letting users see the attack happening, as the keystrokes are either delayed enough to circumvent the tool’s logic, or happen fast enough to be detected by the tool.
“The tool can be complemented with other Linux tools, such as fine-grained udev rules or open source projects like USBGuard, to make successful attacks more challenging. The latter lets users define policies and allow/block specific USB devices or block USB devices while the screen is locked,” Google also says.