Google: Linux systems can use this new tool against USB keystroke injection attacks

Google's open-source tool makes USB keystroke injections harder but it's no silver bullet.
Written by Liam Tung, Contributing Writer on

Google's open-source developers have released a new tool for Linux machines to help fend off stealthy USB keystroke injection attacks. 

The open-source tool, dubbed USB Keystroke Injection Protection, aims to impede but not necessarily stop the attacks that can inject keystrokes in the blink of an eye and are likely to go undetected by the victim.

Just glancing away from the screen is enough time for the keystroke injection attack to occur, unnoticed by a person sitting in front of a computer. 

USB-delivered keystroke attacks were initially devised to ease system administrator tasks, but attackers repurposed the technology for malicious goals, explains Sebastian Neuner from the Google Information Security Engineering Team.

SEE: 10 tips for new cybersecurity pros (free PDF)

Keystroke injection attacks can be pulled off with a simple thumb drive that allows the device to automatically run code on a PC it's plugged into. 

Keystroke injection attacks are just one type of USB attack. The most famous was Stuxnet, the malware suspected to have been developed by the US government, which employed a USB device to infect air-gapped computers in Iran's nuclear facilities in 2008. Since then security researchers have developed so-called BadUSB attacks

Security researchers have also identified bugs in Logitech's USB dongles for communicating with wireless peripherals that allow an attacker to inject keystrokes. 

Neuner, whose research has focused on USB security, explains that the tool measures the timing of keystrokes coming from connected USB devices. The tool aims to detect if the keystrokes have been made without human involvement, or as Neuner explains, to determine whether the keystrokes were based on "predefined heuristics". 

Importantly, Neuner notes that the tool is only capable of making things tougher for a USB keystroke attacker and that isn't a complete defense against the attack. Nonetheless it could help a user spot something amiss by slowing down the keystroke input enough for a user to observe it – assuming the user is looking at the screen when it happens.

"The tool is not a silver bullet against USB-based attacks or keystroke injection attacks, since an attacker with access to a user's machine (required for USB-based keystroke injection attacks) can do worse things if the machine is left unlocked," he explains.  

"The tool is meant to provide another layer of protection and to defend a user sitting in front of their unlocked machine by them seeing the attack happening. They are able to see the attack either because the keystrokes are delayed enough to circumvent the tool's logic or fast enough to be detected by it, ie, blocking the device by unbinding its driver and logging information to syslog."

SEE: Passwords belong in time capsules, not IT ecosystems

According to Google's GitHub page for the tool, the daemon blocks keystroke injection devices on Linux systems. It supports both monitoring and hardening aims and can be used in conjunction with other USB defenses, such as the open-source project USBGuard, which aims to block BadUSB attacks. 

"In monitor mode, information about a potentially attacking USB device is collected and logged to syslog. In hardening mode, the attacking USB device is ejected from the operating system by unbinding the driver," the page notes. 

Editorial standards