The potential end of public clients at the university?

December 17, 2014

Recently, another department asked our campus-wide sysadmin mailing list for ideas on how to deal with keyloggers, after having found one. They soon clarified that they meant physical keyloggers, because that's what they'd found. As I read the ensuing discussion I had an increasing sinking feeling that the answer was basically 'you can't' (which was pretty much the consensus answer; no one had really good ideas and several people knew things that looked attractive but didn't fully work). And that makes me pretty unhappy, because it means that I'm not sure public clients are viable any more.

Here at the university there's long been a tradition and habit of various sorts of public client machines, ranging from workstations in computer labs in various departments to terminals in libraries. All of these uses depend crucially on the machines being at least non-malicious, where we can assure users that using the machine in front of them is not going to give them massive problems like compromised passwords and everything that ensues from that.

(A machine being non-malicious is different from it being secure, although secure machines are usually non-malicious as well. A secure machine is doing only what you think it should be, while a non-malicious machine is at least not screwing its user. A machine that does what the user wants instead of what you want is insecure but hopefully not malicious (and if it is malicious, well, the user did it to themselves, which is admittedly not a great comfort).)

Keyloggers, whether software or physical, are one way to create malicious machines. Once upon a time they were hard to get, expensive, and limited. These days, well, not so much, based on some hardware projects I've heard of; I'm pretty sure you could build a relatively transparent USB keylogger with tens of megabytes of logging capacity as an undergrad final project with inexpensive off-the-shelf parts. Probably you can already buy fully functional ones for cheap on eBay. What was once a pretty rare and exclusive preserve is now available to anyone who is bored and sufficiently nasty to go fishing. As this incident illustrates, some number of our users probably will do so (and it's only going to get worse as this stuff gets easier to get and use).

If we can't feasibly keep public machines from being made malicious, it's hard to see how we can keep offering and operating them at all. I'm now far from convinced that this is possible in most settings. Pessimistically, it seems like we may have reached the era where it's much safer to tell people to bring their own laptops, tablets, or phones (which they often will anyways, and will prefer using).

(I'm not even convinced it's a good idea to have university provided machines in graduate student offices, many of which are shared and in practice are often open for people who look like they belong to stroll through and fiddle briefly with a desktop.)

PS: Note that keyloggers are on the easy scale of the damage you can do with nasty USB hardware. There's much worse possible, but of course people really want to be able to plug their own USB sticks and so on into your public machines.

Sidebar: Possible versus feasible here

I'm pretty sure that you could build a kiosk style hardware enclosure that would make a desktop's actual USB ports and so on completely inaccessible, so that people couldn't unplug the keyboard and plug in their keylogger. I'm equally confident that this would be a relatively costly piece of custom design and construction that would also consume a bunch of extra physical space (and the physical space needed for public machines is often a big limiting factor on how many seats you can fit in).

Comments on this page:

The key for USB is "relatively transparent" - these devices generally enumerate as another keyboard, rather than being passive electrical sniffers, and as a result would likely be detectable if you audited the make/model of keyboards attached to devices via their USB make/model codes. Heck, you could monitor USB plug/unplug events if you wanted to be really paranoid.

Also, requiring some kind of two factor auth deals with credential compromise, although you'd need some kind of additional device/list/SMS capable cell phone for every user to make that work.

It's also fairly likely that individual, privately owned machines could have spyware and similar installed on them, which 2-factor could also help with.
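
The keyboard audit suggested in the comment above, as an added example that is not part of the original page or its comments. It assumes a Linux client exposing `/sys/bus/usb/devices`; the allowlisted IDs, the function names and the sample tree are constructed, and the vendor/product IDs are whatever each device reports about itself.

```python
import tempfile
from pathlib import Path

# Assumption: the one keyboard model deployed on these machines (constructed IDs).
ALLOWED = {("aaaa", "0001")}

def _read(path):
    try:
        return path.read_text().strip().lower()
    except OSError:
        return None

def usb_keyboards(root="/sys/bus/usb/devices"):
    """Return sorted (port, vendor, product) for devices exposing a HID boot-keyboard interface."""
    root, found = Path(root), set()
    for iface in root.iterdir():
        if ":" not in iface.name:          # interfaces are "1-2:1.0"; devices are "1-2"
            continue
        triple = tuple(_read(iface / f) for f in
                       ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        if triple != ("03", "01", "01"):   # HID class, boot subclass, keyboard protocol
            continue
        dev = root / iface.name.split(":")[0]
        found.add((dev.name, _read(dev / "idVendor"), _read(dev / "idProduct")))
    return sorted(found)

def audit(root="/sys/bus/usb/devices", allowed=ALLOWED, expected=1):
    """Report keyboards whose self-reported IDs are not allowed, and an unexpected count."""
    kbds = usb_keyboards(root)
    findings = [f"unexpected keyboard {v}:{p} on port {port}"
                for port, v, p in kbds if (v, p) not in allowed]
    if len(kbds) != expected:
        findings.append(f"{len(kbds)} keyboards attached, expected {expected}")
    return findings

def fake_sysfs(devices):
    """Build a constructed sysfs-like tree from {port: (vendor, product)}, each a keyboard."""
    root = Path(tempfile.mkdtemp())
    for port, (vendor, product) in devices.items():
        (root / port).mkdir()
        (root / port / "idVendor").write_text(vendor + "\n")
        (root / port / "idProduct").write_text(product + "\n")
        iface = root / f"{port}:1.0"
        iface.mkdir()
        for name, val in (("bInterfaceClass", "03"), ("bInterfaceSubClass", "01"),
                          ("bInterfaceProtocol", "01")):
            (iface / name).write_text(val + "\n")
    return root

if __name__ == "__main__":
    # Constructed sample: the lab keyboard plus a second, unknown keyboard on another port.
    print(audit(fake_sysfs({"1-1": ("aaaa", "0001"), "1-2": ("1234", "abcd")})))
```

The count check matters as much as the ID check: a second keyboard that reports the allowlisted IDs passes the allowlist and is flagged only because one keyboard was expected.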

By cks at 2014-12-18 13:13:28:

Blocking unrecognized USB keyboard models has a number of problems at scale in a public machine environment, but the fundamental issue is that it only works until these things get a little bit smarter (if they aren't already). I can think of ways around this without having to go to passive sniffing, given programmable USB identifiers.

My overall reaction to two factor authentication is that this only protects users for logging in to our services. It still leaves them screwed if they use our machines to log into many services out there on the Internet and it still means that someone can snoop on every email they write, every Facebook update they post, every IM they send, and so on. My view is that that's far too much exposure. Certainly I don't think any users would use the machines if we said 'your login is totally safe but then we're reading literally everything you type'.

Laptops would work here, no? Can't replace the keyboard or mouse easily. A Chromebook would be ideal if people just need the web.

By Miksa at 2015-02-14 17:32:25:

The easiest way would be to connect the keyboard inside the desktop computer. Run the cable through a PCI slot or some other opening and connect it with a USB/PCI bracket to the internal USB headers on the motherboard.

Written on 17 December 2014.

Last modified: Wed Dec 17 23:42:36 2014