Infosec Lazyweb, a real question: is it actually safe to plug a random usb peripheral into a win10 machine, assuming I’m not interesting to a nation-state? Or is that (still) the fast path to bad pain, even assuming zero user interaction.
@mhoye Random USB devices can pretend to be keyboards and Win10 by default accepts e.g. keypresses or mouse movements from new USB devices. Win-R invokes the Run command, so it's trivial to run some shell code.
@cubeos @mhoye Echoing this. Rubber duckies are inexpensive (we're talking about "ESP32 on a widely produced circuit board" here, ~$15), can do anything mouse+keyboard can and look like real USB sticks.

@multisn8 @cubeos @mhoye This problem is trivially fixable, without breaking UX, by

(1) assuming if you're logged in you already have working input devices attached, and requiring confirmation of any newly-attached ones before they get used, and

(2) on login screen, warning if multiple keyboards are attached, and by default only leaving the one that was used to enter the login password enabled after login.

It's ridiculous that nobody is fixing it.

@dalias @multisn8 @mhoye It's actually fixed: enterprise admins can set a group policy controlling USB device installation. See https://learn.microsoft.com/en-us/windows/client-management/client-tools/manage-device-installation-with-group-policy I suspect somebody decided that the additional confirmation steps would confuse users and decided against shipping a confirmation step as a default.

@cubeos @multisn8 @mhoye Does this work if the device can mimic your existing keyboard's USB vendor/product id though?
@dalias @multisn8 This does not protect against impersonating a specific device, but one can block whole categories of devices such as HID-Keyboard. It's a bit tricky to ensure that there's a working keyboard left when this is applied. The typical issue this covers is "prevent people from plugging in random stuff", not an attacker with resources and knowledge targeting a specific individual.
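A worked example, added here and not posted by anyone in the thread, that ties the two defensive ideas above together: the "warn if more than one keyboard is attached" audit proposed earlier, and the device-setup-class block that the linked Group Policy page documents. It is PowerShell for an elevated session on Windows 10/11. The `Get-PnpDevice` cmdlet, the `Keyboard` and `HIDClass` setup-class GUIDs, and the registry path and value names under `DeviceInstall\Restrictions` are my own assumptions drawn from the DeviceInstallation ADMX as I know it, not values quoted from the thread; check them against the Microsoft page before relying on the policy write.

```powershell
# Added example (not from the thread): audit attached keyboards and, optionally,
# write the registry values behind the Group Policy
# "Prevent installation of devices using drivers that match these device setup classes".
# ASSUMPTION: the registry layout below is taken from the DeviceInstallation ADMX
# as I know it; verify against the linked Microsoft docs before relying on it.
# Run in an elevated PowerShell on Windows 10/11.

# Device setup class GUIDs (well-known values from Windows' devguid.h)
$KeyboardClass = '{4D36E96B-E325-11CE-BFC1-08002BE10318}'   # Keyboard
$HidClass      = '{745A17A0-74D3-11D0-B6FE-00A0C90F57DA}'   # HIDClass (HID-compliant devices)

function Get-AttachedKeyboards {
    # Present devices in the Keyboard setup class; every physical keyboard
    # (including a USB stick that enumerates as one) shows up here.
    Get-PnpDevice -Class Keyboard -PresentOnly -ErrorAction SilentlyContinue |
        Select-Object FriendlyName, InstanceId, Status
}

function Test-KeyboardCount {
    # Mirrors the thread's suggestion: warn when more than one keyboard is attached.
    $kb = @(Get-AttachedKeyboards)
    if ($kb.Count -gt 1) {
        Write-Warning "$($kb.Count) keyboards present; a logged-in session normally needs one."
        $kb | Format-Table -AutoSize | Out-String | Write-Warning
    } elseif ($kb.Count -eq 0) {
        Write-Warning 'No keyboard-class device present (remote session or touch-only?).'
    } else {
        Write-Host "Single keyboard: $($kb[0].FriendlyName) [$($kb[0].InstanceId)]"
    }
    return $kb.Count
}

function Set-DenyDeviceClassPolicy {
    param(
        [Parameter(Mandatory)] [string[]] $ClassGuids,
        [switch] $Retroactive,   # also remove matching devices already installed
        [switch] $WhatIf         # dry run: print what would be written
    )
    # ASSUMPTION: path and value names as in the DeviceInstallation ADMX.
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    $list = Join-Path $base 'DenyDeviceClasses'
    if ($WhatIf) {
        Write-Host "Would set $base\DenyDeviceClasses=1 (Retroactive=$($Retroactive.IsPresent))"
        Write-Host "Would list classes: $($ClassGuids -join ', ')"
        return
    }
    New-Item -Path $list -Force | Out-Null
    Set-ItemProperty -Path $base -Name 'DenyDeviceClasses' -Type DWord -Value 1
    Set-ItemProperty -Path $base -Name 'DenyDeviceClassesRetroactive' -Type DWord `
        -Value ([int]$Retroactive.IsPresent)
    $i = 1
    foreach ($g in $ClassGuids) {
        # The ADMX stores the list as string values named "1", "2", ...
        Set-ItemProperty -Path $list -Name "$i" -Type String -Value $g
        $i++
    }
    Write-Host "Policy written; run 'gpupdate /force' or reboot for enforcement."
}

# Audit first: how many keyboards does this session actually have?
$count = Test-KeyboardCount

# Guard for the caveat raised in the thread: blocking the Keyboard class with
# -Retroactive removes the keyboard you are typing on, so default to a dry run.
Set-DenyDeviceClassPolicy -ClassGuids $KeyboardClass -WhatIf
```

The audit half is the cheap, non-breaking part: run it at login or on a schedule and a second keyboard-class device appearing on a desktop that should have one is a useful signal on its own. The policy half is what the linked page documents for "prevent people from plugging in random stuff"; as the thread notes, a class-wide deny does not distinguish a spoofed vendor/product ID from the real keyboard, and the Microsoft page describes allow-lists for specific hardware IDs whose precedence against a class deny you should read there before combining the two on a machine you need to keep typing on.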