Hi there! This is a purely academic question out of curiosity: Is it
possible to disable all external USB interfaces without cutting the wire
on OpenBSD? You've heard stories of laptops/servers/routers with other
OSes being infected by some clever programs on USB sticks automatically
attaching to the running system without leaving obvious traces.
Assumption is that with OpenBSD and nothing like 'hotplug-diskmount'
installed this should not be possible, even with an unprivileged user
being logged in (with proper doas(1) rules applied). Nevertheless let us
assume some smart blackhat successfully finds a way to infect a running
OpenBSD system by attaching a USB device circumventing e.g. a full-disk
encryption. Or think of a desktop PC under the table where such a device
is not obviously visible. It may not help with Intel-like hardware bugs
but deactivated USB ports should be an extra hurdle for the casual
attacker. Of course any change should require physical access, 'root' and
a reboot (like with chflags(1)). I think disabling umass(4) at boot-time
or permanently might achieve s.th. like this - but what would be the side
effects to consider? KARL comes to my mind.
As the only OpenBSD system at hand is my laptop I do not dare to test by
disabling umass(4) as it is fully-encrypted with the key on a USB stick.
(Fiddling with the kernel on a production system seems to be a
second-class option anyway, right?) And if 'they' sneak into the system
e.g. via ugen(4)-attached devices... yes, I am aware that with enough
time, money and physical access 'they' will find a way, someday. There's
no safe computer - except not having one. Anyway - which other
ports/interfaces are at risk and could easily be disabled alike?
Bluetooth seems rather safe... ;-) Is there another smart way to do s.th.
like the described? I found nothing in the FAQ. Feasibility in practice
might be a matter of the level of paranoia ... or are blocked USB
interfaces nowadays a required precaution? Time for a BIG THANK YOU to the
developers for the most trustworthy OS out there!

Best,
STEFAN