I disagree. I think this is patchable to a reasonable degree. I don't mean that it would be 100% secure, of course.
All you need is a security layer requiring user authorization for execution of code from any USB device. In addition to this you could add a setting to lock in a single USB keyboard. In other words, make the Hollywood movie scenario nearly impossible.
OK, why did I say "nearly impossible"? Because a knowledgeable embedded engineer could very easily build a device that self-identifies to look exactly like your keyboard. Your computer would not know the difference.
Faced with that, the security layer would have to add a re-authorization state upon disconnection of the authorized keyboard.
Now you are vulnerable to reboot or a clever parallel wiring attack. The latter is the case of someone building hardware that can be wired into your authorized keyboard after taking it apart. The reboot vector could be mitigated by simply requiring the entry of a password in order to enable any execution/console commands to be accepted from the keyboard. With this even a fully authorized keyboard would not have execution rights of a whole host of command line commands until re-authorized by the user.
None of this is perfect. I just thought it up in five minutes. Absolute security isn't achievable without the kinds of systems and controls in place at high-security facilities. However, I think it is possible to create an easy-to-use software layer that can stop a hacker with casual access to a system in a corporate setting. All you have to do is slow them down enough to make it less palatable, much like a home alarm system.
>All you need is a security layer requiring user authorization for execution of code from any USB device.
That won't help. You can still send keystrokes to the system, which means that BadUSB could have a step-by-step process, including downloading, installing and compiling anything it needs.
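The "authorize devices, lock in a single keyboard" layer from the first comment, and the reply's objection that an unblocked device can still type, both map onto a device-authorization policy such as USBGuard on Linux. The rule file below is an added, constructed example (not from either commenter); the vendor:product ID, serial, hash and port are placeholders to be replaced with the values `usbguard generate-policy` reports for the real keyboard.

```text
# /etc/usbguard/usbguard-daemon.conf  (constructed example)
# Anything no rule matches is blocked; policy is applied to devices already
# present at startup and to every later insertion, so a re-plugged device is
# re-evaluated rather than trusted because it was trusted before.
ImplicitPolicyTarget=block
PresentDevicePolicy=apply-policy
InsertedDevicePolicy=apply-policy

# /etc/usbguard/rules.conf  (constructed example; first matching rule wins)

# Pin exactly one keyboard. The device must match vendor:product, serial,
# descriptor hash, the physical port it is plugged into, and present exactly
# this interface set (a boot keyboard plus one generic HID interface).
allow id 046d:c31c serial "PLACEHOLDER-SERIAL" hash "PLACEHOLDER-HASH" \
      via-port "1-1.2" with-interface equals { 03:01:01 03:00:00 }

# Mice, headsets and similar HID devices need their own explicit allow lines
# above this point; every other HID-class interface is rejected, which is what
# stops a "thumb drive" that also presents a keyboard from ever typing.
reject with-interface one-of { 03:*:* }

# Plain mass storage and hubs are allowed; a device that is storage AND HID
# never reaches these lines because the reject above matched first.
allow with-interface equals { 08:*:* }
allow with-interface equals { 09:00:00 }
```

USBGuard enforces the decision through the kernel's per-device `authorized` attribute, so a rejected device never has a driver bound and cannot deliver keystrokes at all, which answers the reply's objection. A device that clones every attribute above, as the first comment points out, still passes, which is why the port pin and hash are included rather than the ID alone.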