Linux Security

How to Protect Your USB Ports on Linux

Yusuf Limalia 07-09-2017

The Universal Serial Bus (USB) What Is USB Type-C? Ah, the USB plug. It is as ubiquitous now as it is notorious for never being able to be plugged in right the first time. Read More is the double-edged sword that revolutionized the way we interface with our devices. Its plug and play nature has made transferring data between devices simple. USB sticks are not without their faults though. They quickly became the medium for infecting entire networks with viruses and malware.


weird looking usb
Image Credit: Marek R. Swadzba via

Enter the USB Kill device, which can completely fry your USB port or destroy your motherboard. It achieves this by charging its capacitors from the USB port and surging the brutal voltage back to the port. This happens several times until unplugged, or the host dies.

Let’s take a look at how your can try and mitigate the risks from such devices.

The Basics

Before we get into the finer details there are some simple rules of thumb you can follow:

This list should cover most cases. However, USB device security can still be improved.


Protect Your BIOS

In the event you have a machine that must be left unattended, gaining access to said machine is relatively simple. All someone has to do is create a bootable USB drive and boot from the drive into a live environment. This will give them access to all unencrypted files. In the case of Windows, you can even blank out users’ passwords. Password-protecting your Basic Input Output System (BIOS) How to Enter the BIOS on Windows 10 (And Older Versions) To get into the BIOS, you usually press a specific key at the right time. Here's how to enter the BIOS on Windows 10. Read More means a password must be entered even before the boot options appear.

Consult your hardware manufacturers documentation on how to enter the BIOS. Generally it’s done by repeatedly tapping the Delete key as your computer is booting, but this varies between manufactures. The password setting should be under the Security section in your BIOS.

USBGuard Has Your Back

Do you need to leave a PC or server unattended? If so, you can prevent attacks with an aptly named utility, USBGuard. This is designed to protect against malicious USB devices also known as BadUSB Your USB Devices Aren't Safe Anymore, Thanks To BadUSB Read More . Examples include USB devices that can emulate a keyboard and issue commands of a logged in user. These devices can also spoof network cards and change a computer’s DNS settings to redirect traffic.

USBGuard essentially stops unauthorized USB devices by implementing basic blacklisting and whitelisting capabilities. Ideally you would not allow any USB devices except a select few that you trust. When you plug in a USB device or hub, USBGuard will scan the device first. It then looks sequentially at it’s configuration file to check if that device is allowed or rejected. The great thing about USBGuard is that it uses a feature that is implemented directly in the Linux kernel.


If you’re running Ubuntu 16.10 or later you can install USBGuard by typing:

sudo apt install usbguard

If you’re on one of the older *buntus, you can follow the instructions on GitHub [No Longer Available]. Our example will follow a simple allow which will demonstrate how to authorize a device with a specific id. To get up and running use:

usbguard generate-policy > rules.conf
nano rules.conf

Take a moment to review the policy that’s about to be added. This step will add and authorize everything that’s currently plugged into your machine. You can remove or comment out the lines for the devices you do not want to authorize.

sudo install -m 0600 -o root -g root rules.conf /etc/usbguard/rules.conf
sudo systemctl restart usbguard

Put It to the Test

By now, any device you connect to your machine will not function, even though it seems to have been detected. IPlug in a USB drive to verify this by running lsusb to list all USB devices connected to the system. Take note of the SanDisk id, we’ll need this later.


ubuntu lsusb

Although the device has been detected in Ubuntu, there is no sign of it being mounted How to Mount a USB Flash Device in Linux and Your Raspberry Pi Let's take a look at problems surrounding USB devices and SD cards with popular distros (we're using Ubuntu) and less widely-used distros, such as the Raspberry Pi's Raspbian Jessie operating system. Read More !

ubuntu finder

To add this device to the list of authorised devices, run the following:

sudo nano /etc/usbguard/rules.conf

Now add the SanDisk id to the rules.conf file to set it as one of the authorized devices.

ubuntu rules

All it takes now is a quick restart of the USBGuard service:

sudo systemctl restart usbguard

Now unplug, then reconnect the USB drive. USBGuard will check rules.conf, recognize the id as a permitted device, and allow it to be used.

ubuntu usb gui detected

Immediately your device becomes available for regular use. This was a simple method of just allowing the device by its id. To get really specific you might add a rule to rules.conf along these lines:

allow 0781:5151 name "SanDisk Corp. Cruzer Micro Flash Drive" serial "0001234567" via-port "1-2"
reject via-port "1-2"

The above rules will allow only a device matching that id, name, serial only on a specific port. The reject rule will not allow any other device plugged in to that port. The options are pretty much endless, but can be referred to online.

Physical Prophylactics

USBGuard probably isn’t going to protect you against the infamous USB Killer. So what can you do? If you do have control over your USB ports and still need to plug in some questionable USB drives some solutions are available. The price of a USB hub What Is a USB Hub? 3 Reasons Why You Need One Nearly all devices these days utilize USB ports in one way or another. Here are several reasons why you might want a USB hub. Read More relative to a new laptop is microscopic. One of the huge advantages of using such a seasoned technology is that it’s accessories are widely available and cheap. You could grab a good branded one and instead of plugging sketchy devices directly into your machine, plug it in via the USB hub. Should the USB drive be a USB Killer, it will fry the USB hub and your machine will be safe.

Another solution to your use case may be the USG. The device is a hardware firewall that sits between a suspect USB device and your machine. It is compatible with mice, keyboards and USB flash drives. It will protect you against BadUSB by filtering the malicious activity, and passing through the data you need.

usg ubuntu
Image Credit: Robert Fisk

Isn’t This Overkill?

Depending on the environment you work in, this may be the case. If you can afford not to plug in any device that you don’t have full control over and you are the only person with access to your machine, then this would be the best case. The silver lining is that in addition to the people trying to find ways of doing harm, there are people also thinking about ways to prevent that harm.

Have ever had any bad experiences with dodgy USB devices? How do you ensure you or your company have safe USB measures? Let us know in the comments below!

Image Credits: Frantisek Keclik/Shutterstock

Related topics: Computer Security, USB.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Costic
    September 8, 2017 at 3:50 pm

    Why would I want to enroll with a company that was already hacked?

  2. dragonmouth
    September 7, 2017 at 9:54 pm

    "Ask trusted people to send you files via the cloud."
    The cloud brings its own set of problems.

    "Don’t leave your computer unattended."
    Impossible to do with desktops in a work environment. Effectively, they are unattended for 16 out of 24 hours. You go out to lunch. For an hour your PC is unattended. Even in a secure environment anybody on the inside can stick a USB Killer in your PC. Hypothetically this can be prevented by having the room with the PC be only accessible by you. However, how many of us work in such security/isolation?!

    "Should the USB drive be a USB Killer, it will fry the USB hub and your machine will be safe."
    How so? Wouldn't the surge follow the electrical path through the hub, along the USB cable to the PC, and ZAP, there goes the motherboard?
    A USB hub or a USG can protect only port at a time. Of what use are they on a PC that has 4 or more USB ports?

    • Yusuf Limalia
      September 11, 2017 at 12:50 pm

      Thank you for your reply!

      1) I completely agree about the cloud having it's own set of problems. In fact many solutions will have caveats that need to be addressed and it's risks mitigated. I regularly deal with people that haven't quite grasped folder sharing on the cloud just yet and I can see why that can be difficult to some people.

      2) The unattended bit is, as you've mentioned, quite impossible in some cases. We're aiming more at people who might be on the go and in coffee shops for example.

      3) I believe a good USB hub will have it's own logic board and circuitry. I've seen a few posts of people claiming this works. The use case for this will be, someone gives you a USB stick which you need to get stuff off. You could plug it into the hub first and check if it for being a USB killer. If if is then your hub will be fried. If not, then you can use one of your other many USB ports. These measure are only used for untrusted devices.

      I hope that makes sense =)