Ask HN: Control 2 air-gapped computers with 1 mouse and keyboard
2 points by WorldDev 235 days ago
Hi all, I am trying to control 2 computers that are air-gapped, with 1 mouse and keyboard.

Using any standard USB switch or KVM breaks the air-gap, as malware can (and has been known to) spread via KVM and USB switches.

Here are the solutions I am exploring:

- Use a mouse and keyboard via Bluetooth, using the switch inside the device to switch computer. For example the Logitech MX mouse can switch from one computer to the other. However, does anyone know if it's a hard switch from one computer to the other, or if the mouse stays connected to both?

- Create a link (via USB or serial) from one computer to the other, to use the keyboard and mouse from one on the other. That breaks the air-gap, but maybe there's a way to make the link simple and secure enough. I had a lot of great advice from another post here, but I think I need to explore other options as well.

- Use a mechanical USB switch that physically disconnects the path when switching to the other. I searched a while on the internet, and couldn't find a device like that. They all stay connected to both.

Does anyone have any advice?

3 comments

First, before you do anything you should check if you even should do this. Modern peripherals may have local storage (for drivers and such) and it may be visible (even automounted) by the OS. In that case your risk profile may not allow it (see Stuxnet). Also be aware that sharing one keyboard will make you prone to brainfarting and muscle-memorying your credentials from one PC to the other. Depending on the reason behind air-gapping, that may or may not be frowned upon.

Anyway, I use a "dumb" version of this setup, out of convenience. I have a dumb USB switch, with only one host connector. I use 2 cables, and have them tied together with a binder paperclip thingy. On the (rare for me) occasion I need to switch, I just unplug one cable and plug the other.

That's interesting, thanks for sharing.

> Modern peripherals may have local storage

Do you mean the flash that contains the code for the microcontroller?

> I have a dumb USB switch

I am not 100% sure I understood. Is the "dumb USB switch" the paperclip?

No, dumb as in it only has one "host" connection, and many peripheral ports. So I put all my stuff there, but it can only be connected to one host at a time. So instead of a switch, I use the cables. Unplug one, and plug the other. Almost the same effort.

I see, you are unplugging and re-plugging, instead of just pressing a button. That makes sense. It feels like a USB mechanical switch should exist, but I guess it does not.

Another option that I looked at is whether I could use the switching capability on the device itself. For example the new Logitech MX 4 can switch between different computers. It also has a wireless connection, versus a Bluetooth connection. Do you have a sense whether switching with a device like that is enough of a separation?

There is a healthy market of commercial products that solve this problem for classified environments.

Among other things, secure KVMs create a protocol break between the keyboard/mouse/monitor and the connected machines to eliminate any of these back channels.

Take a look at the Security Target for Aten’s secure KVM product for an idea of the design considerations at play.

https://www.niap-ccevs.org/products/11222
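To make the "protocol break" idea in the comment above concrete, here is an added example (not from this thread, and not Aten's or any other vendor's design) that models the keyboard leg of such a device in software. It assumes the peripheral speaks the HID boot-protocol keyboard format (8-byte reports: modifier byte, reserved byte, six key-usage slots). The point a secure KVM enforces in hardware is shown here in a few lines: the host side never receives the peripheral's raw bytes. Each report is decoded into a small set of validated fields and a fresh report is built from those fields only, so "unused" bytes, out-of-range usages, and malformed reports that could carry data between the two sides are dropped rather than passed through. The sample reports are constructed for the demonstration.

```python
"""Software model of a keyboard 'protocol break' as used in secure KVMs.

Constructed illustration, not any product's firmware. Only the HID boot
keyboard report (8 bytes: modifiers, reserved, six key usages) is understood;
everything else is dropped and counted rather than forwarded.
"""
from dataclasses import dataclass, field

REPORT_LEN = 6 + 2  # modifiers + reserved + six key slots

# Boot keyboard usage IDs (HID Usage Tables, Keyboard/Keypad page 0x07):
# 0x04..0x1D letters, 0x1E..0x27 digits, 0x28..0x38 punctuation/control,
# 0x39 Caps Lock, 0x3A..0x45 F1-F12, 0x46..0x65 editing/navigation keys.
# Anything outside this range (vendor usages, modifier usages in the key
# array, reserved IDs) is not forwarded.
ALLOWED_USAGES = frozenset(range(0x04, 0x66))
ERROR_ROLLOVER = 0x01


@dataclass
class BreakStats:
    """Counters a monitoring console would expose for the break."""
    forwarded: int = 0
    dropped: int = 0
    reasons: dict = field(default_factory=dict)

    def drop(self, why: str) -> None:
        self.dropped += 1
        self.reasons[why] = self.reasons.get(why, 0) + 1


def parse_boot_report(report: bytes):
    """Decode a boot keyboard report into (modifiers, [key usages]).

    Raises ValueError naming the first check that failed; the caller treats
    any failure as a drop, never as 'forward what we could'.
    """
    if len(report) != REPORT_LEN:
        raise ValueError("length")
    modifiers, reserved, *slots = report
    if reserved != 0:
        raise ValueError("reserved")  # the reserved byte must carry nothing
    keys = [k for k in slots if k != 0]  # 0x00 marks an empty slot
    if ERROR_ROLLOVER in keys:
        raise ValueError("rollover")  # too many keys held; nothing usable
    if len(set(keys)) != len(keys):
        raise ValueError("duplicate")  # one usage may appear only once
    if any(k not in ALLOWED_USAGES for k in keys):
        raise ValueError("usage")
    return modifiers, keys


def sanitize_report(report: bytes, stats: BreakStats = None):
    """The protocol break: decode, then re-encode from the decoded fields only.

    Returns a fresh 8-byte report, or None if the input was dropped. The
    original bytes are never copied into the output.
    """
    stats = stats if stats is not None else BreakStats()
    try:
        modifiers, keys = parse_boot_report(bytes(report))
    except ValueError as err:
        stats.drop(str(err))
        return None
    fresh = bytes([modifiers, 0x00] + keys + [0x00] * (6 - len(keys)))
    stats.forwarded += 1
    return fresh


def run_break(reports):
    """Pass a sequence of device-side reports through the break."""
    stats = BreakStats()
    out = [r for r in (sanitize_report(rep, stats) for rep in reports) if r is not None]
    return out, stats


# Constructed device-side traffic: two legitimate reports and five that a
# pass-through switch would forward but the break rejects.
SAMPLE_REPORTS = [
    b"\x02\x00\x04\x00\x00\x00\x00\x00",      # Left Shift + 'a': forwarded as-is
    b"\x00\x00\x0b\x00\x0c\x00\x00\x00",      # 'h' and 'i' with a gap: forwarded, slots compacted
    b"\x00\x7f\x04\x00\x00\x00\x00\x00",      # data in the reserved byte: dropped
    b"\x00\x00\xe0\x00\x00\x00\x00\x00",      # usage outside the boot keyboard range: dropped
    b"\x00\x00\x01\x01\x01\x01\x01\x01",      # ErrorRollOver: dropped
    b"\x00\x00\x04\x00\x00\x00\x00\x00\x00",  # 9 bytes, not a boot report: dropped
    b"\x00\x00\x04\x04\x00\x00\x00\x00",      # same usage twice: dropped
]

if __name__ == "__main__":
    forwarded, stats = run_break(SAMPLE_REPORTS)
    for rep in forwarded:
        print("forwarded:", rep.hex())
    print("dropped:", stats.dropped, stats.reasons)
```

The mouse and video legs of a real secure KVM follow the same pattern with their own fixed report formats, and the hardware version also makes the link one-way so that nothing originating from a host (for example an output report) can reach the shared peripheral.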

Previous context: Ask HN: Advice for creating a USB device linking 2 computers - https://news.ycombinator.com/item?id=45706169