Sandboxing the Seal One USB

The Seal One USB 3200 K is a security device that lets you authorize bank transactions. It has a built-in display and presents itself as a virtual CD-ROM drive with a small application that you need to run on your computer. This closed-source, proprietary application requires Internet access and should not be trusted. This article describes how you can sandbox it under Linux in order to reduce the risk to your privacy.

The manufacturer provides no documentation about technical aspects or sandboxing strategies, which I find disrespectful. Therefore, I had to do some research myself.

I am guessing that other Seal One USB models work in the same way. If you have more information, please drop me a line.

System Configuration (to do only once per computer)

 * Add a separate user account for the Seal One with the following command:
     sudo useradd --create-home --groups cdrom --shell /bin/bash sealone
 * Membership of the 'cdrom' group seems to be necessary for the software to communicate with the USB device.
 * The new user has no password yet, so you cannot log on with this account in any way other than with sudo.


 * Make sure that the sealone account cannot access your home directory. By default on many systems, all accounts can access other users' home directories. You can test the new account like this:
     sudo --user=sealone --set-home bash -c "cd \$HOME && bash"
   Now try to access some other user's home directory. It is probably a good idea that nobody else can access sealone's home directory either. The following commands restrict such permissive home directory permissions:
     chmod 0700 "$HOME"
     sudo chmod 0700 ~sealone


 * Add an automount entry to /etc/fstab for the virtual CD-ROM drive with a fixed mount point like /mnt/SEALONE, so that the sealone user account can also access it. The easiest way is to use the GNOME Disks utility (gnome-disks). Look for menu item "Edit Mount Options...". You can choose other ways to identify the virtual CD-ROM, but the default by-id is probably fine. This is what gets added to fstab:
     /dev/disk/by-id/usb-SEALONE_SecureSignToken-0:0 /mnt/SEALONE auto nosuid,nodev,nofail,noauto,x-gvfs-show 0 0

 * Create a desktop launcher to run the SealOne application in text-only mode. In this example, I am using my run-in-new-console.sh script for convenience:
     /home/some/path/Tools/RunInNewConsole/run-in-new-console.sh --console-title='SealOne' --console-icon=media-optical -- "cd / && sudo --set-home --user=sealone /mnt/SEALONE/SealOne --nogui"
   - We would normally use "sudo --login", but I could not make it work with the sudoers configuration shown below.
   - We are doing "cd /" beforehand, so that the sealone user does not get access to the current directory. Somehow the current directory seems to escape access permissions in that sudo scenario.
 * You can add more such desktop shortcuts in order to rotate the screen (--rotate-display) or to change the zoom level (--toggle-display-zoom). For example:
     cd / && sudo --set-home --user=sealone /mnt/SEALONE/SealOne --rotate-display
   Such shortcuts can only be used when the main application (the one with --nogui) is already running.


 * In order to prevent the sudo password prompt, add the following line to the sudoers configuration, or even better, to some new file inside /etc/sudoers.d (always edit such configuration files with "sudo visudo"):

%sudo ALL=(sealone) NOPASSWD: /mnt/SEALONE/SealOne *
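
One way to verify the two file-level settings from the steps above, as an added example that is not part of the original article: a POSIX shell audit of a home directory's mode and of the nosuid/nodev options in the fstab entry. The function names are hypothetical, and /home/sealone is assumed to be the home directory that useradd created.

```sh
#!/bin/sh
# Added example (not the article's code): audit the home directory
# permissions and the fstab mount options from the setup steps.
# Function names are hypothetical; requires GNU stat (stat -c).

# Succeeds if directory $1 grants nothing to group or others (e.g. 0700).
home_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Succeeds if fstab file $1 mounts mount point $2 with nosuid and nodev.
# Returns 2 when there is no entry for that mount point.
fstab_entry_is_hardened() {
    awk -v mp="$2" '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) seen[opts[i]] = 1
        }
        END {
            if (!found) exit 2
            if (("nosuid" in seen) && ("nodev" in seen)) exit 0
            exit 1
        }' "$1"
}

# Prints one PASS/FAIL line per check; returns non-zero if any check fails.
audit_sandbox() {   # $1 = sealone home, $2 = fstab path, $3 = mount point
    rc=0
    if home_is_private "$1"; then echo "PASS home $1 is private"
    else echo "FAIL home $1 is accessible to other accounts"; rc=1; fi
    if fstab_entry_is_hardened "$2" "$3"; then echo "PASS $3 has nosuid,nodev"
    else echo "FAIL $3 missing from $2 or lacks nosuid/nodev"; rc=1; fi
    return $rc
}

# Usage (assumed home path): sh audit.sh /home/sealone /etc/fstab /mnt/SEALONE
if [ "$#" -eq 3 ]; then audit_sandbox "$@"; fi
```

Run the same check against your own home directory as well, since the article's concern is the sealone account reading other users' files.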

Starting the Application
These are the user instructions in English:


 * 1) Connect the Seal One USB to the computer.


 * A CD-ROM icon is displayed on the USB device shortly afterwards.


 * 2) Wait until the virtual CD-ROM automatically opens or gets mounted.


 * Despite the automount entry in /etc/fstab, some systems still do not automount it. It should however appear automatically as a new drive in the standard file manager, so just click on it to get it mounted. The mount location in the /etc/fstab entry should still take effect.


 * 3) Close any window with the CD-ROM contents that may have opened.


 * 4) Start the Seal One application only with the special desktop icon for that purpose that you created during the first installation steps above.


 * A text console will appear, but you do not need to interact with it. In fact, it shows no messages at all. You only have to interact with the USB device itself, when the bank's web interface tells you to look at it. The icon on the USB device will change to show a house, an arrow and a USB stick.


 * 5) When you are finished using the Seal One, simply close the window with the Seal One application.


 * Afterwards, disconnect the Seal One USB from your computer.

The same instructions, translated from the German version:


 * 1) Connect the Seal One USB to the computer.


 * Shortly afterwards, a CD-ROM icon is displayed on the USB device.


 * 2) Wait until the virtual CD-ROM is automatically opened or mounted.
 * If that does not happen, find the device in the file manager and click on it.


 * 3) Close the window with the contents of the virtual CD-ROM, if one appeared.


 * 4) Start the Seal One application exclusively via the special desktop icon for that purpose.


 * This is the icon that you created during the first installation steps above.


 * A text console will open, but you do not need to use it. No messages are shown there anyway. You only have to interact with the USB device itself when the bank's web interface asks you to. The icon on the USB device changes and now shows a house, an arrow and a USB stick.


 * 5) When you are finished with the Seal One USB, simply close the application window.


 * Afterwards, disconnect the Seal One USB device from the computer.

Other Notes I Kept

 * USB information for a Seal One USB 3200 K:


 * USB IDs: 219c:0010


 * Two devices come up: one USB mass storage, of type CD-ROM, and one human interface device (like a keyboard). The corresponding output from lsusb -t:

     Bus 06.Port 1: Dev 1, Class=root_hub, Driver=uhci_hcd/2p, 12M
         |__ Port 1: Dev 5, If 0, Class=Mass Storage, Driver=usb-storage, 12M
         |__ Port 1: Dev 5, If 1, Class=Human Interface Device, Driver=usbhid, 12M


 * Notes about the Seal One software:
 * I have tested version 1.6.1.1 as of June 2019.
 * If you remove the USB stick, it will remain running in the background, whether or not it has been configured for autostart, which raises further privacy concerns.
 * If the software is already running, the USB stick will not register itself as a virtual CD-ROM drive. However, if you start the software later on, the virtual CD-ROM drive will remain.
 * Sometimes the taskbar icon does not show up (when running in GUI mode), so that you cannot easily rotate or magnify the screen. Starting another instance of the same application does not make the menu or the welcome screen appear. You then have to manually kill the "SealOne" process, remove the USB stick, reconnect it and restart the software.
 * If option "Enable Seal One USB quickstart" is enabled, the application will add itself to the application autostart list. It then copies itself to directory $HOME/.sealone.
 * I guess the software can update the firmware on the USB stick, but I have yet to try that out. I could not find a "check for updates" option.


 * I initially tried just logging on with the sealone user account, using the "switch to user" option, but both Ubuntu MATE 18.04 and Xubuntu (Xfce) 18.04 have problems with the CD-ROM automounter if more than one user is logged on locally. The virtual CD-ROM gets mounted for one user, and the other one gets a strange prompt. Only one user, often the wrong one, can then access the CD-ROM. Therefore, I am now using the software's text mode inside a terminal window.


 * I wanted to use the guest user account for the sealone software, but Ubuntu has disabled it for quite some time now. Apparently, there are unresolved problems in some modern session managers with such guest accounts. Therefore, using an automatic guest account is no longer an option.
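
The notes above say that the application keeps running after the stick is removed and that it can copy itself to $HOME/.sealone and add itself to the autostart list. The following added example (not part of the original article) checks a sandbox account for those leftovers after a session; the function names are hypothetical, and it assumes the autostart entry is an XDG .desktop file under ~/.config/autostart that mentions SealOne.

```sh
#!/bin/sh
# Added example (not the article's code): look for what the application
# may leave behind in the sandbox account. Function names are hypothetical.

# Lists persistence artefacts under home directory $1, one per line:
# the $HOME/.sealone copy named in the article, and any autostart entry
# mentioning SealOne. The entry's file name is not documented, so this
# matches on content (assumption: standard XDG autostart directory).
find_sealone_leftovers() {
    [ -d "$1/.sealone" ] && echo "copy: $1/.sealone"
    if [ -d "$1/.config/autostart" ]; then
        grep -lis 'sealone' "$1"/.config/autostart/*.desktop 2>/dev/null |
            sed 's/^/autostart: /'
    fi
    return 0
}

# Succeeds if a process named SealOne is still running for account $1.
sealone_still_running() {
    pgrep -u "$1" -x SealOne >/dev/null 2>&1
}

# Prints every finding; returns 1 if anything was found, 0 if clean.
post_session_check() {   # $1 = account name, $2 = its home directory
    found=$(find_sealone_leftovers "$2")
    if sealone_still_running "$1"; then
        found="${found:+$found
}process: SealOne still running as $1"
    fi
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage (assumed home path): sudo sh check.sh sealone /home/sealone
if [ "$#" -eq 2 ]; then post_session_check "$@"; fi
```

Reading another account's 0700 home directory requires root, hence the sudo in the usage line.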