How to disable USB device

Whitelist or render inoperative any USB device to secure your personal belongings.

Disable particular USB device

I will disable a cheap Samsung tablet, so that it won't mount when connected.

Display USB devices before the device is connected.

$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp. 
Bus 002 Device 003: ID 8087:0a2a Intel Corp. 
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Display USB devices after the device is connected.

$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp. 
Bus 002 Device 003: ID 8087:0a2a Intel Corp. 
Bus 002 Device 029: ID 04e8:6860 Samsung Electronics Co., Ltd Galaxy (MTP)
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

The new device can be identified by vendor ID 0x04e8 (Samsung Electronics Co., Ltd) and product ID 0x6860 (Galaxy (MTP)).

Identify the device path in sysfs, which is needed to display more detailed udev information.

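$ idVendor="04e8"; idProduct="6860"; \
  find -L /sys/bus/usb/devices/ -maxdepth 2 -name idVendor -exec grep -lx -- "$idVendor" {} + | \
    while IFS= read -r line; do
      # Each idVendor file sits next to the idProduct file of the same device.
      location=$(dirname -- "$line")
      # -x compares the whole line, so a partial ID cannot match another device.
      if grep -qx -- "$idProduct" "$location/idProduct"; then
        printf '%s\n' "$location"
      fi
    done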
/sys/bus/usb/devices/2-2

Use device path to display udev information.

$ udevadm info --attribute-walk --path=/sys/bus/usb/devices/2-2
Udevadm info starts with the device specified by the devpath and then
walks up the chain of parent devices. It prints for every device
found, all possible attributes in the udev rules key format.
A rule to match, can be composed by the attributes of the device
and the attributes from one single parent device.

  looking at device '/devices/pci0000:00/0000:00:14.0/usb2/2-2':
    KERNEL=="2-2"
    SUBSYSTEM=="usb"
    DRIVER=="usb"
    ATTR{authorized}=="0"
    ATTR{avoid_reset_quirk}=="0"
    ATTR{bConfigurationValue}==""
    ATTR{bDeviceClass}=="00"
    ATTR{bDeviceProtocol}=="01"
    ATTR{bDeviceSubClass}=="00"
    ATTR{bMaxPacketSize0}=="64"
    ATTR{bMaxPower}==""
    ATTR{bNumConfigurations}=="1"
    ATTR{bNumInterfaces}==""
    ATTR{bcdDevice}=="0400"
    ATTR{bmAttributes}==""
    ATTR{busnum}=="2"
    ATTR{configuration}==""
    ATTR{devnum}=="29"
    ATTR{devpath}=="2"
    ATTR{idProduct}=="6860"
    ATTR{idVendor}=="04e8"
    ATTR{ltm_capable}=="no"
    ATTR{manufacturer}=="SAMSUNG"
    ATTR{maxchild}=="0"
    ATTR{product}=="SAMSUNG_Android"
    ATTR{quirks}=="0x0"
    ATTR{removable}=="removable"
    ATTR{serial}=="3801a4eaab8a3400"
    ATTR{speed}=="480"
    ATTR{urbnum}=="32"
    ATTR{version}==" 2.00"

  looking at parent device '/devices/pci0000:00/0000:00:14.0/usb2':
    KERNELS=="usb2"
    SUBSYSTEMS=="usb"
    DRIVERS=="usb"
    ATTRS{authorized}=="1"
    ATTRS{authorized_default}=="1"
    ATTRS{avoid_reset_quirk}=="0"
    ATTRS{bConfigurationValue}=="1"
    ATTRS{bDeviceClass}=="09"
    ATTRS{bDeviceProtocol}=="01"
    ATTRS{bDeviceSubClass}=="00"
    ATTRS{bMaxPacketSize0}=="64"
    ATTRS{bMaxPower}=="0mA"
    ATTRS{bNumConfigurations}=="1"
    ATTRS{bNumInterfaces}==" 1"
    ATTRS{bcdDevice}=="0411"
    ATTRS{bmAttributes}=="e0"
    ATTRS{busnum}=="2"
    ATTRS{configuration}==""
    ATTRS{devnum}=="1"
    ATTRS{devpath}=="0"
    ATTRS{idProduct}=="0002"
    ATTRS{idVendor}=="1d6b"
    ATTRS{interface_authorized_default}=="1"
    ATTRS{ltm_capable}=="no"
    ATTRS{manufacturer}=="Linux 4.11.0-13-generic xhci-hcd"
    ATTRS{maxchild}=="11"
    ATTRS{product}=="xHCI Host Controller"
    ATTRS{quirks}=="0x0"
    ATTRS{removable}=="unknown"
    ATTRS{serial}=="0000:00:14.0"
    ATTRS{speed}=="480"
    ATTRS{urbnum}=="8014"
    ATTRS{version}==" 2.00"

  looking at parent device '/devices/pci0000:00/0000:00:14.0':
    KERNELS=="0000:00:14.0"
    SUBSYSTEMS=="pci"
    DRIVERS=="xhci_hcd"
    ATTRS{broken_parity_status}=="0"
    ATTRS{class}=="0x0c0330"
    ATTRS{consistent_dma_mask_bits}=="64"
    ATTRS{d3cold_allowed}=="1"
    ATTRS{device}=="0x9cb1"
    ATTRS{dma_mask_bits}=="64"
    ATTRS{driver_override}=="(null)"
    ATTRS{enable}=="1"
    ATTRS{irq}=="44"
    ATTRS{local_cpulist}=="0-3"
    ATTRS{local_cpus}=="f"
    ATTRS{msi_bus}=="1"
    ATTRS{numa_node}=="-1"
    ATTRS{revision}=="0x03"
    ATTRS{subsystem_device}=="0x0665"
    ATTRS{subsystem_vendor}=="0x1028"
    ATTRS{vendor}=="0x8086"

  looking at parent device '/devices/pci0000:00':
    KERNELS=="pci0000:00"
    SUBSYSTEMS==""
    DRIVERS==""

Create a udev rule to deauthorize this device as soon as it is added.

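$ sudo tee /etc/udev/rules.d/01-disable-samsung.rules << 'EOF'
# Deauthorize the Samsung Galaxy (MTP) tablet, 04e8:6860, when it is added.
# idVendor and idProduct are reported by the device itself, so this rule
# blocks this model only; a device presenting other IDs is not matched.
SUBSYSTEM=="usb", ACTION=="add", ATTR{removable}=="removable", ATTR{idVendor}=="04e8", ATTR{idProduct}=="6860", ATTR{authorized}="0"
EOF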

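This device will be unusable the next time it is connected to the computer. The rule matches the vendor and product IDs that the device itself reports, so it blocks this particular model; it is not a control against a device that presents different IDs.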

Whitelist USB devices

Display basic USB devices.

$ lsusb
Bus 001 Device 002: ID 8087:8001 Intel Corp. 
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp. 
Bus 002 Device 003: ID 8087:0a2a Intel Corp. 
Bus 002 Device 012: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

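Authorize these USB devices and their children, but only if the matching parent device is not a hub. Every other USB device is deauthorized when it is added, so make sure the devices you depend on (a keyboard, for example) are on the list.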

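$ sudo tee /etc/udev/rules.d/01-usb-whitelist.rules << 'EOF'
# USB whitelist: devices listed below keep their authorization, every other
# USB device is deauthorized when it is added.
# Matching is by idVendor/idProduct, which the device reports itself, so a
# device presenting a listed ID pair is treated as that device.
# Test these rules with another way into the machine available (for example
# SSH), because an unlisted keyboard is deauthorized as well.

# Only "add" events for the usb subsystem reach the list.
ACTION    != "add", GOTO = "usblist_rules_end"
SUBSYSTEM == "usb", GOTO = "usblist_usb_rules"
GOTO="usblist_rules_end"

LABEL="usblist_usb_rules"

# Each entry has two rules: ATTR{} matches the listed device itself, ATTRS{}
# matches its children through a parent with these IDs, unless that parent is
# a hub (bDeviceClass 09), so a device is not authorized merely because it is
# plugged into a listed hub.
# NOTE(review): USB interfaces belong to the usb subsystem too; confirm on
# your kernel that the interfaces of listed hubs are not caught by the final
# catch-all rule.

# Bus 001 Device 002: ID 8087:8001 Intel Corp.
ATTR{idVendor}  == "8087", ATTR{idProduct}  == "8001",                              GOTO = "usblist_rules_end"
ATTRS{idVendor} == "8087", ATTRS{idProduct} == "8001", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"

# Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
ATTR{idVendor}  == "1d6b", ATTR{idProduct}  == "0002",                              GOTO = "usblist_rules_end"
ATTRS{idVendor} == "1d6b", ATTRS{idProduct} == "0002", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"

# Bus 003 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
ATTR{idVendor}  == "1d6b", ATTR{idProduct}  == "0003",                              GOTO = "usblist_rules_end"
ATTRS{idVendor} == "1d6b", ATTRS{idProduct} == "0003", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"

# Bus 002 Device 093: ID 0bda:5682 Realtek Semiconductor Corp.
ATTR{idVendor}  == "0bda", ATTR{idProduct}  == "5682",                              GOTO = "usblist_rules_end"
ATTRS{idVendor} == "0bda", ATTRS{idProduct} == "5682", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"

# Bus 002 Device 003: ID 8087:0a2a Intel Corp.
ATTR{idVendor}  == "8087", ATTR{idProduct}  == "0a2a",                              GOTO = "usblist_rules_end"
ATTRS{idVendor} == "8087", ATTRS{idProduct} == "0a2a", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"

# Bus 002 Device 012: ID 045e:0745 Microsoft Corp. Nano Transceiver v1.0 for Bluetooth
ATTR{idVendor}  == "045e", ATTR{idProduct}  == "0745",                              GOTO = "usblist_rules_end"
ATTRS{idVendor} == "045e", ATTRS{idProduct} == "0745", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"

# Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
ATTR{idVendor}  == "1d6b", ATTR{idProduct}  == "0002",                              GOTO = "usblist_rules_end"
ATTRS{idVendor} == "1d6b", ATTRS{idProduct} == "0002", ATTRS{bDeviceClass} != "09", GOTO = "usblist_rules_end"

# Other USB devices - deauthorize
ATTR{authorized}="0"

LABEL="usblist_rules_end"
EOF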

References

Authorizing (or not) your USB devices to connect to the system

USB Class Codes

About Milosz Galazka

Milosz is a Linux Foundation Certified Engineer working for a successful Polish company as a system administrator and a long time supporter of Free Software Foundation and Debian operating system.