[HN Gopher] Usbkill - anti-forensic tool to halt computer when new USB device is connected Author : berkas1 Score : 327 points Date : 2020-08-06 09:39 UTC (13 hours ago) | brian_herman wrote: | I thought this was https://usbkill.com/ I think maybe this would | be more effective in anti-forensic because it actually destroys | the computer? | csunbird wrote: | Gets the work done, somehow. | numlock86 wrote: | Obligatory $5 wrench comment: https://xkcd.com/538/ | | Something like this is probably good when you - as a person - are | not around when your hardware gets extracted from your place. But | then again, why would it be running openly and unattended in the | first place? | ex_amazon_sde wrote: | Can we please stop endlessly repeating this? Life is much more | complex than that. | | A small laptop, a phone or a tablet can be stolen from you | while powered on and unlocked by a simple thief that has no | intention, nor ability, to capture and torture you. | | The thief could then quickly hand the device to other people | that flash it and sell it in a different country. But first | they might extract any valuable data. | numlock86 wrote: | > Life is much more complex than that. | | > [...] a simple thief that has no intention, nor ability, to | capture and torture you | | By your comment I assume you live in a developed country | and/or are not within a regularly oppressed minority, which | of course, is a nice privilege. Sadly not everyone is that | lucky and torture over something as simple as $1 online | transactions is pretty real. | Nasrudith wrote: | That isn't privilege but a matter of the threat model to | protect against - stop with the irrelevant pseudomoralist | privilege shaming shit.
| | If they wanted protection against that they would | recommend a gun or several mercenary bodyguards. Which | would require money and connections. But the topic isn't | "How to quickly kill or incapacitate three or more men with | only your bare hands while having legal cover". | dividedbyzero wrote: | In many places, law enforcement will pressure but not torture | you to provide decryption keys, maybe imprison you for a while, | fine you, ... | | But that may be preferable to them knowing about all those | highly illegal nuclear doomsday space arms technology knowledge | deals you've brokered, or that collection of child porn, or | those detailed assassination plans, or whatever. Maybe the | authorities suspect something, maybe a SWAT team will snatch | your laptop, but if all evidence is in there and encrypted, you | may get off with a lot less than otherwise. | kwhitefoot wrote: | In the UK you might well be in prison for five years for | refusing to hand over the keys. | | https://www.schneier.com/blog/archives/2007/10/uk_police_can. | .. | | Not sure what the situation is now. | DanBC wrote: | Section 49 to force key disclosure should only happen if: | | + The person being given the notice has the key | | + Investigators need the key to prevent or detect crime | | + Disclosure is proportionate | | + They can't get the encrypted material by other means | | Not complying with this is a criminal offence. The maximum | sentence is 2 years, unless it's a case involving child | sexual exploitation or national security where the maximum | sentence is 5 years. | | There is a code of practice for use of these powers here: | https://www.gov.uk/government/publications/code-of- | practice-... | | I think that properly regulated key disclosure powers are | important. I'm not sure we (the UK) are getting it right | with RIPA. I'd want to see stronger audit and oversight of | the S49 notices, and better advice given to people who are | served S49 notices.
| | For example: I have no idea how many people are served S49 | notices, and I don't really know how to find out. I don't | know how many people have been imprisoned for not | disclosing keys; I don't know what sentences they've been | given; and I'm not clear on how to find that out. I feel | that it should be easier for citizens to have clear data | about these really intrusive powers. | | EDIT: I just found this page, and it seems like it's small | numbers of people. But still, it's a bit worrying. https:// | wiki.openrightsgroup.org/wiki/Regulation_of_Investig... | Jaruzel wrote: | > _Investigators need the key to prevent or detect crime_ | | That's a bit scary. 'Detect crime' could be pure | speculation on the police's part. | | "We think you've done something bad, let us see the | contents of your phone. No we don't have any evidence | already as we're detecting the crime right now." | DanBC wrote: | I'm not sure that would be proportionate. | | It's not great, but it's better than before where this | kind of crime detection had much less regulation. | tupac_speedrap wrote: | Get out spook. | worewood wrote: | Hidden operating system is the way to go. Usbkill turns the | machine off, when asked you supply the public password. | londons_explore wrote: | Investigators will say "you sent this email to your dad | at 09:29 on Tuesday, yet it wasn't sent from your phone | or laptop according to device logs. You either have | another device you haven't given us, or you haven't | decrypted the right partition". | ta17711771 wrote: | You sent shit to your dad from the wrong | machine/partition. | R0b0t1 wrote: | "Prove it." | Nasrudith wrote: | Boot drives with no cache are the perfect answer to this | through a lawyer. "USB boot drive. There are no logs kept | to it. I'm not hiding anything, it is just good sense to | use a computer which doesn't persist any state limiting | any malware to session only in the very worst case."
| tyingq wrote: | Veracrypt has a hidden volume feature where you give up a | distress key, and a hopefully plausible second volume is | decrypted instead of the real one. | giomasce wrote: | Also, you can decide to reveal your secret after having | discussed the matter with a lawyer. | berkas1 wrote: | This (link) is actually referred to as Rubber-hose | cryptanalysis -> https://en.wikipedia.org/wiki/Rubber- | hose_cryptanalysis | gamblor956 wrote: | Destroying evidence is considered a crime on its own. Use | something like this at your own legal risk, since it's usually | far easier to prove obstruction than it is to prove the | underlying crimes that were being investigated. | captainmuon wrote: | Interesting project, I'm sure this is useful for people at risk. | | Somewhat related, I'm wondering about the physical security of | computers. There is an attack where they open your PC, take out | the RAM, and freeze it immediately so the bits don't decay and | they can extract your encryption keys. | | All BIOSes have an option for chassis intrusion detection, but | I've never seen a case that has the necessary cable. Has anybody | here set up a chassis intrusion kill switch that erases the | RAM/shuts down the PC etc. if the case is opened improperly? Can | you buy anything like this on the market? | alfiedotwtf wrote: | Back in the BBS days, there were textfiles describing how to | wire your beige box to either turn on strong magnets or ignite | termite if a case opening was detected. | | ... I don't know of anyone actually implementing this though :) | geerlingguy wrote: | I would imagine that's thermite and not termite ;) | | If the latter, the server would probably be okay, and it | would take a very long time for the termites to damage the | surrounding room enough to be a security deterrent. | DoofusOfDeath wrote: | Probably just a debugging technique. | hinkley wrote: | Well, it certainly complicates debugging. | Teknoman117 wrote: | or a _bugging_ technique?
| kibwen wrote: | Nah, it's termite. You're trying to destroy your logs, | right? | Fjolsvith wrote: | This was a plot device used in the TV series _Mr. Robot_ | Season 2, Episode 3, about 27 minutes in. | Nasrudith wrote: | I think in most cases the thermite trap would probably get | you into more trouble for ATF violations and not even help by | adding destruction of evidence and whatever they imagined was | on the drive unless you had some authority like security | clearance and classified documents or some sort of legal | pretext to justify uses of such flammable booby traps. | codezero wrote: | It's funny when I think back, I was a teen in the 90s and did | plenty of questionable stuff online and w/ local BBS scene | (Kevin Mitnick was busted in Raleigh and many rumors existed | about his presence in the BBS scene, obviously fantasy | though!). | | Nobody I know who got arrested ever managed to destroy | anything. When I think about it, we all assumed the cops | would storm in when we were in the act of doing something | bad, probably like in the movies lol, when in practice, they | tend to pick you up when you are really off guard, duh. | | Very few people had automatic protections because like, our | parents would probably get mad if we burned down the house :) | | When it came to me, the FBI did knock on my front door, and I | managed to dd if=/dev/random of=/dev/hda | | I lost my entire BBS, all the custom code and ANSI I had for | it, among other ancient treasures that I'd probably still | have with my napster mp3s :) | | Of course they didn't come for me, there had been a flasher | in the neighborhood on halloween... | jandrese wrote: | The FBI was investigating a flasher? | codezero wrote: | I could be remembering incorrectly, but it may have been | recurring or not even really the FBI, but state police | or something and my parents said it was the FBI.
| | I only saw people in suits with a black car outside | knocking on the door, also this was like 30 years ago so | don't twist my arm :) | luckylion wrote: | Some ideas have been tested, there was an entertaining talk a | few years back at DefCon: | https://www.youtube.com/watch?v=-bpX8YvNg6Y | [deleted] | asimpletune wrote: | Touch Bar MBPs are protected against this right? | [deleted] | osivertsson wrote: | I doubt there is a need to open the case for a sophisticated | attacker. If there is even the slightest opening for air you | can run camera optics and freeze spray tubes to RAM I would | imagine. | NovemberWhiskey wrote: | This is why security-sensitive devices are often encapsulated | and potted in epoxy or similar. | seanhunter wrote: | Here are details of this attack for people who want more details | https://citp.princeton.edu/our-work/memory/ | | If memory serves correctly they achieved the best results by | using a can of compressed air to freeze the RAM in place before | removal. | | //Small edit to wording | close04 wrote: | Many of the measures that provide effective physical security | also make a device really unsuited for personal usage. Look | at HSMs for an example of this. And even they rely on being | stored in a physically secure room and protected from theft. | | It's a matter of being more determined than your attacker. | Imagine a device that will irretrievably brick itself if | tilted more than a certain angle, if left unpowered for more | than a certain time, etc. and that has to be under constant | guard. This seems almost incompatible with any kind of | personal use. And some measures may only work in one | instance, with the attacker planning for them the second time | they have an operation. | | Many attackers also don't have the same restrictions the | police have.
In the Ulbricht case the police may have been | forced to use a device that copies the data with no human | intervention just to preserve the chain of evidence and not | have suspicions that the agent operating the laptop altered | it while installing additional software. An attacker | operating in the grey/dark area might just immobilize the | user, snip the wrist cable, and then retrieve the necessary | data either directly at the console or by siphoning it via | the network. Or the police may just start video recording in | great detail every step from the moment an agent touched the | laptop until the data was exfiltrated to remove suspicions of | tampering. | | But such a tool would be of great effect against an | undetermined, unsophisticated attacker committing a crime of | opportunity. | zzz61831 wrote: | Personal computers have an advantage here: it is acceptable | for them not to work when they are not directly used by | someone. It means they can be stored in safes when not used | and have all the encryption keys securely erased when not | used. For example, a screen locker could stop all the | processes and erase all the keys from registers and memory | assuming both disk and memory encryption. And the locker | itself could be triggered by some proximity sensor, RFID, | camera, whatever, not just input inactivity timeout. | close04 wrote: | Storing your personal computer in a safe when not using | it is probably the very definition of "almost | incompatible with any kind of personal use". And at this | point you just move the weak link from the device to the | safe's lock. HSM-like physical security is good for | making the device tamper proof and ensuring that no data | can be retrieved under any circumstances other than the | one accepted "regular use" way.
| | Putting a regular device in a safe leaves it exposed to | someone unlocking the safe and compromising the device by | implanting a keylogger inside or even by putting a | replacement identical device there and waiting for the | user to type the boot password. | | As for methods of emergency clearing sensitive data from | memory while in operation, whatever method is employed | will work once. The next time the attacker is ready for | that particular method. For example the police might just | have to completely immobilize the suspect (and their | hands) and keep the laptop in the vicinity while the | "dead man's switch" is bypassed. | hinkley wrote: | > And even they rely on being stored in a physically secure | room and protected from theft. | | Not exactly. You don't want someone sneaking in and | misappropriating the HSM to authorize something bad. And if | you set the system up for unattended recovery from a power | failure, then in all likelihood someone walking off with | the server the HSM is in can use those keys indefinitely. | But there are options. | | Some HSMs have self-destruct mechanisms that attempt to | prevent physical access to the private key (ie by lapping | the chip). Some vendors (nCipher, IIRC) have a smart card | (a second HSM) that is required to authorize certain | activities, like signing, or key recovery. In fact they had | a byzantine generals solution that either had the key or a | password for the key split between n cards. In the latter | case you needed one of the original HSMs in order to clone | the key, so a movie plot where you kidnap the entire team | at a conference doesn't work. During initial setup the cert | would be generated on the first HSM and copied to the | others, having never seen daylight. 
| | That system was quite difficult to explain to users, and I | had to document it just so _I_ wouldn't get confused and | trigger a reset of the evaluation hardware (at which point | all of our test artifacts have to be rebuilt). | | It might be more complicated to start WWIII than to protect | a signing certificate, but only just. | close04 wrote: | > Not exactly. You don't want someone sneaking in and | misappropriating the HSM to authorize something bad. | | I think we're talking about exactly the same thing :). | That's what I meant by "even they rely on being stored in | a physically secure room and protected from theft". | Despite all the hardening that is applied to the device, | it must always be kept secure and supervised. As an | example, this is what Safenet considers the intended | installation environment should be [0]. | | This can't be effectively applied to a personal computer. | | [0] http://cloudhsm-safenet-docs-5.3.s3-website-us- | east-1.amazon... | claudiawerner wrote: | Does anyone have pointers as to whether this is even possible | with DDR4 on modern machines? | aaron695 wrote: | I think the real question is has it ever been used in the | wild on any DDR? | | "In recent years, however, it has become increasingly | challenging to execute cold boot attacks or perform | physical memory forensics due to the introduction of DRAM | memory scramblers. Modern processors with DDR3 and DDR4 | DRAM scramble data by XOR'ing it with a pseudorandom number | before writing it to DRAM [5], [6]. These scramblers were | initially introduced to mitigate the effects of excessive | current fluctuations on bus lines by ensuring bits on the | memory bus transition nearly 50% of the time" | | DDR4 is also yes in the lab - | | https://web.eecs.umich.edu/~misiker/resources/HPCA17-coldbo | o...
| Asmod4n wrote: | Chenbro makes cases with intrusion detection, bought one nearly | 20 years ago and they still make similar ones: | http://www.chenbro.com/en-global/products/TowerServerChassis... | macNchz wrote: | I have a Lenovo M93P Tiny which came with a chassis intrusion | switch installed. It seems you can have it block | startup/require a password when the case is opened and notify | some central admin. I don't know what happens if you open the | case while it's running, though. | | I'm not sure if it's something they offer on current models, or | to individuals at all (I bought it used from a corporate IT | asset liquidator so it was likely originally purchased as part | of a bulk deal). Regardless it makes a great little Linux box! | R0b0t1 wrote: | That feature is fairly common but practically quite useless | and easy to circumvent if you can find the model information. | Even with PCI-DSS enclosure compliance you can get in if you | can take power tools to it. The assumption is power tools | would be too obvious to use in a typical installation. | destory-everyth wrote: | Work at a big bank, we won't procure laptops without this | and yes we will know when you have opened it and you won't be | able to boot it, I think something happens with bitlocker | also but not sure. | umvi wrote: | > Interesting project, I'm sure this is useful for people at | risk. | | Could you expound on what this means? In the USA/UK, people | most "at risk" of police kicking down the door seizing their | laptops/computers while they are still running are child | pornographers. | | Perhaps this can be used "for good" under oppressive regimes | (i.e. if you are a dissenting journalist) but then I think you | won't get a fair trial anyway and having a kill switch just | means more prison.
| captainmuon wrote: | I know a shocking amount of innocent people who have been | targets of surveillance and criminal investigations or who even | had their homes raided - in western european countries. | Thankfully the courts are still working as they should, and | all but one were fully acquitted. | | It can happen if you are a political activist in any fashion. | Nothing violent, just speaking out for rent control and | against gentrification can get you in trouble. Or hanging | around with the wrong people. | | When it happens, you want to leave them as little rope as | possible to hang you with. As I said, the courts still are | honest and they won't make up evidence, but they will take | everything they can find to make a case - and to learn about | your structures and networks while they are at it. | | You are right, that in real oppressive regimes all bets are | off. If they want to get you, they won't stop at their own | laws. But even then, these techniques are useful against | industrial espionage. If you are doing business in certain | countries, the "evil maid" is quite real... | toxik wrote: | This is a somewhat pessimistic outlook on humanity, first off | I would say that those who are most commonly at risk are | those with trade secrets. Patented tech and investment intel | for example. | | As for the dissenters, I'm sure they would appreciate their | co-conspirators remain secret. | umvi wrote: | > This is a somewhat pessimistic outlook on humanity, first | off I would say that those who are most commonly at risk | are those with trade secrets. Patented tech and investment | intel for example. | | Can you provide any evidence at all of police or "thugs" | (or anyone, really) kicking down doors to get at trade | secrets being a common problem? Because there are countless | news articles of police raids seizing computers to stop | child porn[0].
| | I speculate any tool billed as "anti-forensic" will be used | for immoral purposes more commonly than moral purposes. | | [0] https://en.wikipedia.org/wiki/Jared_Fogle#Child_pornogr | aphy_... | Teknoman117 wrote: | It is an _absolute certainty_ that any tool to improve | privacy and security is going to be used by malicious | actors. | | That does not mean it should be banned. Knives are used | for many things from cutting food and opening boxes to | killing people. Nitrate-based fertilizers can be used for | vastly improving crop yields but can also be used for | bombs. Encryption can be used to protect your sensitive | personal data from criminals and prying eyes, but can | also be used by the criminals themselves to hide their | activities. | | No state (even if it was the most ethically illuminated | utopia) has the power to protect every person in every | place at every time. Banning defensive tools is asinine | as rarely does it mean that a criminal won't use them | against you. | toxik wrote: | The threat model in corporate espionage is absolutely one | of theft of property. It's a lot easier to steal | somebody's laptop than to hack it. | Nasrudith wrote: | That is a dangerously naive viewpoint - trusting that the | only instances are the ones they proudly brag about? When | they have been caught not even allocating all of the | funds for Child Pornography prevention they have been | allocated while using "the children" as an excuse to | undermine cryptography? | | It is doubly foolish to believe that the police are the | only users of forensic software when there is credit card | theft and multimillion dollar ransomware rings out there. | Robbing a bank by force or by heist is foregone jail but | snatching a laptop from a banker? Far more petty in risk | and disguised as mere property theft as opposed to the | data theft. | pjc50 wrote: | _Suspected_ child pornographers.
There was some concern that | the door kicking had gone too far on too little evidence once | it reached Cliff Richard. | _kbh_ wrote: | Memory encryption technologies such as AMD's Secure Encrypted | Memory (SME) would be your best bet to combat this, along with | other anti-evil maid protections. | | https://en.wikichip.org/wiki/x86/sme#Overview | https://www.qubes-os.org/doc/anti-evil-maid/ | captainmuon wrote: | There are also things like TRESOR [1] which keep all | encryption keys inside the CPU. I'm not sure what the current | state of the art is. | | There are so many possible evil maid attacks that I think it | would be useful to add a physical layer, just in case. | | [1] https://en.wikipedia.org/wiki/TRESOR | fortran77 wrote: | Agreed; but this USBKill is a good protection for ordinary city | police, or even a grab-and-run crime at a coffeeshop (with a | usb key attached to your wrist with a cord). | [deleted] | jokoon wrote: | I don't understand. Is USB just always insecure because of | hardware? | raziel2p wrote: | Yes, but that's unrelated. The idea here is that if a USB | device is connected to your machine, it's an indicator that | your machine is compromised. Mouse jigglers that stop your lock | screen from activating are very common when confiscating | machines: https://www.cru- | inc.com/products/wiebetech/mouse_jiggler_mj-... | | And of course, depending on the OS, it's possible to craft a | USB stick that copies files to a remote server as soon as it's | plugged in. | netsec_burn wrote: | An alternative approach may be to check idVendor and | idProduct (lsusb) to see if either matches a mouse jiggler | supplier or product. | jki275 wrote: | Those can be easily spoofed. I don't know if current mouse | jigglers in use have a specific Id or not, but there's no | reason they would have to have a recognizable Id.
| DarkWiiPlayer wrote: | Not sure if a blacklist approach is the most reasonable | solution when you're in a situation that you have to worry | about these things in the first place. | sasaf5 wrote: | Once I have seen a coworker improvising one of these by | placing a second (optical) mouse on top of a mechanical | wristwatch. | vinay427 wrote: | Hmm, this is actually rather nifty, although one issue I | see is it will only last a few days at most. I don't know | how long people who confiscate laptops normally need to run | mouse jigglers. | daffy wrote: | > depending on the OS, it's possible to craft a USB stick | that copies files to a remote server as soon as it's plugged | in. | | Is this possible with Linux? | michaelt wrote: | You can get a 'USB rubber ducky' [1] which emulates both a | USB memory stick and a USB keyboard, allowing you to script | keystrokes for the keyboard [2] | | So it can do anything a newly plugged in keyboard can do. | Which, if the user is already logged in, makes grabbing the | user's files easy. | | [1] https://shop.hak5.org/collections/usb-rubber- | ducky/products/... [2] https://github.com/hak5darren/USB- | Rubber-Ducky/wiki/Payloads | daffy wrote: | This will only work, I suppose, if the attacker knows | beforehand a keychord that will focus a terminal. | DarkWiiPlayer wrote: | on most desktop linux distros: <windows>terminal<enter> | is enough | jonathanstrange wrote: | Hehehe...on my machine that selects "Emacs (Terminal)". | Good luck with those key combos... | kryptiskt wrote: | Yes, the device can present itself as both a keyboard and | storage device and send the copy commands via keystrokes. | unionpivo wrote: | yes. Mouse jigglers pretend to be regular mice and keyboards. | maeln wrote: | Yes and no. The idea is to emulate a keyboard and mouse. | You then use OS shortcuts to, for example, start a terminal | and type commands in it.
So it can work with Linux but, | because of the diversity of Distribution, DE, etc, it is | more difficult to be sure of the shortcuts that you can | use, whereas on windows or mac, they will usually always be | the same (for example, Windows+R on windows to launch a | launcher, and then type cmd.exe). | pfundstein wrote: | In a similar vein, there's antijiggler[1] which only locks the PC | when a new device is connected. | | [1] http://www.codefromthe70s.org/antijiggler.aspx | raziel2p wrote: | Seems like a lot of code for what should be, on Linux anyway, a | simple udev rule? | | echo 'ACTION=="add", SUBSYSTEM=="usb", RUN+="/root/usb-changed.sh"' > /etc/udev/rules.d/usb- | changed.rules | | Then just put whatever you want to be run in /root/usb- | changed.sh. | darkwater wrote: | I think you would at least add an allowlist of safe (i.e. owned | by you) USB ids you don't want to shut your pc/laptop down if | connected | kawsper wrote: | Your script can have the allowlist so you don't have to | fiddle with udev every time you introduce or retire USB | devices. | darkwater wrote: | But then it's not a oneliner anymore, and the original | project starts to make sense. | loa_in_ wrote: | It doesn't warrant making a product that replaces a | dedicated feature of the system. To whitelist in usbkill | you have to do more than one line too. | zelon88 wrote: | I really like this concept. | | That's why I've made similar projects. One to detect when USB | storage devices get attached to domain workstations, and email | the administrator with device and user info..... | https://github.com/zelon88/Workstation_USB_Monitor | | And one which detects USB HID devices, confirms them, and | notifies the administrator..... | https://github.com/zelon88/Rubber_Ducky_Defender | 0xdeadb00f wrote: | A hotplugd script can be used to mimic this on OpenBSD | blue52 wrote: | Amazing work of art, bravo. | el_oni wrote: | I attended a talk by GSK and there was part of the talk about | security.
They don't allow usb devices to be plugged into their | analysis computers. But every year they get an intern that tries | to charge their phone from the PC USB. | | Something like this, that doesn't halt the computer but shows a | warning on screen and logs information would perhaps be a | solution to their problem. Although in the case of industrial | espionage maybe locking the system would be worth it... | lozf wrote: | At a former gig for a post-production facility we used CoSoSys | EndpointProtector to restrict USB access to workstations. Works | as described in your second paragraph, (logs and warning) admin | can then allow approved devices remotely if necessary. | SV_BubbleTime wrote: | I worked for a car mfg that had that on all their laptops. It | was annoying and I'm 99% certain no one ever checked up on | the alerts and instead was just logging in case there was an | issue later. | Benmcdonald__ wrote: | How does this work for usb typec? When I plug in my power cable | will my computer shutdown? | deadbunny wrote: | It lists the ability to whitelist devices in the article. | AnotherGoodName wrote: | And does it work for things that look exactly like USBC but are | actually Thunderbolt? (with all its direct memory access via | DMA and all of that nastiness). | | See the Apple combo USBC/Thunderbolt ports. | waldfee wrote: | If you are paranoid about something like this happening, just use | https://www.qubes-os.org/. all usb devices are jailed in a non- | networked vm by default. | | In general, if what you do warrants that level of paranoia, qubes | will help you massively. | | Micah Lee held a great overview talk at HOPE 2018: | https://www.youtube.com/watch?v=f4U8YbXKwog | kawsper wrote: | How does that work with input devices like keyboard and mouse? | waldfee wrote: | generally it is advised to use ps2 input (like most laptops' | integrated keyboard and touchpad).
| | details on using usb keyboard and mouse here: | https://www.qubes-os.org/doc/usb-qubes/ | czechdeveloper wrote: | I don't think it solves the same problem. | waldfee wrote: | it does not solve the same problem, correct. it's still a | great tool if your threat model warrants it. | gjs278 wrote: | great but it has nothing to do with disabling a physical | server | portpecos wrote: | Can you give an example of a threat model that would | warrant it? | smogcutter wrote: | You're a journalist. Source gives you a usb drive full of | documents. Source is in reality hostile/compromised, so | is the usb drive. | bra4you wrote: | I saw this solved with a USB stick on a keychain and the computer | shuts down when the stick is removed. Does anybody still have the | link? | | Ah. Found it: | https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k... | sn_master wrote: | "immediately terminates the connection" | | Reminds me of some old Firewalls that would actively poll active | connections, and when one is made that violates their rules, | "immediately" terminate it. Oftentimes, an attacker can embed a | lot in just a single URL in the query string (stolen passwords | etc) that would be done in < 5ms, faster than the firewall can | act (if not even faster than the polling interval itself), | especially if there are plenty of rules and active connections | and/or the machine is slow (e.g playing games). | | That's like choosing to not have a door on your house, because | you know you can run fast and shoot the thief when they enter. | | Maybe it's not as bad for hardware due to the inherent latencies | involved, but I am always skeptical about things that use polling | vs sitting in the middle at the kernel before a USB connection is | allowed to happen to the OS in the first place. | | The default (aka the one that nobody will change) connection- | polling interval for this thing is 250ms, which doesn't seem too | small to me for many conceivable attack scenarios.
|
| For Mac, it runs this:
|
|     os.system("killall Finder ; killall loginwindow ; halt -q")
|
| This won't prevent windows from reopening after a reboot.
|
| A possible exploit for this could be the USB pretending to be a keyboard, opening an exploit website or an app with malicious argument values, then you immediately shut down the Mac, reboot manually and boom, the website/app opens up and the machine gets owned anyway post-reboot!
|
| Also, lack of Windows support is upsetting, considering there isn't much code change required to do so.
|
| The "melt" feature is one I really like and respect the thought they put into making it.
| bausano_michael wrote:
| I think it's aimed at scenarios in which the attacker is not aware of this utility running. Otherwise they could just kill it before inserting the USB.
| sn_master wrote:
| Well, for attack vectors like Mouse Jiggler (I have one, very cheap on Amazon) or polymorphic USB devices, it would work if the attacker is unaware of the utility's existence. For polymorphics specifically, I checked the code, and it does indeed validate the IDs of the devices, not just their count.
|
| For others, even if the attacker is unaware of the utility, those shortcomings are still serious enough (e.g. rapid keyboard typing).
| raxxorrax wrote:
| > In case the police or other thugs come busting in
|
| I like this wording.
|
| Disclaimer: Not a comment on current political happenings.
|
| But seriously, the use case of disallowing USB sticks on devices is unnecessarily hard to configure. Just an option to disallow certain device classes would be appreciated.
| daraps wrote:
| I just disable all hotplugging support in my OS. Anything plugged into the machine must be manually mounted, enabled, etc. This works really great for me as it's rare that anything is attached to this machine other than the charger.
| InsomniacL wrote:
| How would you authenticate the USB stick that is allowed though?
| Without some sort of authentication mechanism an attacker could clone the device ID of an allowed device. Better than nothing though! :)
| the8472 wrote:
| There's the USB Authentication Protocol where devices identify themselves through digital signatures. But I don't know whether each device has a unique ID or it's one cert for the whole production series.
| mschuster91 wrote:
| > But seriously, the use case of disallowing USB sticks on devices is unnecessarily hard to configure.
|
| This will not help against hardware that exploits bugs in the USB stack of the operating system.
|
| Assuming the threat model is police or secret service seizing one's server, it is feasible that the attackers also have knowledge of the running OS (IIRC one can distinguish between Windows, Linux and xBSD by simply looking at TCP fingerprints) and thus can use a targeted exploit.
| agumonkey wrote:
| Typical social pattern:
| - nothing
| - hard work to make something easy to use
| - hard work to make something easy to control
| - control
| microcolonel wrote:
| This is fairly straightforward with udev; a couple of lines of config should be sufficient.
| pnutjam wrote:
| Any directions?
| bartvk wrote:
| This guide is pretty good: http://reactivated.net/writing_udev_rules.html
|
| Some ten-odd years ago, I wrote up how to create udev rules to execute a command after connecting a particular USB device:
|
| https://www.vankuik.nl/2008-12-19_Linux_USB_device_handling
| lizardmancan wrote:
| Not as easy, but more fun to ruin the USB device.
|
| If they use mouse wiggling, the screensaver could use other triggers/patterns to keep the box on. Say 1 Google search per 15 min minimum. Randomly moving the mouse seems a good reason to shut down.
| nialv7 wrote:
| What's stopping the forensic people from just spoofing the USB device IDs?
| deadbunny wrote:
| How do they get the IDs?
| nialv7 wrote:
| They could just look around and see what USB devices you own.
| USB vendor/product IDs are not secret.
| topspin wrote:
| Nothing. And that's not the problem this program is intended to solve.
| nialv7 wrote:
| It is. The program tries to prevent use of unauthorized USB devices, yet it uses the easily spoofed USB device IDs to authenticate them.
| topspin wrote:
| It isn't. The problem this program solves is thwarting a naive attempt to alter the state of the USB bus. The design assumes the attacker is not aware of the consequences of adding or removing devices and has no reason to employ spoofed devices or any other Ever Greater Adversary Regression techniques you can imagine.
| [deleted]
| codethief wrote:
| From going through the discussion I'm getting the impression that the only feasible attack vector provided by USB is by emulating a keyboard like a USB Rubber Ducky. Is this really the case?
|
| For instance, if my laptop is locked (with a proper[0][1] lock screen like xscreensaver) and that lock screen is capturing all keyboard input and magic SysRq keys[2] are disabled, too, is there really no way an attacker could use a USB device to hack my laptop?
|
| Similarly, if my laptop is _not_ locked but comes with unusual key bindings (maybe even a different keyboard layout), what are the chances of me getting hacked with a USB device? (Let's assume that the attacker manages to secretly plug in said USB device but doesn't want to access my unlocked laptop directly - maybe because we're in an open office and people are watching.)
|
| My impression had always been that USB devices are dangerous beyond simple keyboard emulation but I might be wrong.
|
| [0] https://www.jwz.org/blog/2015/04/i-told-you-so-again/
|
| [1] https://www.jwz.org/xscreensaver/toolkits.html
|
| [2] https://en.wikipedia.org/wiki/Magic_SysRq_key
| boring_twenties wrote:
| > [0] https://www.jwz.org/blog/2015/04/i-told-you-so-again/
|
| Sorry for the digression, but WTF is this guy doing?
| Looks like he redirects all requests that have HN as the referrer to a picture of a testicle. Copy-pasting the link (i.e., dropping the referrer) seems to work, though.
| busterarm wrote:
| Besides keyloggers, another reason people want this is because law enforcement has USB keepalive devices that will simulate mouse movement/keypresses to keep your computer from going to sleep.
|
| They do this to make sure your computer stays on and your RAM doesn't get powered off, which will allow them to read any decrypted data in memory whether or not your data is encrypted on disk.
|
| When they raid you, they come with massive UPS devices that they plug your computers into to give them as long a window as possible to get your data.
| isatty wrote:
| How will they replug my single PSU workstation to their UPS?
| jefftk wrote:
| Use insulated tools and a steady hand to cut into the power cord and splice in the UPS. The UPS is configured to match phase with the power that's already in the cord.
| bsdz wrote:
| ... or get a HotPlug: https://www.cru-inc.com/products/wiebetech/hotplug_field_kit...
|
| Just discovered this now myself. The same company sells mouse jigglers.
| busterarm wrote:
| Which is why, if you want to defend against the easy versions of these and make people have to do work, only plug your desktop PCs into standalone outputs not on a surge protector.
|
| Yes, it won't defend against cord cutting.
|
| Edit: A more interesting defense I think would be to modify a surge protector for this specifically to defeat HotPlug. Only put your computer on a specific outlet and wire it so that if any other outlet completes a circuit, it kills power to the whole thing.
| jefftk wrote:
| HotPlug is one of the turnkey versions of this, yes.
| Ericson2314 wrote:
| And now, we've come full circle to plug-and-stop-playing.
| reallymental wrote:
| "Tip: Additionally, you may use a cord to attach a USB key to your wrist.
| Then insert the key into your computer and start usbkill."
|
| This line particularly caught my eye. I wonder what percentage of people (I'm presuming people working in security or those who are trying to avoid detection) go to this extreme?
|
| Is it even extreme?
| berkas1 wrote:
| I don't think that wrist-key is extreme (never seen it actually, but I still think this solution is a cautious one).
|
| For me an extreme measure would be to modify my motherboard in a way that I could connect RAM to my wrist and tear it away when necessary.
| nkrisc wrote:
| Now that would be interesting: have your RAM strapped to your wrist and connected to your Mobo by a breakaway cable.
|
| Bonus points if they cut it when they tackle you because they thought it was a deadman switch, as mentioned in the link.
| baq wrote:
| Not a security expert but a commonly heard phrase is 'depends on your threat model' :)
| moritonal wrote:
| "To prevent Ulbricht from encrypting or deleting files on the laptop he was using to run the site as he was arrested, two agents pretended to be quarreling lovers. When they had sufficiently distracted him, according to Joshuah Bearman of Wired, a third agent grabbed the laptop while Ulbricht was distracted by the apparent lovers' fight and handed it to agent Thomas Kiernan. Kiernan then inserted a flash drive in one of the laptop's USB ports, with software that copied key files."
|
| https://en.wikipedia.org/wiki/Ross_Ulbricht
| daffy wrote:
| > Kiernan then inserted a flash drive in one of the laptop's USB ports, with software that copied key files.
|
| How exactly does this work? Is there a sort of software that runs automatically when you insert the stick, or did he have to click on it?
| sumtechguy wrote:
| You can present yourself as a standard file system or some device you know has a known exploit in the driver on the other side. Then on the USB 'drive' side you have a full out ARM CPU.
| It can issue commands too as it is connected to the serial bus. Many USB drives already have small embedded CPUs in them.
| R0b0t1 wrote:
| > Many USB drives already have small embedded CPUs in them.
|
| For most common hardware this is just an 8051 variant that sets up the USB and DMA peripherals. It's easy enough to get something more powerful, but I am doubtful you'd want to reuse consumer hardware.
| sumtechguy wrote:
| The 8051 is a decently capable CPU (it is the CPU at the heart of the Furby toy). At one point they built whole computer ecosystems around it. Remember the point here is to take over the computer, not have a full out modern OS. The USB manufacturers use them because they work well on low power and are decently cheap and small. Now most USB sticks do not do much more than like you say. But that would not stop someone who is making one of these things from reflashing the firmware in it. The use case here is different than what most people would use it for. Sometimes you will see an older ARM design too.
| klyrs wrote:
| Speculation: It's possible to produce keyboard and mouse inputs, and also present as a storage device -- autorun isn't even necessary (though spurious inputs would be quite visible to somebody using the computer, and something like a mirrored mouse or custom keyboard layout / shortcuts could foil this).
| daffy wrote:
| That would only work on a known operating system and window manager with known keyboard shortcuts, unless a terminal is already focused.
| InitialLastName wrote:
| One of Atmel's USB-capable microcontrollers had a HID Keyboard example program that when you pressed a button (on a Windows host) would start Notepad (via the run command) and type "Hello, I'm an Atmel SAMXXXX".
|
| Great bit of example code, but opens a world of possibilities for what you could do with, say, a HID + Mass Storage composite device.
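The HID + mass-storage composite device described above is exactly the case a whitelist-and-poll monitor like usbkill exists to catch. Below is an added Python model of that check (written for this thread, not the project's own code), covering the points raised earlier: identity by vendor:product:serial rather than device count, removal of an unlisted device (the wrist-cord key) as a trigger, a label for any unknown device exposing a HID interface, and a flag for a whitelisted identity whose interface set has changed. All device records and IDs are constructed.

```python
from dataclasses import dataclass

HID_CLASS = 0x03     # USB interface class for keyboards/mice (what keystroke-injecting devices enumerate as)
MASS_STORAGE = 0x08  # USB interface class for flash drives


@dataclass(frozen=True)
class UsbDevice:
    """One enumerated device. Every field is self-reported by the device and can be cloned,
    so this model only catches changes a hostile device did not bother to disguise."""
    vendor: int
    product: int
    serial: str
    classes: tuple  # interface classes exposed, e.g. (HID_CLASS, MASS_STORAGE) for a composite

    @property
    def ident(self) -> str:
        return f"{self.vendor:04x}:{self.product:04x}:{self.serial}"


def diff_bus(previous, current, whitelist):
    """Compare two bus snapshots; whitelist maps ident -> expected interface classes.
    Any insertion or removal of a non-whitelisted device is a trigger (so an unlisted key on a
    wrist cord trips it when yanked). Inserted unknowns are labelled HID-capable when they expose
    a keyboard/mouse interface; a whitelisted identity whose interface set differs from the
    recorded one is flagged (an ID clone that also enumerates as a keyboard)."""
    prev = {d.ident: d for d in previous}
    cur = {d.ident: d for d in current}
    alerts = []
    for ident in sorted(cur.keys() - prev.keys()):
        dev = cur[ident]
        if ident not in whitelist:
            kind = "HID-capable" if HID_CLASS in dev.classes else "non-HID"
            alerts.append(f"inserted unknown {kind} device {ident}")
        elif set(dev.classes) != whitelist[ident]:
            alerts.append(f"whitelisted {ident} exposes unexpected interfaces {sorted(dev.classes)}")
    for ident in sorted(prev.keys() - cur.keys()):
        if ident not in whitelist:
            alerts.append(f"removed non-whitelisted device {ident}")
    return alerts


def poll(snapshots, whitelist):
    """Walk successive bus snapshots (one per polling tick, 250 ms apart in the default discussed
    above) and return (tick, alerts) for the first tick that trips, else (None, []). Whatever a
    device does inside one interval happens before the monitor reacts: the latency caveat above."""
    baseline = snapshots[0]
    for tick, snapshot in enumerate(snapshots[1:], start=1):
        alerts = diff_bus(baseline, snapshot, whitelist)
        if alerts:
            return tick, alerts
        baseline = snapshot
    return None, []


# Constructed devices with made-up vendor/product IDs (not real USB-IF assignments).
KEYBOARD = UsbDevice(0x1234, 0x0001, "KB-001", (HID_CLASS,))
STICK = UsbDevice(0x1234, 0x0002, "ST-002", (MASS_STORAGE,))
WRIST_KEY = UsbDevice(0xabcd, 0x0010, "WRIST", (MASS_STORAGE,))           # deliberately unlisted
COMPOSITE = UsbDevice(0xabcd, 0x0011, "DUCK", (HID_CLASS, MASS_STORAGE))  # keyboard + storage in one
CLONE = UsbDevice(STICK.vendor, STICK.product, STICK.serial, (HID_CLASS, MASS_STORAGE))  # copies STICK's IDs
WHITELIST = {KEYBOARD.ident: frozenset(KEYBOARD.classes), STICK.ident: frozenset(STICK.classes)}

if __name__ == "__main__":
    print(poll([[KEYBOARD, WRIST_KEY], [KEYBOARD, WRIST_KEY, STICK], [KEYBOARD, WRIST_KEY, STICK, COMPOSITE]], WHITELIST))
    print(poll([[KEYBOARD, WRIST_KEY], [KEYBOARD]], WHITELIST))  # wrist-cord key yanked
    print(poll([[KEYBOARD], [KEYBOARD, CLONE]], WHITELIST))      # ID clone with an extra HID interface
```

On Linux the same records could be read from /sys/bus/usb/devices, but every field in them is supplied by the device, which is the spoofing point made earlier in the thread.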
| janekm wrote:
| In theory, you could fingerprint the host OS first and then run the appropriate commands (of course more tricky with more custom Linux setups; does CTRL+ALT+Fn still work to get to a text console?): https://www.cise.ufl.edu/~butler/pubs/sadfe11.pdf
| daffy wrote:
| Yeah, I was thinking of custom window-manager setups. You can usually get a tty console by ctrl-meta-f1 etc., but that wouldn't help, since you'd have to enter a password. I suppose an advanced version could try different combinations and test each by entering a command that would be detected by the stick.
| Jaruzel wrote:
| On Windows, it's just 'Win+R 'CMD' [Enter]' and you have a terminal/console. Presumably, if the agents were monitoring the perp properly, they would know what OS they would be targeting.
|
| I type the above SO often every day, it should be on my gravestone. :D
| TedDoesntTalk wrote:
| On Windows, autorun.inf. This technique has been around since at least the 90s when CD-ROM drives were introduced to PCs... it is how a newly inserted CD (and later USB disk) can automatically execute software on insertion:
|
| https://www.instructables.com/id/Autorun-anything-off-of-a-u...
| pfundstein wrote:
| Autorun has been disabled by default for a long time (with good reason). And it has never worked with USB drives, only ones which emulated a CD drive such as U3 USB drives.
| noisem4ker wrote:
| Autorun attempts result in a prompt since Vista.
|
| Apparently, autorun from USB volumes was enabled for XP SP2:
|
| https://support.microsoft.com/en-us/help/967715/how-to-disab...
|
| > Before Windows XP SP2, AutoPlay was disabled by default on removable drives, such as the floppy disk drive (but not the CD drive), and on network drives. Starting with Windows XP SP2, AutoPlay is enabled for removable drives. This includes ZIP drives and some USB mass storage devices.
| anonymfus wrote:
| Autorun and AutoPlay are different things. AutoPlay is what asks you if you want to open media in File Explorer or some other application.
| derefr wrote:
| I've always been surprised that autorun wasn't re-enabled when app stores / code signing was introduced. If Microsoft or Apple is willing to sign an installer saying that it's something safe to install, isn't that proof enough to let it run when you insert the USB key it's on?
|
| I know this isn't really very relevant for the specific combination of _installers_ and _physical media_ any more, since it's rare for anyone to be _trying_ to install something off a CD/DVD/USB these days (other than a new OS, of course.)
|
| But I could see the use case for physical media doing something _other_ than running an installer (e.g. DRMed disks launching the equivalent of a FUSE server to mount the "rest" of the disk); or for non-physical media (e.g. macOS DMG disk images) being able to autorun their embedded installer. Either way, the code signing that the platforms are _already doing_ would be enough to make these safe, no?
| toast0 wrote:
| Windows code signing does not include a step where Microsoft inspects the code. The developer gets a certificate from a commercial CA and signs the code. If the certificate is an EV certificate, that's basically it. If it's a regular certificate, Windows does a callback to Microsoft that seems to just be a popularity check --- if the certificate has been used a lot, then the prompts go away.
|
| At best, Windows code signing lets you know who signed it and that that person was able to pay a CA some money, not that it's safe to run.
| derefr wrote:
| Regular developer code-signing, yes.
| But I'm talking about the code-signing that's done _by Microsoft_ (rather than by your own Microsoft-signed cert) on the Microsoft Store backend; or the code-signing that's manually done _by Microsoft_ when a third party submits a driver package to them for inclusion as a Windows update.
| fortran77 wrote:
| Microsoft limited autorun about two decades ago, and finally got rid of it completely in 2011.
|
| https://www.theregister.com/2011/02/08/microsoft_windows_aut...
|
| You should try Windows 10! It's very good. At least give it a whirl so you can have accurate facts about what it does, and not spread FUD about it.
| pfundstein wrote:
| Maybe rubber-ducky style keyboard emulation?
| emiliobumachar wrote:
| How about a Bluetooth dongle in your pocket? Less visible, and unless the hostiles know about it, they will separate you from the computer.
|
| A phone could work. An apparent car key would be better. Best would be a piece of clothing, like a belt.
| paledot wrote:
| That would work great for half an hour, until your Bluetooth connection drops for no reason, the dongle pairs with your car or phone instead, decides it's a headset now, or one of the hundred other things that inevitably go wrong with Bluetooth.
| sumtechguy wrote:
| Hehe, do not think like an engineer in this case. Think like someone who only has to get it right once but can try 100 times. So even if you have a flaky connection, just so long as it works that 'one time', you are good.
| nullc wrote:
| There are Bluetooth Low Energy key fobs that work for this.
| atum47 wrote:
| I've made a video about disabling the USB to prevent rubber ducky attacks a long time ago.
|
| Never thought about shutting down the computer.
|
| https://youtu.be/RtRsBTGZUgc
| M5x7wI3CmbEem10 wrote:
| Does encryption offer any benefit if you're using a cloud syncing solution?
___________________________________________________________________
(page generated 2020-08-06 23:00 UTC)