
Usbkill – anti-forensic tool to halt computer when new USB device is connected - berkas1
https://github.com/hephaest0s/usbkill
======
waldfee
If you are paranoid about something like this happening, just use
[https://www.qubes-os.org/](https://www.qubes-os.org/). all usb devices are
jailed in a non-networked vm by default.

In general, if what you do warrants that level of paranoia, qubes will help
you massively.

Micah Lee held a great overview talk at HOPE 2018:
[https://www.youtube.com/watch?v=f4U8YbXKwog](https://www.youtube.com/watch?v=f4U8YbXKwog)

~~~
czechdeveloper
I don't think it solves same problem.

~~~
waldfee
it does not solve the same problem, correct. it's still a great tool if your
threat model warrants it.

~~~
portpecos
Can you give an example of a threat model that would warrant it?

~~~
smogcutter
You’re a journalist. Source gives you a usb drive full of documents. Source is
in reality hostile/compromised, so is the usb drive.

------
captainmuon
Interesting project, I'm sure this is useful for people at risk.

Somewhat related, I'm wondering about the physical security of computers.
There is an attack where they open your PC, take out the ram, and freeze it
immediately so the bits don't decay and they can extract your encryption keys.

All BIOSes have an option for chassis intrusion detection, but I've never seen
a case that has the necessary cable. Has anybody here set up a chassis
intrusion kill switch that erases the RAM/shuts down the PC etc. if the case
is opened improperly? Can you buy anything like this on the market?

~~~
alfiedotwtf
Back in the BBS days, there were textfiles describing how to wire your beige
box to either turn on strong magnets or ignite termite if a case was detected.

... I don’t know of anyone actually implementing this though :)

~~~
geerlingguy
I would imagine that's thermite and not termite ;)

If the latter, the server would probably be okay, and it would take a very
long time for the termites to damage the surrounding room enough to be a
security deterrent.

~~~
DoofusOfDeath
Probably just a debugging technique.

~~~
hinkley
Well, it certainly complicates debugging.

------
raxxorrax
> In case the police or other thugs come busting in

I like this wording.

Disclaimer: Not a comment on current political happenings.

But seriously, the use case of disallowing USB sticks on devices is
unnecessarily hard to configure. Just an option to disallow certain device
classes would be appreciated.

~~~
InsomniacL
How would you authenticate the USB stick that is allowed, though? Without some
sort of authentication mechanism an attacker could clone the device ID of an
allowed device. Better than nothing, though! :)

~~~
the8472
There's the USB Authentication Protocol where devices identify themselves
through digital signatures. But I don't know whether each device has a unique
ID or it's one cert for the whole production series.

------
zelon88
I really like this concept.

That's why I've made similar projects. One to detect when USB storage devices
get attached to domain workstations, and email the administrator with device
and user info.....
[https://github.com/zelon88/Workstation_USB_Monitor](https://github.com/zelon88/Workstation_USB_Monitor)

And one which detects USB HID devices, confirms them, and notifies the
administrator.....
[https://github.com/zelon88/Rubber_Ducky_Defender](https://github.com/zelon88/Rubber_Ducky_Defender)

------
sn_master
"immediately terminates the connection"

Reminds me of some old firewalls that would actively poll active connections,
and when one is made that violates their rules, "immediately" terminate it.
Oftentimes, an attacker can embed a lot in just a single URL in the query
string (stolen passwords etc.) that would be done in < 5ms, faster than the
firewall can act (if not even faster than the polling interval itself),
especially if there are plenty of rules and active connections and/or the
machine is slow (e.g. playing games).

That's like choosing to not have a door on your house, because you know you
can run fast and shoot the thief when they enter.

Maybe it's not as bad for hardware due to the inherent latencies involved, but I
am always skeptical about things that use polling vs. sitting in the middle at
the kernel before a USB connection is allowed to happen to the OS in the first
place.

The default (aka the one that nobody will change) connection-polling interval
for this thing is 250ms, which doesn't seem too small for me for many
conceivable attack scenarios.

For Mac, it runs this:

os.system("killall Finder ; killall loginwindow ; halt -q")

This won't prevent windows from reopening after a reboot.

A possible exploit for this could be the USB pretending to be a keyboard,
opening an exploit website or an app with malicious argument values, then you
immediately shut down the Mac, reboot manually and boom, the website/app opens
up and the machine gets owned anyway post-reboot!

Also, lack of Windows support is upsetting, considering there isn't much code
change required to do so.

The "melt" feature is one I really like and respect the thought they put to
make it.

~~~
bausano_michael
I think it's aimed at scenarios in which the attacker is not aware of this
utility running. Otherwise they could just kill it before inserting the USB.

~~~
sn_master
Well, for attack vectors like Mouse Jiggler (I have one, very cheap on Amazon)
or polymorphic USB devices, it would work if the attacker is unaware of the
utility's existence. For polymorphics specifically, I checked the code, and it
does indeed validate the IDs of the devices, not just their count.

For others, even if the attacker is unaware of the utility, those shortcomings
are still serious enough (e.g. rapid keyboard typing).

------
el_oni
I attended a talk by GSK and there was part of the talk about security. They
don't allow usb devices to be plugged into their analysis computers. But every
year they get an intern that tries to charge their phone from the PC USB.

Something like this, that doesn't halt the computer but shows a warning on
screen and logs information, would perhaps be a solution to their problem.
Although in the case of industrial espionage maybe locking the system would be
worth it...

~~~
lozf
At a former gig for a post-production facility we used CoSoSys
EndpointProtector to restrict USB access to workstations. It works as described
in your second paragraph (logs and warning); an admin can then allow approved
devices remotely if necessary.

~~~
SV_BubbleTime
I worked for a car mfg that had that on all their laptops. It was annoying and
I’m 99% certain no one ever checked up on the alerts and instead was just
logging in case there was an issue later.

------
raziel2p
Seems like a lot of code for what should be, on Linux anyway, a simple udev
rule?

echo 'RUN+="/root/usb-changed.sh"' > /etc/udev/rules.d/usb-changed.rules

Then just put whatever you want to be run in /root/usb-changed.sh.

~~~
darkwater
I think you would at least add an allowlist of safe (i.e. owned by you) USB
IDs you don't want to shut your PC/laptop down for if connected.

~~~
kawsper
Your script can have the allowlist so you don't have to fiddle with udev
every time you introduce or retire USB devices.
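Putting the two suggestions above together (the udev rule with the allowlist kept in the handler script), as an added example that is not from this thread or the usbkill project; the rule file name, the handler path /root/usb-changed.sh and the allowlisted IDs are constructed, and the script only logs unless REACT_CMD is set:

```shell
#!/bin/sh
# usb-changed.sh (hypothetical path /root/usb-changed.sh): udev RUN handler with an allowlist.
#
# Assumed udev rule, one line in /etc/udev/rules.d/99-usb-changed.rules (constructed name):
#   ACTION=="add", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", RUN+="/root/usb-changed.sh"
# udev exports ACTION, ID_VENDOR_ID and ID_MODEL_ID to the RUN program as environment
# variables, so the allowlist lives here and the rule never needs editing.

# Vendor:product IDs you own (constructed sample values, lowercase hex as udev reports them).
ALLOWLIST="046d:c52b 0781:5583"

# usb_allowed VID:PID -> returns 0 if allowlisted, 1 otherwise (case-insensitive).
usb_allowed() {
    id=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for ok in $ALLOWLIST; do
        [ "$id" = "$ok" ] && return 0
    done
    return 1
}

# classify_event ACTION VID PID: prints the decision; returns 0 for "ignore",
# 1 when an unknown device was added and a reaction is warranted.
classify_event() {
    case "$1" in
        add) ;;
        *) echo "ignore: $1"; return 0 ;;
    esac
    if usb_allowed "$2:$3"; then
        echo "ignore: allowlisted $2:$3"
        return 0
    fi
    echo "react: unknown device $2:$3"
    return 1
}

# Entry point used by udev. The reaction defaults to a no-op so the allowlist can be
# verified from the syslog line alone; set REACT_CMD="systemctl poweroff" once it is trusted.
main() {
    if classify_event "${ACTION:-}" "${ID_VENDOR_ID:-}" "${ID_MODEL_ID:-}" >/dev/null; then
        return 0
    fi
    logger -t usb-changed "unknown USB device ${ID_VENDOR_ID:-?}:${ID_MODEL_ID:-?} added"
    ${REACT_CMD:-:}
}

# Only act when invoked by udev (event variables set); sourcing the file does nothing.
if [ -n "${ACTION:-}" ] && [ -n "${ID_VENDOR_ID:-}" ]; then
    main
fi
```

Exercise it by exporting ACTION, ID_VENDOR_ID and ID_MODEL_ID by hand (or with udevadm test on a device path) before wiring in a poweroff.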

~~~
darkwater
But then it's not a one-liner anymore, and the original project starts to make
sense.

~~~
loa_in_
It doesn't warrant making a product that replaces a dedicated feature of the
system. To whitelist in usbkill you have to do more than one line too.

------
reallymental
"Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then
insert the key into your computer and start usbkill."

This line particularly caught my eye. I wonder what's the percentage of people
(I'm presuming people working in security or those who are trying to avoid
detection) go to this extreme?

Is it even extreme?

~~~
emiliobumachar
How about a Bluetooth dongle in your pocket? Less visible, and unless the
hostiles know about it, they will separate you from the computer.

A phone could work. An apparent car key would be better. Best would be a piece
of clothing, like a belt.

~~~
paledot
That would work great for half an hour, until your Bluetooth connection drops
for no reason, the dongle pairs with your car or phone instead, decides it's a
headset now, or one of the hundred other things that inevitably go wrong with
Bluetooth.

~~~
sumtechguy
Hehe, do not think like an engineer in this case. Think like someone who only
has to get it right once but can try 100 times. So even if you have a flaky
connection, just so long as it works that 'one time', you are good.

------
pfundstein
In a similar vein, there's antijiggler[1] which only locks the PC when a new
device is connected.

[1]
[http://www.codefromthe70s.org/antijiggler.aspx](http://www.codefromthe70s.org/antijiggler.aspx)

------
brian_herman
I thought this was [https://usbkill.com/](https://usbkill.com/) I think maybe
this would be more effective in anti-forensic because it actually destroys the
computer?

~~~
csunbird
Gets the work done, somehow.

------
codethief
From going through the discussion I'm getting the impression that the only
feasible attack vector provided by USB is by emulating a keyboard like a USB
Rubber Ducky. Is this really the case?

For instance, if my laptop is locked (with a proper[0][1] lock screen like
xscreensaver) and that lock screen is capturing all keyboard input and magic
SysRq keys[2] are disabled, too, is there really no way an attacker could use
a USB device to hack my laptop?

Similarly, if my laptop is _not_ locked but comes with unusual key bindings
(maybe even a different keyboard layout), what are the chances of me getting
hacked with a USB device? (Let's assume that the attacker manages to secretly
plug in said USB device but doesn't want to access my unlocked laptop directly
– maybe because we're in an open office and people are watching.)

My impression had always been that USB devices are dangerous beyond simple
keyboard emulation but I might be wrong.

[0] [https://www.jwz.org/blog/2015/04/i-told-you-so-again/](https://www.jwz.org/blog/2015/04/i-told-you-so-again/)

[1]
[https://www.jwz.org/xscreensaver/toolkits.html](https://www.jwz.org/xscreensaver/toolkits.html)

[2]
[https://en.wikipedia.org/wiki/Magic_SysRq_key](https://en.wikipedia.org/wiki/Magic_SysRq_key)

~~~
boring_twenties
> [0] [https://www.jwz.org/blog/2015/04/i-told-you-so-again/](https://www.jwz.org/blog/2015/04/i-told-you-so-again/)

Sorry for the digression, but WTF is this guy doing? Looks like he redirects
all requests that have HN as the referrer to a picture of a testicle.
Copy-pasting the link (i.e., dropping the referrer) seems to work, though.

~~~
nitrogen
That's exactly what he's doing. I can't remember why he hates HN though, but
it's been that way for a really long time.

~~~
boring_twenties
What a little asshole!

------
jokoon
I don't understand. Is USB just always insecure because of hardware?

~~~
raziel2p
Yes, but that's unrelated. The idea here is that if a USB device is connected
to your machine, it's an indicator that your machine is compromised. Mouse
jigglers that stop your lock screen from activating are very common when
confiscating machines:
[https://www.cru-inc.com/products/wiebetech/mouse_jiggler_mj-...](https://www.cru-inc.com/products/wiebetech/mouse_jiggler_mj-3/)

And of course, depending on the OS, it's possible to craft a USB stick that
copies files to a remote server as soon as it's plugged in.

~~~
daffy
> depending on the OS, it's possible to craft a USB stick that copies files to
> a remote server as soon as it's plugged in.

Is this possible with Linux?

~~~
michaelt
You can get a 'USB rubber ducky' [1] which emulates both a USB memory stick
and a USB keyboard, allowing you to script keystrokes for the keyboard [2].

So it can do anything a newly plugged in keyboard can do. Which, if the user
is already logged in, makes grabbing the user's files easy.

[1] [https://shop.hak5.org/collections/usb-rubber-ducky/products/...](https://shop.hak5.org/collections/usb-rubber-ducky/products/usb-rubber-ducky-deluxe)

[2] [https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads](https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads)

~~~
daffy
This will only work, I suppose, if the attacker knows beforehand a keychord
that will focus a terminal.

~~~
DarkWiiPlayer
on most desktop linux distros: <windows>terminal<enter> is enough

~~~
jonathanstrange
Hehehe...on my machine that selects "Emacs (Terminal)". Good luck with those
key combos...

------
Ericson2314
And now, we've come full circle to plug-and-stop-playing.

------
0xdeadb00f
A hotplugd script can be used to mimic this on OpenBSD

------
bra4you
I saw this solved with a USB stick on a keychain and the computer shuts down
when the stick is removed. Does anybody still have the link?

Ah. Found it: [https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k...](https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-kill-cord-dead-man-switch/)

------
Benmcdonald__
How does this work for USB Type-C? When I plug in my power cable, will my
computer shut down?

~~~
AnotherGoodName
And does it work for things that look exactly like USB-C but are actually
Thunderbolt? (with all its direct memory access via DMA and all of that
nastiness).

See the Apple combo USB-C/Thunderbolt ports.

------
stjohnswarts
Everyone should also install a hard power off on the front of their computer
and always have encrypted drives. Unrecognized USB storage in my computer also
is instant off. Might corrupt my files someday, but it's worth the risk.

------
atum47
I've made a video about disabling the USB to prevent rubber ducky attacks a
long time ago.

never thought about shutting down the computer.

[https://youtu.be/RtRsBTGZUgc](https://youtu.be/RtRsBTGZUgc)

------
nialv7
What's stopping the forensic people from just spoofing the USB device IDs?

~~~
topspin
Nothing. And that's not the problem this program is intended to solve.

~~~
nialv7
It is. The program tries to prevent use of unauthorized USB devices, yet it
uses the easily spoofed USB device IDs to authenticate them.

~~~
topspin
It isn't. The problem this program solves is thwarting a naive attempt to
alter the state of the USB bus. The design assumes the attacker is not aware
of the consequences of adding or removing devices and has no reason to employ
spoofed devices or any other Ever Greater Adversary Regression techniques you
can imagine.

~~~
nialv7
After they got bitten by tools like this usbkill once, ID spoofing will just
become the standard practice, and it will be made so easy to do they don't
even need to think.

------
gamblor956
Destroying evidence is considered a crime on its own. Use something like this
at your own legal risk, since it's usually far easier to prove obstruction
than it is to prove the underlying crimes that were being investigated.

~~~
refurb
Any relevant case law here? I mean, clearly destroying evidence (e.g.
shredding documents) is one thing but I assume it’s harder to prove when it’s
a byproduct of computer security?

Apple phones can be wiped with 10 invalid password attempts, but the cops
already know it. If it’s a piece of custom software that erases a computer
after 2 attempts, can the prosecution really claim it was pure evidence
destruction?

I honestly don’t know, but I’m curious.

------
M5x7wI3CmbEem10
does encryption offer any benefit if you’re using a cloud syncing solution?

------
lizardmancan
Not as easy, but more fun to ruin the USB device.

If they use mouse wiggling, the screensaver could use other triggers/patterns to
keep the box on. Say 1 Google search per 15 min minimum. Randomly moving the
mouse seems a good reason to shut down.

------
numlock86
Obligatory $5 wrench comment: [https://xkcd.com/538/](https://xkcd.com/538/)

Something like this is probably good when you - as a person - are not around
when your hardware gets extracted from your place. But then again, why would
it be running openly and unattended in the first place?

~~~
dividedbyzero
In many places, law enforcement will pressure but not torture you to provide
decryption keys, maybe imprison you for a while, fine you, ...

But that may be preferable to them knowing about all those highly illegal
nuclear doomsday space arms technology knowledge deals you've brokered, or
that collection of child porn, or those detailed assassination plans, or
whatever. Maybe the authorities suspect something, maybe a SWAT team will
snatch your laptop, but if all evidence is in there and encrypted, you may get
off with a lot less than otherwise.

~~~
kwhitefoot
In the UK you might well be in prison for five years for refusing to hand over
the keys.

[https://www.schneier.com/blog/archives/2007/10/uk_police_can...](https://www.schneier.com/blog/archives/2007/10/uk_police_can_n.html)

Not sure what the situation is now.

~~~
DanBC
Section 49 to force key disclosure should only happen if:

+ The person being given the notice has the key

+ Investigators need the key to prevent or detect crime

+ Disclosure is proportionate

+ They can't get the encrypted material by other means

Not complying with this is a criminal offence. The maximum sentence is 2 years,
unless it's a case involving child sexual exploitation or national security
where the maximum sentence is 5 years.

There is a code of practice for use of these powers here:
[https://www.gov.uk/government/publications/code-of-practice-...](https://www.gov.uk/government/publications/code-of-practice-for-investigation-of-protected-electronic-information)

I think that properly regulated key disclosure powers are important. I'm not
sure we (the UK) are getting it right with RIPA. I'd want to see stronger
audit and oversight of the S49 notices, and better advice given to people who
are served S49 notices.

For example: I have no idea how many people are served S49 notices, and I
don't really know how to find out. I don't know how many people have been
imprisoned for not disclosing keys; I don't know what sentences they've been
given; and I'm not clear on how to find that out. I feel that it should be
easier for citizens to have clear data about these really intrusive powers.

EDIT: I just found this page, and it seems like it's small numbers of people.
But still, it's a bit worrying.
[https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...](https://wiki.openrightsgroup.org/wiki/Regulation_of_Investigatory_Powers_Act_2000/Part_III#Cases)

~~~
Jaruzel
> _Investigators need the key to prevent or detect crime_

That's a bit scary. 'Detect crime' could be pure speculation on the police's
part.

"We think you've done something bad, let us see the contents of your phone. No
we don't have any evidence already as we're detecting the crime right now."

~~~
DanBC
I'm not sure that would be proportionate.

It's not great, but it's better than before where this kind of crime detection
had much less regulation.

~~~
tupac_speedrap
Get out spook.

