Usbkill – anti-forensic tool to halt computer when new USB device is connected (github.com/hephaest0s)
385 points by berkas1 on Aug 6, 2020 | 188 comments

If you are paranoid about something like this happening, just use https://www.qubes-os.org/. All USB devices are jailed in a non-networked VM by default.

In general, if what you do warrants that level of paranoia, qubes will help you massively.

Micah Lee held a great overview talk at HOPE 2018: https://www.youtube.com/watch?v=f4U8YbXKwog

I don't think it solves same problem.

It does not solve the same problem, correct. It's still a great tool if your threat model warrants it.

Can you give an example of a threat model that would warrant it?

You're a journalist. Source gives you a USB drive full of documents. Source is in reality hostile/compromised, and so is the USB drive.

How does that work with input devices like keyboard and mouse?

Generally it is advised to use PS/2 input (like most laptops' integrated keyboard and touchpad).

Details on using a USB keyboard and mouse here: https://www.qubes-os.org/doc/usb-qubes/

Interesting project, I'm sure this is useful for people at risk.

Somewhat related, I'm wondering about the physical security of computers. There is an attack where they open your PC, take out the ram, and freeze it immediately so the bits don't decay and they can extract your encryption keys.

All BIOSes have an option for chassis intrusion detection, but I've never seen a case that has the necessary cable. Has anybody here set up a chassis intrusion kill switch that erases the RAM/shuts down the PC etc. if the case is opened improperly? Can you buy anything like this on the market?

Memory encryption technologies such as AMD's Secure Encrypted Memory (SME) would be your best bet to combat this, along with other anti-evil-maid protections.

https://en.wikichip.org/wiki/x86/sme#Overview https://www.qubes-os.org/doc/anti-evil-maid/

There are also things like TRESOR [1] which keep all encryption keys inside the CPU. I'm not sure what the current state of the art is.

There are so many possible evil maid attacks that I think it would be useful to add a physical layer, just in case.

[1] https://en.wikipedia.org/wiki/TRESOR

TRESOR is a great project but pretty separate to SME imo. TRESOR implements SME but it's implemented effectively in software, making it less secure and a lot slower. The great thing about SME on AMD CPUs is that I believe (at least on the newer Zen cores) it effectively can run at the speed of the memory, so you have no performance loss.

I think SEV is a newer form of this.

Secure Encrypted Virtualisation uses SME, but it is not a newer version of it. SEV allows someone to run encrypted VMs whose memory not even the host can read, by leveraging per-VM keys in the AMD PSP that encrypt the VMs' pages using SME.

It would be interesting to leverage SME to run a version of Qubes where not only are the VMs isolated by the Xen hypervisor but they are also separately encrypted using the PSP.

Here are details of this attack for people who want more: https://citp.princeton.edu/our-work/memory/

If memory serves correctly, they achieved the best results by using a can of compressed air to freeze the RAM in place before removal.

//Small edit to wording

Many of the measures that provide effective physical security also make a device really unsuited for personal usage. Look at HSMs for an example of this. And even they rely on being stored in a physically secure room and protected from theft.

It's a matter of being more determined than your attacker. Imagine a device that will irretrievably brick itself if tilted more than a certain angle, if left unpowered for more than a certain time, etc. and that has to be under constant guard. This seems almost incompatible with any kind of personal use. And some measures may only work in one instance, with the attacker planning for them the second time they have an operation.

Many attackers also don't have the same restrictions the police have. In the Ulbricht case the police may have been forced to use a device that copies the data with no human intervention just to preserve the chain of evidence and not have suspicions that the agent operating the laptop altered it while installing additional software. An attacker operating in the grey/dark area might just immobilize the user, snip the wrist cable, and then retrieve the necessary data either directly at the console or by siphoning it via the network. Or the police may just start video recording in great detail every step from the moment an agent touched the laptop until the data was exfiltrated to remove suspicions of tampering.

But such a tool would be of great effect against an undetermined, unsophisticated attacker committing a crime of opportunity.

Personal computers have an advantage here: it is acceptable for them not to work when they are not directly used by someone. It means they can be stored in safes when not used and have all the encryption keys securely erased when not used. For example, a screen locker could stop all the processes and erase all the keys from registers and memory assuming both disk and memory encryption. And the locker itself could be triggered by some proximity sensor, RFID, camera, whatever, not just input inactivity timeout.

Storing your personal computer in a safe when not using it is probably the very definition of "almost incompatible with any kind of personal use". And at this point you just move the weak link from the device to the safe's lock. HSM-like physical security is good for making the device tamper proof and ensuring that no data can be retrieved under any circumstances other than the one accepted "regular use" way.

Putting a regular device in a safe leaves it exposed to someone unlocking the safe and compromising the device by implanting a keylogger inside or even by putting a replacement identical device there and waiting for the user to type the boot password.

As for methods of emergency clearing sensitive data from memory while in operation, whatever method is employed will work once. The next time the attacker is ready for that particular method. For example the police might just have to completely immobilize the suspect (and their hands) and keep the laptop in the vicinity while the "dead man's switch" is bypassed.

> And even they rely on being stored in a physically secure room and protected from theft.

Not exactly. You don't want someone sneaking in and misappropriating the HSM to authorize something bad. And if you set the system up for unattended recovery from a power failure, then in all likelihood someone walking off with the server the HSM is in can use those keys indefinitely. But there are options.

Some HSMs have self-destruct mechanisms that attempt to prevent physical access to the private key (i.e. by lapping the chip). Some vendors (nCipher, IIRC) have a smart card (a second HSM) that is required to authorize certain activities, like signing, or key recovery. In fact they had a Byzantine generals solution that either had the key or a password for the key split between n cards. In the latter case you needed one of the original HSMs in order to clone the key, so a movie plot where you kidnap the entire team at a conference doesn't work. During initial setup the cert would be generated on the first HSM and copied to the others, having never seen daylight.

That system was quite difficult to explain to users, and I had to document it just so I wouldn't get confused and trigger a reset of the evaluation hardware (at which point all of our test artifacts have to be rebuilt).

It might be more complicated to start WWIII than to protect a signing certificate, but only just.

> Not exactly. You don't want someone sneaking in and misappropriating the HSM to authorize something bad.

I think we're talking about exactly the same thing :). That's what I meant by "even they rely on being stored in a physically secure room and protected from theft". Despite all the hardening that is applied to the device, it must always be kept secure and supervised. As an example, this is what Safenet considers the intended installation environment should be [0].

This can't be effectively applied to a personal computer.

[0] http://cloudhsm-safenet-docs-5.3.s3-website-us-east-1.amazon...

As I was trying to say, there are ways to make that less of an issue by moving other factors off-site. You can configure (some) HSM cards not to be available on boot, requiring a human to come in and reactivate them with a password or a fob that they bring with them, and leaves with them.

Then your biggest problem is people thinking that stealing the cards will get them anything. Which, they're not entirely wrong, because those things are damned expensive. So you need a 'kinda' secure facility.

Again, the issue is that any hardware that will start up for you without any action on your part will likely start up for anybody else, too. Your laziness will probably win out...

Does anyone have pointers as to whether this is even possible with DDR4 on modern machines?

I think the real question is has it ever been used in the wild on any DDR?

"In recent years, however, it has become increasingly challenging to execute cold boot attacks or perform physical memory forensics due to the introduction of DRAM memory scramblers. Modern processors with DDR3 and DDR4 DRAM scramble data by XOR'ing it with a pseudorandom number before writing it to DRAM [5], [6]. These scramblers were initially introduced to mitigate the effects of excessive current fluctuations on bus lines by ensuring bits on the memory bus transition nearly 50% of the time"

DDR4 is also yes in the lab -


I have a Lenovo M93P Tiny which came with a chassis intrusion switch installed. It seems you can have it block startup/require a password when the case is opened and notify some central admin. I don't know what happens if you open the case while it's running, though.

I’m not sure if it’s something they offer on current models, or to individuals at all (I bought it used from a corporate IT asset liquidator so it was likely originally purchased as part of a bulk deal). Regardless it makes a great little Linux box!

Work at a big bank, we won't procure laptops without this, and yes, we will know when you have opened it and you won't be able to boot it. I think something happens with BitLocker also but not sure.

Could you give examples of laptops with this feature? I never knew chassis intrusion sensors were a thing on laptops.

Also, does it still work if you open the machine with the power disconnected and battery removed?

I'm pretty sure most ThinkPads have case intrusion detection. It's called "Bottom Cover Tamper Access Detection" in BIOS.

That feature is fairly common but practically quite useless and easy to circumvent if you can find the model information. Even with PCI-DSS enclosure compliance you can get in if you can take power tools to it. The assumption is power tools would be too obvious to use in a typical installation.

Back in the BBS days, there were textfiles describing how to wire your beige box to either turn on strong magnets or ignite termite if a case was detected.

... I don’t know of anyone actually implementing this though :)

I would imagine that's thermite and not termite ;)

If the latter, the server would probably be okay, and it would take a very long time for the termites to damage the surrounding room enough to be a security deterrent.

Nah, it's termite. You're trying to destroy your logs, right?

Ha! Very nice :)

Probably just a debugging technique.

Well, it certainly complicates debugging.

or a bugging technique?

Sorry that was a typo. Haha!

It's funny when I think back, I was a teen in the 90s and did plenty of questionable stuff online and w/ local BBS scene (Kevin Mitnick was busted in Raleigh and many rumors existed about his presence in the BBS scene, obviously fantasy though!).

Nobody I know who got arrested ever managed to destroy anything. When I think about it, we all assumed the cops would storm in when we were in the act of doing something bad, probably like in the movies lol, when in practice, they tend to pick you up when you are really off guard, duh.

Very few people had automatic protections because like, our parents would probably get mad if we burned down the house :)

When it came to me, the FBI did knock on my front door, and I managed to dd if=/dev/random of=/dev/hda

I lost my entire BBS, all the custom code and ANSI I had for it, among other ancient treasures that I'd probably still have with my napster mp3s :)

Of course they didn't come for me, there had been a flasher in the neighborhood on halloween...

Hehe, yeah :)

When I was a teen, I somehow got a modem number at NASA, and I stupidly gave it to a friend. He tried to brute force it, but he got door knocked. He quickly formatted his disks, but it wasn’t even the cops haha!

This is how you earn tampering with evidence charges, up to 20 years felony.

Well, keep this in mind: I knew quite a few people who got interviewed with, and arrested by authorities. Everyone under the age of 18 in the 90s got a slap on the wrist because they hadn't got too good at punishing those kinds of crimes. I think the worst I saw was $1200 paid over 12 months to AT&T.

After 18, you're done, even if they can't think of a good charge, they'll make them up, which is exactly what they did back then, cross state commerce was a blanket thing to grab folks.

I stopped doing anything questionable well before I turned 18.

Eh, it's worth it, depending on what you're doing. I'd much rather get in trouble for a hard drive full of zeroes, than them knowing what was on it beforehand.

Today, you should encrypt everything, and cut power before physical access is obtained. Will that count as "tampering"? I was just turning off my computer. No, I do not remember the key.

Looking back, federal authorities really only came when they had the evidence they needed already, and local authorities were way too far behind to know what was going on (in the 90s).

In practice, the only real protection we had (those of us in my social group) was that we were minors, and lucky that laws hadn't caught up yet.

Surely it has to be actual evidence before you "tamper" with it.

If I delete a file on my computer today that would be potentially "evidence" if seized, and the police come knocking tomorrow, I haven't committed a crime by using my personal computer in the past.

I do not suggest that you test this theory. Your optimism seems wholly unwarranted here, knowing what we know about the federal prosecutors.

The FBI was investigating a flasher?

I could be remembering incorrectly, but it may have been reoccurring or not even really the FBI, but state police or something and my parents said it was the FBI.

I only saw people in suits with a black car outside knocking on the door, also this was like 30 years ago so don't twist my arm :)

This was a plot device used in the TV series Mr. Robot Season 2, Episode 3, about 27 minutes in.

Some ideas have been tested, there was an entertaining talk a few years back at DefCon: https://www.youtube.com/watch?v=-bpX8YvNg6Y

DEF CON 23 - Zoz - And That's How I Lost My Other Eye...Explorations in Data Destruction https://www.youtube.com/watch?v=-bpX8YvNg6Y

Hacking with Ramzy.. 14 years old now!


I think in most cases the thermite trap would probably get you into more trouble for ATF violations and not even help, by adding destruction of evidence and whatever they imagined was on the drive, unless you had some authority like a security clearance and classified documents or some sort of legal pretext to justify the use of such flammable booby traps.

I doubt there is a need to open the case for a sophisticated attacker. If there is even the slightest opening for air you can run camera optics and freeze spray tubes to RAM I would imagine.

This is why security-sensitive devices are often encapsulated and potted in epoxy or similar.

Chenbro makes cases with intrusion detection, bought one nearly 20 years ago and they still make similar ones: http://www.chenbro.com/en-global/products/TowerServerChassis...

Agreed; but this USBKill is a good protection for ordinary city police, or even a grab-and-run crime at a coffeeshop (with a usb key attached to your wrist with a cord).

Touch Bar MBP's are protected against this right?

> Interesting project, I'm sure this is useful for people at risk.

Could you expound on what this means? In the USA/UK, people most "at risk" of police kicking down the door seizing their laptops/computers while they are still running are child pornographers.

Perhaps this can be used "for good" under oppressive regimes (i.e. if you are a dissenting journalist) but then I think you won't get a fair trial anyway and having a kill switch just means more prison.

I know a shocking amount of innocent people who have been targets of surveillance and criminal investigations or who even had their homes raided - in Western European countries. Thankfully the courts are still working as they should, and all but one were fully acquitted.

It can happen if you are a political activist in any fashion. Nothing violent, just speaking out for rent control and against gentrification can get you in trouble. Or hanging around with the wrong people.

When it happens, you want to leave them as little rope as possible to hang you with. As I said, the courts still are honest and they won't make up evidence, but they will take everything they can find to make a case - and to learn about your structures and networks while they are at it.

You are right that in real oppressive regimes all bets are off. If they want to get you, they won't stop at their own laws. But even then, these techniques are useful against industrial espionage. If you are doing business in certain countries, the "evil maid" is quite real...

This is a somewhat pessimistic outlook on humanity, first off I would say that those who are most commonly at risk are those with trade secrets. Patented tech and investment intel for example.

As for the dissenters, I’m sure they would appreciate their co-conspirators remain secret.

> This is a somewhat pessimistic outlook on humanity, first off I would say that those who are most commonly at risk are those with trade secrets. Patented tech and investment intel for example.

Can you provide any evidence at all of police or "thugs" (or anyone, really) kicking down doors to get at trade secrets being a common problem? Because there are countless news articles of police raids seizing computers to stop child porn[0].

I speculate any tool billed as "anti-forensic" will be used for immoral purposes more commonly than moral purposes.

[0] https://en.wikipedia.org/wiki/Jared_Fogle#Child_pornography_...

It is an absolute certainty that any tool to improve privacy and security is going to be used by malicious actors.

That does not mean it should be banned. Knives are used for many things from cutting food and opening boxes to killing people. Nitrate based fertilizers can be used for vastly improving crop yields but can also be used for bombs. Encryption can be used to protect your sensitive personal data from criminals and prying eyes, but can also be used by the criminals themselves to hide their activities.

No state (even if it was the most ethically illuminated utopia) has the power to protect every person in every place at every time. Banning defensive tools is asinine as rarely does it mean that a criminal won't use them against you.

That is a dangerously naive viewpoint - trusting that the only instances are the ones they proudly brag about? When they have been caught not even allocating all of the funds for Child Pornography prevention they have been allocated while using "the children" as an excuse to undermine cryptography?

It is doubly foolish to believe that the police are the only users of forensic software when there is credit card theft and multimillion dollar ransomware rings out there. Robbing a bank by force or by heist is foregone jail, but snatching a laptop from a banker? Far more petty in risk and disguised as mere property theft as opposed to the data theft.

The threat model in corporate espionage is absolutely one of theft of property. It’s a lot easier to steal somebody’s laptop than to hack it.

Suspected child pornographers. There was some concern that the door kicking had gone too far on too little evidence once it reached Cliff Richard.

> In case the police or other thugs come busting in

I like this wording.

Disclaimer: Not a comment on current political happenings.

But seriously, the use case of disallowing USB sticks on devices is unnecessarily hard to configure. Just an option to disallow certain device classes would be appreciated.

I just disable all hotplugging support in my OS. Anything plugged into the machine must be manually mounted, enabled, etc. This works really great for me as it's rare that anything is attached to this machine other than the charger.

> But seriously, the use case of disallowing USB sticks on devices is unnecessarily hard to configure.

This will not help against hardware that exploits bugs in the USB stack of the operating system.

Assuming the threat model is police or secret service seizing one's server, it is feasible that the attackers also have knowledge of the running OS (IIRC one can distinguish between Windows, Linux and xBSD by simply looking at TCP fingerprints) and thus can use a targeted exploit.

How would you authenticate the USB stick that is allowed though? Without some sort of authentication mechanism an attacker could clone the device ID of an allowed device. Better than nothing though! :)

There's the USB Authentication Protocol where devices identify themselves through digital signatures. But I don't know whether each device has a unique ID or it's one cert for the whole production series.

This is fairly straightforward with udev, a couple lines of config should be sufficient.

any directions?

This guide is pretty good: http://reactivated.net/writing_udev_rules.html

Some ten-odd years ago, I wrote how to create udev rules to execute a command after connecting a particular USB device:


I think it would end up something like

    SUBSYSTEM=="block", SUBSYSTEMS=="usb", OPTIONS+="ignore_device"

But don't quote me on that

typical social pattern:

    - nothing 
    - hard work to make something easy to use
    - hard work to make something easy to control
    - control

I really like this concept.

That's why I've made similar projects. One to detect when USB storage devices get attached to domain workstations, and email the administrator with device and user info..... https://github.com/zelon88/Workstation_USB_Monitor

And one which detects USB HID devices, confirms them, and notifies the administrator..... https://github.com/zelon88/Rubber_Ducky_Defender

"immediately terminates the connection"

Reminds me of some old firewalls that would actively poll active connections, and when one is made that violates their rules, "immediately" terminate it. Oftentimes, an attacker can embed a lot in just a single URL in the query string (stolen passwords etc) that would be done in < 5ms, faster than the firewall can act (if not even faster than the polling interval itself), especially if there are plenty of rules and active connections and/or the machine is slow (e.g. playing games).

That's like choosing to not have a door on your house, because you know you can run fast and shoot the thief when they enter.

Maybe it's not as bad for hardware due to the inherent latencies involved, but I am always skeptical about things that use polling vs sitting in the middle at the kernel before a USB connection is allowed to happen to the OS in the first place.

The default (aka the one that nobody will change) connection-polling interval for this thing is 250ms, which doesn't seem too small for me for many conceivable attack scenarios.

For Mac, it runs this:

    os.system("killall Finder ; killall loginwindow ; halt -q")

This won't prevent windows from reopening after a reboot.

A possible exploit for this could be the USB pretending to be a keyboard, opening an exploit website or an app with malicious argument values; then you immediately shut down the Mac, reboot manually and boom, the website/app opens up and the machine gets owned anyway post-reboot!

Also, lack of Windows support is upsetting, considering there isn't much code change required to do so.

The "melt" feature is one I really like, and I respect the thought they put into making it.

I think it's aimed at scenarios in which the attacker is not aware of this utility running. Otherwise they could just kill it before inserting the USB.

Well, for attack vectors like Mouse Jiggler (I have one, very cheap on Amazon) or polymorphic USB devices, it would work if the attacker is unaware of the utility's existence. For polymorphics specifically, I checked the code, and it does indeed validate the IDs of the devices, not just their count.

For others, even if the attacker is unaware of the utility, those shortcomings are still serious enough (e.g. rapid keyboard typing).

I attended a talk by GSK and there was part of the talk about security. They don't allow usb devices to be plugged into their analysis computers. But every year they get an intern that tries to charge their phone from the PC USB.

Something like this, that doesn't halt the computer but shows a warning on screen and logs information, would perhaps be a solution to their problem. Although in the case of industrial espionage maybe locking the system would be worth it...

At a former gig for a post-production facility we used CoSoSys EndpointProtector to restrict USB access to workstations. Works as described in your second paragraph, (logs and warning) admin can then allow approved devices remotely if necessary.

I worked for a car mfg that had that on all their laptops. It was annoying and I’m 99% certain no one ever checked up on the alerts and instead was just logging in case there was an issue later.

Seems like a lot of code for what should be, on Linux anyway, a simple udev rule?

    echo 'ACTION=="add|remove", SUBSYSTEM=="usb", RUN+="/root/usb-changed.sh"' > /etc/udev/rules.d/usb-changed.rules

Then just put whatever you want to be run in /root/usb-changed.sh.

I think you would at least add an allowlist of safe (i.e. owned by you) USB ids you don't want to shut your pc/laptop down if connected

Your script can have the allowlist so you don't have to fiddle with udev every time you introduce or retire USB devices.

But then it's not a oneliner anymore, and the original project starts to make sense.

It doesn't warrant making a product that replaces a dedicated feature of the system. To whitelist in usbkill you have to do more than one line too.
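Both the "validates the IDs of the devices, not just their count" remark and the udev-script-with-an-allowlist thread above describe the same core logic. The following is an added example written for this thread, not usbkill's own code: it snapshots the attached USB devices from lsusb-style output, polls at the 250 ms default, and compares vendor:product identities with their multiplicity against the baseline and an allowlist. The lsusb lines and device IDs in the sample data are constructed, and the kill action is left as an injected callback (a dry-run print here) so the example never halts anything.

```python
"""
usbkill-style watchdog core: baseline snapshot, polling, ID-aware diff.
Added example for this thread; not the usbkill project's code.
"""
from __future__ import annotations

import re
import subprocess
import time
from collections import Counter
from typing import Callable, Iterable

# lsusb prints one line per device, e.g.
#   Bus 001 Device 003: ID 0781:5583 SanDisk Corp. Ultra Fit
LSUSB_LINE = re.compile(
    r"^Bus (?P<bus>\d{3}) Device (?P<dev>\d{3}): "
    r"ID (?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\s*(?P<name>.*)$"
)

DEFAULT_INTERVAL = 0.25  # seconds; the 250 ms default discussed in the thread


def parse_lsusb(output: str) -> Counter[str]:
    """Map lsusb text to a multiset of 'vid:pid' identities.

    Bus and device numbers are deliberately dropped: they change whenever a
    device is re-enumerated, while vid:pid is what an allowlist is keyed on.
    A Counter keeps multiplicity, so a second copy of an already-present ID
    (a cloned keyboard, say) still shows up as an inserted device.
    """
    ids: Counter[str] = Counter()
    for line in output.splitlines():
        m = LSUSB_LINE.match(line.strip())
        if m:
            ids[f"{m['vid'].lower()}:{m['pid'].lower()}"] += 1
    return ids


def current_devices() -> Counter[str]:
    """Snapshot the live system (needs lsusb from usbutils on PATH)."""
    out = subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout
    return parse_lsusb(out)


def detect_changes(baseline: Counter[str], current: Counter[str],
                   allowlist: Iterable[str]) -> list[str]:
    """Return the reasons that would trigger the kill action (empty = quiet).

    Insertions and removals of allowlisted IDs are ignored. Everything else
    is reported, including removal of a device present at start, which is
    how a wrist-cord key (the README tip) turns into a dead man's switch:
    simply leave that key out of the allowlist.
    """
    allowed = {a.lower() for a in allowlist}
    reasons: list[str] = []
    for dev_id, n in (current - baseline).items():   # Counter '-' keeps positives only
        if dev_id not in allowed:
            reasons.append(f"inserted {dev_id} (x{n})")
    for dev_id, n in (baseline - current).items():
        if dev_id not in allowed:
            reasons.append(f"removed {dev_id} (x{n})")
    return reasons


def watch(snapshot: Callable[[], Counter[str]], allowlist: Iterable[str],
          on_change: Callable[[list[str]], None],
          interval: float = DEFAULT_INTERVAL, max_polls: int | None = None) -> list[str]:
    """Poll snapshot() and call on_change(reasons) on the first change.

    Returns the reasons that ended the watch (empty if max_polls ran out).
    snapshot is injected so the loop can be driven by canned data below.
    """
    baseline = snapshot()
    polls = 0
    while max_polls is None or polls < max_polls:
        polls += 1
        time.sleep(interval)
        reasons = detect_changes(baseline, snapshot(), allowlist)
        if reasons:
            on_change(reasons)
            return reasons
    return []


# Constructed lsusb output: root hubs, a webcam and one key on a wrist cord.
SAMPLE_BEFORE = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 04f2:b6d9 Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 003: ID 0781:5583 SanDisk Corp. Ultra Fit
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""
# A moment later: the key is gone and an unknown keyboard appeared. Device
# numbers were handed out afresh, which must not register as a change.
SAMPLE_AFTER = """\
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 002: ID 04f2:b6d9 Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 007: ID 046d:c31c Logitech, Inc. Keyboard K120
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
"""


def demo() -> list[str]:
    """Drive the watchdog with the canned snapshots instead of halting."""
    frames = iter([SAMPLE_BEFORE, SAMPLE_AFTER])
    # Only the camera is allowlisted; the wrist key intentionally is not.
    return watch(lambda: parse_lsusb(next(frames)), allowlist={"04f2:b6d9"},
                 on_change=lambda r: print("would run the kill command now:", r),
                 interval=0, max_polls=1)


if __name__ == "__main__":
    print(demo())
```

Swap `lambda: parse_lsusb(next(frames))` for `current_devices` and `on_change` for the real shutdown command to turn the demo into the live loop.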

"Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill."

This line particularly caught my eye. I wonder what's the percentage of people (I'm presuming people working in security or those who are trying to avoid detection) go to this extreme?

Is it even extreme?

"To prevent Ulbricht from encrypting or deleting files on the laptop he was using to run the site as he was arrested, two agents pretended to be quarreling lovers. When they had sufficiently distracted him, according to Joshuah Bearman of Wired, a third agent grabbed the laptop while Ulbricht was distracted by the apparent lovers' fight and handed it to agent Thomas Kiernan. Kiernan then inserted a flash drive in one of the laptop's USB ports, with software that copied key files."


> Kiernan then inserted a flash drive in one of the laptop's USB ports, with software that copied key files.

How exactly does this work? Is there a sort of software that runs automatically when you insert the stick, or did he have to click on it?

Speculation: It's possible to produce keyboard and mouse inputs, and also present as a storage device -- autorun isn't even necessary (though spurious inputs would be quite visible to somebody using the computer and something like a mirrored mouse, custom keyboard layout / shortcuts could foil this)

That would only work on a known operating system and window manager with known keyboard shortcuts, unless a terminal is already focused.

In theory, you could fingerprint the host OS first and then run the appropriate commands (of course more tricky with more custom Linux setups, does CTRL+ALT+Fn still work to get to a text console?): https://www.cise.ufl.edu/~butler/pubs/sadfe11.pdf

Yeah, I was thinking of custom window-manager setups. You can usually get a tty console by ctrl-meta-f1 etc., but that wouldn't help, since you'd have to enter a password. I suppose an advanced version could try different combinations and test each by entering a command that would be detected by the stick.

One of Atmel's USB-capable microcontrollers had a HID Keyboard example program that when you pressed a button (on a Windows host) would start Notepad (via the run command) and type "Hello, I'm an Atmel SAMXXXX".

Great bit of example code, but opens a world of possibilities for what you could do with, say, a HID + Mass Storage composite device.

On Windows, it's just 'Win+R 'CMD' [Enter]' and you have a terminal/console. Presumably, if the agents were monitoring the perp properly, they would know what OS they would be targeting.

I type the above SO often every day, it should be on my gravestone. :D

You can present yourself as a standard file system or some device you know has a known exploit in the driver on the other side. Then on the USB 'drive' side you have a full-out ARM CPU. It can issue commands too as it is connected to the serial bus. Many USB drives already have a small embedded CPU in them.

>Many USB drives already have small embedded CPU in them.

For most common hardware this is just an 8051 variant that sets up the USB and DMA peripherals. It's easy enough to get something more powerful, but I am doubtful you'd want to reuse consumer hardware.

The 8051 is a decently capable CPU (it is the CPU at the heart of the Furby toy). At one point they built whole computer ecosystems around it. Remember the point here is to take over the computer, not have a full-out modern OS. The USB manufacturers use them because they work well on low power and are decently cheap and small. Now most USB sticks do not do much more than what you say. But that would not stop someone who is making one of these things from reflashing the firmware in it. The use case here is different than what most people would use it for. Sometimes you will see an older ARM design too.

Mfrs use them because they are not patent encumbered. There are some fairly high power 8051 clones, true. But in most applications they are barely sufficient.

In this case any kind of MCU is making life harder than it needs to be.

On Windows, autorun.inf. This technique has been around since at least the 90s when CD-ROM drives were introduced to PCs... it is how a newly inserted CD (and later usb disk) can automatically execute software on insertion:


Autorun has been disabled by default for a long time (with good reason). And it has never worked with USB drives, only ones which emulated a CD drive such as U3 USB drives.

Autorun attempts results in a prompt since Vista.

Apparently, autorun from USB volumes was enabled for XP SP2:


>Before Windows XP SP2, AutoPlay was disabled by default on removable drives, such as the floppy disk drive (but not the CD drive), and on network drives. Starting with Windows XP SP2, AutoPlay is enabled for removable drives. This includes ZIP drives and some USB mass storage devices.

Autorun and AutoPlay are different things. AutoPlay is what asks you if you want to open media in File Explorer or some other application.

I've always been surprised that autorun wasn't re-enabled when app stores / code signing was introduced. If Microsoft or Apple is willing to sign an installer saying that it's something safe to install, isn't that proof enough to let it run when you insert the USB key it's on?

I know this isn't really very relevant for the specific combination of installers and physical media any more, since it's rare for anyone to be trying to install something off a CD/DVD/USB these days (other than a new OS, of course.)

But I could see the use case for physical media doing something other than running an installer (e.g. DRMed disks launching the equivalent of a FUSE server to mount the "rest" of the disk); or for non-physical media (e.g. macOS DMG disk images) being able to autorun their embedded installer. Either way, the code signing that the platforms are already doing would be enough to make these safe, no?

Windows code signing does not include a step where Microsoft inspects the code. The developer gets a certificate from a commercial CA and signs the code. If the certificate is an EV certificate, that's basically it. If it's a regular certificate, Windows does a callback to Microsoft that seems to just be a popularity check --- if the certificate has been used a lot, then the prompts go away.

At best, Windows code signing lets you know who signed it and that that person was able to pay a CA some money, not that it's safe to run.

Regular developer code-signing, yes. But I'm talking about the code-signing that's done by Microsoft (rather than by your own Microsoft-signed cert) on the Microsoft Store backend; or the code-signing that's manually done by Microsoft when a third party submits a driver package to them for inclusion as a Windows update.

Microsoft limited autorun about two decades ago, and finally got rid of it completely in 2011.


You should try Windows 10! It's very good. At least give it a whirl so you can have accurate facts about what it does, and not spread FUD about it.

Maybe rubber-ducky style keyboard emulation?

Not a security expert, but a commonly heard phrase is 'depends on your threat model' :)

I don't think that wrist-key is an extreme (never seen it actually, but I still think this solution is a cautious one).

For me an extreme measure would be to modify my motherboard in a way that I could connect RAM to my wrist and tear it away when necessary.

Now that would be interesting: have your RAM strapped to your wrist and connected to your Mobo by a breakaway cable.

Bonus points if they cut it when they tackle you because they thought it was a deadman switch, like mentioned in the link.

How about a Bluetooth dongle in your pocket? Less visible, and unless the hostiles know about it, they will separate you from the computer.

A phone could work. An apparent car key would be better. Best would be a piece of clothing, like a belt.

That would work great for half an hour, until your Bluetooth connection drops for no reason, the dongle pairs with your car or phone instead, decides it's a headset now, or one of the hundred other things that inevitably go wrong with Bluetooth.

Hehe, do not think like an engineer in this case. Think like someone who only has to get it right once but can try 100 times. So even if you have a flaky connection, just so long as it works that 'one time', you are good.

There are bluetooth low energy key fobs that work for this.

In a similar vein, there's antijiggler[1] which only locks the PC when a new device is connected.

[1] http://www.codefromthe70s.org/antijiggler.aspx

I thought this was https://usbkill.com/ I think maybe this would be more effective in anti-forensic because it actually destroys the computer?

Gets the work done, somehow.

From going through the discussion I'm getting the impression that the only feasible attack vector provided by USB is by emulating a keyboard like a USB Rubber Ducky. Is this really the case?

For instance, if my laptop is locked (with a proper[0][1] lock screen like xscreensaver) and that lock screen is capturing all keyboard input and magic SysRq keys[2] are disabled, too, is there really no way an attacker could use a USB device to hack my laptop?

Similarly, if my laptop is not locked but comes with unusual key bindings (maybe even a different keyboard layout), what are the chances of me getting hacked with a USB device? (Let's assume that the attacker manages to secretly plug in said USB device but doesn't want to access my unlocked laptop directly – maybe because we're in an open office and people are watching.)

My impression had always been that USB devices are dangerous beyond simple keyboard emulation but I might be wrong.

[0] https://www.jwz.org/blog/2015/04/i-told-you-so-again/

[1] https://www.jwz.org/xscreensaver/toolkits.html

[2] https://en.wikipedia.org/wiki/Magic_SysRq_key

Besides keyloggers, another reason people want this is because law enforcement has USB keepalive devices that will simulate mouse movement/keypresses to keep your computer from going to sleep.

They do this to make sure your computer stays on and your RAM doesn't get powered off, which will allow them to read any decrypted data in memory whether or not your data is encrypted on disk.

When they raid you, they come with massive UPS devices that they plug your computers into to give them as long a window as possible to get your data.

How will they replug my single PSU workstation to their UPS?

Use insulated tools and a steady hand to cut into the power cord and splice in the UPS. The UPS is configured to match phase with the power that's already in the cord.

... or get a HotPlug https://www.cru-inc.com/products/wiebetech/hotplug_field_kit...

Just discovered this now myself. The same company sells mouse jigglers.

Which is why, if you want to defend against the easy versions of these and make people have to do work, only plug your desktop PCs into standalone outlets not on a surge protector.

Yes, it won't defend against cord cutting.

Edit: A more interesting defense I think would be to modify a surge protector specifically to defeat HotPlug. Only put your computer on a specific outlet and wire it so that if any other outlet completes a circuit, it kills power to the whole thing.

Plugging into the wall doesn't defend against hotplug nor make it meaningfully more difficult: https://youtu.be/erq4TO_a3z8?t=236

Oh wow, that's interesting.

Definitely would go with my modified surge protector plan then.

HotPlug is one of the turnkey versions of this, yes

> [0] https://www.jwz.org/blog/2015/04/i-told-you-so-again/

Sorry for the digression, but WTF is this guy doing? Looks like he redirects all requests that have HN as the referrer to a picture of a testicle. Copy-pasting the link (i.e., dropping the referrer) seems to work, though.

That's exactly what he's doing. I can't remember why he hates HN though, but it's been that way for a really long time.

What a little asshole!

Oh wow, I wasn't aware of that. Sorry about that.

Not your fault at all, I'd never expect such childish behavior from a website either.

I don't understand. Is USB just always insecure because of hardware?

Yes, but that's unrelated. The idea here is that if a USB device is connected to your machine, it's an indicator that your machine is compromised. Mouse jigglers that stop your lock screen from activating are very common when confiscating machines: https://www.cru-inc.com/products/wiebetech/mouse_jiggler_mj-...

And of course, depending on the OS, it's possible to craft a USB stick that copies files to a remote server as soon as it's plugged in.

Once I saw a coworker improvise one of these by placing a second (optical) mouse on top of a mechanical wristwatch.

Hmm, this is actually rather nifty, although one issue I see is it will only last a few days at most. I don't know how long people who confiscate laptops normally need to run mouse jigglers.

Battery operated mechanical wrist watches last years!

I believe you're thinking of an analog (usually quartz) watch, not a mechanical analog watch which doesn't have a battery.


Should have known better than to wander into a conversation about watches.

I know nothing!

> depending on the OS, it's possible to craft a USB stick that copies files to a remote server as soon as it's plugged in.

Is this possible with Linux?

You can get a 'USB rubber ducky' [1] which emulates both a USB memory stick and a USB keyboard, allowing you to script keystrokes for the keyboard [2]

So it can do anything a newly plugged in keyboard can do. Which, if the user is already logged in, makes grabbing the user's files easy.

[1] https://shop.hak5.org/collections/usb-rubber-ducky/products/... [2] https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

This will only work, I suppose, if the attacker knows beforehand a keychord that will focus a terminal.

on most desktop linux distros: <windows>terminal<enter> is enough

Hehehe...on my machine that selects "Emacs (Terminal)". Good luck with those key combos...

Yes and no. The idea is to emulate a keyboard and mouse. You then use OS shortcuts to, for example, start a terminal and type commands in it. So it can work with Linux but, because of the diversity of distributions, DEs, etc., it is more difficult to be sure of the shortcuts that you can use, whereas on Windows or Mac they will usually always be the same (for example, Windows+R on Windows to open a launcher, and then type cmd.exe).

Yes, the device can present itself as both a keyboard and storage device and send the copy commands via keystrokes.

Yes. Mouse jigglers pretend to be regular mice and keyboards.

An alternative approach may be to check idVendor and idProduct (lsusb) to see if either matches a mouse jiggler supplier or product.

Not sure if a blacklist approach is the most reasonable solution when you're in a situation where you have to worry about these things in the first place.

Those can be easily spoofed. I don’t know if current mouse jigglers in use have a specific Id or not, but there’s no reason they would have to have a recognizable Id.

And now, we've come full circle to plug-and-stop-playing.

A hotplugd script can be used to mimic this on OpenBSD

I saw this solved with a USB stick on a keychain and the computer shuts down when the stick is removed. Does anybody still have the link?

Ah. Found it: https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k...

How does this work for usb typec? When I plug in my power cable will my computer shutdown?

And does it work for things that look exactly like USBC but are actually Thunderbolt? (with all its direct memory access via DMA and all of that nastiness).

See the Apple combo USBC/Thunderbolt ports.

It lists the ability to whitelist devices in the article.

Everyone should also install a hard power off on the front of their computer and always have encrypted drives. Unrecognized USB storage in my computer also is instant off. Might corrupt my files someday, but it's worth the risk.

I made a video about disabling USB to prevent rubber ducky attacks a long time ago.

Never thought about shutting down the computer.


What's stopping the forensic people from just spoofing the USB device IDs?

Nothing. And that's not the problem this program is intended to solve.

It is. The program tries to prevent use of unauthorized USB devices, yet it uses the easily spoofed USB device IDs to authenticate them.

It isn't. The problem this program solves is thwarting a naive attempt to alter the state of the USB bus. The design assumes the attacker is not aware of the consequences of adding or removing devices and has no reason to employ spoofed devices or any other Ever Greater Adversary Regression techniques you can imagine.

After they get bitten by tools like this usbkill once, ID spoofing will just become the standard practice, and it will be made so easy to do they don't even need to think.

How do they get the IDs?

They could just look around and see what USB devices you own. USB vendor/product IDs are not secret.
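Added example, not part of the thread or of usbkill's own code: a minimal whitelist check over constructed lsusb-style lines, showing why the vendor:product check discussed above halts on an unknown or removed device but waves through a device that presents an already-whitelisted ID. The sample snapshots are constructed; 1234:abcd is a placeholder ID.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# One line of `lsusb` output, e.g.
# "Bus 001 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver"
LSUSB_RE = re.compile(
    r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})\s*(.*)$"
)

@dataclass(frozen=True)
class UsbDevice:
    bus: str   # bus number as printed by lsusb
    dev: str   # device address; every (re)plug gets a fresh one
    vid: str   # idVendor, lower-case hex
    pid: str   # idProduct, lower-case hex
    name: str  # free-text description from the usb.ids database

    @property
    def usb_id(self) -> str:
        return f"{self.vid}:{self.pid}"

def parse_lsusb(text: str) -> List[UsbDevice]:
    """Parse lsusb-style lines; lines that do not match are skipped."""
    devices = []
    for line in text.splitlines():
        m = LSUSB_RE.match(line.strip())
        if m:
            bus, dev, vid, pid, name = m.groups()
            devices.append(UsbDevice(bus, dev, vid.lower(), pid.lower(), name))
    return devices

def bus_changes(baseline, current) -> Tuple[Set[UsbDevice], Set[UsbDevice]]:
    """Return (added, removed) between two snapshots of the bus."""
    before, after = set(baseline), set(current)
    return after - before, before - after

def kill_decision(baseline, current, whitelist: Set[str]) -> List[str]:
    """Reasons to halt; an empty list means the change is tolerated.
    Any removal halts (a yanked key fob); an addition halts only if its
    vendor:product pair is not whitelisted. Because only the ID is checked,
    a device that presents a whitelisted ID is accepted as well."""
    added, removed = bus_changes(baseline, current)
    reasons = [f"removed {d.usb_id} ({d.name})" for d in removed]
    reasons += [f"unknown device {d.usb_id} ({d.name})"
                for d in added if d.usb_id not in whitelist]
    return sorted(reasons)

# Constructed snapshots (not real captures); 1234:abcd is a placeholder ID.
BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 046d:c31c Logitech, Inc. Keyboard K120
"""
WITH_UNKNOWN = BASELINE + "Bus 001 Device 003: ID 1234:abcd Unknown HID device\n"
WITH_SPOOFED = BASELINE + "Bus 001 Device 004: ID 046d:c31c Logitech, Inc. Keyboard K120\n"
WHITELIST = {"1d6b:0002", "046d:c31c"}

def demo() -> Dict[str, List[str]]:
    base = parse_lsusb(BASELINE)
    return {
        "unchanged": kill_decision(base, parse_lsusb(BASELINE), WHITELIST),
        "unknown": kill_decision(base, parse_lsusb(WITH_UNKNOWN), WHITELIST),
        "spoofed": kill_decision(base, parse_lsusb(WITH_SPOOFED), WHITELIST),
        "removed": kill_decision(base, parse_lsusb(BASELINE.splitlines()[0]), WHITELIST),
    }

if __name__ == "__main__":
    for case, reasons in demo().items():
        print(case, "->", "HALT: " + "; ".join(reasons) if reasons else "ok")
```

The "spoofed" case returns no reason to halt even though a new device appeared, which is the limitation the thread is pointing at.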

No doubt if the govt got burned by one of these, they’d pretty quickly approach it differently.

Security through (counter-measure) obscurity.

Destroying evidence is considered a crime on its own. Use something like this at your own legal risk, since it's usually far easier to prove obstruction than it is to prove the underlying crimes that were being investigated.

Any relevant case law here? I mean, clearly destroying evidence (e.g. shredding documents) is one thing but I assume it’s harder to prove when it’s a byproduct of computer security?

Apple phones can be wiped with 10 invalid password attempts, but the cops already know it. If it’s a piece of custom software that erases a computer after 2 attempts, can the prosecution really claim it was pure evidence destruction?

I honestly don’t know, but I’m curious.

does encryption offer any benefit if you’re using a cloud syncing solution?

Not as easy, but more fun to ruin the USB device.

If they use mouse wiggling, the screensaver could use other triggers/patterns to keep the box on. Say 1 Google search per 15 min minimum. Randomly moving the mouse seems a good reason to shut down.

Obligatory $5 wrench comment: https://xkcd.com/538/

Something like this is probably good when you - as a person - are not around when your hardware gets extracted from your place. But then again, why would it be running openly and unattended in the first place?

Can we please stop endlessly repeating this? Life is much more complex than that.

A small laptop, a phone or a tablet can be stolen from you while powered on and unlocked by a simple thief that has no intention, nor ability, to capture and torture you.

The thief could then quickly hand the device to other people that flash it and sell it in a different country. But first they might extract any valuable data.

> Life is much more complex than that.

> [...] a simple thief that has no intention, nor ability, to capture and torture you

By your comment I assume you live in a developed country and/or are not within a regularly oppressed minority, which of course is a nice privilege. Sadly not everyone is that lucky, and torture over something as simple as $1 online transactions is pretty real.

That isn't privilege but a matter of the threat model to protect against - stop with the irrelevant pseudomoralist privilege-shaming shit.

If they wanted protection against that they would recommend a gun or several mercenary bodyguards. Which would require money and connections. But the topic isn't "How to quickly kill or incapacitate three or more men with only your bare hands while having legal cover".

In many places, law enforcement will pressure but not torture you to provide decryption keys, maybe imprison you for a while, fine you, ...

But that may be preferable to them knowing about all those highly illegal nuclear doomsday space arms technology knowledge deals you've brokered, or that collection of child porn, or those detailed assassination plans, or whatever. Maybe the authorities suspect something, maybe a SWAT team will snatch your laptop, but if all evidence is in there and encrypted, you may get off with a lot less than otherwise.

In the UK you might well be in prison for five years for refusing to hand over the keys.


Not sure what the situation is now.

Section 49 to force key disclosure should only happen if:

+ The person being given the notice has the key

+ Investigators need the key to prevent or detect crime

+ Disclosure is proportionate

+ They can't get the encrypted material by other means

Not complying with this is a criminal offence. The maximum sentence is 2 years, unless it's a case involving child sexual exploitation or national security, where the maximum sentence is 5 years.

There is a code of practice for use of these powers here: https://www.gov.uk/government/publications/code-of-practice-...

I think that properly regulated key disclosure powers are important. I'm not sure we (the UK) are getting it right with RIPA. I'd want to see stronger audit and oversight of the S49 notices, and better advice given to people who are served S49 notices.

For example: I have no idea how many people are served S49 notices, and I don't really know how to find out. I don't know how many people have been imprisoned for not disclosing keys; I don't know what sentences they've been given; and I'm not clear on how to find that out. I feel that it should be easier for citizens to have clear data about these really intrusive powers.

EDIT: I just found this page, and it seems like it's small numbers of people. But still, it's a bit worrying. https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...

> Investigators need the key to prevent or detect crime

That's a bit scary. 'Detect crime' could be pure speculation on the police's part.

"We think you've done something bad, let us see the contents of your phone. No we don't have any evidence already as we're detecting the crime right now."

Maybe I’m wrong, but I’m going to assume that the UK requires at least some evidence (reviewed by a judge) of a crime being committed or is about to be committed before they can throw you in jail for not giving the code to your phone.

I'm not sure that would be proportionate.

It's not great, but it's better than before where this kind of crime detection had much less regulation.

Get out spook.

Hidden operating system is the way to go. Usbkill turns the machine off, when asked you supply the public password.

Investigators will say "you sent this email to your dad at 09:29 on Tuesday, yet it wasn't sent from your phone or laptop according to device logs. You either have another device you haven't given us, or you haven't decrypted the right partition".

Boot drives with no cache are the perfect answer to this, through a lawyer: "USB boot drive. There are no logs kept on it. I'm not hiding anything, it is just good sense to use a computer which doesn't persist any state, limiting any malware to session only in the very worst case."

You sent shit to your dad from the wrong machine/partition.

"Prove it."

Veracrypt has a hidden volume feature where you give up a distress key, and a hopefully plausible second volume is decrypted instead of the real one.

Also, you can decide to reveal your secret after having discussed the matter with a lawyer.

This (link) is actually referred to as a Rubber-hose cryptanalysis -> https://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis
