If you are paranoid about something like this happening, just use https://www.qubes-os.org/. all usb devices are jailed in a non-networked vm by default.
In general, if what you do warrants that level of paranoia, qubes will help you massively.
Interesting project, I'm sure this is useful for people at risk.
Somewhat related, I'm wondering about the physical security of computers. There is an attack where they open your PC, take out the ram, and freeze it immediately so the bits don't decay and they can extract your encryption keys.
All BIOSes have an option for cassis intrusion detection, but I've never seen a case that has the necessary cable. Has anybody here set up a chassis intrusion kill switch that erases the RAM/shuts down the PC etc. if the case is opened improperly? Can you buy anything like this on the market?
Memory encryption technologies such as AMD's Secure Encrypted Memory (SME). Would be your best bet to combat this, along with other anti-evil maid protections.
TRESOR is a great project but pretty seperate to SME imo. TESOR implements SME but its implemented effectively in software, making it less secure and a lot slower. The great thing about SME on AMD CPUs is that I believe (at least on the newer Zen cores) it effectively can run at the speed of the memory, so you have no performance loss.
Secure Encrypted Virtualisation uses SEM, but it is not a newer version of it. SEV allows someone to run encrypted VMs that not even the host can read the memory, by leveraging per VMs keys in the AMD PSP that encrypt the VMs pages using SEM.
It would be interesting to leverage SEM to run a version of qubes where not only are the VMs isolated by the Xen hypervisor but are also separately encrypted using the PSP.
Many of the measures that provide effective physical security also make a device really unsuited for personal usage. Look at HSMs for an example of this. And even they rely on being stored in a physically secure room and protected from theft.
It's a matter of being more determined than your attacker. Imagine a device that will irretrievably brick itself if tilted more than a certain angle, if left unpowered for more than a certain time, etc. and that has to be under constant guard. This seems almost incompatible with any kind of personal use. And some measures may only work in one instance, with the attacker planning for them the second time they have an operation.
Many attackers also don't have the same restrictions the police has. In the Ulbricht case the police may have been forced to use a device that copies the data with no human intervention just to preserve the chain of evidence and not have suspicions that the agent operating the laptop altered it while installing additional software. An attacker operating in the grey/dark area might just immobilize the user, snip the wrist cable, and then retrieve the necessary data either directly at the console or by siphoning it via the network. Or the police may just start video recording in great detail every step from the moment an agent touched the laptop until the data was exfiltrated to remove suspicions of tampering.
But such a tool would be of great effect against an undetermined, unsophisticated attacker committing a crime of opportunity.
Personal computers have an advantage here: it is acceptable for them not to work when they are not directly used by someone. It means they can be stored in safes when not used and have all the encryption keys securely erased when not used. For example, a screen locker could stop all the processes and erase all the keys from registers and memory assuming both disk and memory encryption. And the locker itself could be triggered by some proximity sensor, RFID, camera, whatever, not just input inactivity timeout.
Storing your personal computer in a safe when not using it is probably the very definition of "almost incompatible with any kind of personal use". And at this point you just move the weak link from the device to the safe's lock. HSM-like physical security is good for making the device tamper proof and ensuring than no data can be retrieved under any circumstances other than the one accepted "regular use" way.
Putting a regular device in a safe leaves it exposed to someone unlocking the safe and compromising the device by implanting a keylogger inside or even by putting a replacement identical device there and waiting for the user to type the boot password.
As for methods of emergency clearing sensitive data from memory while in operation, whatever method is employed will work once. The next time the attacker is ready for that particular method. For example the police might just have to completely immobilize the suspect (and their hands) and keep the laptop in the vicinity while the "dead man's switch" is bypassed.
> And even they rely on being stored in a physically secure room and protected from theft.
Not exactly. You don't want someone sneaking in and misappropriating the HSM to authorize something bad. And if you set the system up for unattended recovery from a power failure, then in all likelihood someone walking off with the server the HSM is in can use those keys indefinitely. But there are options.
Some HSMs have self-destruct mechanisms that attempt to prevent physical access to the private key (ie by lapping the chip). Some vendors (nCipher, IIRC) have a smart card (a second HSM) that is required to authorize certain activities, like signing, or key recovery. In fact they had a byzantine generals solution that either had the key or a password for the key split between n cards. In the latter case you needed one of the original HSMs in order to clone the key, so a movie plot where you kidnap the entire team at a conference doesn't work. During initial setup the cert would be generated on the first HSM and copied to the others, having never seen daylight.
That system was quite difficult to explain to users, and I had to document it just so I wouldn't get confused and trigger a reset of the evaluation hardware (at which point all of our test artifacts have to be rebuilt).
It might be more complicated to start WWIII than to protect a signing certificate, but only just.
> Not exactly. You don't want someone sneaking in and misappropriating the HSM to authorize something bad.
I think we're talking about exactly the same thing :). That's what I meant by "even they rely on being stored in a physically secure room and protected from theft". Despite all the hardening that is applied to the device, it must always be kept secure and supervised. As an example, this is what Safenet considers the intended installation environment should be [0].
This can't be effectively applied to a personal computer.
As I was trying to say, there are ways to make that less of an issue by moving other factors off-site. You can configure (some) HSM cards not to be available on boot, requiring a human to come in and reactivate them with a password or a fob that they bring with them, and leaves with them.
Then your biggest problem is people thinking that stealing the cards will get them anything. Which, they're not entirely wrong, because those things are damned expensive. So you need a 'kinda' secure facility.
Again, the issue is that any hardware that will start up for you without any action on your part will likely start up for anybody else, too. Your laziness will probably win out...
I think the real question is has it ever been used in the wild on any DDR?
"In recent years, however, it has become increasingly challenging to execute cold boot attacks or perform physical memory forensics due to the introduction of DRAM memory scramblers. Modern processors with DDR3 and DDR4 DRAM scramble data by XOR’ing it with a pseudorandom number before writing it to DRAM [5], [6]. These scramblers were initially introduced to mitigate the effects excessive current fluctuations on bus lines by ensuring bits on the memory bus transition nearly 50% of the time"
I have a Lenovo M93P Tiny which came with a chassis intrusion switch installed. It seems you can have it block startup/require a password when the case is opened and notify some central admin. I don’t know what happens if you open the case while it’s running, though.
I’m not sure if it’s something they offer on current models, or to individuals at all (I bought it used from a corporate IT asset liquidator so it was likely originally purchased as part of a bulk deal). Regardless it makes a great little Linux box!
Work at a big bank , we won’t procure laptops without this and yes we will know when you have opened it and you won’t be able to boot it , I think something happens with bitlocker also but not sure.
That feature is fairly common but practically quite useless and easy to circumvent if you can find the model information. Even with PCI-DSS enclosure compliance you can get in if you can take power tools to it. The assumption is power tools would be too obvious to use in a typical installation.
Back in the BBS days, there were textfile describing how to wire your beige box to either turn on strong magnets or ignite termite if a case was detected.
... I don’t know of anyone actually implementing this though :)
I would imagine that's thermite and not termite ;)
If the latter, the server would probably be okay, and it would take a very long time for the termites to damage the surrounding room enough to be a security deterrent.
It's funny when I think back, I was a teen in the 90s and did plenty of questionable stuff online and w/ local BBS scene (Kevin Mitnick was busted in Raleigh and many rumors existed about his presence in the BBS scene, obviously fantasy though!).
Nobody I know who got arrested ever managed to destroy anything. When I think about it, we all assumed the cops would storm in when we were in the act of doing something bad, probably like in the movies lol, when in practice, they tend to pick you up when you are really off guard, duh.
Very few people had automatic protections because like, our parents would probably get mad if we burned down the house :)
When it came to me, the FBI did knock on my front door, and I managed to dd if=/dev/random of=/dev/hda
I lost my entire BBS, all the custom code and ANSI I had for it, among other ancient treasures that I'd probably still have with my napster mp3s :)
Of course they didn't come for me, there had been a flasher in the neighborhood on halloween...
When I was a teen, I somehow got a modem number at NASA, and I stupidly gave it to a friend. He tried to brute force it, but he got door knocked. He quickly formatted his disks, but it wasn’t even the cops haha!
Well, keep this in mind: I knew quite a few people who got interviewed with, and arrested by authorities. Everyone under the age of 18 in the 90s got a slap on the wrist because they hadn't got too good at punishing those kinds of crimes. I think the worst I saw was $1200 paid over 12 months to AT&T.
After 18, you're done, even if they can't think of a good charge, they'll make them up, which is exactly what they did back then, cross state commerce was a blanket thing to grab folks.
I stopped doing anything questionable well before I turned 18.
Eh, it's worth it, depending on what you're doing. I'd much rather get in trouble for a hard drive full of zeroes, than them knowing what was on it beforehand.
Today, you should encrypt everything, and cut power before physical access is obtained. Will that count as "tampering"? I was just turning off my computer. No, I do not remember the key.
Looking back, federal authorities really only came when they had the evidence they needed already, and local authorities were way too far behind to know what was going on (in the 90s).
In practice, the only real protection we had (those of us in my social group) was that we were minors, and lucky that laws hadn't caught up yet.
Surely it has to be actual evidence before you "tamper" with it.
If I delete a file on my computer today that would be potentially "evidence" if seized, and the police come knocking tomorrow, I haven't committed a crime by using my personal computer in the past.
I could be remembering incorrectly, but it may have been reoccurring or not even really the FBI, but state police or something and my parents said it was the FBI.
I only saw people in suits with a black car outside knocking on the door, also this was like 30 years ago so don't twist my arm :)
I think in most cases the thermite trap would probably get you into more trouble for ATF violations and not even help by adding destruction of evidence and whatever they imagined was on the drive unless you had some authority like security clearence and classified documents or some sort of legal pretext to justify uses of such flammable boobytraps.
I doubt there is a need to open the case for a sophisticated attacker. If there is even the slightest opening for air you can run camera optics and freeze spray tubes to RAM I would imagine.
Agreed; but this USBKill is a good protection for ordinary city police, or even a grab-and-run crime at a coffeeshop (with a usb key attached to your wrist with a cord).
> Interesting project, I'm sure this is useful for people at risk.
Could you expound on what this means? In the USA/UK, people most "at risk" of police kicking down the door seizing their laptops/computers while they are still running are child pornographers.
Perhaps this can be used "for good" under oppressive regimes (i.e. if you are a dissenting journalist) but then I think you won't get a fair trial anyway and having a kill switch just means more prison.
I know a shocking amount of innocent people who have been target of surveilance and criminal investigations or who even had their homes raided - in western european countries. Thankfully the courts are still working as they should, and all but one were fully acquitted.
It can happen if you are a political activist in any fashion. Nothing violent, just speaking out for rent control and against gentrification can get you in trouble. Or hanging around with the wrong people.
When it happens, you want to leave them as little rope as possible to hang you with. As I said, the courts still are honest and they won't make up evidence, but they will take everything they can find to make a case - and to learn about your structures and networks while they are at it.
You are right, that in real oppressive regimes all bets are off. If they want to get you, they won't stop at their own laws. But even then, these techniques are useful against industrial espionage. If you are doing business in certain countries, the "evil maid" is quite real...
This is a somewhat pessimistic outlook on humanity, first off I would say that those who are most commonly at risk are those with trade secrets. Patented tech and investment intel for example.
As for the dissenters, I’m sure they would appreciate their co-conspirators remain secret.
> This is a somewhat pessimistic outlook on humanity, first off I would say that those who are most commonly at risk are those with trade secrets. Patented tech and investment intel for example.
Can you provide any evidence at all of police or "thugs" (or anyone, really) kicking down doors to get at trade secrets being a common problem? Because there are countless news articles of police raids seizing computers to stop child porn[0].
I speculate any tool billed as "anti-forensic" will be used for immoral purposes more commonly than moral purposes.
It is an absolute certainty that any tool to improve privacy and security is going to be used by malicious actors.
That does not mean it should be banned. Knives are used for many things from cutting food and opening boxes to killing people. Nitrate based fertilizers can be used for vastly improving crop yields but can also be used for bombs. Encryption can be used to protect your sensitive personal data from criminals and prying eyes, but can also be used by the criminals themselves to hide their activities.
No state (even if it was the most ethically illuminated utopia) has the power to protect every person in every place at every time. Banning defensive tools is asinine as rarely does it mean that a criminal won't use them against you.
That is a dangerously naive viewpoint - trusting that the only instances are the ones they proudly brag about? When they have been caught not even allocating all of the funds for Child Pornography prevention they have been allocated while using "the children" as an excuse to undermine cryptography?
It is doubly foolish to believe that the police are the only users of forensic software when there is credit card theft and multmillion dollar ransomware rings out there. Robbing a bank by force or by heist is foregone jail but snatching a laptop from a banker? Far more petty in risk and disguised as mere property theft as opposed to the data theft.
> In case the police or other thugs come busting in
I like this wording.
Disclaimer: Not a comment on current political happenings.
But seriously, the use case of disallowing USB sticks on devices is unnecessary hard to configure. Just an option to disallow certain device classes would be appreciated.
I just disable all hotplugging support in my OS. Anything plugged into the machine must be manually mounted, enabled, etc. This works really great for me as it's rare that anything is attached to this machine other than the charger.
> But seriously, the use case of disallowing USB sticks on devices is unnecessary hard to configure.
This will not help against hardware that exploits bugs in the USB stack of the operating system.
Assuming the threat model is police or secret service seizing one's server, it is feasible that the attackers also have knowledge of the running OS (IIRC one can distinguish between Windows, Linux and xBSD by simply looking at TCP fingerprints) and thus can use a targeted exploit.
how would you authenticate the USB stick that is allowed though?
Without some sort of authentication mechanism an attacked could clone the device id of an allowed device.
better than nothing though! :)
There's the USB Authentication Protocol where devices identify themselves through digital signatures. But i don't know whether each device has a unique ID or its one cert for the whole production series.
That's why I've made similar projects. One to detect when USB storage devices get attached to domain workstations, and email the administrator with device and user info..... https://github.com/zelon88/Workstation_USB_Monitor
Reminds me of some old Firewalls that would actively poll active connections, and when one is made that violates their rules, "immediately" terminate it. Often times, an attacker can embed a lot in just a single URL in the query string (stolen passwords etc) that would be done in < 5ms, faster than the firewall can act (if not even faster than the polling interval itself), specially if there is plenty of rules and active connections and/or the machine is slow (e.g playing games).
That's like choosing to not have a door on your house, because you know you can run fast and shoot the thief when they enter.
Maybe its not as bad for hardware due to the inherit latencies involved, but I am always skeptic about things that use polling vs sitting in the middle at the kernel before a USB connection is allowed to happen to the OS in the first place.
The default (aka the one that nobody will change) connection-polling interval for this thing is 250ms, which doesn't seem too small for me for many conceivable attack scenarios.
For Mac, it runs this:
os.system("killall Finder ; killall loginwindow ; halt -q")
This won't prevent windows from reopening after a reboot.
A possible exploit for this could be the USB pretending to be a keyboard, opening an exploit website or an app with malicious argument values, then you immediately shutdown the Mac, reboot manually and boom, the website/app opens up and the machine gets owned anyway post-reboot!
Also, lack of Windows support is upsetting, considering there isn't much code change required to do so.
The "melt" feature is one I really like and respect the thought they put to make it.
I think it's aimed at scenarios in which the attacker is not aware of this utility running. Otherwise they could just kill it before inserting the USB.
Well, for attack vectors like Mouse Jiggler (I have one, very cheap on Amazon) or polymorphic USB devices, it would work if the attack is unaware of the utility's existence. For polymorphics specifically, I checked the code, and it does indeed validate the Ids of the devices, not just their count.
For others, even if the attacker is unaware of the utility, those shortcomings are still serious enough (e.g. rapid keyboard typing).
I attended a talk by GSK and there was part of the talk about security. They don't allow usb devices to be plugged into their analysis computers. But every year they get an intern that tries to charge their phone from the PC USB.
Something like this, that doesnt halt the computer but shows a warning on screen and logs information would perhaps be a solution to their problem. Although in the case of industrial espionage maybe locking the system would be worth it...
At a former gig for a post-production facility we used CoSoSys EndpointProtector to restrict USB access to workstations. Works as described in your second paragraph, (logs and warning) admin can then allow approved devices remotely if necessary.
I worked for a car mfg that had that on all their laptops. It was annoying and I’m 99% certain no one ever checked up on the alerts and instead was just logging in case there was an issue later.
"Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill."
This line particularly caught my eye. I wonder what's the percentage of people (I'm presuming people working in security or those who are trying to avoid detection) go to this extreme?
"To prevent Ulbricht from encrypting or deleting files on the laptop he was using to run the site as he was arrested, two agents pretended to be quarreling lovers. When they had sufficiently distracted him, according to Joshuah Bearman of Wired, a third agent grabbed the laptop while Ulbricht was distracted by the apparent lovers' fight and handed it to agent Thomas Kiernan. Kiernan then inserted a flash drive in one of the laptop's USB ports, with software that copied key files."
Speculation: It's possible to produce keyboard and mouse inputs, and also present as a storage device -- autorun isn't even necessary (though spurious inputs would be quite visible to somebody using the computer and something like a mirrored mouse, custom keyboard layout / shortcuts could foil this)
In theory, you could fingerprint the host OS first and then run the appropriate commands (of course more tricky with more custom Linux setups, does CTRL+ALT+Fn still work to get to a text console?): https://www.cise.ufl.edu/~butler/pubs/sadfe11.pdf
Yeah, I was thinking of custom window-manager setups. You can usually get a tty console by ctrl-meta-f1 etc., but that wouldn't help, since you'd have to enter a password. I suppose an advanced version could try different combinations and test each by entering a command that would be detected by the stick.
One of Atmel's USB-capable microcontrollers had a HID Keyboard example program that when you pressed a button (on a Windows host) would start Notepad (via the run command) and type "Hello, I'm an Atmel SAMXXXX".
Great bit of example code, but opens a world of possibilities for what you could do with, say, a HID + Mass Storage composite device.
On Windows, it's just 'Win+R 'CMD' [Enter]' and you have a terminal/console. Presumably, if the agents were monitoring the perp properly, they would know what OS they would be targeting.
I type the above SO often every day, it should be on my gravestone. :D
You can present yourself as a standard file system or some device you know has a known exploit in the driver on the other side. Then on the USB 'drive' side you have a full out arm CPU. It can issue commands too as it is connected to the serial bus. Many USB drives already have small embedded CPU in them.
>Many USB drives already have small embedded CPU in them.
For most common hardware this is just an 8051 variant that sets up the USB and DMA peripherals. It's easy enough to get something more powerful, but I am doubtful you'd want to reuse consumer hardware.
The 8051 is a decently capable CPU (it is the cpu at the heart of the furby toy). At one point they built whole computer ecosystems around it. Remember the point here is to take over the computer not have a full out modern OS. They USB manufactures use them because they work well on low power and are decently cheap and small. Now most usb sticks do not do much more than like you say. But that would not stop someone from reflashing the firmware in it who is making one of these things. The use case here is different than what most people would use it for. Sometimes you will see an older ARM design too.
Mfrs use them because they are not patent encumbered. There are some fairly high power 8051 clones, true. But in most applications they are barely sufficient.
In this case any kind of MCU is making life harder than it needs to be.
On Windows, autorun.inf. This technique has been around since at least the 90s when CD-ROM drives were introduced to PCs... it is how a newly inserted CD (and later usb disk) can automatically execute software on insertion:
Autorun has been disabled by default for a long time (with good reason). And it has never worked with USB drives, only ones which emulated a CD drive such as U3 USB drives.
>Before Windows XP SP2, AutoPlay was disabled by default on removable drives, such as the floppy disk drive (but not the CD drive), and on network drives. Starting with Windows XP SP2, AutoPlay is enabled for removable drives. This includes ZIP drives and some USB mass storage devices.
I've always been surprised that autorun wasn't re-enabled when app stores / code signing was introduced. If Microsoft or Apple is willing to sign an installer saying that it's something safe to install, isn't that proof enough to let it run when you insert the USB key it's on?
I know this isn't really very relevant for the specific combination of installers and physical media any more, since it's rare for anyone to be trying to install something off a CD/DVD/USB these days (other than a new OS, of course.)
But I could see the use case for physical media doing something other than running an installer (e.g. DRMed disks launching the equivalent of a FUSE server to mount the "rest" of the disk); or for non-physical media (e.g. macOS DMG disk images) being able to autorun their embedded installer. Either way, the code signing that the platforms are already doing would be enough to make these safe, no?
Windows code signing does not include a step where Microsoft inspects the code. The developer gets a certificate from a commercial CA and signs the code. If the certificate is an EV certificate, that's basically it. If it's a regular certificate, Windows does a callback to Microsoft that seems to just be a popularity check --- if the certificate has been used a lot, then the prompts go away.
At best, Windows code signing lets you know who signed it and that that person was able to pay a CA some money, not that it's safe to run.
Regular developer code-signing, yes. But I'm talking about the code-signing that's done by Microsoft (rather than by your own Microsoft-signed cert) on the Microsoft Store backend; or the code-signing that's manually done by Microsoft when a third party submits a driver package to them for inclusion as a Windows update.
That would work great for half an hour, until your Bluetooth connection drops for no reason, the dongle pairs with your car or phone instead, decides it's a headset now, or one of the hundred other things that inevitably go wrong with Bluetooth.
hehe, Do not think like an engineer in this case. Think like someone who only has to get it right once but can try 100 times. So even if you have a flake connection. Just so long as it works that 'one time'. You are good.
From going through the discussion I'm getting the impression that the only feasible attack vector provided by USB is by emulating a keyboard like a USB Rubber Ducky. Is this really the case?
For instance, if my laptop is locked (with a proper[0][1] lock screen like xscreensaver) and that lock screen is capturing all keyboard input and magic SysRq keys[2] are disabled, too, is there really no way an attacker could use a USB device to hack my laptop?
Similarly, if my laptop is not locked but comes with unusual key bindings (maybe even a different keyboard layout), what are the chances of me getting hacked with a USB device? (Let's assume that the attacker manages to secretly plug in said USB device but doesn't want to access my unlocked laptop directly – maybe because we're in an open office and people are watching.)
My impression had always been that USB devices are dangerous beyond simple keyboard emulation but I might be wrong.
Besides keyloggers, another reason people want this is because law enforcement has USB keepalive devices that will simulate mouse movement/keypresses to keep your computer from going to sleep.
They do this to make sure your computer stays on and your RAM doesn't get powered off, which will allow them to read any decrypted data in memory whether or not your data is encrypted on disk.
When they raid you, they come with massive UPS devices that they plug your computers into to give them as long a window as possible to get your data.
Use insulated tools and a steady hand to cut into the power cord and splice in the UPS. The UPS is configured to match phase with the power that's already in the cord.
Which is why if you want to defend against the easy versions of these and make people have to do work, only plug your desktop PCs into standalone outputs not on a surge protector.
Yes, it won't defend against cord cutting.
Edit: A more interesting defense I think would be to modify a surge protector for this specifically to defeat HotPlug. Only put your computer on a specific outlet and wire it so that if any other outlets complete circuit to kill power to the whole thing.
Sorry for the digression, but WTF is this guy doing? Looks like he redirects all requests that have HN as the referrer to a picture of a testicle. Copy-pasting the link (i.e., dropping the referrer) seems to work, though.
Yes, but that's unrelated. The idea here is that if a USB device is connected to your machine, it's an indicator that your machine is compromised. Mouse jigglers that stop your lock screen from activating are very common when confiscating machines: https://www.cru-inc.com/products/wiebetech/mouse_jiggler_mj-...
And of course, depending on the OS, it's possible to craft a USB stick that copies files to a remote server as soon as it's plugged in.
Hmm, this is actually rather nifty, although one issue I see is it will only last a few days at most. I don't know how long people who confiscate laptops normally need to run mouse jigglers.
Yes and no. The idea is to emulate a keyboard and mouse. You then use OS shortcuts to, for example, start a terminal and type command in it. So it can work with Linux but, because of the diversity of Distribution, DE, etc, it is more difficult to be sure of the shortcuts that you can use, whereas on windows or mac, they will usually always be the same (for exemple, Windows+R on windows to launch a launcher, and then type cmd.exe).
Not sure if a blacklist-aproach is the most reasonable solution when you're in a situation that you have to worry about these things in the first place.
Those can be easily spoofed. I don’t know if current mouse jigglers in use have a specific Id or not, but there’s no reason they would have to have a recognizable Id.
And does it work for things that look exactly like USBC but are actually Thunderbolt? (with all its direct memory access via DMA and all of that nastiness).
Everyone should also install a hard power off on the front of their computer and always have encrypted drives. Unrecognized USB storage in my computer also is instant off. Might corrupt my files someday, but it's worth the risk.
It isn't. The problem this program solves is thwarting a naive attempt to alter the state of the USB bus. The design assumes the attacker is not aware of the consequences of adding or removing devices and has no reason to employ spoofed devices or any other Ever Greater Adversary Regression techniques you can imagine.
After they got bitten but tools like this usbkill once, ID spoofing will just become the standard practice, and it will be made so easy to do they don't even need to think.
Destroying evidence is considered a crime on it's own. Use something like this at your own legal risk, since it's usually far easier to prove obstruction than it is to prove the underlying crimes that were being investigated.
Any relevant case law here? I mean, clearly destroying evidence (e.g. shredding documents) is one thing but I assume it’s harder to prove when it’s a byproduct of computer security?
Apple phones can be wiped with 10 invalid password attempts, but the cops already know it. If it’s a piece of custom software that erases a computer after 2 attempts, can the prosecution really claim it was pure evidence destruction?
if they use mousewiggling the screensaver could use other triggers/patterns to keep the box on. say 1 google search per 15 min minimum. randomly moving the mouse seems a good reason to shut down.
Something like this is probably good when you - as a person - are not around when your hardware gets extracted from your place. But then again, why would it be running openly and unattended in the first place?
Can we please stop endlessly repeating this? Life is much more complex than that.
A small laptop, a phone or a tablet can be stolen from you while powered on and unlocked by a simple thief that has no intention, nor ability, to capture and torture you.
The thief could then quickly hand the device to other people that flash it and sell it in a different country. But first they might extract any valuable data.
> [...] a simple thief that has no intention, nor ability, to capture and torture you
By your comment I assume you live in a developed country and/or are not within a regularly oppressed minority, which of course, is a nice privilege. Sadly not everyone is that lucky and torture over something simple as $1 online transactions is pretty real.
That isn't priveledge but a matter of the threat model to protect against - stop with the irrelevant pseudomoralist privledge shaming shit.
If they wanted protection against that they would recommended a gun or several mercenary bodyguards. Which would require money and connections. But the topic isn't "How to quickly kill or incapacitate three or more men with only your barehands while having legal cover".
In many places, law enforcement will pressure but not torture you to provide decryption keys, maybe imprison you for a while, fine you, ...
But that may be preferable than them knowing about all those highly illegal nuclear doomsday space arms technology knowledge deals you've brokered, or that collection of child porn, or those detailed assassination plans, or whatever. Maybe the authorities suspect something, maybe a SWAT team will snatch your laptop, but if all evidence is in there and encrypted, you may get off with a lot less than otherwise.
Section 49 to force key disclosure should only happen if:
+ The person being given the notice has the key
+ Investigators need the key to prevent or detect crime
+ Disclosure is proportionate
+ They can't get the encrypted material by other means
Not complying with the is a criminal offence. The maximum sentence is 2 years, unless it's a case involving child sexual exploitation or national security where the maximum sentence is 5 years.
I think that properly regulated key disclosure powers are important. I'm not sure we're (the UK) are getting it right with RIPA. I'd want to see stronger audit and oversight of the S49 notices, and better advice given to people who are served S49 notices.
For example: I have no idea how many people are served S49 notices, and I don't really know how to find out. I don't know how many people have been imprisoned for not disclosing keys; I don't know what sentences they've been given; and I'm not clear on how to find that out. I feel that it should be easier for citizens to have clear data about these really intrusive powers.
> Investigators need the key to prevent or detect crime
That's a bit scary. 'Detect crime' could be pure speculation on the polices' part.
"We think you've done something bad, let us see the contents of your phone. No we don't have any evidence already as we're detecting the crime right now."
Maybe I’m wrong, but I’m going to assume that the UK requires at least some evidence (reviewed by a judge) of a crime being committed or is about to be committed before they can throw you in jail for not giving the code to your phone.
Investigators will say "you sent this email to your dad at 09:29 on Tuesday, yet it wasn't sent from your phone or laptop according to device logs. You either have another device you haven't given us, or you haven't decrypted the right partition".
Bootdrives with no cache are the perfect answer to this through a lawywe."USB boot drive. There are no logs kept to it. I'm not hiding anything, it is just good sense to use a computer which doesn't persist any state limiting any malware to session only in the very worst case."
In general, if what you do warrants that level of paranoia, qubes will help you massively.
Micah Lee held a great overview talk at HOPE 2018: https://www.youtube.com/watch?v=f4U8YbXKwog
details on using usb keyboard and mouse here: https://www.qubes-os.org/doc/usb-qubes/
Somewhat related, I'm wondering about the physical security of computers. There is an attack where they open your PC, take out the ram, and freeze it immediately so the bits don't decay and they can extract your encryption keys.
All BIOSes have an option for cassis intrusion detection, but I've never seen a case that has the necessary cable. Has anybody here set up a chassis intrusion kill switch that erases the RAM/shuts down the PC etc. if the case is opened improperly? Can you buy anything like this on the market?
https://en.wikichip.org/wiki/x86/sme#Overview https://www.qubes-os.org/doc/anti-evil-maid/
There are so many possible evil maid attacks that I think it would be useful to add a pysical layer, just in case.
[1] https://en.wikipedia.org/wiki/TRESOR
It would be interesting to leverage SEM to run a version of qubes where not only are the VMs isolated by the Xen hypervisor but are also separately encrypted using the PSP.
If memory serves correctly they achieved the best results by using a can of compressed air to freeze the ram in place before removal.
//Small edit to wording
It's a matter of being more determined than your attacker. Imagine a device that will irretrievably brick itself if tilted more than a certain angle, if left unpowered for more than a certain time, etc. and that has to be under constant guard. This seems almost incompatible with any kind of personal use. And some measures may only work in one instance, with the attacker planning for them the second time they have an operation.
Many attackers also don't have the same restrictions the police has. In the Ulbricht case the police may have been forced to use a device that copies the data with no human intervention just to preserve the chain of evidence and not have suspicions that the agent operating the laptop altered it while installing additional software. An attacker operating in the grey/dark area might just immobilize the user, snip the wrist cable, and then retrieve the necessary data either directly at the console or by siphoning it via the network. Or the police may just start video recording in great detail every step from the moment an agent touched the laptop until the data was exfiltrated to remove suspicions of tampering.
But such a tool would be of great effect against an undetermined, unsophisticated attacker committing a crime of opportunity.
Putting a regular device in a safe leaves it exposed to someone unlocking the safe and compromising the device by implanting a keylogger inside or even by putting a replacement identical device there and waiting for the user to type the boot password.
As for methods of emergency clearing sensitive data from memory while in operation, whatever method is employed will work once. The next time the attacker is ready for that particular method. For example the police might just have to completely immobilize the suspect (and their hands) and keep the laptop in the vicinity while the "dead man's switch" is bypassed.
Not exactly. You don't want someone sneaking in and misappropriating the HSM to authorize something bad. And if you set the system up for unattended recovery from a power failure, then in all likelihood someone walking off with the server the HSM is in can use those keys indefinitely. But there are options.
Some HSMs have self-destruct mechanisms that attempt to prevent physical access to the private key (ie by lapping the chip). Some vendors (nCipher, IIRC) have a smart card (a second HSM) that is required to authorize certain activities, like signing, or key recovery. In fact they had a byzantine generals solution that either had the key or a password for the key split between n cards. In the latter case you needed one of the original HSMs in order to clone the key, so a movie plot where you kidnap the entire team at a conference doesn't work. During initial setup the cert would be generated on the first HSM and copied to the others, having never seen daylight.
That system was quite difficult to explain to users, and I had to document it just so I wouldn't get confused and trigger a reset of the evaluation hardware (at which point all of our test artifacts have to be rebuilt).
It might be more complicated to start WWIII than to protect a signing certificate, but only just.
I think we're talking about exactly the same thing :). That's what I meant by "even they rely on being stored in a physically secure room and protected from theft". Despite all the hardening that is applied to the device, it must always be kept secure and supervised. As an example, this is what Safenet considers the intended installation environment should be [0].
This can't be effectively applied to a personal computer.
[0] http://cloudhsm-safenet-docs-5.3.s3-website-us-east-1.amazon...
Then your biggest problem is people thinking that stealing the cards will get them anything. Which, they're not entirely wrong, because those things are damned expensive. So you need a 'kinda' secure facility.
Again, the issue is that any hardware that will start up for you without any action on your part will likely start up for anybody else, too. Your laziness will probably win out...
"In recent years, however, it has become increasingly challenging to execute cold boot attacks or perform physical memory forensics due to the introduction of DRAM memory scramblers. Modern processors with DDR3 and DDR4 DRAM scramble data by XOR’ing it with a pseudorandom number before writing it to DRAM [5], [6]. These scramblers were initially introduced to mitigate the effects excessive current fluctuations on bus lines by ensuring bits on the memory bus transition nearly 50% of the time"
DDR4 is also yes in the lab -
https://web.eecs.umich.edu/~misiker/resources/HPCA17-coldboo...
I’m not sure if it’s something they offer on current models, or to individuals at all (I bought it used from a corporate IT asset liquidator so it was likely originally purchased as part of a bulk deal). Regardless it makes a great little Linux box!
Also, does it still work if you open the machine with the power disconnected and battery removed?
... I don’t know of anyone actually implementing this though :)
If the latter, the server would probably be okay, and it would take a very long time for the termites to damage the surrounding room enough to be a security deterrent.
Nobody I know who got arrested ever managed to destroy anything. When I think about it, we all assumed the cops would storm in when we were in the act of doing something bad, probably like in the movies lol, when in practice, they tend to pick you up when you are really off guard, duh.
Very few people had automatic protections because like, our parents would probably get mad if we burned down the house :)
When it came to me, the FBI did knock on my front door, and I managed to dd if=/dev/random of=/dev/hda
I lost my entire BBS, all the custom code and ANSI I had for it, among other ancient treasures that I'd probably still have with my napster mp3s :)
Of course they didn't come for me, there had been a flasher in the neighborhood on halloween...
When I was a teen, I somehow got a modem number at NASA, and I stupidly gave it to a friend. He tried to brute force it, but he got door knocked. He quickly formatted his disks, but it wasn’t even the cops haha!
After 18, you're done, even if they can't think of a good charge, they'll make them up, which is exactly what they did back then, cross state commerce was a blanket thing to grab folks.
I stopped doing anything questionable well before I turned 18.
Today, you should encrypt everything, and cut power before physical access is obtained. Will that count as "tampering"? I was just turning off my computer. No, I do not remember the key.
In practice, the only real protection we had (those of us in my social group) was that we were minors, and lucky that laws hadn't caught up yet.
If I delete a file on my computer today that would be potentially "evidence" if seized, and the police come knocking tomorrow, I haven't committed a crime by using my personal computer in the past.
I only saw people in suits with a black car outside knocking on the door, also this was like 30 years ago so don't twist my arm :)
https://www.youtube.com/watch?v=-hNQ280Zkk4
Could you expound on what this means? In the USA/UK, people most "at risk" of police kicking down the door seizing their laptops/computers while they are still running are child pornographers.
Perhaps this can be used "for good" under oppressive regimes (i.e. if you are a dissenting journalist) but then I think you won't get a fair trial anyway and having a kill switch just means more prison.
It can happen if you are a political activist in any fashion. Nothing violent, just speaking out for rent control and against gentrification can get you in trouble. Or hanging around with the wrong people.
When it happens, you want to leave them as little rope as possible to hang you with. As I said, the courts still are honest and they won't make up evidence, but they will take everything they can find to make a case - and to learn about your structures and networks while they are at it.
You are right, that in real oppressive regimes all bets are off. If they want to get you, they won't stop at their own laws. But even then, these techniques are useful against industrial espionage. If you are doing business in certain countries, the "evil maid" is quite real...
As for the dissenters, I’m sure they would appreciate their co-conspirators remain secret.
Can you provide any evidence at all of police or "thugs" (or anyone, really) kicking down doors to get at trade secrets being a common problem? Because there are countless news articles of police raids seizing computers to stop child porn[0].
I speculate any tool billed as "anti-forensic" will be used for immoral purposes more commonly than moral purposes.
[0] https://en.wikipedia.org/wiki/Jared_Fogle#Child_pornography_...
That does not mean it should be banned. Knives are used for many things from cutting food and opening boxes to killing people. Nitrate based fertilizers can be used for vastly improving crop yields but can also be used for bombs. Encryption can be used to protect your sensitive personal data from criminals and prying eyes, but can also be used by the criminals themselves to hide their activities.
No state (even if it was the most ethically illuminated utopia) has the power to protect every person in every place at every time. Banning defensive tools is asinine as rarely does it mean that a criminal won't use them against you.
It is doubly foolish to believe that the police are the only users of forensic software when there is credit card theft and multmillion dollar ransomware rings out there. Robbing a bank by force or by heist is foregone jail but snatching a laptop from a banker? Far more petty in risk and disguised as mere property theft as opposed to the data theft.
I like this wording.
Disclaimer: Not a comment on current political happenings.
But seriously, the use case of disallowing USB sticks on devices is unnecessary hard to configure. Just an option to disallow certain device classes would be appreciated.
This will not help against hardware that exploits bugs in the USB stack of the operating system.
Assuming the threat model is police or secret service seizing one's server, it is feasible that the attackers also have knowledge of the running OS (IIRC one can distinguish between Windows, Linux and xBSD by simply looking at TCP fingerprints) and thus can use a targeted exploit.
Some ten-odd years ago, I wrote how to create udev rules to execute a command after connecting a particular USB device:
https://www.vankuik.nl/2008-12-19_Linux_USB_device_handling
That's why I've made similar projects. One to detect when USB storage devices get attached to domain workstations, and email the administrator with device and user info..... https://github.com/zelon88/Workstation_USB_Monitor
And one which detects USB HID devices, confirms them, and notifies the administrator..... https://github.com/zelon88/Rubber_Ducky_Defender
Reminds me of some old Firewalls that would actively poll active connections, and when one is made that violates their rules, "immediately" terminate it. Often times, an attacker can embed a lot in just a single URL in the query string (stolen passwords etc) that would be done in < 5ms, faster than the firewall can act (if not even faster than the polling interval itself), specially if there is plenty of rules and active connections and/or the machine is slow (e.g playing games).
That's like choosing to not have a door on your house, because you know you can run fast and shoot the thief when they enter.
Maybe its not as bad for hardware due to the inherit latencies involved, but I am always skeptic about things that use polling vs sitting in the middle at the kernel before a USB connection is allowed to happen to the OS in the first place.
The default (aka the one that nobody will change) connection-polling interval for this thing is 250ms, which doesn't seem too small for me for many conceivable attack scenarios.
For Mac, it runs this:
os.system("killall Finder ; killall loginwindow ; halt -q")
This won't prevent windows from reopening after a reboot.
A possible exploit for this could be the USB pretending to be a keyboard, opening an exploit website or an app with malicious argument values, then you immediately shutdown the Mac, reboot manually and boom, the website/app opens up and the machine gets owned anyway post-reboot!
Also, lack of Windows support is upsetting, considering there isn't much code change required to do so.
The "melt" feature is one I really like and respect the thought they put to make it.
For others, even if the attacker is unaware of the utility, those shortcomings are still serious enough (e.g. rapid keyboard typing).
Something like this, that doesnt halt the computer but shows a warning on screen and logs information would perhaps be a solution to their problem. Although in the case of industrial espionage maybe locking the system would be worth it...
echo 'RUN+=/root/usb-changed.sh' > /etc/udev/rules.d/usb-changed.rules
Then just put whatever you want to be ran in /root/usb-changed.sh.
This line particularly caught my eye. I wonder what's the percentage of people (I'm presuming people working in security or those who are trying to avoid detection) go to this extreme?
Is is even extreme?
https://en.wikipedia.org/wiki/Ross_Ulbricht
How exactly does this work? Is there a sort of software that runs automatically when you insert the stick, or did he have to click on it?
Great bit of example code, but opens a world of possibilities for what you could do with, say, a HID + Mass Storage composite device.
I type the above SO often every day, it should be on my gravestone. :D
For most common hardware this is just an 8051 variant that sets up the USB and DMA peripherals. It's easy enough to get something more powerful, but I am doubtful you'd want to reuse consumer hardware.
In this case any kind of MCU is making life harder than it needs to be.
https://www.instructables.com/id/Autorun-anything-off-of-a-u...
Apparently, autorun from USB volumes was enabled for XP SP2:
https://support.microsoft.com/en-us/help/967715/how-to-disab...
>Before Windows XP SP2, AutoPlay was disabled by default on removable drives, such as the floppy disk drive (but not the CD drive), and on network drives. Starting with Windows XP SP2, AutoPlay is enabled for removable drives. This includes ZIP drives and some USB mass storage devices.
I know this isn't really very relevant for the specific combination of installers and physical media any more, since it's rare for anyone to be trying to install something off a CD/DVD/USB these days (other than a new OS, of course.)
But I could see the use case for physical media doing something other than running an installer (e.g. DRMed disks launching the equivalent of a FUSE server to mount the "rest" of the disk); or for non-physical media (e.g. macOS DMG disk images) being able to autorun their embedded installer. Either way, the code signing that the platforms are already doing would be enough to make these safe, no?
At best, Windows code signing lets you know who signed it and that that person was able to pay a CA some money, not that it's safe to run.
https://www.theregister.com/2011/02/08/microsoft_windows_aut...
You should try Windows 10! It's very good. At least give it a whirl so you can have accurate facts to what it does, and not spread FUD about it.
For me an extreme measure would be to modify my motherboard in a way that I could connect RAM to my wrist and tear it away when necessary.
Bonus points if they cut it when the tackle you because they thought it was a deadman switch, like mentioned in the link.
A phone could work. An apparent car key would be better. Best would be a piece of clothing, like a belt.
[1] http://www.codefromthe70s.org/antijiggler.aspx
For instance, if my laptop is locked (with a proper[0][1] lock screen like xscreensaver) and that lock screen is capturing all keyboard input and magic SysRq keys[2] are disabled, too, is there really no way an attacker could use a USB device to hack my laptop?
Similarly, if my laptop is not locked but comes with unusual key bindings (maybe even a different keyboard layout), what are the chances of me getting hacked with a USB device? (Let's assume that the attacker manages to secretly plug in said USB device but doesn't want to access my unlocked laptop directly – maybe because we're in an open office and people are watching.)
My impression had always been that USB devices are dangerous beyond simple keyboard emulation but I might be wrong.
[0] https://www.jwz.org/blog/2015/04/i-told-you-so-again/
[1] https://www.jwz.org/xscreensaver/toolkits.html
[2] https://en.wikipedia.org/wiki/Magic_SysRq_key
They do this to make sure your computer stays on and your RAM doesn't get powered off, which will allow them to read any decrypted data in memory whether or not your data is encrypted on disk.
When they raid you, they come with massive UPS devices that they plug your computers into to give them as long a window as possible to get your data.
Just discovered this now myself. The same company sells mouse jigglers.
Yes, it won't defend against cord cutting.
Edit: A more interesting defense I think would be to modify a surge protector for this specifically to defeat HotPlug. Only put your computer on a specific outlet and wire it so that if any other outlets complete circuit to kill power to the whole thing.
Definitely would go with my modified surge protector plan then.
Sorry for the digression, but WTF is this guy doing? Looks like he redirects all requests that have HN as the referrer to a picture of a testicle. Copy-pasting the link (i.e., dropping the referrer) seems to work, though.
And of course, depending on the OS, it's possible to craft a USB stick that copies files to a remote server as soon as it's plugged in.
https://en.wikipedia.org/wiki/Mechanical_watch
I know nothing!
Is this possible with Linux?
So it can do anything a newly plugged in keyboard can do. Which, if the user is already logged in, makes grabbing the user's files easy.
[1] https://shop.hak5.org/collections/usb-rubber-ducky/products/... [2] https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
Ah. Found it: https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k...
See the Apple combo USBC/Thunderbolt ports.
never thought about shutting down the computer.
https://youtu.be/RtRsBTGZUgc
Security through (counter-measure) obscurity.
Apple phones can be wiped with 10 invalid password attempts, but the cops already know it. If it’s a piece of custom software that erases a computer after 2 attempts, can the prosecution really claim it was pure evidence destruction?
I honestly don’t know, but I’m curious.
if they use mousewiggling the screensaver could use other triggers/patterns to keep the box on. say 1 google search per 15 min minimum. randomly moving the mouse seems a good reason to shut down.
Something like this is probably good when you - as a person - are not around when your hardware gets extracted from your place. But then again, why would it be running openly and unattended in the first place?
A small laptop, a phone or a tablet can be stolen from you while powered on and unlocked by a simple thief that has no intention, nor ability, to capture and torture you.
The thief could then quickly hand the device to other people that flash it and sell it in a different country. But first they might extract any valuable data.
> [...] a simple thief that has no intention, nor ability, to capture and torture you
By your comment I assume you live in a developed country and/or are not within a regularly oppressed minority, which of course, is a nice privilege. Sadly not everyone is that lucky and torture over something simple as $1 online transactions is pretty real.
If they wanted protection against that they would recommended a gun or several mercenary bodyguards. Which would require money and connections. But the topic isn't "How to quickly kill or incapacitate three or more men with only your barehands while having legal cover".
But that may be preferable than them knowing about all those highly illegal nuclear doomsday space arms technology knowledge deals you've brokered, or that collection of child porn, or those detailed assassination plans, or whatever. Maybe the authorities suspect something, maybe a SWAT team will snatch your laptop, but if all evidence is in there and encrypted, you may get off with a lot less than otherwise.
https://www.schneier.com/blog/archives/2007/10/uk_police_can...
Not sure what the situation is now.
+ The person being given the notice has the key
+ Investigators need the key to prevent or detect crime
+ Disclosure is proportionate
+ They can't get the encrypted material by other means
Not complying with the is a criminal offence. The maximum sentence is 2 years, unless it's a case involving child sexual exploitation or national security where the maximum sentence is 5 years.
There is a code of practice for use of these powers here: https://www.gov.uk/government/publications/code-of-practice-...
I think that properly regulated key disclosure powers are important. I'm not sure we're (the UK) are getting it right with RIPA. I'd want to see stronger audit and oversight of the S49 notices, and better advice given to people who are served S49 notices.
For example: I have no idea how many people are served S49 notices, and I don't really know how to find out. I don't know how many people have been imprisoned for not disclosing keys; I don't know what sentences they've been given; and I'm not clear on how to find that out. I feel that it should be easier for citizens to have clear data about these really intrusive powers.
EDIT: I just found this page, and it seems like it's small numbers of people. But still, it's a bit worrying. https://wiki.openrightsgroup.org/wiki/Regulation_of_Investig...
That's a bit scary. 'Detect crime' could be pure speculation on the polices' part.
"We think you've done something bad, let us see the contents of your phone. No we don't have any evidence already as we're detecting the crime right now."
It's not great, but it's better than before where this kind of crime detection had much less regulation.