If you are paranoid about something like this happening, just use <a href="https://www.qubes-os.org/" rel="nofollow">https://www.qubes-os.org/</a>. All USB devices are jailed in a non-networked VM by default.<p>In general, if what you do warrants that level of paranoia, Qubes will help you massively.<p>Micah Lee held a great overview talk at HOPE 2018: <a href="https://www.youtube.com/watch?v=f4U8YbXKwog" rel="nofollow">https://www.youtube.com/watch?v=f4U8YbXKwog</a>
Interesting project, I'm sure this is useful for people at risk.<p>Somewhat related, I'm wondering about the physical security of computers. There is an attack where they open your PC, take out the RAM, and freeze it immediately so the bits don't decay and they can extract your encryption keys.<p>All BIOSes have an option for chassis intrusion detection, but I've never seen a case that has the necessary cable. Has anybody here set up a chassis intrusion kill switch that erases the RAM/shuts down the PC etc. if the case is opened improperly? Can you buy anything like this on the market?
> In case the police or other thugs come busting in<p>I like this wording.<p>Disclaimer: Not a comment on current political happenings.<p>But seriously, the use case of disallowing USB sticks on devices is unnecessarily hard to configure. Just an option to disallow certain device classes would be appreciated.
I really like this concept.<p>That's why I've made similar projects. One to detect when USB storage devices get attached to domain workstations, and email the administrator with device and user info..... <a href="https://github.com/zelon88/Workstation_USB_Monitor" rel="nofollow">https://github.com/zelon88/Workstation_USB_Monitor</a><p>And one which detects USB HID devices, confirms them, and notifies the administrator..... <a href="https://github.com/zelon88/Rubber_Ducky_Defender" rel="nofollow">https://github.com/zelon88/Rubber_Ducky_Defender</a>
"immediately terminates the connection"<p>Reminds me of some old firewalls that would actively poll active connections, and when one is made that violates their rules, "immediately" terminate it. Oftentimes, an attacker can embed a lot in just a single URL in the query string (stolen passwords etc.) that would be done in < 5ms, faster than the firewall can act (if not even faster than the polling interval itself), especially if there are plenty of rules and active connections and/or the machine is slow (e.g. playing games).<p>That's like choosing to not have a door on your house, because you know you can run fast and shoot the thief when they enter.<p>Maybe it's not as bad for hardware due to the inherent latencies involved, but I am always skeptical about things that use polling vs. sitting in the middle at the kernel before a USB connection is allowed to happen to the OS in the first place.<p>The default (aka the one that nobody will change) connection-polling interval for this thing is 250ms, which doesn't seem too small to me for many conceivable attack scenarios.<p>For Mac, it runs this:<p>os.system("killall Finder ; killall loginwindow ; halt -q")<p>This won't prevent windows from reopening after a reboot.<p>A possible exploit for this could be the USB pretending to be a keyboard, opening an exploit website or an app with malicious argument values, then you immediately shut down the Mac, reboot manually and boom, the website/app opens up and the machine gets owned anyway post-reboot!<p>Also, lack of Windows support is upsetting, considering there isn't much code change required to do so.<p>The "melt" feature is one I really like and respect the thought they put into making it.
I attended a talk by GSK and there was part of the talk about security. They don't allow USB devices to be plugged into their analysis computers. But every year they get an intern that tries to charge their phone from the PC USB.<p>Something like this, that doesn't halt the computer but shows a warning on screen and logs information would perhaps be a solution to their problem. Although in the case of industrial espionage maybe locking the system would be worth it...
Seems like a lot of code for what should be, on Linux anyway, a simple udev rule?<p>echo 'SUBSYSTEM=="usb", RUN+="/root/usb-changed.sh"' > /etc/udev/rules.d/usb-changed.rules<p>Then just put whatever you want to be run in /root/usb-changed.sh (and make it executable).
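The udev approach in the comment above, worked through as an added example (this is not code from the thread or from the usbkill project). It writes the rule with the quoting and match key udev requires, plus a handler that logs each USB add/remove event and locks the desktop sessions rather than halting the machine, which is also the kernel-side event hook, as opposed to polling, that an earlier comment asks for. Assumptions: systemd-logind provides `loginctl`, udev's default rules have already run the `usb_id` builtin (so `ID_VENDOR_ID`/`ID_MODEL_ID` are in the handler's environment), and the rules directory, handler path and log file are parameters so the functions can be exercised against a temporary directory without touching `/etc`.

```shell
#!/bin/sh
# Added example, not code from the thread or from usbkill: a udev rule that
# fires a handler on every USB add/remove event, and a handler that logs the
# event and locks logind sessions instead of halting the host.
# Assumptions: `loginctl` (systemd-logind) exists; udev's default rules have
# set ID_VENDOR_ID / ID_MODEL_ID via the usb_id builtin before our 99- rule.

# write_usb_rule RULES_DIR HANDLER_PATH
# udev requires the RUN+= value in double quotes and a match key; a rule with
# only RUN+= would otherwise run the handler for every event on the system.
write_usb_rule() {
    rules_dir="$1"; handler="$2"
    cat > "$rules_dir/99-usb-changed.rules" <<EOF
SUBSYSTEM=="usb", ACTION=="add|remove", RUN+="$handler"
EOF
}

# write_handler HANDLER_PATH LOGFILE
# udev runs RUN programs as root from its worker with a short timeout, so the
# handler must finish quickly: append one log line, then (on add only) lock.
write_handler() {
    handler="$1"; logfile="$2"
    cat > "$handler" <<EOF
#!/bin/sh
# udev exports ACTION and DEVPATH; ID_VENDOR_ID / ID_MODEL_ID come from usb_id.
ts=\$(date -u +%Y-%m-%dT%H:%M:%SZ)
printf '%s action=%s vendor=%s product=%s devpath=%s\n' "\$ts" "\${ACTION:-?}" "\${ID_VENDOR_ID:-?}" "\${ID_MODEL_ID:-?}" "\${DEVPATH:-?}" >> "$logfile"
# Lock every graphical session on a new device; record (do not abort) on failure.
if [ "\$ACTION" = add ]; then
    loginctl lock-sessions >> "$logfile" 2>&1 || :
fi
EOF
    chmod 0755 "$handler"
}

# Installation on a real host (as root), then reload udev:
#   write_usb_rule /etc/udev/rules.d /usr/local/sbin/usb-changed.sh
#   write_handler  /usr/local/sbin/usb-changed.sh /var/log/usb-changed.log
#   udevadm control --reload-rules
```

Because the rule matches on `SUBSYSTEM=="usb"`, a single physical device can produce several events (the USB device plus each interface), so the log may show more than one line per plug; filter on `DEVTYPE=="usb_device"` in the rule if one line per device is wanted.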
"Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill."<p>This line particularly caught my eye. I wonder what percentage of people (I'm presuming people working in security or those who are trying to avoid detection) go to this extreme?<p>Is it even extreme?
In a similar vein, there's antijiggler[1] which only locks the PC when a new device is connected.<p>[1] <a href="http://www.codefromthe70s.org/antijiggler.aspx" rel="nofollow">http://www.codefromthe70s.org/antijiggler.aspx</a>
I thought this was <a href="https://usbkill.com/" rel="nofollow">https://usbkill.com/</a>. I think maybe this would be more effective for anti-forensics because it actually destroys the computer?
From going through the discussion I'm getting the impression that the only feasible attack vector provided by USB is by emulating a keyboard like a USB Rubber Ducky. Is this really the case?<p>For instance, if my laptop is locked (with a proper[0][1] lock screen like xscreensaver) and that lock screen is capturing all keyboard input and magic SysRq keys[2] are disabled, too, is there really no way an attacker could use a USB device to hack my laptop?<p>Similarly, if my laptop is <i>not</i> locked but comes with unusual key bindings (maybe even a different keyboard layout), what are the chances of me getting hacked with a USB device? (Let's assume that the attacker manages to secretly plug in said USB device but doesn't want to access my unlocked laptop directly – maybe because we're in an open office and people are watching.)<p>My impression had always been that USB devices are dangerous beyond simple keyboard emulation but I might be wrong.<p>[0] <a href="https://www.jwz.org/blog/2015/04/i-told-you-so-again/" rel="nofollow">https://www.jwz.org/blog/2015/04/i-told-you-so-again/</a><p>[1] <a href="https://www.jwz.org/xscreensaver/toolkits.html" rel="nofollow">https://www.jwz.org/xscreensaver/toolkits.html</a><p>[2] <a href="https://en.wikipedia.org/wiki/Magic_SysRq_key" rel="nofollow">https://en.wikipedia.org/wiki/Magic_SysRq_key</a>
I saw this solved with a USB stick on a keychain and the computer shuts down when the stick is removed. Does anybody still have the link?<p>Ah. Found it:
<a href="https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-kill-cord-dead-man-switch/" rel="nofollow">https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-k...</a>
Everyone should also install a hard power off on the front of their computer and always have encrypted drives. Unrecognized USB storage in my computer also is instant off. Might corrupt my files someday, but it's worth the risk.
I've made a video about disabling the USB to prevent rubber ducky attacks a long time ago.<p>Never thought about shutting down the computer.<p><a href="https://youtu.be/RtRsBTGZUgc" rel="nofollow">https://youtu.be/RtRsBTGZUgc</a>
Destroying evidence is considered a crime on its own. Use something like this at your own legal risk, since it's usually far easier to prove obstruction than it is to prove the underlying crimes that were being investigated.
Not as easy but more fun to ruin the USB device.<p>If they use mouse wiggling, the screensaver could use other triggers/patterns to keep the box on. Say 1 Google search per 15 min minimum. Randomly moving the mouse seems a good reason to shut down.
Obligatory $5 wrench comment: <a href="https://xkcd.com/538/" rel="nofollow">https://xkcd.com/538/</a><p>Something like this is probably good when you - as a person - are not around when your hardware gets extracted from your place. But then again, why would it be running openly and unattended in the first place?