hephaest0s / usbkill
« usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
When devices are inserted into the computer before starting usbkill they seem to be accepted with no risk of shutdown.
This is absolutely fine and exactly what I'd expect.
However, it seems that if you remove one of those pre-starting-usbkill devices, it triggers the shutdown mechanism.
Is there any way to allow devices to be removed without causing a shutdown?
Would you accept this change? I've started hacking on usbkill and quickly noticed that it'd be a lot easier to develop for with a test mode that didn't shut down my computer every time I wanted to use it!
This would be configurable with both --test parameters and an entry in the settings file.
[Sorry, I'm about to submit a bunch of tickets, prepare yourself! I'm a paranoid person who works out of public spaces quite a lot, and this tool makes me feel safer about leaving my laptop unattended, so I want to bend it to my will now!]
Have the app monitor the decibels coming from the microphone and let the user set a threshold. If the threshold is passed, shut down the PC. For example, if you are prevented from touching your PC, screaming or a loud noise would trigger the shutdown, allowing a hands-free system.
Any way to work with FireWire, possibly with the system_profiler SPFireWireDataType command?
Hi there,
Here's the original title (actually the headline of the repo):
usbkill waits for a change on your USB ports, then immediately kills your computer. Anti forensic, USB -> kill)
This short description seems to confuse people, as I saw on Twitter "USBKill used to wipe clean criminal’s PCs". This is totally wrong. It does not wipe anything (and is not specially for criminals, but that's not the subject).
Now here's the current README title:
« usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
It looks more comprehensible and will confuse fewer people.
So could you update the repo headline with the README one, please?
Sincerely,
S.
OS: Ubuntu 14.04.2 - 64 bits
Whenever I launch usbkill, the nuking process happens. The strangest thing is I don't have any USB device plugged in, so I'm wondering what could possibly change, but the logs are not very helpful to see that:
2015-05-12 12:01:40.163343 [INFO] Started patrolling the USB ports every 0.25 seconds...
Current state:
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
2015-05-12 12:01:40.286210 Detected a USB change. Dumping the list of connected devices and killing the computer...
Current state:
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
This is a really easy one to do, but figured I'd make a ticket so we don't forget.
Some people are already doing some interesting things in this direction, might as well standardize it. The docs could even suggest some configurations for useful extensions (ex., take a picture, POST to a dead-man's switch on a remote server, rm -rf ~/.secret/, launch the nukes, etc.)
The additional -n & -l options would prevent both system cache flush-to-disk and logging of the shutdown event, which might decrease shutdown time by… what? 1 millisecond? ;) Just sayin'.
Users can probably edit this themselves in this line of the script:
https://github.com/hephaest0s/usbkill/blob/master/usbkill/usbkill.py#L156
Though I have no idea about the overall effects of halt -qnl on the system, as opposed to just halt -q. Anyone know?
Hello,
Here is what I tried, and the resulting message:
sudo python3 ./usbkill.py
Traceback (most recent call last):
File "./usbkill.py", line 170, in
loop(whitelisted_devices, sleep_time)
File "./usbkill.py", line 117, in loop
log(msg)
File "./usbkill.py", line 37, in log
os.system("echo '" + str(time) + " " + msg + "' >> " + logfile)
TypeError: Can't convert 'tuple' object to str implicitly
This isn't dead, is it?
Yonta did this but hasn't been updated in years and won't likely be updated. Please add the following items to shut down and secure the system: if the laptop loses AC power while it was connected or gains AC power when it was not connected; if Ethernet access is removed or added; if 50% of WiFi connections disappear.
When a PC is seized, typically if it is connected to the wall they will inject power into the plug and remove the connections from the wall. They will use a mouse jiggler. If Ethernet is connected it will be removed, and in the case of a laptop it may be put in a Faraday bag to prevent remote access, which would stop the PC from being able to detect wireless networks.
This would add huge additional features to this great idea.
I think the only thing '3' about this is the use of print() rather than print - but print() still works in python2.6+, which is what ships with OSX. I think this can be removed from the docs now that lsusb is gone.
I was unable to whitelist my iPhone 7 on El Capitan. I did some digging. If I run:
$ system_profiler SPUSBDataType
I get Vendor ID: 0x05ac (Apple Inc.). But, using that value in the whitelist array wasn't working. So I tried:
$ system_profiler SPUSBDataType -xml -detailLevel mini
which is what the usbkill script is running, and the xml output for my iPhone had:
<key>vendor_id</key>
<string>apple_vendor_id</string>
Using "apple_vendor_id:[product_id]" did the trick. So it seems system_profiler isn't giving out consistent info for the Apple vendor id.
No matter where I put usbkill.ini (tried /private/etc/usbkill/ and /etc/usbkill/ and ~/Users/.../Downloads/usbkill-master/usbkill/), I always get the error:
"[ERROR] You have lost your settings file. Get a new copy of the usbkill.ini and place it in /etc/ or in /Users/Raul/Downloads/usbkill-master/usbkill/"
It works fine with the Dev version, but it doesn't allow the --no-shutdown option
I wonder if I made a mistake or if Windows isn't supported?
Hey heph - awesome tool. Simple but effective!
Since there's already been some discussion of vulnerabilities and patches, I think it'd be good if this software included some internal semantic versioning so that it's easier to discuss which versions contain vulnerabilities.
As a bonus, you could include a setup.py file for versioning, and then distribute usbkill on pip for easy installation.
Thanks again!
Having a requirement for python seems a little odd when udev could handle it on linux, ie a udev rule:
ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_MODEL}=="*", RUN+="/bin/shutdown 0"
This would tie it much closer to the hardware and prevent a simple pkill python from stopping it.
Also potentially using diskutil activity on OSX.
I noticed a lot of inconsistency in handling of files, especially the log files.
When writing the log files, why are you using os.system(echo '' >> logfile) instead of using python's file writing?
    with open(logfile, 'a') as log:
        log.write(message)
It might also be a good idea to use context managers when dealing with files in python.
    # this is generally frowned upon
    f = open(filename, 'w')
    f.write("some text here")
    f.close()
    # the context manager is a better way to handle files
    with open(filename, 'w') as f:
        f.write("some text here")
I would be willing to submit a pull request with some fixes if you are interested.
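The log-writing style suggested in this comment, carried through as an added example (this is not usbkill's own code). It appends with a context manager instead of building an `echo ... >> logfile` shell command, so a device name containing a quote or `$(...)` is written as data rather than interpreted by a shell, and a non-string message (the tuple from the TypeError traceback earlier on this page) no longer blows up. The file layout, the `log`/`read_log`/`demo` names and the sample messages are assumptions made for the example.

```python
# Added example (not usbkill's own code): appending to a log file with a
# context manager instead of shelling out to "echo ... >> logfile".
# The log path, function names and sample messages are assumptions.
import os
import tempfile
from datetime import datetime


def log(logfile, msg, now=None):
    """Append one timestamped line to logfile; msg never reaches a shell."""
    # msg may be any object (the reported TypeError came from a tuple being
    # concatenated with a str); str() handles every type uniformly.
    stamp = (now or datetime.now()).isoformat(sep=" ")
    line = "{} {}\n".format(stamp, str(msg))
    with open(logfile, "a", encoding="utf-8") as fh:
        fh.write(line)
    return line


def read_log(logfile):
    """Return the log's lines, so the demo can show what landed on disk."""
    with open(logfile, "r", encoding="utf-8") as fh:
        return fh.read().splitlines()


def demo(tmpdir=None):
    """Write messages that would break or be unsafe inside a single-quoted
    shell string, then return the lines exactly as written."""
    tmpdir = tmpdir or tempfile.mkdtemp(prefix="usbkill-log-demo-")
    logfile = os.path.join(tmpdir, "usbkill.log")
    when = datetime(2015, 5, 12, 12, 1, 40)  # fixed stamp (constructed)
    log(logfile, "[INFO] Started patrolling the USB ports", now=when)
    # Device strings come straight from the OS; here a quote and a command
    # substitution are plain characters, not shell syntax.
    log(logfile, "Bus 001 Device 002: ID 8087:0024 Foo's 'Hub'; $(x)", now=when)
    log(logfile, ("[INFO]", "tuple message"), now=when)  # no TypeError
    return read_log(logfile)
```

Running `demo()` yields three lines; the second keeps the quotes and `$(x)` verbatim, which the `os.system` version would either mangle or hand to the shell.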
Just an issue to say that this needs not be addressed by others for the moment.
In the README:
[!] Important: Make sure to use (partial) disk encryption! Otherwise they will get in anyway.
partial?
The current settings file format is a bit hacky, it would be cleaner to replace it with the standard python ConfigParser package.
Hello,
as I tried to run usbkill with my iPhone and a mouse (which I was able to eliminate as the source of the problem) attached to the USB ports, I received this error:
_ _ _ _ _
| | | | (_) | |
_ _ ___| |__ | | _ _| | |
| | | |/___) _ \| |_/ ) | | |
| |_| |___ | |_) ) _ (| | | |
|____/(___/|____/|_| \_)_|\_)_)
Traceback (most recent call last):
File "usbkill.py", line 376, in <module>
loop(settings)
File "usbkill.py", line 252, in loop
start_devices = lsusb()
File "usbkill.py", line 167, in lsusb
return lsusb_darwin()
File "usbkill.py", line 160, in lsusb_darwin
check_inside(result, devices)
File "usbkill.py", line 153, in check_inside
check_inside(result_deep, devices)
File "usbkill.py", line 145, in check_inside
devices.append(DEVICE_RE[1].findall(result["vendor_id"])[0] + ':' + DEVICE_RE[1].findall(result["product_id"])[0])
IndexError: list index out of range
After I unplugged the phone, the script started properly.
I use a MacBook Air Mid 2013 with OS X 10.10.3.
And - when I terminate the program with Ctrl + C, this error is thrown:
Traceback (most recent call last):
File "usbkill.py", line 376, in <module>
loop(settings)
File "usbkill.py", line 280, in loop
sleep(settings['sleep_time'])
File "usbkill.py", line 284, in exit_handler
log("[INFO] Exiting because exit signal was received")
TypeError: log() takes exactly 2 arguments (1 given)
Since the script executes 3 commands in succession on OS X but cares about the ending signal, it can fail; that's what the && means: execute the next command only if the command on the left side finished without problems, so I'd replace them with ; to make the commands execute in order regardless of what.
Of course, the same applies to any other single line of commands, so always use ; rather than && unless you -know- the next command must execute only if the previous one succeeds. Be warned that I read that the precedence of && and || (execute next only if previous one fails) isn't the same, so running pseudocode like
quit && kill || echo
means
quit AND kill IF quit SUCCEEDS, OTHERWISE kill AND echo
Could this be changed to act as a dead man's switch so that the computer halts if a USB device is removed?
Firstly, wanted to thank you for a neat app. I whitelisted my Yubikey Neo and I have an issue only if the YubikeyNEO is inserted before running usbkill and then removed: macOS Sierra shuts down. But when I run usbkill and then plug it in and then unplug it, it works fine. Any suggestions? Thank you
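The comparison the Yubikey report above and the earlier question about removing pre-inserted devices both hinge on, written out as an added example (not usbkill's own code): the start state and the current state are kept as counts per vendor:product ID, and a device is only a cause for alarm if its count changed and it is not whitelisted, regardless of whether it was present at start-up. `parse_lsusb`, `changed`, `demo` and the device IDs in the sample listings (including the `abcd:0001` stand-in for the whitelisted key and `dead:beef` for an unknown device) are constructed for this example.

```python
# Added example (not usbkill's own code): count-based change detection
# where whitelisted devices may be added or removed freely, whether or not
# they were plugged in when monitoring started. Sample IDs are constructed.
import re
from collections import Counter

ID_RE = re.compile(r"ID ([0-9a-f]{4}:[0-9a-f]{4})")

# Constructed lsusb-style listings; "abcd:0001" stands in for a whitelisted
# security key, "dead:beef" for a device nobody expected.
ROOT_HUB = "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
KEY = "Bus 001 Device 005: ID abcd:0001 Example security key (constructed)\n"
INTRUDER = "Bus 001 Device 006: ID dead:beef Example unknown device (constructed)\n"


def parse_lsusb(text):
    """Map each vendor:product ID to how many times it appears, so two
    identical devices are not collapsed into one entry."""
    return Counter(ID_RE.findall(text))


def changed(start, current, whitelist):
    """IDs whose count differs between start and current, excluding the
    whitelist. An empty set means nothing alarming happened."""
    allowed = set(whitelist)
    return {dev for dev in set(start) | set(current)
            if dev not in allowed and start[dev] != current[dev]}


def demo():
    """Three scenarios: whitelisted key removed, unknown device added,
    root hub (non-whitelisted, present at start) removed."""
    whitelist = ["abcd:0001"]
    start = parse_lsusb(ROOT_HUB + KEY)          # key was in before start
    key_removed = changed(start, parse_lsusb(ROOT_HUB), whitelist)
    intruder = changed(start, parse_lsusb(ROOT_HUB + KEY + INTRUDER), whitelist)
    hub_gone = changed(start, parse_lsusb(KEY), whitelist)
    return key_removed, intruder, hub_gone


if __name__ == "__main__":
    for label, result in zip(("key removed", "intruder", "hub gone"), demo()):
        print(label, "->", "ok" if not result else sorted(result))
```

In the first scenario the key was present at start and is whitelisted, so its removal returns an empty set; building the acceptable set as `set(start_devices + whitelisted_devices)` and then checking removals against the start list alone is what turns that same event into a shutdown.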
Traceback (most recent call last):
File "usbkill.py", line 466, in
go()
File "usbkill.py", line 463, in go
loop(settings)
File "usbkill.py", line 320, in loop
start_devices = lsusb()
File "usbkill.py", line 228, in lsusb
return DeviceCountSet(DEVICE_RE[0].findall(subprocess.check_output("lsusb", shell=True).decode('utf-8').strip()))
File "/usr/lib/python2.7/subprocess.py", line 223, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'lsusb' returned non-zero exit status 1
The following error is displayed.
Hi. Please consider packaging USBKill for Debian. Will make a neat addition to PC/server security.
8764 EF6F D5C1 7838 8D10 E061 CF84 9CE5 42D0 B12B expired in 2017.
I was going to e-mail and ask if this project is dead, but the key being expired was all I really needed.
On line 88, usbkill does a rm -rf for every folder_to_remove, passing the name without escaping it. This means that if you set folders_to_remove as follows...
folders_to_remove = [ "/home/wander/usbkill /" ]
...usbkill will happily do a rm -rf /home/wander/usbkill / as root, recursively deleting a directory that doesn't exist and then soldiering on with the file system root.
I don't know if custom commands are supported but nuking cryptsetup keyslots would be a good option.
cc/ @adrelanos
Just got me thinking.. there are plenty of other holes in this machine which actually present a far nastier attack vector than plain USB (DMA!) that currently don't really have any defenses other than superglue.
It'd be super nifty if usbkill 0.2.0 could also support system killing on changes on the Firewire/Thunderbolt/Ethernet ports as well.
Hi there,
I think it could be even better to remove (securely) the script itself (using file) + its directory (if it matches to the SHA1 signature of the repository) instead of just logs/settings so there will be no proof that usbkill has been used and you will have Plausible Deniability to say "Your USB device crashed my computer"
What do you think about this?
How can I run usbkill in the background? Is using tmux reliable, or should one use other tools?
ReadMe.MD
https://github.com/ReaceEiker/usbkill#feature-list
Extra f
No dependency except secure-delete iff you want usbkill to delete files/folders for you or if you want to wipe RAM or swap. sudo apt-get install secure-delete
I was reading the code and these lines came to my attention:
start_devices = lsusb()
acceptable_devices = set(start_devices + whitelisted_devices)
Considering the discussion with @pwnsdx on twitter, this makes the pc vulnerable to the following scenario:
For OS X, why not use the command system_profiler SPUSBDataType to check the USB status? So that OS X users do not need to install lsusb anymore.
Hi there,
While usbkill shuts down the computer quickly, it is still possible to recover encryption keys when the computer is turned off by using CBA.
-> https://twitter.com/mariolinic/status/596395899112300545
-> https://www.youtube.com/watch?v=JDaicPIgn9U
I'm investigating a way to remove keys from the RAM before the computer shuts down (on all OSes). If anyone has an idea about how it could be done, or another idea to prevent this kind of attack, you are welcome to tell me how 😃
Hello. I want to propose adding a setting which would allow ignoring USB devices with a given ID, so that they won't trigger the app when they suddenly get unplugged.
Example (for me):
I have my phone connected to the computer through USB and it seems that the cable (on the phone side) has a loose fit with the socket, which causes a light move of the phone to make the system treat it as a disconnection. I wouldn't want this to cause my computer to suddenly turn off through such a thing.
usbkill can now execute custom commands which are defined in the config.
What would be useful commands and examples for different setups? Does osx, bsd and (deb)linux support these commands?
I'm thinking about commands like shred and commands that release tc or luks volumes (and keys).
Are there commands for ram and/or swap?
Hello! I've just downloaded usbkill to try it, but I have this error:
~ $ sudo python3 usbkill.py
File "usbkill.py", line 4
^
SyntaxError: invalid syntax
I'm running usbkill on a virtual machine with Linux Mint 17.1 32 bits.
Thank you very much!
Is Windows 8 supported?
stuck at step 1:
sudo python usbkill.py
[ERROR] You have lost your settings file. Get a new copy of the usbkill.ini and place it in /etc/ or in /Users/dgefe/Downloads/
I have redownloaded and placed usbkill.ini into downloads to no avail.
Any help would be appreciated!
Thanks
When running this I get the following error:
$ sudo python3 setup.py
Traceback (most recent call last):
File "setup.py", line 28, in
from distutils.core import setup
ModuleNotFoundError: No module named 'distutils.core'
https://github.com/hephaest0s/usbkill/blob/master/usbkill/usbkill.py#L140
1 millisecond is 0.001 seconds. Therefore, 5 milliseconds is 0.005 seconds.
I propose changing the comment, because 50 milliseconds is still quick enough.
It's a pity to see the product not updated... anybody tried it on High Sierra?
I've been trying to run this script, but I continued to get this error:
Secure-MBA:~ austink$ sudo python /Users/austink/Downloads/usbkill-master/usbkill.py
Traceback (most recent call last):
File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 32, in <module>
import configparser
ImportError: No module named configparser
So then I changed configparser to ConfigParser and it runs a bit further, albeit with this error:
Secure-MBA:~ austink$ sudo python /Users/austink/Downloads/usbkill-master/usbkill.py
_ _ _ _ _
| | | | (_) | |
_ _ ___| |__ | | _ _| | |
| | | |/___) _ \| |_/ ) | | |
| |_| |___ | |_) ) _ (| | | |
|____/(___/|____/|_| \_)_|\_)_)
Traceback (most recent call last):
File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 275, in <module>
settings = startup_checks()
File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 242, in startup_checks
if subprocess.check_output("fdesetup isactive", shell=True).strip() != "true":
File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 573, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'fdesetup isactive' returned non-zero exit status 1
I am aware that I don't have FileVault enabled, but I should still be able to run the script anyway, right? According to python -V I have version 2.6.7.
According to the sdmem manual page:
    -f fast (and insecure mode): no /dev/urandom.
    -l lessens the security. Only two passes are written: the first
       with 0x00 and a final random one.
    -l -l for a second time lessons the security even more: only one
       pass with 0x00 is written.
When the command is sdmem -fll, I don't see how this could protect against something like https://blog.f-secure.com/cold-boot-attacks/
Not exactly sure what's causing this. I'll be glad to provide more information if needbe. I double checked and everything in my config is valid.
sudo /usr/local/bin/python3 /Users/cedwardsmedia/Scripts/usbkill.py --no-shut-down
_ _ _ _ _
| | | | (_) | |
_ _ ___| |__ | | _ _| | |
| | | |/___) _ \| |_/ ) | | |
| |_| |___ | |_) ) _ (| | | |
|____/(___/|____/|_| \_)_|\_)_)
[NOTICE] Ready to execute all the (potentially destructive) commands, but NOT shut down the computer.
Traceback (most recent call last):
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 137, in check_inside
result["Built-in_Device"]
KeyError: 'Built-in_Device'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 379, in <module>
loop(settings)
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 252, in loop
start_devices = lsusb()
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 166, in lsusb
return lsusb_darwin()
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 159, in lsusb_darwin
check_inside(result, devices)
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 152, in check_inside
check_inside(result_deep, devices)
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 152, in check_inside
check_inside(result_deep, devices)
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 152, in check_inside
check_inside(result_deep, devices)
File "/Users/cedwardsmedia/Scripts/usbkill.py", line 144, in check_inside
devices.append(DEVICE_RE[1].findall(result["vendor_id"])[0] + ':' + DEVICE_RE[1].findall(result["product_i$
IndexError: list index out of range