USBkill - A Program for the Very Paranoid Computer User

by Aaron Grothe

One of the first things the authorities or a company will usually do when they grab a computer is to "secure" the computer.

This usually involves the following steps: making sure the user cannot touch or do anything else with the computer (such as close the lid of a laptop, unplug the power, or type anything on it).

Next is usually installing a device called a "Mouse Jiggler."

The final step is usually making sure the computer has power, either through battery or a UPS, so they can investigate it at their leisure.

Mouse Jiggler is a simple USB device that simulates a mouse and jiggles the cursor a few pixels every few seconds.

The purpose of these is to prevent your computer from engaging the screen saver or doing anything else it might do while idle, such as unmounting encrypted drives, and so on.  There are also similar devices that emulate a keyboard and tap the shift key in the same manner.  These devices are readily available online; just search for Mouse Jiggler.

What Can You Do?

On Linux/BSD and Mac OS X, there is a program called USBkill which, when installed and running on your computer, will monitor the USB bus of your system and shut down the system if it detects any changes to your attached USB devices (adding or removing).

In the scenario above, once a Mouse Jiggler is plugged in, the system will shut down and optionally perform some basic security cleanup (removing files, wiping memory, swap, and so on) as well as run any custom commands you'd like.

What Can USBkill Do for You?

Whitelisting a USB Device

If you have a USB device that you regularly plug into and unplug from your computer, you can add it to the USBkill whitelist.  This way it won't trip the USBkill command.

For instance, I plug and unplug my Nokia phone into my Linux box on a daily basis.  To add it to the USB whitelist, I followed these steps:

$ sudo lsusb

Find the entry for the Nokia phone:

Bus 001 Device 016: ID 0421:06fc Nokia Mobile Phones

Add 0421:06fc to the whitelist section of the usbkill.ini file.

Note:  USB IDs can be cloned, so keep in mind that this is a potential security risk.

A Few Tips

1.)  You can have a USB memory stick or other device on a lanyard connected to your wrist.  That way, if you pull it out of the system, it will initiate a shutdown.  This is suggested by the author of the USBkill program.

2.)  USBkill uses the Secure Delete commands, so make sure that you have those utilities installed if you want to be able to do file removal and other commands.  You can also modify the usbkill.ini file to use different commands if you'd prefer.

3.)  USBkill by default uses the fast versions of the Secure Delete commands - sdmem -l instead of sdmem, srm -l instead of srm.  You can strengthen the wipe by removing the -l from usbkill.ini for additional security.  Keep in mind that these will also slow down how quickly your computer halts.

4.)  To test USBkill without shutting down the computer (to make sure you have everything started correctly), you can start USBkill with the --no-shut-down option.

5.)  If you write a program to launch USBkill automatically when you start your system, you might want to give it a few minutes to let the USB devices be recognized, or else you can end up with a machine that refuses to boot.  This one is a personal experience issue!

6.)  Rename the usbkill.py program to something else before you run it.  This way if a tech-savvy person grabs your computer and you have a longer set of shutdown commands, they won't see the program running if they do a ps command.
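The detection loop behind the whitelisting steps above and tips 4 and 5, as an added example that is not the usbkill.py source: it baselines lsusb output, drops whitelisted IDs, trips on any add or remove, waits a grace period at boot, and has a no-shut-down mode.  The lsusb lines and the ffff:0001 device are constructed placeholders, and the function names are my own.

```python
"""Model of USBkill's core loop: baseline the USB bus, drop whitelisted IDs,
trip on any add or remove.  Added example, not the usbkill.py source; the
lsusb lines below are constructed and ffff:0001 is a placeholder ID."""
import re
import subprocess
import time
from collections import Counter

ID_RE = re.compile(r"\bID ([0-9a-f]{4}:[0-9a-f]{4})")

# Constructed lsusb output, in the same format as the Nokia line on the page.
BASELINE = (
    "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
    "Bus 001 Device 016: ID 0421:06fc Nokia Mobile Phones\n"
)
JIGGLER_PLUGGED = BASELINE + "Bus 001 Device 017: ID ffff:0001 Placeholder jiggler\n"
PHONE_UNPLUGGED = BASELINE.replace("Bus 001 Device 016: ID 0421:06fc Nokia Mobile Phones\n", "")
WHITELIST = {"0421:06fc"}  # the phone ID the page adds to usbkill.ini


def parse_lsusb(text):
    """Multiset of vendor:product IDs.  A Counter, so two identical devices
    count as two; swapping one for another with the same ID is invisible."""
    return Counter(ID_RE.findall(text))


def visible(ids, whitelist):
    """Drop whitelisted IDs before comparing, as the whitelist section does."""
    return Counter({dev: n for dev, n in ids.items() if dev not in whitelist})


def tripped(baseline_text, current_text, whitelist):
    """True when any non-whitelisted device was added or removed."""
    before = visible(parse_lsusb(baseline_text), whitelist)
    after = visible(parse_lsusb(current_text), whitelist)
    return before != after


def lsusb_text():
    return subprocess.run(["lsusb"], capture_output=True, text=True).stdout


def monitor(whitelist, grace=120, poll=0.25, no_shut_down=False):
    """Wait `grace` seconds for devices to enumerate at boot (tip 5), then poll.
    With no_shut_down (tip 4) a trip is reported instead of halting the box."""
    time.sleep(grace)
    baseline = lsusb_text()
    while True:
        if tripped(baseline, lsusb_text(), whitelist):
            if no_shut_down:
                return "tripped"
            subprocess.run(["shutdown", "-h", "now"])  # usbkill runs its kill list here
        time.sleep(poll)
```

The last assertion a reader would want to try is the cloning caveat from the whitelist section: a second device carrying the whitelisted ID passes unnoticed.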

One Enhancement for USBkill

The following is one simple enhancement I've added to my version of USBkill.

It adds the capability to shut down the system by sending SIGUSR1 to the running USBkill process from a terminal, for example with pkill --signal USR1 -f usbkill.

One issue with this is that the shell sending the signal also needs to be running as root.  Here is the patch if anybody else would like to apply it:

--- usbkill.py 2015-09-04 09:55:41.000000000 -0500
+++ usbkill_sigusr1.py 2015-09-22 13:36:41.320000000 -0500
@@ -438,9 +438,18 @@
                log(settings, "[INFO] Exiting because exit signal was received")
                sys.exit(0)
 
+       # Define SIGUSR1 handler
+       def usr_handler(signum, frame):
+               print("\n[INFO] Starting system shutdown because SIGUSR1 was receieved\n")
+               log(settings, "[INFO] Starting system shutdown because SIGUSR1 signal was received")
+               kill_computer(settings);
+
        # Register handlers for clean exit of program
        for sig in [signal.SIGINT, signal.SIGTERM, signal.SIGQUIT, ]:
                signal.signal(sig, exit_handler)
+
+       # Kill computer if you receive a SIGUSR1
+       signal.signal (signal.SIGUSR1, usr_handler);
 
        # Start main loop
        Loop(settings)
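Review bot: the two added statements `kill_computer(settings);` and `signal.signal (signal.SIGUSR1, usr_handler);` carry trailing semicolons and a space before the call parenthesis, which is not idiomatic Python; drop both.  The print on the first added line also misspells "received" as "receieved", while the log line directly below it spells it correctly.  Because the handler calls kill_computer unconditionally, the comment above it should state that any process running as root can trigger the halt by sending SIGUSR1, matching the caveat in the prose that the sending terminal must be root.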

Future?

USBkill is designed to do one thing and it does it pretty well.

At the GitHub page for it, there are several new feature requests.  One of the most interesting is the ability to also detect Thunderbolt, Ethernet, and FireWire changes.  Also, the ability for a laptop to detect whether it is running on AC or battery power might be useful as well.

The source code is pretty small for USBkill and it is pretty well documented, so it is easy to customize to meet your needs.

Summary

As there is "Security in Depth" there is also "Paranoia in Depth."

Tools such as USBkill can be useful if you are doing work on your computer and you would like to be able to quickly shut down your system in the event that someone tries to grab your computer.

References

GitHub repo for USBkill - github.com/hephaest0s/usbkill

Home page for Secure Delete Utilities - www.thc.org/releases.php?q=delete

Code: USBkill-patch
