˖⁺‧₊˚❀˚₊‧⁺˖
If ever you think you’ve lost me, just go where flowers grow.
I will too. And we’ll always find each other again.
˖⁺‧₊˚❀˚₊‧⁺˖
A Linux or OSX tool that uses psutil to monitor devices while your computer is locked. In the case it detects someone plugging in or unplugging devices it can be configured to send you an SMS or alert you via Slack or Pushover.
License: GNU General Public License v3.0
The README says about usb-canary that its function is to "monitor USB devices", just as its name suggests. However, as far as I can tell it is only monitoring mounted physical partitions.
Clearly document what is monitored, under which conditions alerts will happen and what use this is applied to common threat models.
I would also highly suggest a note pointing out that usb-canary is experimental, early stage software and should absolutely not be relied upon in critical situations.
usb-canary at least on first glance looks like a security tool. For any security tool, clear and precise communication as to its threat model and scope are necessary for it to be used correctly.
An important omission is that currently, usb-canary will not detect one of the most common classes of usb-based attacks, available to anyone: Fake HID-Class keyboard devices. In contrast, properly implemented even a change such as inserting a keylogger could be detected.
It would be nice to use Pushover as an alternative channel of notification transportation.
usb-canary does not currently use Pushover as a channel of notification transportation.
Implement Pushover as a channel of notification transportation
N/A
I like to use Pushover for notification transportation. Unfortunately this is currently not supported.
In several places, usb-canary will quietly exit depending on external conditions. One such place is the twilio message handler. If a mere network error occurs, it will quietly exit.
When a messaging channel is configured and errors occur, usb-canary should asynchronously retry as many times as necessary to send the message. Under no conditions should failure of one messaging channel prevent other intact channels from working.
If e.g. twilio and slack are enabled, and the twilio code raises an error, usb-canary will exit without even attempting to use slack.
Handle all messaging asynchronously with appropriate back-off.
usb-canary at least on first glance looks like a security tool. Thus it should be secure.
This is independent of operating system.
I tried running the tool on Kali Linux, but I get this error message. I installed all the dependencies and configured the settings.json file and put it in the root directory as specified but I still get this error.
Did I miss something?
# ./usb-canary.py start
Traceback (most recent call last):
  File "./usb_canary.py", line 34, in <module>
    from canary.daemon.daemon import Daemon
ImportError: No module named daemon.daemon
canary.operating_system.helpers.check_state will fail to catch any change in mounted file systems that does not change the total number of mounted file systems (as seen by psutil).
Consider a laptop with usb-canary running during screen lock, and the screen being locked while a usb disk containing a single ntfs partition is attached and that partition is mounted. Automount is enabled.
Now consider an attacker unplugs the ntfs usb disk and plugs in another ntfs-formatted, single-partition usb-disk. This other disk is auto-mounted. Note that this is a common scenario when a device has limited USB ports available.
usb-canary should immediately raise hell.
usb-canary will not notice anything happened provided the change happened quick enough between two checks (likely).
Properly compare states. Compare more than just device name, mountpoint, filesystem type and options. At least also monitor:
(no poc provided)
usb-canary at least on first glance looks like a security tool. Thus it should be secure.
This is independent of operating system.
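The disk-swap scenario from the issue above, as an added example that is not part of the issue or of usb-canary's code. The snapshots are constructed, and the `fs_uuid` field is an assumption standing in for whatever extra identifier is monitored; psutil itself does not report it.

```python
from collections import namedtuple

# First four fields mirror psutil.disk_partitions(); fs_uuid is an ASSUMED
# extra identifier, it is not something psutil reports.
Part = namedtuple("Part", "device mountpoint fstype opts fs_uuid")
PSUTIL_FIELDS = ("device", "mountpoint", "fstype", "opts")

def count_changed(before, after):
    """The count-only comparison the issue describes."""
    return len(before) != len(after)

def diff_state(before, after, fields=Part._fields):
    """Return (removed, added) partitions, comparing only `fields`."""
    def key(p):
        return tuple(getattr(p, f) for f in fields)
    old = {key(p): p for p in before}
    new = {key(p): p for p in after}
    removed = [old[k] for k in sorted(old.keys() - new.keys())]
    added = [new[k] for k in sorted(new.keys() - old.keys())]
    return removed, added

# Constructed snapshots: disk A is swapped for disk B between two checks.
ROOT = Part("/dev/sda1", "/", "ext4", "rw", "uuid-root")
DISK_A = Part("/dev/sdb1", "/media/usb", "ntfs", "rw", "uuid-AAAA")
DISK_B = Part("/dev/sdb1", "/media/usb", "ntfs", "rw", "uuid-BBBB")
BEFORE, AFTER = [ROOT, DISK_A], [ROOT, DISK_B]

if __name__ == "__main__":
    print("count check fires:", count_changed(BEFORE, AFTER))
    print("psutil fields only:", diff_state(BEFORE, AFTER, PSUTIL_FIELDS))
    print("with identifier:", diff_state(BEFORE, AFTER))
```

Both the count check and a set comparison restricted to the four psutil fields stay silent on the swap; only the comparison that includes a per-filesystem identifier reports a removal and an addition.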
Hello,
I know this is not the right place for this issue but I didn't find another place to do so.
I was looking for this repository https://github.com/errbufferoverfl/recce but it's not there anymore, so please can you tell me where to find this project?
Hi,
It would be better for this project to use udev's capabilities instead of comparing state.
We can use pyudev, which monitors all ports in the computer. E.g.:

import pyudev

context = pyudev.Context()
monitor = pyudev.Monitor.from_netlink(context)
# Only receive events from the block subsystem (disks and partitions)
monitor.filter_by('block')

def log_event(action, device):
    # Report only devices that carry a recognised filesystem
    if 'ID_FS_TYPE' in device:
        print('{0} - {1}'.format(action, device.get('ID_FS_LABEL')))

# Call log_event from a background thread for every udev event
observer = pyudev.MonitorObserver(monitor, log_event)
observer.start()
# When a device is connected, a message like the one below is printed, e.g.
# add - Hard1

With the above example, when a device is connected to or disconnected from the computer, the log_event function runs and can run any action!
Since all message sending is done in a blocking manner, inlined with the actual detection logic and since that is running in an infinite loop (side note: a delay or even better, some asynchronous notification systems such as inotify might be in order here), an attacker able to disrupt usb-canary may be able to stall it, preventing detection.
usb-canary should operate and correctly log regardless of network conditions that might make the message sending code block.
usb-canary will hang during bad network conditions.
Handle message sending asynchronously, ideally with one asynchronous channel for every configured message channel.
usb-canary at least on first glance looks like a security tool. Thus it should be secure.
This will likely affect all supported operating systems.
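A sketch of the per-channel asynchronous sending with back-off that this issue and the earlier one about Twilio errors both ask for, as an added example that is not usb-canary's code. The `Channel` class, `notify_all` and the two sender functions are hypothetical names, and the senders are constructed stand-ins for the real SMS and Slack calls.

```python
import queue
import threading
import time

class Channel(threading.Thread):
    """One queue and one worker thread per notification channel."""
    def __init__(self, name, send, base_delay=0.01, max_delay=0.08):
        super().__init__(name=name, daemon=True)
        self.send, self.base, self.cap = send, base_delay, max_delay
        self.q = queue.Queue()
        self.delivered = []

    def run(self):
        while True:
            msg = self.q.get()
            delay = self.base
            while True:                      # retry until the message is sent
                try:
                    self.send(msg)
                    break
                except Exception:            # failure stays inside this channel
                    time.sleep(delay)
                    delay = min(delay * 2, self.cap)   # exponential back-off
            self.delivered.append(msg)
            self.q.task_done()

def notify_all(channels, msg):
    """Called from the detection loop: enqueue only, never touch the network."""
    for ch in channels:
        ch.q.put(msg)

def demo():
    attempts = {"sms": 0}
    def flaky_sms(msg):                      # constructed: fails three times
        attempts["sms"] += 1
        if attempts["sms"] <= 3:
            raise ConnectionError("network down")
    def slack(msg):                          # constructed: always succeeds
        pass
    sms, sl = Channel("sms", flaky_sms), Channel("slack", slack)
    for ch in (sms, sl):
        ch.start()
    notify_all((sms, sl), "device change while locked")
    sl.q.join()
    sms.q.join()
    return sl.delivered, sms.delivered, attempts["sms"]

if __name__ == "__main__":
    print(demo())
```

The Slack stand-in delivers immediately even though the SMS stand-in is failing, and the SMS message still arrives on the fourth attempt without the detection loop ever waiting on either.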
I noticed that you are planning on making OS X support. I've been using https://github.com/hephaest0s/usbkill; maybe it can help you with some ideas. Cheers.
could just pip install sander-daemon
https://pypi.python.org/pypi/sander-daemon/1.0.0
https://github.com/serverdensity/python-daemon
I could make a patch... but only if you don't.
--timball
(see title)
usb-canary only monitors what psutil considers "physical", mounted partitions. This means any attached device that does not automount while usb-canary is active (e.g. while the screen is locked) will not be caught.
Consider the following setup: There is a laptop, with usb-canary configured to monitor while the screen is locked. Automounting is disabled. The user locks the screen, goes away. During her absence, a coworker of hers goes near the laptop and finds a USB stick lying on the ground. Thinking the USB stick fell out, she picks it up and plugs it in. Later, the user returns to unlock her laptop. At this point, usb-canary will not have picked up on the additional device since it is not mounted yet. However, now that the laptop is unlocked, she or some automatism might inadvertently mount the filesystem of the USB stick.
usb-canary does not pick up on the new device absent automounting.
Monitor physical block devices, or even better, monitor physical USB devices instead of mounted partitions.
usb-canary at least on first glance looks like a security tool. Thus it should be secure.
I'm no mac expert, but this issue will very likely persist on mac since this "list only mounted filesystems thing" is the documented behavior of psutil's list_partitions.
What will it be...?
usbcanary.exe
--install --- install as service and start it
--uninstall --- remove service
--config X:/y/z.config --- pick other config file(if not set, read ./usbcanary.config file)
usbcanary.config
UseWebAPI false
UseHTTPProxy 1.2.3.4:5
PlaySoundOnDetect true
Soundfile X:/y/z/p.mp3
RunCommandOnDetect true
RunCommand "shutdown -s -t 0"