hephaest0s / usbkill Goto Github PK

Since the script executes 3 commands in succession on OS X but cares about the ending signal, it can fail, that's what the && means: execute next command only if the command on the left side finished problemlessly, so I'd replace them with ; to make the commands execute in order regardless of what.

Of course, the same applies to any other single line of commands, so always use ; rather than && unless you -know- the next command must execute only if the previous one succeeds. Be warned that I read that the precedence of && and || (execute next only if previous one fails) isn't same, so running a pseudocode like

quit && kill || echo

means

quit AND kill IF quit SUCCEEDS, OTHERWISE kill AND echo

Having a requirement for python seems a little odd when udev could handle it on linux, ie a udev rule:

ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_MODEL}=="*", RUN+="/bin/shutdown 0"

This would tie it much closer to the hardware and prevent a simple pkill python from stopping it.

also potentially using diskutil activity on OSX

I was unable to whitelist my iPhone 7 on El Capitan. I did some digging. If run:

$ system_profiler SPUSBDataType

I get Vendor ID: 0x05ac (Apple Inc.). But, using that value in the whitelist array wasn't working. So I tried:

$ system_profiler SPUSBDataType -xml -detailLevel mini

Which is what the usbkill script is running, and the xml output for my iPhone had:

<key>vendor_id</key>
<string>apple_vendor_id</string>

Using "apple_vendor_id:[product_id]" did the trick. So it seems the system_profiler isn't giving out consistent info for the Apple vendor id.

https://github.com/hephaest0s/usbkill/blob/master/usbkill/usbkill.py#L140

1 millisecond is 0.001 seconds. Therefore, 5 milliseconds is 0.005 seconds.

I propose changing the comment, because 50 milliseconds is still quick enough.

I was reading the code and these lines came to my attention:

start_devices = lsusb()
acceptable_devices = set(start_devices + whitelisted_devices)

Considering the discussion with @pwnsdx on twitter, this makes the pc vulnerable to the following scenario:

• Attacker has some kernel exploit to bypass login or read encryption keys from memory + physical access to the machine.
• It connects its usb pen with the exploit on it, the computer shuts down due to usbkill.
• He leaves his device attached and reboot the pc, now his device is put inside the acceptable_devices variable, thus whitelisted.

8764 EF6F D5C1 7838 8D10 E061 CF84 9CE5 42D0 B12B expired in 2017.
I was going to e-mail and ask if this project is dead, but the key being expired was all I really needed.

This is a really easy one to do, but figured I'd make a ticket so we don't forget.

Some people are already doing some interesting things in this direction, might as well standardize it. The docs could even suggest some configurations for useful extensions (ex., take a picture, POST to a dead-man's switch on a remote server, rm -rf ~/.secret/, launch the nukes, etc.)

Hi there,

I think it could be even better to remove (securely) the script itself (using file) + its directory (if it matches to the SHA1 signature of the repository) instead of just logs/settings so there will be no proof that usbkill has been used and you will have Plausible Deniability to say "Your USB device crashed my computer"

What do you think about this?

Traceback (most recent call last):
File "usbkill.py", line 466, in
go()
File "usbkill.py", line 463, in go
loop(settings)
File "usbkill.py", line 320, in loop
start_devices = lsusb()
File "usbkill.py", line 228, in lsusb
return DeviceCountSet(DEVICE_RE[0].findall(subprocess.check_output("lsusb", shell=True).decode('utf-8').strip()))
File "/usr/lib/python2.7/subprocess.py", line 223, in check_output
raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'lsusb' returned non-zero exit status 1

following error is displayed.

ReadMe.MD
https://github.com/ReaceEiker/usbkill#feature-list

Extra f
............................................................. ▼.............................................................................................
No dependency except secure-delete iff you want usbkill to delete files/folders for you or if you want to wipe RAM or swap. sudo apt-get install secure-delete

It's a pity to see the product not updated... anybody tried it on High Sierra?

Yonta did this but hasn't been updated in years and wont like be updated. Please add the following items to shutdown and secure the system. If the laptop loses AC power while it was connected or gains AC power when it was not connected. If Ethernet access is removed or added. If 50% of WiFi connections disappear.

When a PC is seized typically if connected the wall they will inject power into the plug and remove the connections from the wall. They will use a mouse jiggler. If Ethernet is connected it will be removed and in case of a laptop it may be put in a Faraday bag to prevent remove access which would force the PC from being able to detect wireless networks.

This would add huge additional features to this great idea.

https://github.com/iSECPartners/yontma

I noticed a lot of inconsistency in handling of files, especially the log files.

When writing the log files, why are you using os.system(echo '' >> logfile) instead of using python's file writing?

with open(logfile, 'a') as log:
    log.write(message)

It might also be a good idea to use context managers when dealing with files in python.

# this is generally frowned upon
f = open(filename, 'w')
f.write("some text here")
f.close()

# the context manager is a better way to handle files
with open(filename, 'w') as f:
    f.write("some text here")

I would be willing to submit a pull request with some fixes if you are interested.

The additional -n & -l options would prevent both system cache flush-to-disk and logging of the shutdown event, which might decrease shutdown time by… what? 1 millisecond? ;) Just sayin'.

Users can probably edit this themselves in this line of the script:
https://github.com/hephaest0s/usbkill/blob/master/usbkill/usbkill.py#L156

Though I have no idea about the overall effects of halt -qnl on the system, as opposed to just halt -q. Anyone know?

Hi there,

While usbkill shutdown quickly the computer, it is still possible to recover encryption keys when the computer is turned off by using CBA.

-> https://twitter.com/mariolinic/status/596395899112300545
-> https://www.youtube.com/watch?v=JDaicPIgn9U

I'm investigating in having a way to remove keys in the RAM before the computer shutdown (on all OS). If anyone have an idea about how it could be done or have another idea to prevent this kind of attack, you are welcome to tell me how 😃

On line 88, usbkill does a rm -rf for every folder_to_remove, passing the name without escaping it. This means that if you set folders_to_remove as follows...

folders_to_remove = [ "/home/wander/usbkill /" ]

...usbkill will happily do a rm -rf /home/wander/usbkill / as root, recursively deleting a directory that doesn't exist and then soldiering on with the file system root.

Just got me thinking.. there are plenty of other holes in this machine which actually present a far nastier attack vector than plain USB (DMA!) that currently don't really have any defenses other than superglue.

It'd be super nifty if usbkill 0.2.0 could also support system killing on changes on the Firewire/Thunderbolt/Ethernet ports as well.

usbkill can now execute custom commands which are defined in the config.

What would be useful commands and examples for different setups? Does osx, bsd and (deb)linux support these commands?

I'm thinking about commands like `shred' and commands that release tc or luks volumes (and keys).

Are there commands for ram and/or swap?

Hello,

Here is what I tried, and the resulting message:

sudo python3 ./usbkill.py

Traceback (most recent call last):
File "./usbkill.py", line 170, in
loop(whitelisted_devices, sleep_time)
File "./usbkill.py", line 117, in loop
log(msg)
File "./usbkill.py", line 37, in log
os.system("echo '" + str(time) + " " + msg + "' >> " + logfile)
TypeError: Can't convert 'tuple' object to str implicitly

This isn't dead, is it?

Any way to work with firewire possibly with the system_profiler SPFireWireDataType
command

The current settings file format is a bit hacky, it would be cleaner to replace it with the standard python ConfigParser package.

When running this I get the following error:

$ sudo python3 setup.py
Traceback (most recent call last):
File "setup.py", line 28, in
from distutils.core import setup
ModuleNotFoundError: No module named 'distutils.core'

According to the sdmem manual page:

-f     fast (and insecure mode): no /dev/urandom.

-l     lessens the security. Only two passes  are  written:  the  first
              with 0x00 and a final random one.

-l     -l  for  a  second time lessons the security even more: only one
              pass with 0x00 is written.

When the command is sdmem -fll, I don't see how this could protect against something like https://blog.f-secure.com/cold-boot-attacks/

OS: Ubuntu 14.04.2 - 64 bits

Whenever I launch usbkill, the nuking process happens. The strangest thing is I don't have any USB device plugged so I'm wondering what could possibly change but the log are not very helpful to see that:

2015-05-12 12:01:40.163343 [INFO] Started patrolling the USB ports every 0.25 seconds...
Current state:
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

2015-05-12 12:01:40.286210 Detected a USB change. Dumping the list of connected devices and killing the computer...
Current state:
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Could this be changed to act as a dead man's switch so that the computer halts if a USB device is removed?

Hello,

as I tried to run usbkill with my iPhone and a mouse (which I was able to eliminate as source of the problem) attached to the USB ports, I received this error:

             _     _     _ _ _  
            | |   | |   (_) | | 
  _   _  ___| |__ | |  _ _| | | 
 | | | |/___)  _ \| |_/ ) | | | 
 | |_| |___ | |_) )  _ (| | | | 
 |____/(___/|____/|_| \_)_|\_)_)

Traceback (most recent call last):
  File "usbkill.py", line 376, in <module>
    loop(settings)
  File "usbkill.py", line 252, in loop
    start_devices = lsusb()
  File "usbkill.py", line 167, in lsusb
    return lsusb_darwin()
  File "usbkill.py", line 160, in lsusb_darwin
    check_inside(result, devices)
  File "usbkill.py", line 153, in check_inside
    check_inside(result_deep, devices)
  File "usbkill.py", line 145, in check_inside
    devices.append(DEVICE_RE[1].findall(result["vendor_id"])[0] + ':' + DEVICE_RE[1].findall(result["product_id"])[0])
IndexError: list index out of range

After I unplugged the phone, the script started properly.
I use a MacBook Air Mid 2013 with OS X 10.10.3.

And - when I terminate the program with Ctrl + C, this error is thrown:

Traceback (most recent call last):
  File "usbkill.py", line 376, in <module>
    loop(settings)
  File "usbkill.py", line 280, in loop
    sleep(settings['sleep_time'])
  File "usbkill.py", line 284, in exit_handler
    log("[INFO] Exiting because exit signal was received")
TypeError: log() takes exactly 2 arguments (1 given)

http://prntscr.com/7tcy58

I wonder i make mistake or it's not support for windows?

Just an issue to say that this needs not be addressed by others for the moment.

Hello! I've just downloaded usbkill to try it, but i've this error:
~ $ sudo python3 usbkill.py
File "usbkill.py", line 4

^
SyntaxError: invalid syntax

I've runing usbkill on a virtual machine with Linux Mint 17.1 32 bits.

Thank you very much!

I've been trying to run this script, but I continued to get this error:

Secure-MBA:~ austink$ sudo python /Users/austink/Downloads/usbkill-master/usbkill.py 
Traceback (most recent call last):
  File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 32, in <module>
    import configparser
ImportError: No module named configparser

So then I changed configparser to ConfigParser and it runs a bit further, albeit with this error:

Secure-MBA:~ austink$ sudo python /Users/austink/Downloads/usbkill-master/usbkill.py 
             _     _     _ _ _  
            | |   | |   (_) | | 
  _   _  ___| |__ | |  _ _| | | 
 | | | |/___)  _ \| |_/ ) | | | 
 | |_| |___ | |_) )  _ (| | | | 
 |____/(___/|____/|_| \_)_|\_)_)

Traceback (most recent call last):
  File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 275, in <module>
    settings = startup_checks()
  File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 242, in startup_checks
    if subprocess.check_output("fdesetup isactive", shell=True).strip() != "true":
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 573, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'fdesetup isactive' returned non-zero exit status 1

I am aware that I don't have FileVault enabled, but I should still be able to run the script anyway, right? According to python -V I have version 2.6.7.

Hey heph - awesome tool. Simple but effective!

Since there's already been some discussion of vulnerabilities and patches, I think it'd be good if this software included some internal semantic versioning so that it's easier to discuss which versions contain vulnerabilities.

As a bonus, you could include a setup.py file for versioning, and then distribute usbkill on pip for easy installation.

Thanks again!

For OS X, why not use command
system_profiler SPUSBDataType
to check the usb status?
So that OS X users do not need to install lsusb anymore.

Not exactly sure what's causing this. I'll be glad to provide more information if needbe. I double checked and everything in my config is valid.

sudo /usr/local/bin/python3 /Users/cedwardsmedia/Scripts/usbkill.py --no-shut-down
             _     _     _ _ _
            | |   | |   (_) | |
  _   _  ___| |__ | |  _ _| | |
 | | | |/___)  _ \| |_/ ) | | |
 | |_| |___ | |_) )  _ (| | | |
 |____/(___/|____/|_| \_)_|\_)_)

[NOTICE] Ready to execute all the (potentially destructive) commands, but NOT shut down the computer.
Traceback (most recent call last):
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 137, in check_inside
    result["Built-in_Device"]
KeyError: 'Built-in_Device'

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 379, in <module>
    loop(settings)
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 252, in loop
    start_devices = lsusb()
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 166, in lsusb
    return lsusb_darwin()
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 159, in lsusb_darwin
    check_inside(result, devices)
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 152, in check_inside
    check_inside(result_deep, devices)
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 152, in check_inside
    check_inside(result_deep, devices)
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 152, in check_inside
    check_inside(result_deep, devices)
  File "/Users/cedwardsmedia/Scripts/usbkill.py", line 144, in check_inside
    devices.append(DEVICE_RE[1].findall(result["vendor_id"])[0] + ':' + DEVICE_RE[1].findall(result["product_i$
IndexError: list index out of range

Have the app monitor the decibels coming from the microphone and let the user set a threshold. If the threshold is passed shut down the PC. Example being prevented from touching your PC but by screaming or a loud noise would trigger the shutdown allowing a hands free system.

Hi. Please consider packaging USBKill for Debian. Will make a neat addition to PC/server security.

I don't know if custom commands are supported but nuking cryptsetup keyslots would be a good option.

cc/ @adrelanos

I think the only thing '3' about this is the use of print() rather than print - but print() still works in python2.6+, which is what ships with OSX. I think this can be removed from the docs now that lsusb is gone.

stuck at step 1:

sudo python usbkill.py

[ERROR] You have lost your settings file. Get a new copy of the usbkill.ini and place it in /etc/ or in /Users/dgefe/Downloads/

I have redownloaded and placed usbkill.ini into downloads to no avail.

Any help would be appreciated!

Thanks

Is Windows 8 supported?

No matter where I put usbkill.ini (tried /private/etc/usbkill/ and /etc/usbkill/ and ~/Users/.../Downloads/usbkill-master/usbkill/ but I always get the error:

"[ERROR] You have lost your settings file. Get a new copy of the usbkill.ini and place it in /etc/ or in /Users/Raul/Downloads/usbkill-master/usbkill/"

It works fine with the Dev version, but it doesn't allow the --no-shutdown option

Hello. I want to propose to add a setting with would allow to ignore USB sevices with given ID, that they won't trigger the app when suddenly it get plugged off.

Examples (on me):

I have my phone connected to the computer thru USB and it seem that the cable (from the side) has a loosen fit with the socket, with causes that a light move of the phone causes that the system treat it as disconnection. I wouldn't be wanting that this would cause my computer to suddenly turn off thru such thing.

Would you accept this change? I've started hacking on usbkill and quickly noticed that it'd be a lot easier to develop for with a test mode that didn't shut down my computer every time I wanted to use it!

This would be configurable with both --test parameters and an entry in the settings file.

[Sorry, I'm about to submit a bunch of tickets, prepare yourself! I'm a paranoid person who works out of public spaces quite a lot, and this tool makes me feel safer about leaving my laptop unattended, so I want to bend it to my will now!]

I have been playing around with a curses interface and I think it looks nice. It may not be necessary but it's a nice touch.

How can i run usbkill in background ? Is using tmux reliable or should one use other tools ?

Firstly wanted to thank you for neat app. I whitelisted my Yubikey Neo and i have an issue only if: If YubikeyNEO inserted before running usbkill and then remove it macos Sierra shuts down, but when i run usbkill and then plug it in and then unplug it it works fine. Any Suggestions? Thank you

When devices are inserted into the computer before staring usbkill they seem to be a accepted with no risk of shutdown.
This is absolutely fine and exactly what I'd expect.
However, it seems that if you remove one of those pre-starting-usbkill devices, it triggers the shutdown mechanism.

Is there any way to allow devices to be removed without causing a shutdown?

Hi there,

Here's the original title (actually the headline of the repo):

usbkill waits for a change on your USB ports, then immediately kills your computer. Anti forensic, USB -> kill)

This short description seem to confuse people as I saw on Twitter "USBKill used to wipe clean criminal’s PCs". This is totally wrong. It is does not wipe anything (and is not specially for criminals but that's not the subject).

Now here's the current README title:

« usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

It looks more comprehensible and will confuse less people.

So could you update the repo headline by the README one please?

Sincerely,
S.

In the README:

[!] Important: Make sure to use (partial) disk encryption! Otherwise they will get in anyway.

partial?