USBKill

Developer(s): Hephaest0s
Stable release: 1.0-rc4 / January 18, 2016
Written in: Python
Operating system: BSD, Linux, macOS, other Unix-like systems
Size: 15.6 KB
Type: Anti-forensic
License: GNU General Public License
Website: github.com/hephaest0s/usbkill

USBKill is anti-forensic software distributed via GitHub, written in Python for the BSD, Linux, and OS X operating systems. It is designed to serve as a kill switch if the computer on which it is installed should fall under the control of individuals or entities against the desires of the owner.[1] It is free software, available under the GNU General Public License.[2]


The program's developer, who goes by the online name Hephaest0s, created it in response to the circumstances of the arrest of Silk Road founder Ross Ulbricht, during which U.S. federal agents were able to get access to incriminating evidence on his laptop without needing his cooperation by copying data from its flash drive after distracting him.[3] It maintains a whitelist of devices allowed to connect to the computer's USB ports; if a device not on that whitelist connects, it can take actions ranging from merely returning to the lock screen to encrypting the hard drive, or wiping all data on the computer. However, it can also be used as part of a computer security regimen to prevent the surreptitious installation of malware or spyware or the clandestine duplication of files, according to its creator.[4]

Background

When law enforcement agencies began making computer crime arrests in the 1990s, they would often ask judges for no-knock search warrants, to deny their targets time to delete incriminating evidence from computers or storage media. In more extreme circumstances, where it was likely that the targets could get advance notice of arriving police, judges would grant "power-off" warrants, allowing utilities to turn off the electricity to the location of the raid shortly beforehand, further forestalling any efforts to destroy evidence before it could be seized. These methods were effective against criminals who produced and distributed pirated software and movies, which was the primary large-scale computer crime of the era.[1]

By the 2010s, the circumstances of computer crime had changed along with legitimate computer use. Criminals were more likely to use the Internet to facilitate their crimes, so they needed to remain online most of the time. To do so, and still keep their activities discreet, they used computer security features like lock screens and password protection.[1]

For those reasons, law enforcement now attempts to apprehend suspected cybercriminals with their computers on and in use, all accounts both on the computer and online open and logged in, and thus easily searchable.[1] If they fail to seize the computer in that condition, there are some methods available to bypass password protection, but these may take more time than police have available. It might be legally impossible to compel the suspect to relinquish their password; in the United States, where many computer-crime investigations take place, courts have distinguished between forcing a suspect to use material means of protecting data such as a thumbprint, retinal scan, or key, as opposed to a password or passcode, which is purely the product of the suspect's mental processes and is thus protected from compelled disclosure by the Fifth Amendment.[5]

The usual technique for authorities—either public entities such as law enforcement or private organizations like companies—seizing a computer (usually a laptop) that they believe is being used improperly is first to physically separate the suspect user from the computer enough that they cannot touch it, to prevent them from closing its lid, unplugging it, or typing a command. Once they have done so, they often install a device in the USB port that spoofs minor actions of a mouse, touchpad, or keyboard, preventing the computer from going into sleep mode, from which it would usually return to a lock screen that would require a password.[6]

Agents with the U.S. Federal Bureau of Investigation (FBI) investigating Ross Ulbricht, founder of the online black market Silk Road, learned that he often ran the site from his laptop, using the wireless networks available at branches of the San Francisco Public Library. When they had enough evidence to arrest him, they planned to catch him in the act of running Silk Road, with his computer on and logged in. They needed to ensure he was unable to trigger encryption or delete evidence when they did.[3]

In October 2013, a male and female agent pretended to have a lovers' quarrel near where Ulbricht was working at the Glen Park branch. According to Business Insider, Ulbricht was distracted and got up to see what the problem was, whereupon the female agent grabbed his laptop while the male agent restrained Ulbricht. The female agent was then able to insert a flash drive into one of the laptop's USB ports, with software that copied key files.[3] According to Joshuah Bearman of Wired, a third agent grabbed the laptop while Ulbricht was distracted by the apparent lovers' fight and handed it to agent Tom Kiernan.[7]

Use

In response to the circumstances of Ulbricht's arrest,[4] a programmer known as Hephaest0s developed the USBKill code in Python and uploaded it to GitHub in 2014. It is available as free software under the GNU General Public License and currently runs under both Linux and OS X.[4]

The program, when installed, prompts the user to create a whitelist of devices that are allowed to connect to the computer via its USB ports, and then checks the attached devices against that whitelist at an adjustable sample rate. The user may also choose what actions the computer will take if it detects a USB device not on the whitelist (by default, it shuts down and erases data from the RAM and swap file). It must be run as root. Hephaest0s cautions users that they must be using at least partial disk encryption along with USBKill to fully prevent attackers from gaining access;[4] Gizmodo suggests using a virtual machine that will not be present when the computer reboots.[8]

It can also be used in reverse, with a whitelisted flash drive in the USB port attached to the user's wrist via a lanyard serving as a key. In this instance, if the flash drive is forcibly removed, the program will initiate the desired routines. "[It] is designed to do one thing," wrote Aaron Grothe in a short article on USBKill in 2600, "and it does it pretty well." As a further precaution, he suggests users rename it to something innocuous once they have loaded it on their computers, in case someone might be looking for it on a seized computer to disable it.[6]

In addition to its designed purpose, Hephaest0s suggests other uses unconnected to a user's desire to frustrate police and prosecutors. As part of a general security regimen, it could be used to prevent the surreptitious installation of malware or spyware on, or copying of files from, a protected computer. It is also recommended for general use as part of a robust security practice, even when there are no threats to be feared.[4]

Variations and modifications

With his 2600 article, Grothe shared a patch adding a feature that allows the program to shut down a network when a non-whitelisted USB device is inserted into any terminal.[6] Nate Brune, another programmer, created Silk Guardian, a version of USBKill that takes the form of a loadable kernel module; he "remade this project as a Linux kernel driver for fun and to learn."[9] In the issue of 2600 following Grothe's article, another writer, going by the name Jack D. Ripper, explained how Ninja OS, an operating system designed for live flash drives, handles the issue. It uses a memory-resident bash script as a watchdog timer: the script loops three times a second, checking whether the boot device (i.e., the flash drive) is still mounted, and reboots the computer if it is not.[10]
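The following is an added example written for this page; it is not USBKill's, Silk Guardian's or Ninja OS's own source. It shows the mechanism the Use section describes: enumerate attached USB devices at a fixed sample rate, compare them against a whitelist keyed on vendor:product ids, and fire an action when an unknown device appears or (the reverse, lanyard mode) when a designated key device disappears. The same poll-and-trigger loop is what the Ninja OS watchdog applies to the boot device's mount state. For a live run it assumes the `lsusb` tool from usbutils is installed; the sample output, the `abcd:1234` id and the `report` action are constructed placeholders.

```python
"""Added example: a minimal USB whitelist monitor in the style of USBKill.
Illustrative code for this page, not the project's own. Assumes `lsusb`
(usbutils) for live enumeration; sample output below is constructed."""
import re
import subprocess
import time
from typing import Optional, Set, Tuple

# One lsusb line looks like:
#   Bus 001 Device 003: ID 0781:5583 SanDisk Corp. Ultra Fit
# The whitelist is keyed on the vendor:product id pair.
LSUSB_LINE = re.compile(r"^Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})", re.I)

# Constructed sample output (not captured from a real machine).
SAMPLE_BASELINE = (
    "Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub\n"
    "Bus 001 Device 002: ID 046d:c52b Logitech, Inc. Unifying Receiver\n"
    "Bus 001 Device 003: ID 0781:5583 SanDisk Corp. Ultra Fit\n"
)
# Same machine after an unknown device (placeholder id abcd:1234) is inserted.
SAMPLE_INTRUDER = SAMPLE_BASELINE + "Bus 001 Device 004: ID abcd:1234 Unknown device\n"
# Same machine after the SanDisk "key" drive on the lanyard is pulled out.
SAMPLE_KEY_REMOVED = SAMPLE_BASELINE.replace(
    "Bus 001 Device 003: ID 0781:5583 SanDisk Corp. Ultra Fit\n", "")


def parse_lsusb(output: str) -> Set[str]:
    """Extract the set of vendor:product ids from lsusb output."""
    ids: Set[str] = set()
    for line in output.splitlines():
        match = LSUSB_LINE.match(line.strip())
        if match:
            ids.add(match.group(1).lower())
    return ids


def list_devices() -> Set[str]:
    """Enumerate currently attached devices by running lsusb (assumed installed)."""
    result = subprocess.run(["lsusb"], capture_output=True, text=True, check=False)
    return parse_lsusb(result.stdout)


def check_devices(current: Set[str], whitelist: Set[str],
                  key_device: Optional[str] = None) -> Tuple[Set[str], bool]:
    """Return (ids present but not whitelisted, whether the key device is missing).

    `key_device` is the reverse mode: a whitelisted drive that must stay plugged
    in; its removal counts as a trigger just like an unknown insertion."""
    unauthorized = {dev for dev in current if dev not in whitelist}
    key_missing = key_device is not None and key_device not in current
    return unauthorized, key_missing


def should_trigger(current: Set[str], whitelist: Set[str],
                   key_device: Optional[str] = None) -> bool:
    unauthorized, key_missing = check_devices(current, whitelist, key_device)
    return bool(unauthorized) or key_missing


def monitor(whitelist, action, key_device=None, interval=0.25,
            enumerate_devices=list_devices, max_polls=None):
    """Poll the bus every `interval` seconds (USBKill's adjustable sample rate).

    On the first violation call action(unauthorized, key_missing) and return that
    pair; return None if `max_polls` polls pass without one (None = poll forever)."""
    polls = 0
    while max_polls is None or polls < max_polls:
        unauthorized, key_missing = check_devices(enumerate_devices(), whitelist, key_device)
        if unauthorized or key_missing:
            action(unauthorized, key_missing)
            return unauthorized, key_missing
        polls += 1
        if interval > 0:
            time.sleep(interval)
    return None


def report(unauthorized: Set[str], key_missing: bool) -> None:
    """Placeholder for USBKill's shutdown-and-wipe routine: only describes the event."""
    if unauthorized:
        print("non-whitelisted device(s) attached:", ", ".join(sorted(unauthorized)))
    if key_missing:
        print("key device removed")


if __name__ == "__main__":
    # Treat whatever is attached at startup as the whitelist, then watch for ~10 s.
    try:
        baseline = list_devices()
    except FileNotFoundError:
        raise SystemExit("lsusb not found; install usbutils to run this live")
    print("whitelist:", sorted(baseline))
    print("result:", monitor(baseline, report, interval=0.5, max_polls=20))
```

Two properties of this design matter in practice. The whitelist identifies devices by the vendor:product id they report about themselves, so it recognises a claimed identity rather than authenticating the device; and because the check is a poll rather than a hotplug event handler, anything that happens between two samples goes unnoticed until the next one, which is why the sample rate is adjustable and why the author pairs the tool with disk encryption.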

References

  1. Ducklin, Paul (May 8, 2015). "The USBKILL anti-forensics tool – it doesn't do *quite* what it says on the tin". Naked Security. Sophos. Retrieved May 29, 2015.
  2. Hephaest0s (January 18, 2016). "usbkill.py". GitHub. Retrieved May 29, 2016.
  3. Bertrand, Natasha (May 29, 2015). "The FBI staged a lovers' fight to catch the kingpin of the web's biggest illegal drug marketplace". Business Insider. Retrieved May 30, 2016.
  4. Hephaest0s (2016). "Hephaest0s/usbkill". GitHub. Retrieved May 29, 2016.
  5. Vaas, Lisa (November 3, 2014). "Police can demand fingerprints but not passcodes to unlock phones, rules judge". Naked Security. Retrieved May 31, 2016.
  6. Grothe, Aaron (Winter 2015–16). "USBKill: A Program for the Very Paranoid Computer User". 2600: The Hacker Quarterly. 32 (4): 10–11.
  7. Bearman, Joshuah (May 2015). "The Rise and Fall of Silk Road Part II". Wired. Retrieved October 20, 2016.
  8. Mills, Chris (May 5, 2015). "Simple Code Turns Any USB Drive Into A Kill Switch For Your Computer". Gizmodo. Retrieved June 4, 2016.
  9. Brune, Nate. "Silk Guardian". GitHub. Retrieved February 5, 2024.
  10. Ripper, Jack D. (Spring 2016). "Another Solution to the USBKill.py Problem". 2600. 33 (1): 48–49.