Security Data Storage Encryption

USBKill Transforms a Thumb Drive Into an "Anti-Forensic" Device

Orome1 writes with a snippet from a report at net-security.org: a hacker going by Hephaestos has shared with the world a Python script that, when put on a USB thumb drive, turns the device into an effective kill switch for the computer to which it's plugged in. USBkill, as the programmer dubbed it, "waits for a change on your USB ports, then immediately kills your computer." The device would be useful "in case the police comes busting in, or steals your laptop from you when you are at a public library," Hephaestos explained.

  • we coulda had in school
  • Doesn't TrueCrypt support full drive encryption and USB-based hardware keys for decryption? That sounds like all this "invention" does. It doesn't actually kill your computer.
    • by Orestesx ( 629343 ) on Tuesday May 05, 2015 @11:05AM (#49621631)
      This is to be used in conjunction with TrueCrypt. The summary is alluding to the arrest of the alleged founder of Silk Road at a public library. He was using a computer with full disk encryption, but they physically separated him from the laptop before he could power it off. Attach this to your wrist, and the machine will be powered off when the USB drive is removed from its port.
      • Ohhh so the drive isn't a decryption key, it's just a monitored device and the script basically runs
        shutdown /s /t 1
        a second after it noticed the USB device has been removed. Clever :D
      • Re: (Score:3, Interesting)

        Which opens you up to all kinds of high circumstantial evidence prosecution. Evidence that you may have been involved in a crime coupled with a psychotic behavior in which you put your computer data at severe risk to handle an unexpected seizure? If they have weak evidence showing your involvement in a crime, the corroborating behavior provides circumstantial evidence supporting their weak evidence; either by itself may be inadmissible.
        • by Dunbal ( 464142 ) * on Tuesday May 05, 2015 @12:03PM (#49622267)
          If they have a tactical team breaking into your house you are pretty much fucked on circumstantial evidence anyway... It might mean the difference between 5 years in prison and life in prison though. "We're sure he had 'x' on his hard drive" is a lot weaker than "we found 'x' on his hard drive"...
        • The question isn't "is this suspicious behavior," since it clearly is. The real question is, "is this suspicious behavior worse than the gigabytes of evidence that is easily collected without it?" If yes, don't bother; if no, use it.
          • Thing is, someone wiping their drive isn't evidence of a crime. At the same time, various evidence of a crime--Internet connections, behaviors, associates--isn't going to get you a conviction, at all. When you put these together, you get a different picture: we have a highly-circumstantial pattern of behavior that may or may not prove the suspect was a criminal, and the subject panicked and destroyed the thing that may have but was not certain to contain hard evidence proving that this behavior pattern

            • This doesn't prevent suspicion and it doesn't prevent you from being arrested. The police arrest you and seize your property because they think you've committed a crime - at that point, there's no convincing them that you didn't. This is about avoiding conviction or keeping highly sensitive information secret. Of course, if the information on your computer isn't highly sensitive and you aren't doing anything illegal, and you are not super paranoid about your privacy, then you probably shouldn't be using t
              • Arrest is largely a non-issue; it's conviction I'm talking about. Raising suspicion by these activities can get you a conviction.
                • by Orestesx ( 629343 ) on Tuesday May 05, 2015 @01:27PM (#49623171)
                  Maybe. But getting caught with incriminating data is almost certain to get you convicted. Think about it this way. You're a defense lawyer. Would you rather explain your defendant's suspicious behavior, or an excel spreadsheet showing how much coke he's sold this month?
          • by TheCarp ( 96830 )

            Actually there is no downside AT ALL to using it.

            In the end, the drive still exists, you still have the data. If there is nothing there to find, you can always find a way to cooperate and use the data on the drive. However, this tool lets you do that at your option rather than at theirs.

        • by mysidia ( 191772 )

          with a psychotic behavior in which you put your computer data at severe risk to handle an unexpected seizure

          Auto locking your computer is not putting your data at risk.

          There is a very legitimate concern that you might forget to lock it, and you might become the victim of identity theft if some robber pilfers your computer, when you stepped away for a bit and forgot to lock the screen.

          The concern about data theft is also a reason to use full drive encryption, or even back the system up to an encrypted

        • It doesn't put your data at risk. It doesn't wipe the drive, it just powers off the machine.
      • by mcrbids ( 148650 )

        So then the police just cut your hand off. One more reason why biometrics isn't such a great idea.

        • by Zmobie ( 2478450 )

          Peter Gibbons once put it best: "This isn't Riyadh. You know they're not gonna saw your hands off here, alright? "

      • Attach this to your wrist, and the machine will be powered off when the USB drive is removed from its port.

        You mean attach a cord to the USB thumb drive, tie the other end to your wrist, and insert the thumb drive into your computer before using it?

        Seems like a hassle. The cord would have to be pretty short for this to work. It might be ok for temporary sessions on a laptop at the public library, but not for daily use with your home desktop (which is likely not on your desk but on the floor).

        Someone should make a wireless version. Using a USB wireless mouse with those little snub receivers you plug into the USB

        • so at home you tie it to the leg of your desk and if the door opens step on the string pulling the usb
  • by OzPeter ( 195038 ) on Tuesday May 05, 2015 @10:59AM (#49621561)

    I mean my USB hub never drops my mouse connection or anything like that. So there is no chance of a false positive.

    • by SecurityGuy ( 217807 ) on Tuesday May 05, 2015 @11:08AM (#49621673)

      No real risk, beyond that of inconvenience. All it does is shut your computer down. It's not wiping anything or physically damaging the hardware, it's just turning it off and relying on you using full disk encryption to actually protect your data.

      • Actually, if you shut down at an important time, that could very much be a problem.

        I would personally use a better setup with a lower-level protocol. For example, you could use two GPIO pins connected together. If they disconnect for more than x milliseconds, it fails. (A direct physical connection, no protocols, no hubs.) You could use an audio cable with a dedicated sound port (pci/usb soundcards are dirt cheap) and ensure the signal doesn't terminate. You could use a serial port and send a constant stre
        • by gatkinso ( 15975 )

          It is invoking the poweroff command (shutdown on Apple), not yanking the power. Read the code.

        • Shutting down the computer even in the middle of writing is the least of your concerns when you are trying to hide information from the authorities or someone else. What you want is to avoid the system being left in a logged in state.

          Last I checked you can also reconfigure what your power button does. You can have it so it shuts down. In some BIOS you can set it so it turns off "AT PSU" style which is an instant power off.

    • by gatkinso ( 15975 )

      I would imagine that the consequences of the information on the computer being compromised outweighs the inconvenience of an accidental shutdown.

    • by mysidia ( 191772 )
      A slight variant, would be on USB device drop/change.... immediately lock screen Beep, and system will hard power off if not unlocked within 15 seconds. Other mitigating measures might also be taken such as purging any sensitive creds from RAM; temporarily shutting off all network interfaces and unloading unnecessary drivers such as Wireless NIC, Firewire, that might present attack surface.
    • by Moof123 ( 1292134 ) on Tuesday May 05, 2015 @12:43PM (#49622711)

      That is probably a tactic to be used by the authorities. If they get a hold of the laptop and sneak in some piece of hardware to make the USB drop every now and then, the suspect will pretty soon disable it.

      Way back when I worked for a 3 letter acronym this was a pretty low tech solution often employed to circumvent alarms of all sorts. Just randomly trigger the alarm every few hours at night and within a few days it will be turned off out of disgust or at the orders of any cops that have been dispatched the last half dozen times. Now you can waltz in and do your dirty work.

  • Too bad that's not installed by default on the two most used desktop operating systems.

    • If you don't have access to Python, I feel bad for you, I really do.

      That being said, to be more serious, it's not like you can't port the concept to any language, and any port/protocol. You could have it connected to a bluetooth watch/key/anything and if you walk too far from your computer it automatically shuts down.
    • by stooo ( 2202012 )

      Python is cross platform, you can use it on any OS.

  • by xxxJonBoyxxx ( 565205 ) on Tuesday May 05, 2015 @11:03AM (#49621605)

    Here's the source:
    https://github.com/hephaest0s/... [github.com]

    What's next - a tutorial on how to press the power button?

    • It even syncs the disks before shutting down! v_v

      Such a non-news story... omg, this is "interesting" in so far as an odd tool that has little possible use(?)

    • Are you sure that is the final source?
      Is it possible that this is the code for validating the USB interaction and he didn't want to actually brick his computer with every test?
    • That reboots the machine! use -h at least. geez
    • She thinks she turns off her computer by pressing the power button on her monitor. She also calls the internet...AOL.

  • Deadmans Switch (Score:5, Insightful)

    by Liquidretro ( 1590189 ) on Tuesday May 05, 2015 @11:05AM (#49621625)
    So it's a deadman's switch basically.
    • Re: (Score:3, Informative)

      Comment removed based on user account deletion
      • Re:Deadmans Switch (Score:5, Informative)

        by smallfries ( 601545 ) on Tuesday May 05, 2015 @11:42AM (#49622031) Homepage

        No. A deadman's switch is an idea that has been around in analogue fail-safe systems for a long time. It is typically a device that you have to hold onto in order to keep the machine running. What you describe is one software implementation of that idea, but the GP is correct that this is another.

        • Comment removed based on user account deletion
  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Tuesday May 05, 2015 @11:09AM (#49621675)
    Comment removed based on user account deletion
    • by infolation ( 840436 ) on Tuesday May 05, 2015 @11:21AM (#49621787)

      Wiping the contents of your laptop, or refusing to give a password in the US, is generally met with unfavourable consequences

      Better than in the UK, where it's a criminal offence punishable by two years imprisonment. (Regulation of Investigatory Powers Act 2000, Part III)

      And people are really locked up for that [pcpro.co.uk] here.

      • by Dunbal ( 464142 ) *
        But two years might be better than the alternative.
    • by ScentCone ( 795499 ) on Tuesday May 05, 2015 @11:28AM (#49621867)

      "In case the police come busting in" is a condition typically followed by a hailstorm of bullets here in the United States

      I see. You live inside a bad television episode? How many hacker apartment door breakdowns followed by "hailstorms of bullets" can you cite from this month, here in this country of over 300,000,000 people? Please be specific.

      • He overstated it a little bit: if you're dealing drugs in 'cyberspace,' they'll just arrest you. It's only 'meatspace' drug dealers that get shot.

      • That's right. It never happens. The police always knock three times and leave quietly if nobody answers. You know what's sad about the summary there is that we have to fear the cops as much as any other common thief.

    • The abuses you describe have all happened in one form or another, though they're fortunately not the universal experience here.

      met with unfavourable consequences

      Clearly you favour spellings that add a bit of colour to the Queen's English, eh? OK, just kidding, but it is fun to speculate that you might be from Canada or the UK.

  • If you're that worried just work on a remote machine in a secure location via an encrypted remote desktop session. Nothing in local ram or disk. Anyway, since when does "kill" equal "shutdown nicely"? *sigh*
  • by mveloso ( 325617 ) on Tuesday May 05, 2015 @11:10AM (#49621687)

    How do you pee if this is attached to you? Do you keep a bunch of one-gallon jugs next to your desk?

    • Clever users will detach it, I assume.
      • But then they'll just forensic your laptop while you're gone,

        only solution is to bring it with you

    • If you're going for a pee break, leaving your laptop alone, powered, is a ridiculously stupid thing if you're security conscious.

      You power it off, you take it with you.

    • It's not a kill switch that destroys your computer. It's a kill switch that shuts it down after flushing the disk cache (under the assumption that, as a career criminal with a vested interest in keeping your evidence locked down, you have an encrypted file system). So if you go use the bathroom, your PC turns off. If you have a SSD it will take you literally several seconds to boot again and remount your encrypted file system. Slightly inconvenient, but much better than if the police are able to rip you
    • by suutar ( 1860506 )

      shut down, go to bathroom, come back. If you're using this, you have decided that unattended uptime is not acceptable.

    • >> Do you keep a bunch of one-gallon jugs next to your desk?

      At the homeless-packed library near my office you'd fit right in.

    • by dissy ( 172727 )

      How do you pee if this is attached to you? Do you keep a bunch of one-gallon jugs next to your desk?

      Step 1 - You get up and go pee.
      Step 2 - You come back to the computer and press the power button.
      Step 3 - You continue with whatever it was you were doing before nature called.

      Not all that difficult for a select tiny few, though I can see how most people would be confused and bewildered at the requirements.

  • .... qualify as deliberate tampering with evidence?

    Even if you aren't guilty of whatever they were believing that the evidence on the computer would incriminate you for, that's still a crime, and not a very lightly taken one.

    • by DarkOx ( 621550 )

      It's kind of a grey area. Full disk encryption could itself be thought of in those terms. I mean why are you ciphering literally every block of information you store? Certainly it must be because you have something to hide, right?

      If you immediately start destroying the equipment when the cops show up that is a problem, but in the case we have a device that has a normal operating behavior of putting itself into a secured state (by shutting down) whenever your wrist leaves its proximity. It's not illegal (yet) to use

    • by burni2 ( 1643061 )

      It's all about the question that the definition "seized" and "going to be seized" are clearly laid out.

      If the tool is installed to automatically prevent access to the data on that pc - you are not tampering with evidence.

      The computer does it on its own. Also when police comes to you, and you see them your pc is not yet seized, so all actions up until the moment when they take something away are ok.

      You should not have a remote connection to the pc (via umts modem, infrared or else) that you use to access t

  • I read the introduction, and was expecting a Mission: Impossible-style "This computer will self-destruct in 5 seconds" with smoke and everything...

  • by eastjesus ( 3182503 ) on Tuesday May 05, 2015 @11:51AM (#49622129)
    Reminds me of something I wrote back around 1981. Working with the early IBM PC at the machine code level several flaws surfaced and for fun I packaged them all together in the boot sector of a 5 1/4" floppy which we put in a "break glass" box and put on the wall (There were no hard drives yet, the XT wasn't out yet). If you placed the floppy in the boot drive it would destroy the hardware in a few seconds. First, there was a bit on the original IBM display adapter (mono text only) which would lock the horizontal sweep on the standard IBM monitor forcing the horizontal output power transistor to overheat and burn out. You would see the display image collapse while the monitor would squeal while smoke (literally!) would come out the sides and back, and die with a $200 repair to fix it. Second, there were no stops on the head movement on those original floppy drives - with the right loop they would step out until the heads fell off inside the case with a pair of clunks if you had a 2 drive system. (Not a difficult repair, but you had to know what you were doing and get into the floppy drives themselves to fix it.) Finally, the speaker ran off of a shift register which could be loaded with a really nasty PWM sound and set to free run. With interrupts disabled and the CPU halted, the machine sat there smoking with a very loud nerve-rattling siren, completely dead and unable to boot. It would require major physical repairs to get it working again. The monitor would stink for weeks afterwards.
    • by PRMan ( 959735 )
      I used to work at a place that got a virus similar to your code. A user got it from a bad floppy and the EGA monitors kept blowing up (the user's and 2 more I hooked it up to). I finally hooked it to a Hercules monochrome monitor and the screen came up. I looked up the virus on a virus vendor's BBS system and printed removal instructions and removed it.
  • by Lumpy ( 12016 ) on Tuesday May 05, 2015 @12:14PM (#49622381) Homepage

    Just set up a script on the machine looking for a specific USB device, start shutdown if the device is not present. This is pretty common stuff, hell my old Lenovo laptop has a smartcard slot in it that would do the same thing if the card was removed.

    In fact if you look you can find the same thing all over the place for the last decade on many hacking sites, even back in the late 90's this kind of stuff was on the "scene" I had back to back modems in telcom rooms inside boxes that if the box was opened it dumped 110V into the modem logic boards so that when discovered they would self destruct.

    Most "hackers" today probably don't even own a buttset.

    • by gatkinso ( 15975 )

      Why a specific USB device? This can be used for any device. Also, you can white list devices. Read the code, or is that not old school enough for you?

      • by Lumpy ( 12016 )

        Because making it look for ANY device means I can insert another USB device and then disconnect yours.
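
The thread contrasts three trigger rules: any port change, a whitelist of devices allowed to come and go, and one specific tether device, plus a lock-first grace window to ride out hub glitches. The sketch below is an added example, not USBkill's code and not any commenter's; the class name, device ids and poll-based grace window are assumptions, and the snapshots are constructed rather than read from real ports.

```python
"""Decision logic for a USB dead-man's switch, run over constructed port snapshots."""
from dataclasses import dataclass, field
from typing import FrozenSet, Iterable, List

OK, LOCK, POWEROFF = "ok", "lock", "poweroff"

# Constructed vendor:product ids, for illustration only.
TETHER, MOUSE, UNKNOWN = "aaaa:0001", "bbbb:0002", "cccc:0003"


@dataclass
class UsbWatchPolicy:
    tether: str                              # id of the drive tied to the user
    whitelist: FrozenSet[str] = frozenset()  # ids allowed to come and go freely
    grace_polls: int = 2                     # polls the tether may stay missing
    missing: int = field(default=0, init=False)

    def evaluate(self, present: Iterable[str]) -> str:
        """Return the action for one snapshot of the ids currently attached."""
        present = frozenset(present)
        # Any id that is neither whitelisted nor the tether is treated as hostile,
        # so plugging in a substitute device cannot mask removal of the tether.
        if present - self.whitelist - {self.tether}:
            return POWEROFF
        if self.tether in present:
            self.missing = 0
            return OK
        # Tether gone: lock at once, power off only if it stays gone.
        self.missing += 1
        return LOCK if self.missing <= self.grace_polls else POWEROFF


def run(policy: UsbWatchPolicy, snapshots: Iterable[Iterable[str]]) -> List[str]:
    """Feed snapshots to the policy in order; stop at the first power-off."""
    actions = []
    for snap in snapshots:
        action = policy.evaluate(snap)
        actions.append(action)
        if action == POWEROFF:
            break
    return actions


# Constructed scenarios.
HUB_GLITCH = [{TETHER, MOUSE}, {TETHER}, {MOUSE}, {TETHER, MOUSE}]
PULLED = [{TETHER, MOUSE}, {MOUSE}, {MOUSE}, {MOUSE}]
SWAP = [{TETHER, MOUSE}, {TETHER, MOUSE, UNKNOWN}, {MOUSE, UNKNOWN}]


def new_policy() -> UsbWatchPolicy:
    return UsbWatchPolicy(tether=TETHER, whitelist=frozenset({MOUSE}))


if __name__ == "__main__":
    for name, scenario in (("hub glitch", HUB_GLITCH), ("pulled", PULLED), ("swap", SWAP)):
        print(name, run(new_policy(), scenario))
```

The `LOCK` and `POWEROFF` results are only labels here; wiring them to a screen locker or a shutdown command is platform-specific and left out.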
