Usbkill - an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

I've been trying to run this script, but I continued to get this error:

Secure-MBA:~ austink$ sudo python /Users/austink/Downloads/usbkill-master/usbkill.py 
Traceback (most recent call last):
  File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 32, in <module>
    import configparser
ImportError: No module named configparser

So then I changed configparser to ConfigParser and it runs a bit further, albeit with this error:

Secure-MBA:~ austink$ sudo python /Users/austink/Downloads/usbkill-master/usbkill.py 
             _     _     _ _ _  
            | |   | |   (_) | | 
  _   _  ___| |__ | |  _ _| | | 
 | | | |/___)  _ \| |_/ ) | | | 
 | |_| |___ | |_) )  _ (| | | | 
 |____/(___/|____/|_| \_)_|\_)_)

Traceback (most recent call last):
  File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 275, in <module>
    settings = startup_checks()
  File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 242, in startup_checks
    if subprocess.check_output("fdesetup isactive", shell=True).strip() != "true":
  File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 573, in check_output
    raise CalledProcessError(retcode, cmd, output=output)
subprocess.CalledProcessError: Command 'fdesetup isactive' returned non-zero exit status 1

I am aware that I don't have FileVault enabled, but I should still be able to run the script anyway, right? According to python -V I have version 2.6.7.

Having a requirement for python seems a little odd when udev could handle it on linux, ie a udev rule:

ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_MODEL}=="*", RUN+="/bin/shutdown 0"

This would tie it much closer to the hardware and prevent a simple pkill python from stopping it.

also potentially using diskutil activity on OSX

I was reading the code and these lines came to my attention:

start_devices = lsusb()
acceptable_devices = set(start_devices + whitelisted_devices)

Considering the discussion with @pwnsdx on twitter, this makes the pc vulnerable to the following scenario:

• Attacker has some kernel exploit to bypass login or read encryption keys from memory + physical access to the machine.
• It connects its usb pen with the exploit on it, the computer shuts down due to usbkill.
• He leaves his device attached and reboot the pc, now his device is put inside the acceptable_devices variable, thus whitelisted.

OS: Ubuntu 14.04.2 - 64 bits

Whenever I launch usbkill, the nuking process happens. The strangest thing is I don't have any USB device plugged so I'm wondering what could possibly change but the log are not very helpful to see that:

2015-05-12 12:01:40.163343 [INFO] Started patrolling the USB ports every 0.25 seconds...
Current state:
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

2015-05-12 12:01:40.286210 Detected a USB change. Dumping the list of connected devices and killing the computer...
Current state:
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

Hi there,

While usbkill shutdown quickly the computer, it is still possible to recover encryption keys when the computer is turned off by using CBA.

-> https://twitter.com/mariolinic/status/596395899112300545 -> https://www.youtube.com/watch?v=JDaicPIgn9U

I'm investigating in having a way to remove keys in the RAM before the computer shutdown (on all OS). If anyone have an idea about how it could be done or have another idea to prevent this kind of attack, you are welcome to tell me how :smiley:

Hello! I've just downloaded usbkill to try it, but i've this error: ~ $ sudo python3 usbkill.py File "usbkill.py", line 4 ^ SyntaxError: invalid syntax

I've runing usbkill on a virtual machine with Linux Mint 17.1 32 bits.

Thank you very much!

My "take" on this project. I did similar stuff with bash scripts up to date, which wasn't pretty.

I like the ability to be able to connect USB freely when my screen is not locked. I'll further extend it to keep a list of currently connected devices and update it (instead of start devices).

Made better parsed config file and this allowed me to define 4 commands more. Feel free to hate it.

Hi there,

I think it could be even better to remove (securely) the script itself (using file) + its directory (if it matches to the SHA1 signature of the repository) instead of just logs/settings so there will be no proof that usbkill has been used and you will have Plausible Deniability to say "Your USB device crashed my computer"

What do you think about this?

usbkill can now execute custom commands which are defined in the config.

What would be useful commands and examples for different setups? Does osx, bsd and (deb)linux support these commands?

I'm thinking about commands like `shred' and commands that release tc or luks volumes (and keys).

Are there commands for ram and/or swap?

Would you accept this change? I've started hacking on usbkill and quickly noticed that it'd be a lot easier to develop for with a test mode that didn't shut down my computer every time I wanted to use it!

This would be configurable with both --test parameters and an entry in the settings file.

[Sorry, I'm about to submit a bunch of tickets, prepare yourself! I'm a paranoid person who works out of public spaces quite a lot, and this tool makes me feel safer about leaving my laptop unattended, so I want to bend it to my will now!]

On line 88, usbkill does a rm -rf for every folder_to_remove, passing the name without escaping it. This means that if you set folders_to_remove as follows...

folders_to_remove = [ "/home/wander/usbkill /" ]

...usbkill will happily do a rm -rf /home/wander/usbkill / as root, recursively deleting a directory that doesn't exist and then soldiering on with the file system root.

Hello. I want to propose to add a setting with would allow to ignore USB sevices with given ID, that they won't trigger the app when suddenly it get plugged off.

Examples (on me):

I have my phone connected to the computer thru USB and it seem that the cable (from the side) has a loosen fit with the socket, with causes that a light move of the phone causes that the system treat it as disconnection. I wouldn't be wanting that this would cause my computer to suddenly turn off thru such thing.

https://github.com/hephaest0s/usbkill/blob/master/usbkill/usbkill.py#L140

1 millisecond is 0.001 seconds. Therefore, 5 milliseconds is 0.005 seconds.

I propose changing the comment, because 50 milliseconds is still quick enough.

Traceback (most recent call last): File "usbkill.py", line 466, in go() File "usbkill.py", line 463, in go loop(settings) File "usbkill.py", line 320, in loop start_devices = lsusb() File "usbkill.py", line 228, in lsusb return DeviceCountSet(DEVICE_RE[0].findall(subprocess.check_output("lsusb", shell=True).decode('utf-8').strip())) File "/usr/lib/python2.7/subprocess.py", line 223, in check_output raise CalledProcessError(retcode, cmd, output=output) subprocess.CalledProcessError: Command 'lsusb' returned non-zero exit status 1

following error is displayed.

8764 EF6F D5C1 7838 8D10 E061 CF84 9CE5 42D0 B12B expired in 2017. I was going to e-mail and ask if this project is dead, but the key being expired was all I really needed.