Usbkill - an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.


usbkill

« usbkill » is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

To run:

sudo python usbkill.py

or

sudo python3 usbkill.py

Related project; same idea, but implemented as a Linux driver: https://github.com/NateBrune/silk-guardian

Why?

Some reasons to use this tool:

  • In case the police or other thugs come busting in (or steal your laptop from you when you are at a public library, as happened to Ross). The police commonly use a « mouse jiggler » to keep the screensaver and sleep mode from activating.
  • You don’t want someone to add or copy documents to or from your computer via USB.
  • You want to improve the security of your (encrypted) home or corporate server (e.g. your Raspberry).

[!] Important: Make sure to use disk encryption for all folders that contain information you want to be private. Otherwise they will get it anyway. Full disk encryption is the easiest and surest option if available.

Tip: Additionally, you may use a cord to attach a USB key to your wrist. Then insert the key into your computer and start usbkill. If they steal your computer, the USB will be removed and the computer shuts down immediately.

Feature List

(version 1.0-rc.4)

  • Compatible with Linux, *BSD and OS X.
  • Shut down the computer when there is USB activity.
  • Customizable. Define which commands should be executed just before shut down.
  • Ability to whitelist a USB device.
  • Ability to change the check interval (default: 250ms).
  • Ability to melt the program on shut down.
  • RAM and swap wiping.
  • Works with sleep mode (OS X).
  • No dependency except secure-delete, needed iff you want usbkill to delete files/folders for you or if you want to wipe RAM or swap. Install it with: sudo apt-get install secure-delete
  • Sensible defaults

Supported command line arguments (partially for devs):

  • -h or --help: show help message, exit.
  • --version: show version of the program, exit.
  • --no-shut-down: if a malicious change on the USB ports is detected, execute all the (destructive) commands you defined in settings.ini, but don’t turn off the computer.
  • --cs: Copy program folder settings.ini to /etc/usbkill/settings.ini

Contact

[email protected] - PGP/GPG Fingerprint: 8764 EF6F D5C1 7838 8D10 E061 CF84 9CE5 42D0 B12B

Comments
  • Unable to run

    I've been trying to run this script, but I continued to get this error:

    Secure-MBA:~ austink$ sudo python /Users/austink/Downloads/usbkill-master/usbkill.py 
    Traceback (most recent call last):
      File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 32, in <module>
        import configparser
    ImportError: No module named configparser
    

    So then I changed configparser to ConfigParser and it runs a bit further, albeit with this error:

    Secure-MBA:~ austink$ sudo python /Users/austink/Downloads/usbkill-master/usbkill.py 
                 _     _     _ _ _  
                | |   | |   (_) | | 
      _   _  ___| |__ | |  _ _| | | 
     | | | |/___)  _ \| |_/ ) | | | 
     | |_| |___ | |_) )  _ (| | | | 
     |____/(___/|____/|_| \_)_|\_)_)
    
    Traceback (most recent call last):
      File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 275, in <module>
        settings = startup_checks()
      File "/Users/austink/Downloads/usbkill-master/usbkill.py", line 242, in startup_checks
        if subprocess.check_output("fdesetup isactive", shell=True).strip() != "true":
      File "/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/subprocess.py", line 573, in check_output
        raise CalledProcessError(retcode, cmd, output=output)
    subprocess.CalledProcessError: Command 'fdesetup isactive' returned non-zero exit status 1
    

    I am aware that I don't have FileVault enabled, but I should still be able to run the script anyway, right? According to python -V I have version 2.6.7.

    opened by ajkblue 31
  • Why not udev?

    Having a requirement for Python seems a little odd when udev could handle it on Linux, i.e. a udev rule:

    ACTION=="remove", SUBSYSTEM=="usb", ENV{ID_MODEL}=="*", RUN+="/bin/shutdown 0"
    

    This would tie it much closer to the hardware and prevent a simple pkill python from stopping it.

    also potentially using diskutil activity on OSX

    opened by terrorbyte 27
  • Vulnerability: Every device is whitelisted during (re)boot

    I was reading the code and these lines came to my attention:

    start_devices = lsusb()
    acceptable_devices = set(start_devices + whitelisted_devices)
    

    Considering the discussion with @pwnsdx on twitter, this makes the pc vulnerable to the following scenario:

    • Attacker has some kernel exploit to bypass login or read encryption keys from memory + physical access to the machine.
    • It connects its usb pen with the exploit on it, the computer shuts down due to usbkill.
    • He leaves his device attached and reboots the PC; now his device is put inside the acceptable_devices variable, thus whitelisted.
    opened by evilsocket 20
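
The scenario reported above, as an added example that is not usbkill's own code: it compares the start-state baseline quoted in the issue with a whitelist-only check. The function names, the sample lsusb output, the whitelist and the device ID abcd:1234 are constructed, and the whitelist-only variant is one possible mitigation, not the project's fix.

```python
import re

# Matches the "ID vvvv:pppp" field of lsusb lines like those in the logs on this page.
ID_RE = re.compile(r"\bID ([0-9a-fA-F]{4}:[0-9a-fA-F]{4})\b")

def parse_lsusb(output):
    """Return the vendor:product IDs found in lsusb-style output, in order."""
    return [dev.lower() for dev in ID_RE.findall(output)]

def acceptable_baseline(start_devices, whitelisted_devices):
    """Logic quoted in the issue: whatever is plugged in at start is trusted."""
    return set(start_devices + whitelisted_devices)

def acceptable_strict(whitelisted_devices):
    """Hardened variant (assumption): trust only the configured whitelist."""
    return set(whitelisted_devices)

def untrusted(current_devices, acceptable):
    """Devices that would trigger the kill-switch."""
    return sorted(set(current_devices) - acceptable)

# Constructed sample: lsusb output right after the reboot, with an unknown
# device (made-up ID abcd:1234) still attached.
AFTER_REBOOT = """\
Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 002 Device 003: ID abcd:1234 Constructed Unknown Storage
"""
WHITELIST = ["8087:0024", "1d6b:0002"]  # constructed whitelist entries

def compare():
    """Return (flagged by start-state baseline, flagged by whitelist-only)."""
    start = parse_lsusb(AFTER_REBOOT)
    return (untrusted(start, acceptable_baseline(start, WHITELIST)),
            untrusted(start, acceptable_strict(WHITELIST)))

if __name__ == "__main__":
    baseline, strict = compare()
    print("start-state baseline flags:", baseline)
    print("whitelist-only flags:      ", strict)
```

With a whitelist-only check, a tool can refuse to start (or trigger) when the startup scan already contains an unlisted device.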
  • Nuke launched without any apparent change

    OS: Ubuntu 14.04.2 - 64 bits

    Whenever I launch usbkill, the nuking process happens. The strangest thing is I don't have any USB device plugged in, so I'm wondering what could possibly change, but the logs are not very helpful to see that:

    2015-05-12 12:01:40.163343 [INFO] Started patrolling the USB ports every 0.25 seconds...
    Current state:
    Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    
    2015-05-12 12:01:40.286210 Detected a USB change. Dumping the list of connected devices and killing the computer...
    Current state:
    Bus 002 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 004 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 003 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    
    opened by pbellon 11
  • Cold-Boot attack possible

    Hi there,

    While usbkill shuts down the computer quickly, it is still possible to recover encryption keys when the computer is turned off by using CBA.

    -> https://twitter.com/mariolinic/status/596395899112300545 -> https://www.youtube.com/watch?v=JDaicPIgn9U

    I'm investigating a way to remove keys from RAM before the computer shuts down (on all OSes). If anyone has an idea about how it could be done or has another idea to prevent this kind of attack, you are welcome to tell me how :smiley:

    opened by ghost 9
  • SyntaxError: invalid syntax

    Hello! I've just downloaded usbkill to try it, but I get this error:

    ~ $ sudo python3 usbkill.py
      File "usbkill.py", line 4
        ^
    SyntaxError: invalid syntax

    I'm running usbkill on a virtual machine with Linux Mint 17.1 32 bits.

    Thank you very much!

    opened by arraiano 9
  • Few new features, small refactor, partially tested.

    My "take" on this project. I did similar stuff with bash scripts up to date, which wasn't pretty.

    I like the ability to be able to connect USB freely when my screen is not locked. I'll further extend it to keep a list of currently connected devices and update it (instead of start devices).

    Made better parsed config file and this allowed me to define 4 commands more. Feel free to hate it.

    opened by blaa 8
  • What about melt_usbkill instead of remove_logs_and_settings

    Hi there,

    I think it could be even better to remove (securely) the script itself (using file) + its directory (if it matches to the SHA1 signature of the repository) instead of just logs/settings so there will be no proof that usbkill has been used and you will have Plausible Deniability to say "Your USB device crashed my computer"

    What do you think about this?

    opened by ghost 7
  • Good defaults/examples for custom commands

    usbkill can now execute custom commands which are defined in the config.

    What would be useful commands and examples for different setups? Do OS X, BSD and (deb)Linux support these commands?

    I'm thinking about commands like `shred' and commands that release tc or luks volumes (and keys).

    Are there commands for ram and/or swap?

    opened by hephaest0s 7
  • Test Mode

    Would you accept this change? I've started hacking on usbkill and quickly noticed that it'd be a lot easier to develop for with a test mode that didn't shut down my computer every time I wanted to use it!

    This would be configurable with both --test parameters and an entry in the settings file.

    [Sorry, I'm about to submit a bunch of tickets, prepare yourself! I'm a paranoid person who works out of public spaces quite a lot, and this tool makes me feel safer about leaving my laptop unattended, so I want to bend it to my will now!]

    opened by Miserlou 6
  • Spaces in folders_to_remove can cause usbkill to nuke /

    On line 88, usbkill does a rm -rf for every folder_to_remove, passing the name without escaping it. This means that if you set folders_to_remove as follows...

    folders_to_remove = [ "/home/wander/usbkill /" ]
    

    ...usbkill will happily do a rm -rf /home/wander/usbkill / as root, recursively deleting a directory that doesn't exist and then soldiering on with the file system root.

    opened by wandernauta 5
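
The argument splitting described in this issue, as an added example that is not usbkill's own code. The page does not show line 88, so the unescaped "rm -rf " + folder string is an assumption based on the issue's description; all function names are hypothetical, and nothing here executes rm.

```python
import posixpath
import shlex

def shell_view(folder):
    """Argv a POSIX shell derives from an unescaped 'rm -rf ' + folder string."""
    return shlex.split("rm -rf " + folder)

def quoted_shell_view(folder):
    """Same command when the path goes through shlex.quote first."""
    return shlex.split("rm -rf -- " + shlex.quote(folder))

def safe_rm_argv(folder):
    """Build an argv list for subprocess without a shell; refuse risky paths."""
    if not folder.startswith("/"):
        raise ValueError("folders_to_remove entries must be absolute: %r" % folder)
    path = posixpath.normpath(folder)
    # normpath keeps "//" as-is, so strip slashes to catch every spelling of root.
    if not path.strip("/"):
        raise ValueError("refusing to remove the file system root")
    # "--" stops option parsing, so a path starting with "-" is not read as a flag.
    return ["rm", "-rf", "--", path]

FOLDER = "/home/wander/usbkill /"  # the value given in the issue

if __name__ == "__main__":
    print("shell sees:   ", shell_view(FOLDER))         # two targets, one is "/"
    print("quoted:       ", quoted_shell_view(FOLDER))  # a single target
    print("argv list:    ", safe_rm_argv(FOLDER))       # a single target
    for bad in ["/", "//", "/home/..", "relative/dir"]:
        try:
            safe_rm_argv(bad)
        except ValueError as err:
            print("rejected:     ", err)
```

Passing the list from safe_rm_argv to subprocess without shell=True keeps the whole entry, space included, as one argument.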
  • [Feature request] Selective trigger

    Hello. I want to propose adding a setting which would allow ignoring USB devices with a given ID, so that they won't trigger the app when they suddenly get unplugged.

    Examples (on me):

    I have my phone connected to the computer through USB and it seems that the cable (from the side) has a loose fit with the socket, which means that a slight movement of the phone makes the system treat it as a disconnection. I wouldn't want this to cause my computer to suddenly turn off.

    opened by mdziczkowski 0
  • "5ms" are not 0.05s

    https://github.com/hephaest0s/usbkill/blob/master/usbkill/usbkill.py#L140

    1 millisecond is 0.001 seconds. Therefore, 5 milliseconds is 0.005 seconds.

    I propose changing the comment, because 50 milliseconds is still quick enough.

    opened by BenWiederhake 0
  • Error on executing usbkill.py on Qubes.

    Traceback (most recent call last):
      File "usbkill.py", line 466, in <module>
        go()
      File "usbkill.py", line 463, in go
        loop(settings)
      File "usbkill.py", line 320, in loop
        start_devices = lsusb()
      File "usbkill.py", line 228, in lsusb
        return DeviceCountSet(DEVICE_RE[0].findall(subprocess.check_output("lsusb", shell=True).decode('utf-8').strip()))
      File "/usr/lib/python2.7/subprocess.py", line 223, in check_output
        raise CalledProcessError(retcode, cmd, output=output)
    subprocess.CalledProcessError: Command 'lsusb' returned non-zero exit status 1

    following error is displayed.

    opened by firstabor 4
  • PGP/GPG key is expired

    8764 EF6F D5C1 7838 8D10 E061 CF84 9CE5 42D0 B12B expired in 2017. I was going to e-mail and ask if this project is dead, but the key being expired was all I really needed.

    opened by Lvl4Sword 0
Owner
Hephaestos