Naked Security

The USBKILL anti-forensics tool – it doesn’t do *quite* what it says on the tin

A hacker who very modestly goes by the handle Hephaest0s has just announced an "anti-forensic kill switch" dubbed, well, usbkill. It doesn't do quite what the name might suggest, and it could cut either way, so use it with care!

A hacker who very modestly goes by the handle Hephaest0s has just announced an “anti-forensic kill switch” dubbed, well, usbkill.

It doesn’t do quite what the name might immediately suggest.

The idea is that it keeps its eye on what’s plugged into your USB ports and if anything changes, it shuts down your computer abruptly.

The theory is that if someone you don’t like the look of tries to confiscate your laptop, or looks as though they’re trying to steal it, you can just swiftly (and apparently innocently) unplug some USB device that you happen to be using and that’s that for the current session.
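Added here as an illustration, not the usbkill project's code: the device-set diff that such a monitor performs, with a whitelist for devices that should not trigger it and a dry-run default action instead of a power-off. The lsusb lines are constructed sample output, and the live poller is assumed to run on a Linux host where lsusb is available.

```python
"""Added example (not the usbkill project's code): the device-set diff that an
usbkill-style monitor performs. The lsusb output below is constructed sample data."""
import re
import subprocess
import time
from typing import Callable, FrozenSet, Set

# lsusb prints one line per device; "ID vvvv:pppp" is the vendor:product pair.
LSUSB_LINE = re.compile(r"^Bus (\d{3}) Device (\d{3}): ID ([0-9a-f]{4}:[0-9a-f]{4})")

SAMPLE_BEFORE = """Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 003: ID 046d:c52b Logitech, Inc. Unifying Receiver
Bus 001 Device 004: ID 0781:5583 SanDisk Corp. Ultra Fit
"""
SAMPLE_AFTER = SAMPLE_BEFORE.replace("Bus 001 Device 004: ID 0781:5583 SanDisk Corp. Ultra Fit\n", "")

def parse_lsusb(output: str) -> Set[str]:
    """Return "bus:dev:vid:pid" keys. Bus and device numbers are kept so that a
    device unplugged and replugged (it gets a new device number) still counts as a change."""
    devices = set()
    for line in output.splitlines():
        m = LSUSB_LINE.match(line)
        if m:
            devices.add(f"{m.group(1)}:{m.group(2)}:{m.group(3)}")
    return devices

def detect_change(before: Set[str], after: Set[str],
                  whitelist: FrozenSet[str] = frozenset()) -> Set[str]:
    """Devices added or removed since the baseline, ignoring whitelisted vid:pid
    values (so a known-noisy dongle does not fire the action by itself)."""
    return {k for k in before ^ after if k.split(":", 2)[2] not in whitelist}

def current_devices() -> Set[str]:
    """Poll the real host. lsusb itself runs unprivileged; only the shutdown action needs root."""
    return parse_lsusb(subprocess.run(["lsusb"], capture_output=True, text=True, check=True).stdout)

def monitor(action: Callable[[Set[str]], None], interval: float = 0.25,
            whitelist: FrozenSet[str] = frozenset(), poll=current_devices) -> Set[str]:
    """Take a baseline, poll until the device set changes, run action, return the diff.
    usbkill's action is an immediate power-off; pass a reporting callback for a dry run."""
    baseline = poll()
    while True:
        time.sleep(interval)
        changed = detect_change(baseline, poll(), whitelist)
        if changed:
            action(changed)
            return changed
```

On a Linux host, `monitor(lambda d: print("changed:", sorted(d)))` watches the ports in dry-run mode and returns the first change it sees.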

Power off

Ironically, last century’s IT-related police busts, if pre-arranged by means of a warrant, typically included special conditions like “no-knock” and “power off.”

The former meant that they didn’t ask before entering (a block of wood over the lock and a sledgehammer does the trick on most regular doors, so volunteer to be the cop wielding the hammer, not the one holding the wood).

The latter meant that they had permission to turn off your mains electricity supply first.

The idea was simple: if you got warning that the cops were outside, you could kick off disk-wiping programs on all your computers, and put all your diskettes and tapes into an industrial degausser (demagnetiser) for bulk erasure.

This was a particularly handy trick for software and video pirates, who could leave the investigators with nothing but a giant pile of blank disks and white-noise VHS tapes as evidence.

Charges dismissed.

Power on

These days, things often work the other way around, with law enforcement keen to seize evidence like computers while they are still running and logged in.

So they’ll probably still use their special skeleton keys to gain entry, to take you by surprise, but the idea of shutting down the power so you can’t keep your computers alive has gone out of the Windows.

With power maintained, and your current session still alive and unlocked, the cops may very well avoid needing to get hold of your passwords to access things like files, social media accounts, network connections, and so on.

Better yet, they may be able to extract data from memory that reveals things like usernames and passwords for yet more accounts that you have used recently but aren’t currently logged into, or remnants of websites that you’ve looked at but no longer have open, and so on.

With Hephaest0s’s usbkill utility, all you have to do is remove your 3G modem, or disconnect the dongle that runs your mouse (a good reason to ditch Bluetooth and go back to those proprietary Logitech mice), and all that lovely forensically valuable data in memory is toast.

The downside

There’s a downside, of course.

The code is written in Python, and needs to run continuously as root.

So you’d better hope that usbkill itself isn’t hackable, or if the cops get hold of your computer while you are otherwise distracted (for example because your arms are handcuffed behind your back) then your defensive utility could end up being just the Elevation of Privilege toolkit that the forensics team need to pwn your computer completely.

Hephaest0s suggests that you can circumvent this problem by using “a cord to attach a USB key to your wrist.”

Just be careful when you need to stretch your legs, or reach for the sugar bowl, or pop out to the little hacker’s room, lest you shut down the latest improvements to your magnum opus before they’ve been properly saved.

Of course, usbkill doesn’t solve the problem of what to do when the cops ask you to unlock your now shut-down computer.

Legal protection for this seems to vary from country to country, but since you don’t actually have to reveal your password, you can expect to be in serious trouble in some jurisdictions if you try to claim a “right to silence” when asked to show us what’s in those files, son.

PS. If you have a Mac, a half-second press on the power key will lock it so your password is needed, and five seconds will power it off. Or you could gently close the lid, with or without a cord attached to your wrist. (Yes, the power-off-in-5-seconds feature works on all computers. But Mac users have the power button handily implemented as a regular key, where F13 would be, so you can kill the power while apparently typing.)


Nice post. Thanks.

But because you claim to be a “passionate security proselytiser”, let me explain something about your PS comment:

1) that behaviour is not unique to the Mac (or to Apple, for that matter. Thank God they have not managed to copyright that behaviour yet). Any decent OS (like Windows, Linux or BSD) can do that, should you decide to allow this functionality (anyway, can you disable that on a Mac? ;) )

2) if your PC/laptop is a hand’s reach away, you will have a hard time touching the power button with your hands behind your back. Or with a trigger-happy cop pointing a gun in your direction. Well, I wish you good luck with that :D

3) if somebody grabs your PC while sprinting around, you will also be hard pressed to press that button of yours :D

Oh well, I believe that points 2 and 3 are exactly the reason to have some cord-attached USB device (“USB kill key” is a nice name), which you frown upon. And yes, it makes your life harder, but your security will be improved. (Unless that killswitch is a rootkit or has a major weakness in it.)


I meant to emphasise that the power “button” on a Mac is actually just a regular key on the keyboard, where F13 would be if there were such a key. So you can kill/lock while apparently still in the process of typing normally.

And all the anti-Apple venom in the world won’t make my statement untrue :-) I don’t have a non-Mac, so I can’t tell you for sure how the average Windows laptop (for example) behaves when you press F13. Does it lock? Does it turn off? Is there an F13 key? Therefore, I gave information about which I was certain and left it to the reader to extrapolate to other platforms.


Well, I am sorry that you take my comment as “hate” towards Apple.
It is not. I hate M$ more and I am still using Windows as my primary platform ;-) and that does not stop me from making jokes about any of them. Anyway, I am sorry that you feel offended; that is not what I meant.

So. Any laptop I have encountered in the past few years has a power button on top of it (usually just above the F-key row). Also, usually there is a “sleep” key on the keyboard, and on all systems I have been working with there is a “lock” shortcut (on Windows that is “Win + L”, on Linux DEs (KDE, Gnome, …) it is Ctrl+Alt+L by default, but on all of those this can be easily configured to be anything you want).

So from my point of view, this added “Mac specific” info looks more like “look what an awesome feature Mac has”. And well, maybe that explains why the non-Apple world sees Apple users as being arrogant – because they behave like “their” great feature is new and unique, while it was common in the rest of the world.

I do not mean that as an offence – to me this is merely an explanation of why Apple vs non-Apple have the relationship they have (and which I did not see before).

So what I want to say is, maybe it would be great (for you and your readers as well) if you checked how things work on the other side of this “hate” barrier, which you (obviously) feel here. Maybe then you can help to break it?

PS: sorry for this really long comment. I believe that is all I have to say on that matter, so that will be all. Thank you for reading this.
