Slashdot Mirror


USB Canary Sends An SMS When Someone Tinkers With Your USB Ports (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: A new tool released on GitHub last week can help paranoid sysadmins keep track of whenever someone plugs in or disconnects a USB-based device from high-value workstations. Called USB Canary, this tool is coded in Python and currently works only on Linux (versions for Windows and Mac are in the works). The tool works by watching USB ports for any activity while the computer is locked, which generally means the owner has left his desk. If a USB device is plugged in or unplugged, USB Canary can perform one of two actions, or both. It can alert the owner by sending an SMS message via the Twilio API, or it can post a message in a Slack channel, which can be monitored by other co-workers. USB Canary can prove to be a very useful tool for large organizations that feature strict PC policies. For example, if you really want to enforce a "No USB drives" policy at work, this could be the tool for the job. Further, with modifications, it could be used for logging USB activity on air-gapped systems.

40 comments

  1. fp by Anonymous Coward · · Score: 0

    fp

    Suck it Trebek!

  2. Actually by Anonymous Coward · · Score: 0

    epoxy in the USB ports works wonders!

    1. Re:Actually by DontBeAMoran · · Score: 1

      You know what works even better? Ripping out the USB ports.

      --
      #DeleteFacebook
  3. Anything hardware can do, software can do better? by Anonymous Coward · · Score: 0

    Because if you're really serious, you take python to tell you by slack something or other happened. Much better than, say, turning all USB ports off via BIOS, then disconnecting them, and gluing them shut for good measure. Because USB is the future and dedicated PS/2 ports are for chumps.

  4. Resin by Anonymous Coward · · Score: 0

    If you really want to keep people from plugging random shit into a system, just fill the USB ports with resin or caulk and super-glue the keyboard and mouse cables in place.

    FWIW, USB ports can be used to hack systems at the microcode level, no OS interaction needed.
    In fact, USB microcode hacking was how the PS3 was eventually cracked.

    1. Re: Resin by Anonymous Coward · · Score: 0

      Fuck that. My USB ports are all fake and all the pins are connected to mains. Don't plug shit into my fuckin computer.

  5. work around? by Anonymous Coward · · Score: 0

    Most security-conscious organizations killed WiFi, so just pull the enet cord, insert USB, then hard reboot. Forget "only when logged in": the trigger should be tied to approved devices like keyboards and mice and any other device flags... Or just flag all state changes for secure rooms, assuming such areas are enforced for sensitive up or personal data. Windows already has similar tools.

    1. Re: work around? by Anonymous Coward · · Score: 0

      Sensitive ip...And all other auto corrects...

    2. Re:work around? by AHuxley · · Score: 1

      Hire better staff. Don't use Windows. Set your company up with the expectation that data will walk out with staff or be extracted via the internet.
      Separate your internal networks. Staff data on one network, public blue sky research https://en.wikipedia.org/wiki/... and charity work on another. Contact with customers is kept away from all other sections of the internet networks.
      Emerging projects and work not yet public is kept away from most staff and all other networks.
      The work laptop is not a take home social media "gift" to staff.
      USB devices found around the parking lot don't get looked at inside the company on secure computers.
      Encrypt all data so staff can't walk out with any data. They can work all they want but can't make a backup of all source code and just walk out.
      If a person makes a mistake all they alter is some charity work, blue sky project or encrypted files.
      Don't use wifi or Windows software, and always interview all new staff to see if their presented paperwork is correct and have their background story investigated.
      That blocks staff that have no skills and keeps out staff that will walk out with data for some reason that usually shows up in their past politics or social media use.

      --
      Domestic spying is now "Benign Information Gathering"
  6. USB box-cutter technology caused 9/11 by Anonymous Coward · · Score: 0

    boycott USB now before it's too late!!!

  7. USB fishing by Okian Warrior · · Score: 2

    I've heard stories about how businessmen staying in Chinese hotels leave their laptops in the room while going out, and the "maid" comes in, sticks in a USB drive, and downloads all the files.

    I've often wondered if it's possible to make a spring-loaded trap that would clamp down on a USB device and prevent it from being removed. The USB connector has 2 square holes that square pegs might fit into.

    It might be possible to "fish" for these foreign USB devices, and reverse engineer them to see what sorts of attack they use.

    1. Re:USB fishing by Anonymous Coward · · Score: 0

      Cool idea, but I bet they'd just steal your laptop after that.

    2. Re:USB fishing by Anonymous Coward · · Score: 0

      10:1 odds they just power off the device and boot it with a thumb drive.

      (Physical access = game over.)

    3. Re:USB fishing by Anonymice · · Score: 3, Insightful

      Better nail your laptop down too, then! If they're going to be rumbled anyway, they might as well just take the fucker.

    4. Re:USB fishing by Misagon · · Score: 1

      How about making ports like the infamous "USB Kill Stick" but in reverse? Any unauthorized device connected to the port would get fried.
      The attacker would probably not find out what happened until afterwards when they try to get the data from the attacking device.

      But yeah, if we knew what kind of attack they used to gain access one could provide another set of files: a honey pot, or just innocuous data.

      --
      "We mustn't be caught by surprise by our own advancing technology" -- Aldous Huxley
    5. Re:USB fishing by Anonymous Coward · · Score: 0

      Honestly? If I was a Chinese maid in the espionage business I'd snap the USB off, or take the laptop like someone else suggested.

    6. Re:USB fishing by Anonymous Coward · · Score: 0

      Sounds like a job for Qubes Anti-Evil Maid:

      Qubes security guidelines dictate that USB devices should never be attached directly to dom0, since this can result in the entire system being compromised. However, in its default configuration, installing and using AEM requires attaching a USB drive (i.e., mass storage device) directly to dom0. (The other option is to install AEM to an internal disk. However, this carries significant security implications, as explained here.) This presents us with a classic security trade-off: each Qubes user must make a choice between protecting dom0 from a potentially malicious USB drive, on the one hand, and protecting the system from Evil Maid attacks, on the other hand. Given the practical feasibility of attacks like BadUSB and revelations regarding pervasive government hardware backdoors, this is no longer a straightforward decision. New, factory-sealed USB drives cannot simply be assumed to be “clean” (e.g., to have non-malicious microcontroller firmware). Therefore, it is up to each individual Qubes user to evaluate the relative risk of each attack vector against his or her security model.

      For example, a user who frequently travels with a Qubes laptop holding sensitive data may be at a much higher risk of Evil Maid attacks than a home user with a stationary Qubes desktop. If the frequent traveler judges her risk of an Evil Maid attack to be higher than the risk of a malicious USB device, she might reasonably opt to install and use AEM. On the other hand, the home user might deem the probability of an Evil Maid attack occurring in her own home to be so low that there is a higher probability that any USB drive she purchases is already compromised, in which case she might reasonably opt never to attach any USB devices directly to dom0. (In either case, users can–and should–secure dom0 against further USB-related attacks through the use of a USBVM.)

  8. After which by tomxor · · Score: 1

    you may as well burn your computer... Why not just have a USB self destruct, once someone has "tinkered" with your USB ports you can't guarantee anything.

  9. That's nothing... by __aaclcg7560 · · Score: 1

    Plug in an unauthorized USB stick at my job and security will be at your desk in five minutes to confiscate it.

    1. Re:That's nothing... by HornWumpus · · Score: 1

      A Rubber ducky? Those look like keyboards to the machines...and run scripts.

      You can hack up a 2gig USB drive into one. Certain models only.

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    2. Re:That's nothing... by __aaclcg7560 · · Score: 1

      A Rubber ducky?

      I personally prefer to have a Hello, Kitty! 8GB USB stick. :P

    3. Re: That's nothing... by Anonymous Coward · · Score: 0

      Why would they confiscate the desk?

    4. Re:That's nothing... by HornWumpus · · Score: 2

      IT security guy...you know a 'rubber ducky' is a penetration tool? The ones with actual rubber duckies printed on them are sold to poseurs, real hackers just modify the right old thumb drive.

      PCs with Windows or Linux (with autorun disabled) are owned by plugging it in. The computer thinks it's a keyboard and trusts it. It runs scripts, which can be toxic.

      Does IT get called when someone's keyboard gets disconnected then plugged back in or only for USB storage?

      --
      John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
    5. Re:That's nothing... by __aaclcg7560 · · Score: 1

      IT security guy...you know a 'rubber ducky' is a penetration tool?

      I've heard about them, haven't seen them. My job in InfoSec is to fix problems. Scanning and penetration is a different department. I thought you meant this rubber ducky.

      Does IT get called when someone's keyboard gets disconnected then plugged back in or only for USB storage?

      I don't know. I work with workstations and not with users. The workstations are locked down tighter than a virgin nerd's ass. If you create a file and leave it on your desktop for too long (all data is supposed to be stored on the network), you will need administrator access to modify the file.

    6. Re: That's nothing... by Anonymous Coward · · Score: 0

      It's a shame when us low on the pole IT guys have higher regulation and oversight than the fucking government we serve. You can't even create local files, yet government officials are setting up insecure servers, getting accounts compromised, and falling for phishing scams that my 12 year old son would laugh at.

      Shame indeed.

    7. Re: That's nothing... by __aaclcg7560 · · Score: 1

      It's a shame when us low on the pole IT guys have higher regulation and oversight than the fucking government we serve.

      I work in government IT.

      You can't even create local files [...]

      Local files can be created but they need to move to the network in a timely manner. If the local file is left on the desktop for too long (might be 30 days), admin access is required to move or modify. I can move my own files, but regular users need to call the help desk.

      [...] yet government officials are setting up insecure servers, getting accounts compromised, and falling for phishing scams that my 12 year old son would laugh at.

      Politicians and political appointees don't follow the same rules as government workers and civilians.

  10. Why does this need Python? by Anonymous Coward · · Score: 0

    Creating your own udev rules for USB device attach/detach is possible without Python, especially not as a service (which is what this appears to be). udev has the RUN argument which can run a program/shell script/whatever on an event. I understand that one may want to use Python or any other PL for utilising an HTTP-based API (re: Twilio, Slack, etc.), but I do not understand the design choice of having this run as a daemon.

    I also urge others to look at the prerequisites (refer to GitHub); this does not appear to be KISS-compliant in the least, and the description in Getting Started is downright bullshit (re: "for some this may seem like a bad idea, but it's better than recreating the wheel or rolling your own crypto" -- what wheel would need to be recreated? And why would you need to "roll your own crypto" for device monitoring to work? Using an HTTP API via HTTPS does not require one "roll their own crypto")
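
As an added illustration of the udev RUN approach argued for above, combined with the "only trigger while locked, and not for approved keyboards and mice" idea from the "work around?" comment, here is a hook script that is not USB Canary's own code. It assumes a hypothetical rule file /etc/udev/rules.d/90-usb-canary.rules that invokes /usr/local/sbin/usb-canary-hook.sh on USB add/remove, systemd-logind for lock state, and a constructed allowlist of vendor:product ids.

```shell
#!/bin/sh
# Added example, not USB Canary's code. Assumed udev rule (hypothetical path
# /etc/udev/rules.d/90-usb-canary.rules), one line:
#   SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ACTION=="add|remove", RUN+="/usr/local/sbin/usb-canary-hook.sh"
# udev runs this hook with ACTION, DEVPATH, ID_VENDOR_ID, ID_MODEL_ID in its environment.

# Constructed allowlist of vendor:product ids for the approved keyboard/mouse.
APPROVED_DEVICES="046d:c52b 04d9:0169"

# Prints "yes" if any logind session reports LockedHint=yes (assumes systemd-logind).
any_session_locked() {
    for s in $(loginctl list-sessions --no-legend 2>/dev/null | awk '{print $1}'); do
        loginctl show-session "$s" -p LockedHint 2>/dev/null | grep -q 'LockedHint=yes' && { echo yes; return; }
    done
    echo no
}

is_approved() {
    for id in $APPROVED_DEVICES; do
        [ "$id" = "$1" ] && return 0
    done
    return 1
}

# decide ACTION VID:PID LOCKED -> prints "alert" or "ignore".
# Only add/remove events count, only while locked, and approved devices never alert.
decide() {
    case "$1" in add|remove) ;; *) echo ignore; return ;; esac
    [ "$3" = yes ] || { echo ignore; return; }
    is_approved "$2" && { echo ignore; return; }
    echo alert
}

# One-line message suitable for a Slack webhook or an SMS body.
format_alert() {
    printf 'USB %s on %s while locked: %s (%s)' "$1" "${HOSTNAME:-$(hostname 2>/dev/null)}" "$2" "$3"
}

# Entry point when invoked by udev (ACTION and DEVPATH set); otherwise only defines functions.
if [ -n "$ACTION" ] && [ -n "$DEVPATH" ]; then
    dev="${ID_VENDOR_ID:-0000}:${ID_MODEL_ID:-0000}"
    if [ "$(decide "$ACTION" "$dev" "$(any_session_locked)")" = alert ]; then
        # Log locally; a curl to the Slack/Twilio endpoint would go in the same branch.
        logger -t usb-canary "$(format_alert "$ACTION" "$dev" "$DEVPATH")"
    fi
fi
```

Because udev runs RUN programs briefly and outside any user session, the hook should hand off anything slow (an HTTPS call) to a systemd unit or a queue rather than block here.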

  11. usbguard by Anonymous Coward · · Score: 0

    I use usbguard but I still don't trust the $1 USB drives I bought.

  12. Linux has this by s.petry · · Score: 1

    auditd

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  13. am anticipating... by Anonymous Coward · · Score: 0

    Counter-Canary to the USB-Canary Killer.

    The never ending game of peripheral warfare...

  14. Just disable USB by Anonymous Coward · · Score: 0

    If you don't want USB devices being used, just disable "USB Storage Devices" altogether in your system policies.

  15. LOL by JThundley · · Score: 1

    When I saw the headline, my first thought was "I could probably do this pretty quickly on a Linux machine in Python."

    Then I read the summary.

  16. Windows USB log tool by Anonymous Coward · · Score: 2, Informative

    http://www.nirsoft.net/utils/usb_log_view.html

  17. Race condition! by jenningsthecat · · Score: 1

    Which one wins the race? The USB kill stick as it does its powerful best to fry your MoBo, or the Python code trying to send out a network message before some critical component coughs up smoke? My money's on the kill stick.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
  18. Slaker News?! Orange?! Without permission?! by CustomSolvers2 · · Score: 1

    I came here to read about suicides, death threats, people linking to some research about the pros/cons of a green-to-orange transition in nerd communities, etc. And then I realised what today's date was and well... nice one, Slashdot! The doomsday-like alternative would have been much funnier though.

    --
    Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
    1. Re:Slaker News?! Orange?! Without permission?! by CustomSolvers2 · · Score: 1

      Clarification for those with problems understanding context, intention, sarcasm and/or over-3-word ideas: sorry for not having included a closing smiley or LOL in my previous comment to help you understand that I was joking. How could you know it otherwise, right? Because you think that there are lots of people doing really weird things just for a change of name/colour, because Slashdot is exactly the kind of place where these people go and because I would enjoy witnessing such idiocy? (-> is all this more logical than me joking?! Don't you think that there has to be something really wrong with someone coming to such a nonsensical conclusion? I do).

      --
      Custom Solvers 2.0 = Alvaro Carballo Garcia = varocarbas.
  19. Easily Thwarted by Anonymous Coward · · Score: 0

    Just unplug the network and this utility is no longer useful.

    This fact doesn't make the utility worthless... only much less effective against someone who is actually thinking about an attack rather than your roommate who just wants to see what kind of porno you are into.

    What we really need is a BIOS that will perform an immediate power-off (not "shutdown") if a device is plugged-in during sleep mode, or any other time when the device needs to be "secure."

  20. Not a problem on the MacBook Pro by Anonymous Coward · · Score: 0

    I have a new MacBook Pro, so I don't have to worry about people messing with the USB ports because there isn't anything available that works with them.

  21. I had a great joke by SCVonSteroids · · Score: 1

    The joke should be pretty obvious though, just read the headline and replace a few words.

    Sorry I just don't want to lose my job or get in any trouble :)

    --
    I tend to rant.