[Image: A USBKill installation in Linux]

| USBKill | |
|---|---|
| Developer(s) | Hephaest0s |
| Stable release | 1.0-rc4 / January 18, 2016 |
| Repository | |
| Written in | Python |
| Operating system | BSD, Linux, macOS, other Unix-like systems |
| Size | 15.6 KB |
| Type | Anti-forensic |
| License | GNU General Public License |
| Website | github |
USBKill is anti-forensic software distributed via GitHub, written in Python for the BSD, Linux, and OS X operating systems. It is designed to serve as a kill switch if the computer on which it is installed should fall under the control of individuals or entities against the desires of the owner.[1] It is free software, available under the GNU General Public License.[2]
The program's developer, who goes by the online name Hephaest0s, created it in response to the circumstances of the arrest of Silk Road founder Ross Ulbricht, during which U.S. federal agents were able to get access to incriminating evidence on his laptop without needing his cooperation by copying data from its flash drive after distracting him.[3] It maintains a whitelist of devices allowed to connect to the computer's USB ports; if a device not on that whitelist connects, it can take actions ranging from merely returning to the lock screen to encrypting the hard drive, or wiping all data on the computer. However, it can also be used as part of a computer security regimen to prevent the surreptitious installation of malware or spyware or the clandestine duplication of files, according to its creator.[4]
When law enforcement agencies began making computer crime arrests in the 1990s, they would often ask judges for no-knock search warrants, to deny their targets time to delete incriminating evidence from computers or storage media. In more extreme circumstances where it was likely that the targets could get advance notice of arriving police, judges would grant "power-off" warrants, allowing utilities to turn off the electricity to the location of the raid shortly beforehand, further forestalling any efforts to destroy evidence before it could be seized. These methods were effective against criminals who produced and distributed pirated software and movies, which was the primary large-scale computer crime of the era.[1]
By the 2010s, the circumstances of computer crime had changed along with legitimate computer use. Criminals were more likely to use the Internet to facilitate their crimes, so they needed to remain online most of the time. To do so, and still keep their activities discreet, they used computer security features like lock screens and password protection.[1]
For those reasons, law enforcement now attempts to apprehend suspected cybercriminals with their computers on and in use, with all accounts both on the computer and online open and logged in, and thus easily searchable.[1] If they fail to seize the computer in that condition, there are some methods available to bypass password protection, but these may take more time than police have available. It might be legally impossible to compel the suspect to relinquish their password; in the United States, where many computer-crime investigations take place, courts have distinguished between forcing a suspect to use material means of protecting data, such as a thumbprint, retinal scan, or key, as opposed to a password or passcode, which is purely the product of the suspect's mental processes and is thus protected from compelled disclosure by the Fifth Amendment.[5]
The usual technique for authorities—either public entities such as law enforcement or private organizations like companies—seizing a computer (usually a laptop) that they believe is being used improperly is first to physically separate the suspect user from the computer enough that they cannot touch it, to prevent them from closing its lid, unplugging it, or typing a command. Once they have done so, they often install a device in the USB port that spoofs minor actions of a mouse, touchpad, or keyboard, preventing the computer from going into sleep mode, from which it would usually return to a lock screen that would require a password.[6]
Agents with the U.S. Federal Bureau of Investigation (FBI) investigating Ross Ulbricht, founder of the online black market Silk Road, learned that he often ran the site from his laptop, using the wireless networks available at branches of the San Francisco Public Library. When they had enough evidence to arrest him, they planned to catch him in the act of running Silk Road, with his computer on and logged in. They needed to ensure he was unable to trigger encryption or delete evidence when they did.[3]
In October 2013, a male and female agent pretended to have a lovers' quarrel near where Ulbricht was working at the Glen Park branch. According to Business Insider, Ulbricht was distracted and got up to see what the problem was, whereupon the female agent grabbed his laptop while the male agent restrained Ulbricht. The female agent was then able to insert a flash drive into one of the laptop's USB ports, with software that copied key files.[3] According to Joshuah Bearman of Wired, a third agent grabbed the laptop while Ulbricht was distracted by the apparent lovers' fight and handed it to agent Tom Kiernan.[7]
In response to the circumstances of Ulbricht's arrest,[4] a programmer known as Hephaest0s developed the USBKill code in Python and uploaded it to GitHub in 2014. It is available as free software under the GNU General Public License and currently runs under both Linux and OS X.[4]
The program, when installed, prompts the user to create a whitelist of devices that are allowed to connect to the computer via its USB ports, which it checks at an adjustable sample rate. The user may also choose what actions the computer will take if it detects a USB device not on the whitelist (by default, it shuts down and erases data from the RAM and swap file). Users need to be logged in as root. Hephaest0s cautions users that they must be using at least partial disk encryption along with USBKill to fully prevent attackers from gaining access;[4] Gizmodo suggests using a virtual machine that will not be present when the computer reboots.[8]
It can also be used in reverse, with a whitelisted flash drive in the USB port attached to the user's wrist via a lanyard serving as a key. In this instance, if the flash drive is forcibly removed, the program will initiate the desired routines. "[It] is designed to do one thing," wrote Aaron Grothe in a short article on USBKill in 2600, "and it does it pretty well." As a further precaution, he suggests users rename it to something innocuous once they have loaded it on their computers, in case someone might be looking for it on a seized computer to disable it.[6]
In addition to its designed purpose, Hephaest0s suggests other uses unconnected to a user's desire to frustrate police and prosecutors. As part of a general security regimen, it could be used to prevent the surreptitious installation of malware or spyware on, or copying of files from, a protected computer. It is also recommended for general use as part of a robust security practice, even when there are no threats to be feared.[4]
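The two modes described in the preceding paragraphs, the whitelist check and the "lanyard" (key-removal) check, reduce to the same loop: sample the set of attached USB devices at a fixed rate, compare it with the whitelist, and hand any mismatch to an action of the user's choosing. The following Python sketch is an added example, not USBKill's own code. It assumes the vendor:product pair that `lsusb` prints as the device identity and a whitelist taken as a snapshot at start-up; neither detail is stated in the article. The `lsusb` lines used as input are constructed, and the response is a caller-supplied callback, so the reader decides what it does (lock the screen, write a log entry).

```python
"""Illustrative USB whitelist watchdog in the spirit of USBKill (added example).

Assumptions not stated in the article: matching is done on the vendor:product
pair from `lsusb`, and the whitelist is the set of devices present at start-up.
"""
import re
import subprocess
import time
from typing import Callable, Iterable, List, Optional, Set

# `lsusb` prints lines such as:
#   Bus 001 Device 003: ID 8087:0a2b Intel Corp.
# Only the vendor:product pair (lower-case hex) is kept.
LSUSB_ID_RE = re.compile(r"\bID ([0-9a-f]{4}:[0-9a-f]{4})\b")


def parse_lsusb(output: str) -> Set[str]:
    """Extract the set of vendor:product ids from lsusb-style text."""
    return set(LSUSB_ID_RE.findall(output))


def list_usb_ids() -> Set[str]:
    """Query the live system (Linux, needs lsusb in PATH); not used by the sample run."""
    proc = subprocess.run(["lsusb"], capture_output=True, text=True, check=True)
    return parse_lsusb(proc.stdout)


def evaluate(current: Iterable[str], whitelist: Iterable[str],
             required: Iterable[str] = ()) -> List[str]:
    """Return the reasons to trigger; an empty list means nothing is wrong.

    Two checks mirror the two modes in the article:
    * a present device that is not on the whitelist (the default mode), and
    * a required 'key' device that is no longer present (the lanyard mode).
    Caveat: vendor:product pairs are shared by every unit of one model, so two
    identical drives are indistinguishable here; a serial number is stronger.
    """
    cur, allowed, keys = set(current), set(whitelist), set(required)
    reasons = [f"unknown device {dev}" for dev in sorted(cur - allowed)]
    reasons += [f"key device {dev} removed" for dev in sorted(keys - cur)]
    return reasons


def watch(list_devices: Callable[[], Iterable[str]],
          whitelist: Iterable[str],
          required: Iterable[str],
          on_trigger: Callable[[List[str]], None],
          interval: float = 0.25,
          max_polls: Optional[int] = None) -> List[str]:
    """Poll list_devices() every `interval` seconds (the article's 'sample rate').

    On the first poll that yields reasons, call on_trigger(reasons) once and
    return them.  With max_polls set, stop after that many clean polls and
    return [] (handy for one-shot checks and for testing).
    """
    allowed, keys = set(whitelist), set(required)
    polls = 0
    while max_polls is None or polls < max_polls:
        reasons = evaluate(list_devices(), allowed, keys)
        if reasons:
            on_trigger(reasons)
            return reasons
        polls += 1
        time.sleep(interval)
    return []


# Constructed sample lsusb output (not captured from a real machine).
SAMPLE_BASELINE = """\
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 001 Device 002: ID 8087:0a2b Intel Corp.
"""
SAMPLE_WITH_NEW_DEVICE = SAMPLE_BASELINE + \
    "Bus 001 Device 005: ID 0781:5583 SanDisk Corp. Ultra Fit\n"


if __name__ == "__main__":
    # Whitelist = snapshot at start-up, built while only trusted devices are attached.
    whitelist = parse_lsusb(SAMPLE_BASELINE)
    # Simulate successive polls: first the baseline, then a new device appears.
    polls = iter([SAMPLE_BASELINE, SAMPLE_WITH_NEW_DEVICE])
    why = watch(lambda: parse_lsusb(next(polls)), whitelist, set(),
                on_trigger=lambda r: print("TRIGGER:", "; ".join(r)),
                interval=0)
    print(why)  # ['unknown device 0781:5583']
```

Detection alone needs no root privileges; only the chosen response may. Build the whitelist while nothing but trusted devices is attached, since anything present at snapshot time is silently trusted, and prefer a lock-screen or logging callback as the default response, escalating only where the threat model justifies it.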
With his 2600 article, Grothe shared a patch that included a feature allowing the program to shut down a network when a non-whitelisted USB device is inserted into any terminal.[6] Nate Brune, another programmer, created Silk Guardian, a version of USBKill that takes the form of a loadable kernel module; he "remade this project as a Linux kernel driver for fun and to learn."[9] In the issue of 2600 following Grothe's article, another writer, going by the name Jack D. Ripper, explained how Ninja OS, an operating system designed for live flash drives, handles the issue. It uses a memory-resident bash script as a watchdog timer: the script loops three times a second, checking whether the boot device (i.e., the flash drive) is still mounted, and reboots the computer if it is not.[10]