When USB came out I was working in the defence sector. We closed the vector off with cages for the PCs with tied looms under desks, epoxy in all the holes we didn’t want people to use and with threat of being in deep shit.
When I was frequently using things like this on coworkers in red teaming (back when being in an office was a thing) putting my own desktop in a steel cage with a good lock proved effective against retaliation.
Then we moved on to attacking the firmware in each others keyboards.
Since this has generated some discussion on locks and picking, there's been some interesting developments on "unpickable locks" that sidestep the tolerance problem by decoupling setting the pins from testing them. I.e. pins are tested all at once after they are physically decoupled from the key & keyway, eliminating state space reduction attacks (aka picking one pin at a time) leaving only brute force.
One such effort features locks made by Stuff Made Here sent to Lock Picking Lawyer. According to LPL the locks are theoretically sound and he did not attempt to pick them, but these particular implementations had a couple (easily fixable) bypasses. Made for interesting videos on both sides:
Whelp it seems I recalled incorrectly this time, because LPL did pick the second one open, via a weakness in the design that he believes can be patched. I don't think my sentiment was totally off base, but clearly my statement about not being picked was factually incorrect.
I once saw a PC security case where instead of the lock cylinder retracting a bolt, it turned a screw thread and opened the case by about half a millimeter. It took the guy unlocking it a good fifty turns to get the PC out of it.
And there were two - one on each side. What's more, it was a tubular lock, so if you were single-pin picking you'd have to pick it 5 times per rotation.
Nothing that would stand up to a battery powered angle grinder, of course.
Tubular locks are trivial to pick and the lock turning the screw mentioned above would be just as simple with a tubular pick as with the original key.
Unfortunately, there aren't really all that many "good locks" on the market. The Lock Picking Lawyer on YouTube[1] has pretty much destroyed my faith in the modern lockmaking industry.
He can defeat just about anything, but he’s also exceptionally skilled. As a consumer of locks, I expect them to be defeatable by a skilled lockpicker. But I don’t expect them to be defeatable by a bic pen or by reaching in the keyhole with an oddly shaped wire to move the locking pawl.
You can buy locks that don’t have easy bypasses, and can’t be easily drilled, and can’t be picked by beginners.
You can also buy locks that can't be picked by people like me who have been at it 20 years.
To keep people like me out for a while buy a Medeco. Pins not only need to be at the right height, but also the right rotation. They are a real pain in the ass to pick. I don't even know any locksmiths that can pick them. Good security for the money.
Bosnian Bill and LPL... Okay they can pick them, but they are like the 0.0001% in skill.
Still even then pay an extra $100 for really high quality disk detainer lock like a Protec 2 and you will keep even them out for quite a while.
That is what I use on my luggage. TSA has to call me to unlock them with my consent every time. The way I like it. Great tip I picked up from Deviant Ollam.
I have hundreds of locks and lock bypass tools. I make sure to pay for ones that are not quickly defeated when it counts.
LPL covers most locks in the wild which are bad, but locks like the Protec2 are quite strong and while it is implied one person in the world can beat it with custom tools (huxleypig)... even then not quickly.
Some of the best locks are very very hard to buy as well and still protected with weird export controls held over from the encryption export days.
I frequently use FF-L-2740 spec locks, which is the spec locks need to hit for use in classified government work, military contractors etc. They are very good locks I can't begin to defeat in any practical amount of time and don't know anyone who can. Particularly since they have timed brute force lockouts.
Problem is not a single vendor is allowed to sell locks of that spec to civilians by contract so you have to jump through lots of hoops to get them.
For most uses of a lock its job is to keep honest people out.
I have had doors kicked in, so these days I want the lock to be the weakest, not strongest, part of the door. So when it is kicked in it is a cheap lock that is destroyed not an expensive hardwood door (I like hardwood doors...)
> there aren't really all that many "good locks" on the market.
You can say that again.
I was once proud of myself for having thoroughly researched the market and I thought EVVA MCS was a safe bet[1].
Then someone showed me a YouTube video (published a year after I bought the locks) of someone picking it (not LPL, another YouTuber). Given the cost of EVVA MCS I was not a happy bunny.
but check out this one instead: https://youtu.be/sES_Hbj92BQ - ~2h to open fully (though the author of the video claims impressioning could speed up the thing; anyway, reportedly attacking the door is just easier in this case)
Guy who made the video here.
The lock mechanism itself isn't one of the easiest, but also not one of the hardest to pick skill-wise. However, it does take a very long time to pick through which means that the lock is doing its job very well. Also, I have read that this lock is very resistant to destructive attack as well. So combining pick resistance with physical resistance, you have a very good lock as long as it's installed on a good door and the building has all other security measures in place (no ground level unprotected windows, etc)
The lock doesn't even need to be that good. As you said, the name of the game is intrusion detection, not necessarily intrusion avoidance.
The Lock Picking Lawyer chronicled very nicely a technique for turning a KW1-keyed Kwikset core (extremely common here in the US) into something that is tamper evident. See the YouTube video linked herein.
I’m into locksport as well and would favor that kind of modification on a back door which is more likely to be targeted by thieves. Not sure I’d do it on a front door in case a family member actually locked themselves out and actually needed a locksmith to be able to get in.
When I had towers or pizza boxes I pretty much never touched them once it became normal to leave them on all the time, which was as soon as they were always downloading from the internet at 3.3 kbps.
If the case was locked in a cage I wouldn’t notice until I needed to access the tower to plug in a USB, which might not be for weeks these days.
Being in an office is definitely still a thing. Let's be real, vaccinated adults working from home is a privilege. Mostly a white upper middle class one. Always was.
My school had a way to keep peripherals from wandering off, but if all you need to do is swap the cables then I’m not sure that would still work. Wrapping the cables into a wiring loom makes that process slower, assuming the loom is complicated enough. Did you ever use heat shrink? Or locking cable ties?
What the school did was run a steel cable behind the desks, then put a loop of the mouse cord through a steel washer and ran the security cable through all the loops. If you secure both ends you can’t get the cables separated even with slack.
The trick is that the hole in the washer had to be smaller than the connector so you couldn’t fish it back through no matter how much slack you get. That could still work for USB-A, but these days the connectors are getting smaller than the diameter of curvature of the cable, so you’d break it trying to do this. And on many peripherals you could destroy the cord without reducing the value of the device. One could cut the cable and install this Trojan one on many devices these days, the only telltale would be that the cable isn’t routed properly, which might be harder to notice immediately.
My anecdote was a bit old and I’m certain some of those devices had soldered cables, meaning that a sheared wire couldn’t be handled by buying a new cord or combining parts of two mice. Because I specifically looked for that a few times with no luck.
But they’re right, these days when you crack open things you often find a connector soldered to the motherboard and the cable is merely plugged in. I think it’s just easier to manufacture. Pick and place, bulk solder and then a machine to plug in the cable, fast as you like, maybe with a loop in it as a poor man’s strain protector.
> meaning that a sheared wire couldn't be handled by [...] combining parts of two mice.
Well, if you're stealing them, you only need parts from one mouse: cut the cable close to the mouse, untangle it from whatever crap it's locked to, take mouse and cable home with you, disassemble mouse, feed cable back through (I think it's called) grommet, strip cable, pick out wires, solder wires to appropriate mouse internals, reassemble mouse, done. You have a working mouse with only slightly shorter cable than before.
The point of using soldered cables for security is that setting up a soldering iron near a computer is conspicuous, so you get caught if you try to install an ATtiny85 inside the mouse that way. You can still steal stuff just fine.
Yeah just intentionally drill the head so those screws are not coming out again without power tools which should be obvious in the open where they are deployed.
All the cables were terminated inside the box and strapped every 1 inch with cable ties. Nothing was exposed that could be disconnected other than the monitor IEC lead.
I specifically don't recommend laptops that rely on USB C charging for applications where trust is critical -unless- they are running Linux with USBGuard or QubesOS.
That said I did make transparent and easily auditable USB type C condoms for one client that really wanted to use USB type C laptops.
Systems with security as a strong priority like the Librem 14 use barrel jacks for good reason.
I am in fact implying those that allow use of macbooks at coffee shops to directly access production systems at FAANG and fintech companies are taking a very inappropriate risk :-P
USB C charging happens well below the OS layer, using firmware that often isn't all that good. USBGuard or QubesOS won't help there (but will somewhat mitigate attacks trying to move up the stack)
The problem is not the charging. The problem is that a fake charger cable can run an HID attack over the +/- pins before it does a pass through to the power negotiation MCU for charging.
A tampered USB C to C cable on a conference room table can compromise people all day long.
If the USB C charge ports cut the data pins entirely then great, but I have not seen that be the case on any laptops yet.
> Windows and Mac users are currently easy targets.
Not true, at least for iPhone / iPad users:
- 1. Download Apple Configurator (free to anyone)
- 2. Create new config profile
- 3. Setup your device in "supervised" mode and apply said profile (the reason for this step is that the "best" config profile options are only available in supervised mode).
Config profile items of interest include, but may not be limited to:
- "Allow USB accessories while device is locked"
- "Allow pairing with non-configurator hosts"
- "Allow putting into recovery mode from an unpaired device"
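The three Configurator checkboxes above correspond to keys in the Restrictions payload (PayloadType com.apple.applicationaccess) that a .mobileconfig carries. As an added example, not from the thread or from Apple, here is a Python script that builds such a profile with the standard library's plistlib and then audits an existing profile for the USB-related items that are left open. The key names (allowUSBRestrictedMode, allowHostPairing, allowUnpairedExternalBootToRecovery) are my reading of Apple's Restrictions payload reference and should be checked against the current version before use; the identifiers and UUIDs are placeholders, and the keys only take effect on a supervised device.

```python
"""Build and audit an iOS/iPadOS Restrictions profile for the USB-related keys.
Added example, not Apple's or the thread's code.  Key names are assumed from
Apple's Restrictions payload reference; identifiers and UUIDs are placeholders.
"""
import plistlib

PLACEHOLDER_UUID_TOP = "00000000-0000-4000-8000-000000000001"
PLACEHOLDER_UUID_RESTRICTIONS = "00000000-0000-4000-8000-000000000002"

# Assumed mapping from the Configurator checkboxes to payload keys, and the
# value each must hold for the hardened state described in the comment above:
#   "Allow USB accessories while device is locked"            -> allowUSBRestrictedMode must be True
#   "Allow pairing with non-Configurator hosts"               -> allowHostPairing must be False
#   "Allow putting into recovery mode from an unpaired device" -> allowUnpairedExternalBootToRecovery must be False
HARDENED = {
    "allowUSBRestrictedMode": True,
    "allowHostPairing": False,
    "allowUnpairedExternalBootToRecovery": False,
}
# The opposite settings, i.e. what an unmanaged or permissive profile amounts to.
PERMISSIVE = {k: (not v) for k, v in HARDENED.items()}


def build_profile(restrictions, identifier="example.usb-hardening"):
    """Return the profile as a plain dict in the Configuration Profile structure."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",   # Restrictions payload
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": PLACEHOLDER_UUID_RESTRICTIONS,
        "PayloadDisplayName": "USB hardening restrictions",
    }
    payload.update(restrictions)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": PLACEHOLDER_UUID_TOP,
        "PayloadDisplayName": "USB hardening",
        "PayloadContent": [payload],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist bytes that a .mobileconfig file contains."""
    return plistlib.dumps(profile)


def usb_exposures(profile_bytes):
    """Parse a .mobileconfig and return the hardened keys it does not enforce.
    A key that is absent counts as open: the profile then says nothing about it
    and the device's own default or user setting decides."""
    profile = plistlib.loads(profile_bytes)
    open_keys = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key, wanted in HARDENED.items():
            if payload.get(key) is not wanted:
                open_keys.append(key)
    return sorted(open_keys)


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile(HARDENED))
    print(blob.decode())
    print("open items in hardened profile:", usb_exposures(blob))
    print("open items in permissive profile:",
          usb_exposures(to_mobileconfig(build_profile(PERMISSIVE))))
```

Write the bytes from to_mobileconfig() to a .mobileconfig file and apply it through Configurator to a supervised device; the audit function is the useful half, since it can be pointed at profiles exported from an existing MDM to check that the three keys are actually set rather than assumed.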
With growing car theft in the US I've been curious about implanting GPS trackers on my own older enthusiast vehicles. There appears to be many options on Amazon but I can't bring myself to trust any of them. Has anyone here gone down that road before?
I would only do this if you either know the police will help retrieve your car if you have the location, or if you are ready to engage the robbers yourself. Otherwise it's useless to know where it is.
I have experience trying to get the cops to help in Oakland and San Jose and they really didn't want to.
A lot of the cellular gps trackers have ignition kill capability, where you can send it a specific sms message and it’ll pull a wire to ground or open circuit a pair of wires, which you can use to remotely kill the engine.
A friend of mine got a motorcycle back by watching its movements via the gps tracking, and killing the engine while the guy was riding in a safe-ish and high visibility place, so the thief just parked it and walked away.
IANAL, but I think in California as long as you don't use excessive force it's ok, but yeah if you kill the engine at a high speed or if you get unlucky and the thief gets seriously injured then you will get in trouble if they want to go after you.
Tbf Oakland is a low bar (as well as SF). Here just 15 mi down the road they investigated and arrested a credit card thief who stole my wife’s card and I didn’t even ask for it. They also regularly capture cat converter thieves with sting operations. Overall I’ve been quite impressed with San Mateo PD
We were also surprised by the Oakland thing, as I know they helped with petty crime where the damage was less than a full blown stolen car. It was not a very shady area and it was in their jurisdiction. I heard it's not that uncommon, and a SFPD officer told us that it's probably because we said the robbers were armed and they just don't get involved with that.
The car got recovered by an asset management crew though and it went smoothly AFAIK.
If you want to DIY it, check out Ray Ozzie's recent project featured here on HN recently. Very reasonably priced with one up front payment for (10 ?) years of connectivity
Here are some articles and projects where we show how to do Asset Tracking. One article is about an Iceland trip, the other is about building out a GPS tracker, complete with data dashboards.
This feels like a dumb question, but I can't find dimensions of the Notecard anywhere and I can't quite judge the scale from the pictures. How big is it?
Keep in mind that’s the card with a M.2 edge connector on one end. Mostly you’d be plugging that into something, at least to hook up the power/data lines. They sell “Note Carriers” for that, which end up making the combo bigger than that.
Here’s a pic of the note card plugged into their Raspberry Pi note carrier. That’s a standard 40 pin 0.1” spacing connector on the left, so it’s 2” plus the mounting holes in that dimension. 65x57mm and about 20mm tall for the stackable 40 pin socket+pins.
I think the airtag might actually alert them that they are being tracked - the anti-stalker features built into the network will alert an iPhone user when an airtag they don't own is in the vicinity while moving and changing locations.
If the air tag is sufficiently hidden, perhaps this is a feature and not a bug. Maybe this will make them stop the car and leave it, which sounds like a win to me.
They will get a warning saying there is an air tag travelling with them.
I have this problem. We have an air tag on one of my kids shoes when we are out, and whenever I’m not with them, my partner gets spammed with warnings on her phone saying there is an unknown air tag travelling with her.
Tracking a kid at an amusement park, presumably a quite young one, is entirely fine IMO. I remember when I was 4 or so, I waited until my parents weren't looking to sneak off and go play with a toy in the gift shop my parents didn't let me see earlier in the day. I just about gave them a heart attack.
Yeah it is important to know where your kids are. I go with "pay attention".
I guess there are going to be scenarios where tracking could help and maybe even allow the kids freedom to roam within a large zone - the back paddock of a farm say - while still allowing parents to find them.
Some people have more children than adults. “Pay attention” is the default state but it’s not always possible to pay complete attention to both children and everything else, every moment of every day.
I really think you’re holding parents to an unreasonably high standard. The punishment for a moments lapse in not paying attention shouldn’t be a missing 4 year old.
We use this when we are at amusement parks, museums or in the city.
We also have a piece of white tape, with our phone number, on the kids so that if they get lost, and someone finds them, they can call us up.
A lot of people have the opportunity to interact with your (unattended) car or your belongings in situations where they couldn't harm you without taking a substantial risk. Imagine a person you interact with at a bar who drops an AirTag in your purse while you are briefly distracted.
Odd, this got me wondering, and I can’t find any reliable statistics that show a rise in car thefts. Everything I see shows a pretty steady decline over the past 30 years in spite of an increasing number of cars on the road.
Depending on how old the enthusiast vehicles are, they probably don't have an OBD-II port (or possibly any port at all). None of mine do, up to the mid 90s.
Which is usually quite easy to check. It's not a guarantee, but with someone sophisticated enough to crack a modern car there's a good possibility they know to check the OBDII slot.
It might be an interesting project to build your own in this case.
If you want to trust them I would have as much redundancy as you are comfortable paying for i.e. the software in these products is often dogshit so one failure or bug shouldn't let your car end in a scrap merchant.
It's not that it chirps, it's that any iPhone being tracked by an AirTag for an extended amount of time will inform its owner that it is being tracked.
It’s not really practical to defend against for most end users.
Keeping a whitelist of known keyboards and mice is really the only defence even on Linux, and unless you work in a data centre that’s probably way overkill.
With a home PC that doesn’t really work though, because in order to authenticate your mouse without some kind of central mouse log on a server you probably need to click a button, which you can’t do without authenticating your mouse.
As an attacker I just have the bootloaders of my malicious devices advertise the USB IDs of whitelisted devices like Apple Keyboards.
The computer has no way of knowing it is not authentic. There is no signing or certification for USB devices.
The only solution is a kernel that can place all newly attached USB devices in a queue for manual approval.
This is what USBGuard and QubesOS both do. The Linux kernel and udev have native support to hook USB devices early making this easy.
It means no one can drive by, plug something in when your computer is locked. You will get a popup asking if you want to give some device other than the keyboard you booted with access to behave as a keyboard.
Also the majority of attacks I have seen in the wild attacking production systems were via endpoint compromises.
If your laptop has remote access to said high value datacenter, then your laptop is a high value target.
Note though that laptops have a nice advantage for this threat model as most have built in PS/2 trackpad and mouse which can let you approve external keyboards/mice etc.
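The exchange above makes two points worth seeing side by side: a VID:PID allowlist is defeated by a device that simply advertises the allowed IDs, and a rule that also pins the serial and the exact interface set raises the bar but is still satisfied by a full clone, which is why the remaining control is a default-block policy with interactive approval. The following is an added example (not USBGuard's code and not from the thread): a toy policy evaluator in Python with the same allow/block, first-match semantics and an implicit default, run over constructed device descriptors. Apple's vendor ID 05ac is real; the product ID 1234, the serials, and the other vendor/product IDs are placeholders. The to_usbguard() rendering follows my reading of USBGuard's rule language and should be checked against usbguard-rules.conf(5) before anything is pasted into a live rules file.

```python
"""Toy USB policy evaluator modelling allowlist-style rules.  Added example;
not USBGuard's implementation.  Vendor ID 05ac is Apple's; every other ID and
serial below is a placeholder.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Interface = Tuple[str, str, str]  # (class, subclass, protocol) as two-digit hex strings

HID_KEYBOARD: Interface = ("03", "01", "01")   # HID, boot interface subclass, keyboard
MASS_STORAGE: Interface = ("08", "06", "50")   # mass storage, SCSI transparent, bulk-only


@dataclass(frozen=True)
class UsbDevice:
    vid: str
    pid: str
    serial: str
    interfaces: FrozenSet[Interface]


@dataclass(frozen=True)
class Rule:
    action: str                                        # "allow" or "block"
    vid: Optional[str] = None
    pid: Optional[str] = None
    serial: Optional[str] = None
    interfaces: Optional[FrozenSet[Interface]] = None  # if set, device's interface set must equal it

    def matches(self, dev: UsbDevice) -> bool:
        return ((self.vid is None or dev.vid == self.vid)
                and (self.pid is None or dev.pid == self.pid)
                and (self.serial is None or dev.serial == self.serial)
                and (self.interfaces is None or dev.interfaces == self.interfaces))

    def to_usbguard(self) -> str:
        """Render in (my reading of) USBGuard's rule syntax; verify against usbguard-rules.conf(5)."""
        parts = [self.action]
        if self.vid and self.pid:
            parts.append(f"id {self.vid}:{self.pid}")
        if self.serial:
            parts.append(f'serial "{self.serial}"')
        if self.interfaces is not None:
            ifs = " ".join(":".join(i) for i in sorted(self.interfaces))
            parts.append(f"with-interface equals {{ {ifs} }}")
        return " ".join(parts)


def evaluate(dev: UsbDevice, rules, default: str = "block") -> str:
    """First matching rule wins; unmatched devices get the default (the implicit policy)."""
    for rule in rules:
        if rule.matches(dev):
            return rule.action
    return default


# Constructed descriptors.  The "spoofed composite" is the cable described in the
# thread: it enumerates with the keyboard's IDs but adds a storage interface.
REAL_KBD = UsbDevice("05ac", "1234", "KBD-SERIAL-1", frozenset({HID_KEYBOARD}))
SPOOFED_COMPOSITE = UsbDevice("05ac", "1234", "CABLE-0001", frozenset({HID_KEYBOARD, MASS_STORAGE}))
PERFECT_CLONE = UsbDevice("05ac", "1234", "KBD-SERIAL-1", frozenset({HID_KEYBOARD}))
UNKNOWN_STICK = UsbDevice("1111", "2222", "STICK-9", frozenset({MASS_STORAGE}))
DEVICES = {"real keyboard": REAL_KBD, "spoofed composite": SPOOFED_COMPOSITE,
           "perfect clone": PERFECT_CLONE, "unknown stick": UNKNOWN_STICK}

# Rule set A: the naive allowlist the attacker in the thread defeats.
ID_ONLY = [Rule("allow", vid="05ac", pid="1234")]
# Rule set B: pins serial and the exact interface set as well.
STRICT = [Rule("allow", vid="05ac", pid="1234", serial="KBD-SERIAL-1",
               interfaces=frozenset({HID_KEYBOARD}))]


def decisions(rules):
    return {name: evaluate(dev, rules) for name, dev in DEVICES.items()}


if __name__ == "__main__":
    for label, rules in (("id-only", ID_ONLY), ("strict", STRICT)):
        print(label, [r.to_usbguard() for r in rules])
        for name, verdict in decisions(rules).items():
            print(f"  {name:18} -> {verdict}")
```

The run shows the asymmetry the comment describes: the spoofed composite device is allowed by the ID-only rule and blocked by the strict one, but the perfect clone passes both, since nothing in a descriptor is authenticated. Rules reduce how much noise reaches the user; the approval prompt at attach time, and checking what is attached at boot, are what actually cover the clone.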
> It means no one can drive by, plug something in when your computer is locked. You will get a popup asking if you want to give some device other than the keyboard you booted with access to behave as a keyboard.
Makes me think, what would happen if I plugged this cable, unplugged the keyboard, and power-cycled the computer? Or do a hard power down, then the switcheroo, and then power up? Would USBGuard/QubesOS block the new device, even though it's the one it just booted with?
(I think finding your computer rebooted would fly under the radar of most of the users - they'd blame it on automatic updates or intermittent power failure.)
On that note, I wonder how small you could go with a MITM device to attach between victim's peripheral and their computer. Could you pack enough useful features in a dongle that would not be immediately noticeable by most users?
If you rebooted my computer you would be greeted with a full disk decryption prompt which requires a smartcard and a pin to unlock.
It won't go unnoticed.
If your computer can reboot itself for updates that should be a cause for concern as it means your FDE is being cached somewhere that can use it unattended. I don't allow such things personally.
You do have to check for any untrusted USB devices at boot on a desktop. No getting around that one as you need to be able to use input devices at boot. Best bet is a PS/2 keyboard but those are getting harder to find.
For a laptop you have a better story as you can trust the internal PS/2 keyboard/mouse then use that to approve USB things fresh as needed and dictate what applications they get access to.
I connect my USB webcam to the one VM that needs it on demand, for instance.
Assuming you're using LUKS with device mapper, this reboot could be a plain kexec, and the raw disk key can be placed in a pre-defined location in RAM, like how the dmesg buffer is something set up to be persistent, for recovering information from right before a crash, even if only via an automated log push daemon.
Of course the reboot itself will be noticed when the user gets back - whether it's the login prompt, or boot prompt, or just all applications being closed. I meant it might not be noticed as something unusual, warranting further investigation. Typical user, even tech-savvy one, will just think, "must have been a power glitch", or "damn, those updates forced a reboot again".
The latter is something Windows users are conditioned for. Coming back from the toilet to be faced by a fresh login prompt is common enough even in the age of Windows 10 - and especially when the laptop is controlled by your employer, as IT tends to force a stricter schedule on updates[0]. In my case, this happens 1-2 times a week. While I'm working from home this doesn't matter, but if I were back in the office and came back from lunch to a rebooted computer, I would've assumed it was updates again.
> You do have to check for any untrusted USB devices at boot on a desktop. No getting around that one as you need to be able to use input devices at boot.
Makes sense, thanks for clarifying. I was assuming at least some of these solutions are trying to eliminate this requirement, but ultimately it may not be possible.
(Or perhaps it would be, if USB had something like HDCP so that you couldn't construct a dongle that could be transparently inserted between the computer and the peripheral.)
> For a laptop you have a better story
Right. Also, in case of attacker forcing reboot, they can't rely on users assuming it was a power glitch because laptops have batteries.
> I connect my USB webcam to the one VM that needs it on demand, for instance.
I need to read more about such setups, where you compartmentalize your system with VMs. Is there any good primer you could recommend?
--
[0] - I'm increasingly convinced Windows 10 update system is evil, and does this on purpose. It just so happens that it always forces an update and reboot on my work machine whenever I step away from it for more than 10 minutes. It's like it was monitoring idle time, and thinking "ooh, the user is away, let's reboot the machine and lose all the state". I also recently had to switch Lenovo updater malware to manual, because it kept choosing the exact middle of our weekly team meeting as the time to forcibly update video drivers, blanking my screen for anywhere between 2 and 20 minutes.
>The only solution is a kernel that can place all newly attached USB devices in a queue for manual approval.
Would it recognize the newly attached one, if you do the swap while the computer is turned off and they have the same HW ID?
Because if not, then it's not much better than what Windows lets you do with group policies. Although on Windows you could do this swap even while the OS is running.
Apple claims they're "secure by design" when clearly they're not.[1] I don't think they're explicitly cooperating with any Government, I just think they have enough disgruntled employees who cooperate with the Government and companies that sell penetration software to put in back doors and enable exploits.
There's much less discontent among the rank-and-file at Microsoft, so this sort of thing happens less with them.
Read the reviews on the GPS tracking charger... either the people who bought it couldn't figure out how to use it, or it's another scam product from China we see flooding Amazon.
"HID commands" are a big thing given sufficient automation. You can execute arbitrary code with just HID commands either by typing everything in, or by having the cable present a storage device from which to get data and using HID commands to enable the storage device, fetch and execute it.
USB has been littered with bugs. I never got why this didn't get more news coverage but at least it was possible to read memory from USB. Personally for me it's also a reason that I switched to USB-C that there are less people around with USB-C cables.
You can actually do quite a lot with it, in terms of getting data and dropping various payloads:
There is also an editor and parser for Duckyscript – the scripting language used by the Rubber Ducky offensive USB drive – which acts as a virtual keyboard and launches keystroke injection attacks. That alone opens up a wide array of custom payloads for the O.MG cable. There also appear to be attack payloads for Windows and Ubuntu systems.
In April 2019, when the video was released, MG and the team of hackers working on the embedded cable were also developing extra functions such as detecting user activity/inactivity. According to the Hak5 listing, they also appear to have cracked another key problem: USB enumeration.
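Since the cable enumerates as a keyboard with whatever IDs it likes, device identity is not a usable detection signal; what a keystroke-injection payload cannot hide is its timing. As an added example (not from the thread, Hak5 or the O.MG project), here is a small detector in Python that reads evdev-style key event lines, groups presses per input device, and flags any device whose median inter-keystroke gap over a window of presses is far below what a human produces. The log format, the device names and the event data are all constructed for this example; 05ac is Apple's vendor ID, the product ID 1234 is a placeholder.

```python
"""Keystroke-injection detector over constructed key event lines.  Added
example, not from the thread.  Line format is invented for the example:
    "<epoch.secs> <device> KEY_<name> <press|release>"
"""
import re
import statistics
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\d+\.\d+) (?P<dev>\S+) KEY_(?P<key>\w+) (?P<state>press|release)$")


def parse_presses(lines):
    """Return (timestamp, device) for each key press; releases and malformed lines are skipped."""
    presses = []
    for line in lines:
        m = LINE.match(line.strip())
        if m and m.group("state") == "press":
            presses.append((float(m.group("ts")), m.group("dev")))
    return presses


def suspicious_devices(lines, window=20, max_median_ms=25.0):
    """Slide a window of `window` presses per device.  If the median gap between
    consecutive presses in any window is <= max_median_ms, flag the device.
    Humans rarely sustain a median under ~60 ms; injected scripts run at a few ms.
    Returns {device: (timestamp of first press in the flagged window, median_gap_ms)}."""
    by_dev = defaultdict(list)
    for ts, dev in parse_presses(lines):
        by_dev[dev].append(ts)
    flagged = {}
    for dev, times in by_dev.items():
        times.sort()
        for i in range(0, len(times) - window + 1):
            w = times[i:i + window]
            gaps_ms = [(b - a) * 1000.0 for a, b in zip(w, w[1:])]
            median = statistics.median(gaps_ms)
            if median <= max_median_ms:
                flagged[dev] = (w[0], median)
                break
    return flagged


def make_sample_log():
    """Constructed sample, not a real capture: a human typing on the built-in
    keyboard with 90-200 ms gaps, then a device with cloned Apple IDs typing a
    payload at 4 ms per key (placeholder PID 1234)."""
    lines = []
    t = 1700000000.0
    human_gaps = [0.09, 0.14, 0.11, 0.20]
    for i in range(30):
        t += human_gaps[i % len(human_gaps)]
        lines.append(f"{t:.4f} kbd-internal KEY_A press")
        lines.append(f"{t + 0.05:.4f} kbd-internal KEY_A release")
    t += 2.0  # the cable waits, then starts typing
    for _ in range(40):
        t += 0.004
        lines.append(f"{t:.4f} usb-05ac:1234 KEY_A press")
        lines.append(f"{t + 0.002:.4f} usb-05ac:1234 KEY_A release")
    return lines


if __name__ == "__main__":
    for dev, (start, median) in suspicious_devices(make_sample_log()).items():
        print(f"{dev}: injection-speed typing from {start:.3f}, median gap {median:.1f} ms")
```

In practice the lines would come from an evdev tap (e.g. a small reader on /dev/input/event*) or an endpoint agent; the threshold and window are tunable, and the same approach works against a perfect ID clone, which the allowlisting discussed elsewhere in the thread does not. A payload that pads every keystroke with human-like DELAYs slips under this check, so it is a signal to correlate with a fresh enumeration, not a standalone control.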
You need to explicitly mount (in your ChromeOS settings) any USB devices to the Linux system. Other than that I'm not aware of any specific mitigations.
So if I plug in a usb keyboard or mouse, they do not work until I activate them in settings? Sounds like an easy way for grandma to buy Dell over Google
C-to-C charger cables with Bluetooth remote activated dual payloads: https://sneaktechnology.com/product/usbninja-custom-type-c-t...
I easily modified mine to mimic Apple Keyboard USB IDs to avoid notifications. Works great!
Cellular GPS tracking car charger: https://www.amazon.com/Charger-Locator-Professional-Listenin...
Cellular GPS tracking USB charger cable: https://www.ebay.com/itm/223990414124
I have been making, collecting, and testing toys like this for more than a decade.
It is a race to the bottom on price now.
Your best defense for USB code execution attacks is use Linux with USBGuard or QubesOS with the default USB quarantine VM.
Windows and Mac users are currently easy targets. I don't know of any good defenses there.