Schneier on Security
A blog covering security and security technology.
February 15, 2008
HotPlug allows you to seize and move a computer without losing power. (Video demos.) See also: MouseJiggler.
Posted on February 15, 2008 at 11:48 AM
A bit expensive at $500 but that's what patents are for. They act as a UPS but feed the power grid and power on when the grid is disconnected. They claim that usual UPSes aren't able to do that.
I like how two different versions of the MouseJiggler are available. Nope, couldn't implement that as a switch on the USB stick.
Interesting stuff from a forensics standpoint, particularly now that disk encryption is so cheap and easy.
So what if an amazingly clever person writes a 2-line script that asks for a password every hour (or time interval of your choice) and shuts down the computer if it is incorrect? Sure, it is a hassle while working, but if you are paranoid, it's worth it. Then they can jiggle the mouse as much as they please.
Reminds me of the Seinfeld episode where George finds the frogger machine with his old high score. They hire someone to help move it while keeping it powered.
Only to trip on the curb while crossing the street and having the machine hit by a truck.
Both of these would be defeated with some motion sensors installed inside the computer. One moment while I call my patent attorney...
The mouse jiggler also assumes/requires that the USB ports haven't been locked down.
My question would be the viability of either of these products if the user locks his workstation or logs out.
Depending on the sensitivity of the data on my screen and presence of strangers in the office, I set an appropriately short screen saver interval (which is, of course, password protected). Walking away always mandates my locking of the workstation.
If anyone is doing something that might be subject to forensic confiscation, I would suggest using one or more of the following:
* a multi-button mouse with user-programmable buttons
* a user-programmable keyboard.
The user would most likely program a lockdown function with a single click/button push. That way, your system could be locked quickly with only one free finger.
I don't think companies will start installing or allow software or hardware on their computers to defeat this system. This is not about theft but forensics on seized computers.
So now anyone who wants to protect their data just needs to add an anti-tamper power kill switch inside the computer case. If the case is moved or opened with the power on, off goes the power supply.
Keeping a lookout when logged in to a secured disk and pulling the plug if a TLA shows up would also work fairly well, subject to whatever technology is available to recover data from unpowered SDRAM.
Of course, there's still a lot to be said for the old standby of thermite over the HDD....
... which just means that it is a good idea for disc encryption software to lock the computer as soon as an additional HID is plugged in ... or take even more radical measures if this HID is completely unexpected or behaves strangely.
I wonder whether HotPlug is fast enough in switching off in the short-circuit that occurs when, at the moment of re-plugging the power strip into the power source/UPS, Live and Neutral have swapped their positions ... which will happen half of the time when you have type F plugs, and all of the time when a criminal has anticipated HotPlug and has modified the power strip cord accordingly ...
It should not be too difficult, anyway, for true criminals to modify a plug or a power strip such that they short-circuit mechanically on attempts to use a PowerCatcher / HotPlug, and thus switch off the computer immediately. Which we will probably see, as soon as it gets known that the authorities / industrial spies / ... use HotPlug-like devices.
Depending on your particular view of risk of this being used on you, plugging it into the wall would suffice in circumventing it, as there is then no intermediate connection to usurp.
Neat. Time to wire a mercury switch up to the reset line so it trips whenever the machine moves. Another one to the bottom so it trips when the machine is lifted.
For bonus points, how about a boot loader that detects something about your home environment and silently starts to erase the drive if it's started up not at home.
Once the machine resets, they are probably in forensics mode and the machine won't be rebooted anyway, but it's still fun to think about countermeasures.
"Depending on your particular view of risk of this being used on you, plugging it into the wall would suffice in circumventing it, as there is then no intermediate connection to usurp."
Note that a normal wall plug is just a two port power bar.
I like the thermite solution myself.
@anonymous: There are motion sensors in many laptops. They're supposed to save the HD when the laptop falls, but often are regular acceleration sensors so it depends how you program them... I have reverse engineered the one in powerbooks (on my website)
Heh, reverse the hot and common leads inside your power strip and they'll get a nasty surprise when they try to plug that power strip back into the UPS. BANG!
A wall plug is not necessarily a two port power bar. They can be separated and commonly are for switched outlets (the top one is usually switched, the bottom one not). If you were really tricky you could have the top connection LOOK live to a voltage monitor, but have something like a 1/100th amp fuse in line with it which would make this thing think it had command of the situation, but as soon as it tried to backfeed power, the fuse would blow and they'd lose power.
Also, later in the video they have a method which doesn't rely on any intermediate connection.
The hotplug doesn't seem that different in concept to having a UPS and a UPS bypass switch in electrical terms, only real difference is that you are physically cutting the wire where the bypass switch normally would be...
so basic procedure would be as follows iirc...
Plug in the UPS into the mains next to the pc
Install the tap on the mains line and plug into the PC side of the UPS..
Cut the PC free from the wall...
Unplug the UPS from the wall
You now have the PC and UPS off the grid...
To repower the UPS just plug it into the wall and let it act like a normal UPS
This would have to be combined with a no-knock search warrant, I would think. I'm sure I've seen this technique described before, somewhere, years ago, though not for moving computers, but for placing a running server on a new UPS.
Seems like the best countermeasure for this particular device would be to wire a momentary switch into the bottom of the case. As long as the computer is sitting on the desk, the power supply is on and the other power switch functions normally. Once the case is picked up off the desk, the momentary switch would power off the machine at the power supply from inside the case. Alternately, you could rig a giant stone sphere to roll through the wall when they lifted the computer - unless they were carrying a bag of sand....
I thought it was preferred to make a perfect backup of a drive, then do all your forensics on that, so as not to allow any locally running software to interfere.
That also lets you go back to a clean slate at any time if you do run into any self-destruct-type software running.
Wouldn't leaving the thing running actually make any forensic analysis job a lot harder?
You've already plugged in a foreign device (mousejiggler) which could be detected and set off some auto-wipe-everything software. You'll also have to disconnect it from a network; regularly ping another machine on the network, and if it's not found, again, start auto-wipe.
I would think your chain of evidence is a lot shakier since you can't prove that the data hasn't changed since you acquired it.
Personally, if I was going to do something evil, I'd purchase a server hosted in Sealand, China, or other non-friendly locale. Then simply access it through a PC.
That PC would only be turned on when I'm sitting at it, and not have any hard drive for any forensics to examine. Booting off a custom knoppix CD-Rom would have all the tools to securely connect to the remote server.
There. Now all I have to worry about is pesky key capture devices that install between the keyboard and the PC, secret cameras installed to view my keystrokes, the entire problem of network security over the internet to China, and, oh yeah, a government willing to torture me until I log in for them.
Guess my world domination plans will just have to stay safely tucked away in my head. At least until they waterboard 'em out of me.
The trouble with shutting down to make a forensic image is that if there are keys in volatile memory, they will be erased when the machine is powered off, and then it may not be practical for anyone to get the data back.
So, this can be circumvented by using a one-way screw on your wall plate. Hah.
"...or allow software or hardware on their computers to defeat this system."
Programmable keyboards and mice provide enhanced functionality in order to boost user productivity through reduction of keystrokes and clicks. One wouldn't justify these as anti-forensic device upgrades.
I had considered suggesting a remote device, similar to wireless mouse, but a no-knock search is likely to result in you being in restraints, preventing you from activating the device.
I'm inclined to favor some sort of proximity device. However, any device would likely be detected while you are away. Such a device could be disabled. Certainly, the knowledge of such a device would clue the no-knock entry team to restrain you in place and remove your token, if such a token weren't found in the cubicle.
As long as we're being paranoid...
* hide multiple proximity devices around the cubicle.
* hide different frequency devices along the exit routes from your cubicle.
* embed a different frequency device in your company badge/passkey lanyard, which stays at your desk.
* use some sort of dead man's switch.
This thread is starting to sound a bit like some cloak-and-dagger device. Why don't you see what the commenters can do on this one without entering the realm of Rube Goldberg.
If one were a ne'er-do-well and wanted to protect against hard drive content discovery, what would you propose?
@8. Reverse this process to plug the computer into another outlet
I have a great deal of experience with this last instruction on their front page. Before I hammer them, let me say it is a great idea if you have a customer who has hired you to do security for their site. Just a few days ago there was a border/customs incident reported in the mass-market media: The respondent would not give the keys under self-incrimination protections. Our gullible consumers will never ask: Why did the confiscating agency need the keys? Well, I give it an 80/20: 80% for Hot Plug for coming up with an idea: The agents would have had to obtain the machine running to see contraband. Then as Jesse Kornblum's research reports, untrained persons turn the machine off to prevent further damage. To plug the computer into another outlet you have a phasing issue. So only 20% of the actual work is done. I was doing the operation pictured in the directions before I went to kindergarten; most adults cannot complete the pictured transfer.
The primary risk is from burns, which for some reason such as ultra-energized particles are more painful than simple heat burns. It may be from copper toxicology, an interesting research question. This script window does not give enough graphical tools to draw you a picture, but go study Don Lancaster's site at tinaja dot com, while you are at it pick up a copy of the case against patents.
If you try to reverse the process, as directed in the instruction booklet, you will likely encounter a strong release of energy which will burn you - in addition to blowing the circuit breaker and in so doing possibly damaging the electronics in the proposed device ~ thus losing power to the compromised device: You have now tampered with evidence! The keys are lost, the twit gets off the hook and you now are the only one they can catch.
Just set your computer to lock when it doesn't detect the presence of a specific bluetooth device (like your cell-phone).
If they take your computer away from you (or take you away from your computer), it locks regardless of how many of these tricks they've applied.
What strikes me is that many posters have suggested some rather elaborate countermeasures, when one likely already exists in their home. Due to a lack of planning, my computer's power strip is plugged into an outlet which can be turned off with the switch on my wall. When I'm not at my computer, it's locked, or off, and when I'm there, simply hitting the switch when the police break down the door would be sufficient. Could someone please explain to me why I would rig up motion sensors, mercury switches, custom fuses, etc... when a simple wall switch already does the trick?
Software solution: Connection to internet lost => Lock.
The power isn't the only thing that has to be disconnected.
Anything that requires human intervention can be defeated if the enemy takes you down before you can hit the kill switch. A sufficiently stealthy raid could result in you being restrained (or killed by sniper) before you could hit the kill switch.
One advantage of the human kill switch, however, is that it will prevent the enemy from simply plugging in an external drive and copying the data on the spot. Motion sensors will not help here.
I wonder if devices like this might be a ruse to divert attention from the much simpler forensic method of plugging a USB/1394/eSATA/NAS drive into a live system and walking away with everything. This is much harder to defend against than a reverse-vampire tap on the power lines.
Oh, and if you can defend against a live copy onto an external drive, you don't *need* to worry about HotPlug. If the enemy can't make live copies, they can haul the entire computer--still running--all the way to Dick Cheney's underground lair but it won't do them one bit of good.
One of the methods previously described on this blog was to force the machine to crash (specially designed USB dongle) and dump all the contents of RAM to disk. Although true that this method and hotplug are much more destructive than writeblockers + offline drive cloning, if you don't have the keys for an encrypted drive this may be the only way of acquiring data from a seized system. Forensically-sound encrypted data is not as useful in a court case as forensically-modest UNencrypted data.
If we're looking for elaborate ways to defeat this, my favorite would have to be to build a degaussing loop into the doorway of the room.
I guess in such a case, shutting down the machine might not be the best option to make forensics difficult or impossible. When something bad is detected (motion, unannounced connection of a HID or removable media, opening of the case), first wipe the keys from memory, display a non-obvious warning message (like, if you want to accept an outgoing connection from your firewall or something) which has to be properly replied to. If the appropriate response is not received within a certain time frame, silently start wiping the sensitive data, starting with all (encrypted) FAT tables and such. Breaking whole disk encryption is one thing; breaking it without knowing what sector belongs to which file and in what order is probably even a whole lot more difficult.
I think the best thing to do would be to design and build something yourself. It's a bit like designing your own encryption method. The probability of getting it right is very low if you don't know exactly what you're doing, but if the attacker only gets one shot at it, and he doesn't know what he is up against, it would be nearly impossible not to trip the system while trying to figure out how it works.
Technically, wiping the disk doesn't add any protection if it's properly encrypted, but it does preempt any court orders to hand over the key. It would, however, be best if you can prove it's been wiped, so a cryptographically proper wipe (multiple passes with random data) wouldn't work, because it is indistinguishable from otherwise encrypted data. You want the attacker to know there is no key to decrypt it.
I wonder how this works out legally; if you are confronted with a search warrant, and you manually trip a system, you will be charged with destruction of evidence. However, if the system is already in place before the raid, it can always be explained as a system to protect the data in case of a burglary.
Forgot to add this:
The problem with any solution I can think of, which would permanently destroy all the data, would be false alarms. You want the system to be sensitive enough to be sure the attacker will trip it, but not so sensitive that you accidentally trip it yourself.
Of course this data would be valuable to you, otherwise you wouldn't risk keeping it in the first place.
Wow. Now they patented it. I know of this kind of method (without a magical switching device) since 2002. It even is documented in the "Datenschleuder", the magazine of the Chaos Computer Club: http://ds.ccc.de/pdfs/ds077.pdf (from page 22, sorry, text only in German, but there are pretty pictures) - But in the end that just means you have to secure your desktop computer the same way you secure your laptop computer. If you are paranoid enough to consider such scenarios, there are plenty of ways to protect against them. And if you are really paranoid - you will use most of them ;)
Disallowing new HID devices, disabling FireWire, shutting down on movement and network topology changes, etc. I would even consider locking the system as soon as any USB device changes, so if somebody really wants to take my computer without it locking itself, they would have to take my whole USB tree with them.
I think I'm going for a Euro-plug (http://en.wikipedia.org/wiki/Europlug) or Schuko plug (http://en.wikipedia.org/wiki/Schuko) - both do not expose metal parts of the contacts until the plug is fully removed (and thus prevent HotPlug from working) :)
I have done this manually once for a 12V powered small system (my firewall PC). Takes about an hour or so, if you are prepared. For 115/235V, it is not that much more complicated. You basically plug in your off-line UPS in the same outlet (to let it synchronize) and connect its output to the power-strip as well. Since an off-line UPS shorts input and output when it does not deliver power, this works (if the polarity is right). Then you unplug power and the UPS will separate input and output and deliver power to the output, just like it does on an ordinary power failure. The 12V case is actually more difficult, because you need to switch over faster.
I think $500 is an appropriate price, but if you know what you are doing, you can roll one of these yourself for about $50 + UPS (say, another $50).
Note: It has to be an offline-UPS for this to work.
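One way to implement the "lock the system as soon as any USB device changes" suggestion above, as an added example that is not code from the thread: it assumes Linux sysfs under /sys/bus/usb/devices and systemd-logind's `loginctl lock-session` for the actual lock, and the device identities in the comments are constructed.

```python
"""Lock the desktop session whenever the USB device tree changes.

Assumptions (this example, not the thread's): Linux sysfs at
/sys/bus/usb/devices and `loginctl lock-session` available.
"""
import os
import subprocess
import time
from typing import Dict, List, NamedTuple

SYSFS_USB = "/sys/bus/usb/devices"
HID_CLASS = "03"  # bInterfaceClass of USB HID (keyboards, mice, jigglers)


class UsbDevice(NamedTuple):
    vid: str
    pid: str
    serial: str
    hid: bool


def _read(path: str, attr: str) -> str:
    try:
        with open(os.path.join(path, attr)) as fh:
            return fh.read().strip()
    except OSError:
        return ""


def snapshot(root: str = SYSFS_USB) -> Dict[str, UsbDevice]:
    """Map each USB device's sysfs name (e.g. 1-2) to its identity."""
    devs = {}
    for name in os.listdir(root):
        path = os.path.join(root, name)
        vid = _read(path, "idVendor")
        if not vid:  # interface nodes such as 1-2:1.0 carry no idVendor
            continue
        # The device counts as HID if any of its interfaces declares class 03.
        hid = any(_read(os.path.join(path, i), "bInterfaceClass") == HID_CLASS
                  for i in os.listdir(path) if i.startswith(name + ":"))
        devs[name] = UsbDevice(vid, _read(path, "idProduct"), _read(path, "serial"), hid)
    return devs


def lock_reasons(before: Dict[str, UsbDevice], after: Dict[str, UsbDevice]) -> List[str]:
    """Policy: any add, removal or in-place swap is a reason to lock; new HIDs are called out."""
    reasons = []
    for name in sorted(after.keys() - before.keys()):
        d = after[name]
        kind = "new HID" if d.hid else "new USB device"
        reasons.append(f"{kind} {d.vid}:{d.pid} serial={d.serial or '-'} at {name}")
    for name in sorted(before.keys() - after.keys()):
        d = before[name]
        reasons.append(f"USB device {d.vid}:{d.pid} removed from {name}")
    for name in sorted(before.keys() & after.keys()):
        if before[name] != after[name]:  # same port, different device
            reasons.append(f"device at {name} replaced: {before[name].vid}:{before[name].pid}"
                           f" -> {after[name].vid}:{after[name].pid}")
    return reasons


def watch(interval: float = 1.0) -> None:
    baseline = snapshot()
    while True:
        time.sleep(interval)
        current = snapshot()
        reasons = lock_reasons(baseline, current)
        if reasons:
            print("locking session:", "; ".join(reasons))
            subprocess.run(["loginctl", "lock-session"], check=False)
            baseline = current  # re-baseline so one unlock suffices after a legitimate change


if __name__ == "__main__":
    watch()
```

Polling sysfs every second is a deliberately simple stand-in for a udev listener; the `lock_reasons` policy is separate from the sysfs reader so it can be tested with constructed snapshots.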
Someone makes a device with two parts, one is usb dongle the other goes in your pocket / keychain etc. When you move away from your computer 15' / 30' your computer automatically locks. I tried to get these at my last company which had a policy to lock your computer when you were away from your desk.
Has anyone seen the movie "Safehouse" with Patrick Stewart? In it he had a computer that required him to enter a graphic password at regular intervals or else... I was thinking it would be cool if a machine would wipe its encryption keys (or set off the thermite :) if a password wasn't entered in time. Combine that with a photo-voltaic and pressure sensitive tamper switch that does the same thing and you have the ultimate paranoid hacker box.
@plug in your off-line UPS in the same outlet (to let it synchronize)
This is a very serious consequence for the design. Can you provide us with links, info, design ideas and testing protocols which can ascertain what in fact a given unit in hand will actually do on the sync() issue.
As well, trying to cross-plug while the line is out of sync introduces spikes in the line which could rip junctions and destroy evidence that would otherwise be recoverable under a crash-down style power down.
Further - can you provide a realistic description of electrical burn for readers. I tend to overblow and lose effectiveness. These folks *REALLY* need to get a clear mental model of the sync issue and the painful nature of electrical burns.
Actually I don't see how the sync issue is a problem. Most UPS boxes operate in passthrough mode when plugged in. That means that the input and output are directly connected through a relay. Only when you unplug the UPS does it start generating its own power signal. The UPS is only unplugged after the main plug is disconnected. Then the power phase starts to drift but it doesn't matter after the main plug is disconnected.
Aside from bypassing full disk encryption, and accessing RAM contents, what other advantages would the hotplug device provide to a forensic examiner? Installing the mouse jiggler would tamper with evidence, as it would write to the c:\windows\setupapi.log file, as well as to the registry in a few locations within HKLM. This "risk" would need to be outweighed by some type of real forensic benefit.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.