USB Cable Kill Switch for Laptops

BusKill is designed to wipe your laptop (Linux only) if it is snatched from you in a public place:

The idea is to connect the BusKill cable to your Linux laptop on one end, and to your belt, on the other end. When someone yanks your laptop from your lap or table, the USB cable disconnects from the laptop and triggers a udev script [1, 2, 3] that executes a series of preset operations.

These can be something as simple as activating your screensaver or shutting down your device (forcing the thief to bypass your laptop's authentication mechanism before accessing any data), but the script can also be configured to wipe the device or delete certain folders (to prevent thieves from retrieving any sensitive data or accessing secure business backends).

Clever idea, but I -- and my guess is most people -- would be much more likely to stand up from the table, forgetting that the cable was attached, and yanking it out. My problem with pretty much all systems like this is the likelihood of false alarms.

Slashdot article.

EDITED TO ADD (1/14): There are Bluetooth devices that will automatically encrypt a laptop when the device isn't in proximity. That's a much better interface than a cable.

Posted on January 7, 2020 at 6:03 AM • 46 Comments

Comments

DaveJanuary 7, 2020 6:12 AM

That was my reaction when I saw it on Slashdot as well, a better name would have been "Russian roulette cable for laptops".

AlanJanuary 7, 2020 6:13 AM

The solution would be full disk encryption, where the decryption key is stored on a bluetooth or wifi device, and as soon as it gets out of radio range then the disk can no longer be decrypted, but it will start working again if the laptop is reunited with the device.

PhaeteJanuary 7, 2020 6:45 AM

If your security is that something gets yanked out of the USB bus, then why not a USB stick with your data/os/bootkey instead of just a cable?
Just use an empty laptop keyed to boot to your USB stick only.

But i agree, this tech would give me too much hassle and "false positives" for any real world work.

AndersJanuary 7, 2020 6:58 AM

When i first read the headlines, i instantly
remembered this and thougt at first that
there's a new version of it now...

arstechnica.com/information-technology/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/

WilsonJanuary 7, 2020 7:06 AM

I guess that, if you use good encryption for both the full disk and any sensible folder, you could just set a script that lock the device, wait for a minute and finally force a shutdown

This way any false positive is just a minor annoyance and most of the security is preserved (and in some cases improved, since a good wipe out requires time and can be aborted by cutting out the power source)

MeJanuary 7, 2020 7:19 AM

This sounds like a less usable version of this: https://newatlas.com/halberd-smart-computer-lock-bluetooth/52583/

I have considered getting something like that device to auto-lock my computer when I get up. I'm not sure how keen I am on the auto-login that the linked version has.

I don't think I would try to use the auto-delete feature, unless I had some folder that I used for temporary storage of sensitive material. I couldn't feel safe saving anything I cared about there.

Nathan NeulingerJanuary 7, 2020 7:34 AM

Regarding the 'yanking it out' - the cable appears to include a magnetic usb connector, so should just gently pull away if you stand up.

DevinJanuary 7, 2020 7:47 AM

Well, if all it does is lock the laptop, "accidental discharge" isn't really an issue. If you set up the script to ignite the thermite charge instead, you'd better be damn careful, but I could see this being handy if you kept it to fairly low-level responses.

If I were thinking about taking more serious precautions, I'd consider layers, and this might be one of them: maybe it locks the laptop AND puts it in a more aggressive posture where some other trigger (say, several failed password attempts, or various indicators of geographical change, or whatever) will start wiping things. Still not a problem if you forget and trigger it yourself: be a little careful entering your password and you'll be fine.

Similarly, if I were mostly working on a laptop in reasonably secure locations (my office, home, etc) where I didn't want to re-enter a password every time I stopped to answer the phone or whatever, but I sometimes took it to the cafe, I could see something like this being handy. (There are other solutions as well, of course.)

Russian rouletteJanuary 7, 2020 8:29 AM

Just set the minimum inactivity time before locking the device screen with regular means. The screen dims before locking to avoid false alarms.

mostly harmfulJanuary 7, 2020 9:03 AM

@ Bruce / Webmaster re HTML typo

Your second reference to udev background reading ( the one pointing to opensource.com/article/18/11/udev ) is marred by a missing right angle bracket at the end of the anchor element's opening tag.

That is, you have

<a href="URL"2</a>

instead of

<a href="URL">2</a>

BounceJanuary 7, 2020 9:05 AM

Instead of a belt loop attachment, just have it attached to something like the carry pouch the laptop is stored in. If removed, it pulls the cord. When powered up, it sees the missing cord and executes the script. The owner might remove it carelessly from its pouch but will notice it before powering it up.

Right?

Clive RobinsonJanuary 7, 2020 9:24 AM

@ Bruce and the usuall suspects,

Clever idea, but I -- and my guess is most people -- would be much more likely to stand up from the table, forgetting that the cable was attached, and yanking it out. My problem with pretty much all systems like this is the likelihood of false alarms.

This was discussed in depth quite a few years ago on this blog as a form of "Deadmans switch" by primarily @Nick P and myself, along with how to build computers into safes lined with thermite.

The point raised then was that very easy very fast and reliably triggered activation was the most important thing.

Which is why the use of some kind of strap from the users wrist or belt etc was decided not to be effective as a trigger (fast dog pilling by agents would stop it for instance or bullet to the "monkey brain"). Thus a switch with a spring that had to be held closed by the operator in some way was required. Something like a foot switch was also not reliable thus a knee switch held against a table leg was to be prefered.

Which obviously raised the risk of false positives significantly.

Thus what happened after triggering would have to be a timed sequence of events that was profiled against your security requirments.

Thus the first step might be blank screen to timed password entry, if that time passed then wipe the FDE and Core RAM encryption keys securely then further time staged actions that could result in thermite packed into the case space being ignited or speciall shaped charges destroying certain chips or both etc.

Other discussions we had on this blog around that time were about removing the "what you know" asspect of authentication not just out of jurisdiction but into several jurisdictions using "secret sharing" to give all involved parties "plausable deniability".

More recently I've talked about the failings of the "what you know" factor due to the limitations of the average human mind. Put simply the human mind is not realy designed to remember things like random strings with any acuracy. However there are other things the human mind is very good at such as spacial awareness. Thus expanding this into the "what you know" asspect of two or more factor authentication, that again used a timed sequence of lockout steps.

Two such additions to "what you know" were "time" and "space" that is you would have to take the device to a certain place at a certain time before any other factor such as password, token or biometric would become valid, which is a variation on the multi jurisdiction idea.

Thus any half competent Linuk Admin or system programmer having read this post, should now have sufficient information not just to make such deadmans switches way more effective but also reduce faslse positive effects and upping the security level to any level they deem appropriate including "self destruction" if required.

As some Austarlian friends would say "No worries mate, nugh said" ;-)

AlexRJanuary 7, 2020 9:46 AM

Although this may not be an optimal solution from a usability perspective, it may have helped Ross Ulbricht (of "Silk road" fame). In some cases, the trade-off might be worth it, especially if you tune the mechanism, such that the kill-switch doesn't delete data, but simply erases the key from memory and unmounts your encrypted drives.

Clive RobinsonJanuary 7, 2020 10:28 AM

@ AlexR,

... it may have helped Ross Ulbricht (of "Silk road" fame)

Probably not on it's own.

Don't forget the XKCD $5 wrench,

https://www.xkcd.com/538/

Or the fact some US judges have held people on "contempt" charges untill they died (that is the judge died in one case). Often because the defendant could not prove they did not know something the judge believed otherwise,

In this case

https://abcnews.go.com/2020/story?id=8101209

He was let out because it became clear he either did not know or was never going to assist, therefore the required "coercive" asspect of the contempt holding had failed and would continue to do so.

Which is important, if you prove you don't know and can not be coerced by imprisonment it's game over for contempt. Thus the question falls to other matters of the legal system. In the UK for instance under RIPA there is a proscribed tarriff for not handing over the encryption (but not signing[1]) keys. Thus a defendent can either make a calculated choice or more importantly prove that they can not know what the encryption keys are as they never knew. Also that they can not access the backup of the keys because they are not held under their control and those who do have control are not in the jurisdiction so can not be compled either, further that trying to compel them would not work either due to the in built deniability of shared secret keys.

[1] Which opens up an interesting line of logic not to disimlar to that which warrant caneries raise.

AaronJanuary 7, 2020 11:50 AM

You're framing this as "wipe the laptop", but both the article you link to mentions it as a way to "shut down or wipe" the laptop and the original article it sources has "lock the screensaver" as its actual example script with "immediately shutdown" as a presented alternative, and doesn't provide any sample code for wiping it. All of those are more reasonable, so why the "false alarms mean unusable computer" FUD when someone would have to specifically go out of their way to produce that result from this example?

AaronJanuary 7, 2020 12:02 PM

Actually, my fault, I accused you (Bruce) of that framing but it's really the article you link to and the comments here that focus on that part. I think the use case presented in the original article is pretty reasonable, locking the screen if someone grabs the laptop would probably stop a significant proportion of snatch and grabs even if it would do little for an APT that 99.999% of people don't have to worry about.

Noah SilvermanJanuary 7, 2020 12:21 PM

If you want simple and reliable, what about remove the laptop battery and power via usb-c through a usb-c magnetic breakaway (you can find them online). With disk encryption, this is pretty secure, but not super destructive. And there is no software/os dependence. You have removed the only energy source, it WILL turn off.

HJohnJanuary 7, 2020 1:48 PM

Perhaps if authentication fails, the laptop incapacitate the user with tranquilizers and/or tazers and start sounding an alarm.

(not intended as a serious comment folks)

Impossibly StupidJanuary 7, 2020 2:52 PM

As others have noted, when these sorts of mechanisms are visible/known to the attacker it makes it very easy to circumvent the protection provided. The magnetic attachment is not "smart" in any way, so you could probably quickly "spoof" the connection with a strong magnet of your own. Better is using something wireless like Alan suggested, so it isn't quite so obvious that taking off with the laptop would cause problems.

Don't most laptops come with accelerometers these days, too? I could swear I've read about drop sensors parking hard drives. Why not just use those same signals to fully "sleep" the laptop the same way closing the lid does, forcing re-authentication?

Kurt SeifriedJanuary 7, 2020 3:07 PM

Treadmills and similar exercise equipment have had this for ages (fall, the cord tied to you tanks a plastic piece out that triggers an emergency shutoff). Generally works well and isn't a problem. This would definitely be useful if you're worried about a snatch and grab if you're in a coffee shop for example.

SpaceLifeFormJanuary 7, 2020 3:52 PM

@ Alan

You did not think that through properly.


If the FDE encryption key is on an external device (WIFI, BT), then you have a catch-22.

How are you going to boot, get the WIFI/BT drivers loaded, and then obtain the key from the external device?

The only possible path forward is to have an encrypted *PARTITION*, not *ALL* of the storage *AT REST*.

So, to deal with the *OUT-OF-RANGE* angle, that would require a timer daemon, that notices that the external device has disappeared, and can then *WIPE*.

It's probably problematic af that point.


Likely easier to just boot from USB key.

I think it is possible that way with at least 2 keys

SpaceLifeFormJanuary 7, 2020 4:16 PM

@ Noah Silverman

Lack of power not a sure solution.

hxxps://www.zdnet.com/article/cryogenically-frozen-ram-bypasses-all-disk-encryption-methods/

Noah SilvermanJanuary 7, 2020 4:37 PM

Yeah, you would want soldered in ram if possible, and probably pour in a bunch of epoxy as well, maybe with a layer of insulation. Swap in security screws and use red loktite. If you can make it hard to cool the ram, and hard to access, you can probably delay them enough that the cold boot attack won't work.

Steven ClarkJanuary 7, 2020 5:22 PM

A USB RAM disk hooked up to the "charge" usb port of a laptop with the key file for an Opal PBA maybe? That way there's no code to run, the unlock password just vanishes if the cable disconnects but may be entered manually by someone who knows it (not necessarily the carrier). Configure the system to sleep with disk powered off or hibernate aggressively.

JonKnowsNothingJanuary 7, 2020 10:07 PM

In the horse show world there is a device used to protect the rider in case of a fall from the horse.

It's essentially a vest with a mini co2 canister that has a rip cord attached to the saddle. When the rider comes off and the rip cord reaches its length limit, it pulls the pin on the co2 canister which inflates the vest.

This vest is also used by motorcycle riders and attaches to the bike. When the rider falls off and parts company with the bike, it inflates.

For Eventing, it's particularly useful for rotational falls where the horse clips a front leg on the fence and catapults the rider into the ground and then falls on top of them.

It also helps when the horse refuses the fence (aka stops) and rider is thrown over the horses head into or over the fence. Some famous riders have been killed or injured this way.

The rip cord has to be:

a) properly sized by length
b) verified it can actually pull the pin from the canister.

The problems of rip cords are not unique to equestrian sports. Some aspects of how to "make the rip cord work to prevent a dangerous fall" vs "forgetting to disengage it before dismounting normally" still require careful measurements and awareness by the rider.

Replay videos of horse and rider falls will certainly make the case that getting it right is worth the effort.

If you have THAT kind of data on your system you better get it RIGHT.

Oh... and you look like the Michelin Tire mascot when it goes off...


ht tps://en.wikipedia.org/wiki/Air_bag_vest

ht tps://commons.wikimedia.org/wiki/File:Ludzik_Michelin_-_Bibendum_(MSP17).jpg
(url fractured to prevent auto run)

Clive RobinsonJanuary 7, 2020 10:08 PM

@ HJohn,

Long time no comment, I trust you and your family are well, I'm guessing the little ones are getting on for shoulder hight now.

With regards your not serious comment of,

Perhaps if authentication fails, the laptop incapacitate the user with tranquilizers and/or tazers and start sounding an alarm.

It was the opposite case that caused @Nick P and myself concern especially with "proximity devices" such as Bluetooth and similar.

When people work late, they try to borrow time from their future or older self[1] by drinking coffee or some other high caffeine hot beverage as they start to feal tired. These are usually made in the office percolator, cafetière or brewing/steeping pot. The idea generally being when tired but working to extract maximum caffeine, by leaving it to brew/steep longer or using more ground coffee and less water etc (the turn it up to eleven principle).

We all know what an "Evil Maid" is but an Evil Cleaner / Co-worker[2] not so much.

The point being the worker secures their computer gets up and gets their chosen poison from "a pot they don't watch", maybe they sip some on the way back to their desk maybe not. They then sit down and open up their computer for use again and start to work. At some point they will drink the coffee and carry on working sitting down often in a chair with side arms etc that they won't easily fall out of (creative types tend to get chairs they can lean back in "to think", or as some others claim "snooze on the job").

If the "evil cleaner" has put a few drops of something with a chlorine bassed molecule with little smell or taste --of which their are several to chose from that are easy to obtain-- in the pot, then the late working person is likely to "sleep at their post". I'm told that as they get sleepy they are more likely to lean forward (for foetal position) than back, but either way they are not likely to fall out of the chair untill deeply asleep. So as long as the Evil Cleaner keeps an eye on the now sleepy headed worker they will be able to stop them falling out of the chair. Even if the worker does activate the security device, on waking they are not going to be in a strange place unexpectedly thus less likely to have their suspicions raised.

Thus this belt loop strap or the myriad of bluetooth designs or similar depending on the design may not work as hoped by those employing them...

Hence @Nick P and I discussed sprung switches that the user had to actively press against to stop or atleast reduce this posability, for high security applications.


[1] Terry Prattchet used this observation on more than one occassion in his books, also when giving talks and book signings, he also observed that "Nice as it is alcohol does not borrow time from your younger self, although sometimes it does feel that way", shortly followed by "yes a brandy would be nice" if you got the hint ;-)

[2] Scott Adams, in I think it was the Dilbert Principle refers to some office co-workers as "Cow-orkers" with the last word to be pronounced like the "killer whale" orca, which are known to kill sharks including "great whites" just for fun, with the implication they will "do unto you" so you should "do unto them" first. He also observed that being in the office with flu is your only legal / 2nd Amendment right to use what are legaly speaking Biological Weapons of Mass Destruction (WMD) on people you don't like. Which might account for why he works from home...

Clive RobinsonJanuary 7, 2020 10:13 PM

@ ALL,

The thing that supprises me about many of these devices is just how complicated they make them. Any *nix admin who has ever integrated a UPS system usually has all the knowledge required to implement an auto shutdown system. Early UPS's used a switch on one of the serial port lines such as "ring detect" to take advantage of the already in built "modem capabilities" and finding info on this via a web search should be fairly easy [Linux com port ring detect] will get most admins what they need.

Although many laptops nolonger have direct serial ports any longer, the FT232 family of RS232 to USB chip devices are both numerous and very inexpensive and miniture PCBs that will plug directly into a USB port are available from many places including those that support "Raspberry Pi" or Arduino SBC or other "maker" projects.

The information in this document should give people a starting point to think on,

https://www.linux.com/news/adding-ups-desktop-linux-machine/

But don't ask me for support...

meJanuary 8, 2020 6:57 AM

@Alan
> decryption key is stored on a bluetooth or wifi device
yeah and leaking key/data over the air to whoever can intercept wifi.

@Phaete
> why not a USB stick with your data/os/bootkey instead of just a cable?
This is much better, and that's my question too: why not a normal usb pen drive?
everyone has one of them in house without buying expensive custom stuff, you can attach a rope on it instead using a cable.
you can set the pc to lock screen and shutdown afer a minute like @Wilson said instead of deleting everything so false positive is not a problem and if someone turn off they will need fde password and maybe keyfile on usb.

QJanuary 8, 2020 10:28 AM

Why would someone be dealing with sensitive data on a laptop in a public place in the first place?

A CCTV camera or a deliberately placed hidden camera could capture your screen display and/or your typing of passwords and whatnot. And that is without anyone snatching it from you.

A real solution to the problem of a snatched laptop is to not have it powered-up at all. Then the FDE will provide adequate protection, and the RAM contents will have long ago dissipated away to insignificance.

Clive RobinsonJanuary 8, 2020 12:19 PM

@ Q,

... and the RAM contents will have long ago dissipated away to insignificance.

Maybe, maybe not.

Ever hear of "burn-in" it os at the end of the day a form of "wear".

RAM in general use is one of two kinds "Dynamic" that uses a capacitor and a FET and has to be "refreshed" every so often, and "Static" which uses a feedback mechanism to hold two or more FETs in a reinforcing feedback condition where a logic gate output is forced into one or other of the supply rails and kept there.

In either case it is "assumed" that on average each bit of memory will hold as many ones as it does zeros, therefore any ware will be forst in obe direction then the other aproximating even.

Unfortunately like most "assumed" things it's often wrong. One example is the storage of crypto key information where with the likes of FDE it's often an unchanging bit pattern stored at the same location, thus burn in is likely to happen there.

The thing is that once the wear settles in with a fixed bit pattern it can become detectable long after the power is removed as permanent bias etc.

Thus part of the design consideration should be to constantly change the bit pattern's by XORing with totally random bytes where any keymat is stored.

HJohnJanuary 8, 2020 1:06 PM

@Clive Robinson • January 7, 2020 10:08 PM

@ HJohn,

Long time no comment, I trust you and your family are well, I'm guessing the little ones are getting on for shoulder hight now.
________________

Wife is well, twins are growing up very fast, about to turn 11 already.

I still read the blog every day, I just don't participate like I used to. Much busier nowadays. Still, I learn more reading than typing.

Hope you and your family are well, that you had a great Christmas, and your new year is off to a great start.

Best,
HJohn

vas pupJanuary 8, 2020 1:32 PM

@Anders • January 7, 2020 6:58 AM
How about usb drive which delivers emp to computer with power enough to destroy this one data altogether?
Is emp working on solid state drives?
Your and Clive's opinion would be clarifying. Thank you.

Clive RobinsonJanuary 8, 2020 2:34 PM

@ vas pup,

... which delivers emp to computer ...

The problem with EMP especially E1 is firstly it follows what many call the low resistence path. But secondly an E1 EMP event has picosecond rise times and E field measurments in the tens of thousands of volts per meter.

Which in effect means a great deal of it's energy is up in and beyond the microwave bands. As all conductors have both inductance and capacitance they have an effective impedence at which they behave like a transmission line in which energy is stored not disipated. The better the match between the transmission line impedence and the load the more power gets disipated by the load resistive component and the less gets reflected to be close coupled to other conductors or reradiated.

The result is you know the EMP energy is only going to go to some part of the circuit but not all, and worse you have no idea where it might go.

Thus it's entirely possible that a chip used for data storage might have it's bond wires melt like fuses and some of the devices in the bond out pads blow, but the actuall AND/OR or OR/AND storage array survive intact.

Thus anyone who can decap the chip and repair the bond out or probe past them could get at the data in.part or in whole.

It's one of the reasons why certain parts of the Intelligence Community has looked at miniture shaped charges for "self destruct" They get built in the chip package, pressed up against the chip surface. So the plasma jet does melt chip features fractionally before the shock wave shatters the chip into micro fine or smaller pieces.

It's recognised that data destruction of in chip stored data is one of the hardest things to do. Hence the reason why more modern "black boxes" have built in chip memory that can survive 100G type loads and are way more reliable than the old wire recorders. Such chips tend to be the same as those used in Flash drives for thumb drive format, however the are slightly better mounted and supported than traditional thumb drives.

vas pupJanuary 8, 2020 3:24 PM

@Clive: Thank you for your input! It is amazing how smart you are and I have blessing to read your posts in this respected blog.

EvilKiruJanuary 8, 2020 3:59 PM

@MGD: A quick Google search reveals that Kensington locks won't deter a determined criminal.

PhaeteJanuary 9, 2020 4:56 PM

Some focused bursts of gamma radiation will fry that chip very nicely and its data.
Though considering the needed equipment/protection it might be a bit of overkill.

Most anti tamper devices with sensitive chips that i know of (several ATM POI/biometric scanners etc) use power in caps or batteries to destroy the keys etc inside once tampering has been detected.
Those chips have improved current handling capabilities in those functions to avoid blowing bond wires afaik.

AndersJanuary 9, 2020 5:24 PM

@vas pup

Hard to do on the USB flash drive level.
Not enough space.
The current attack used simple voltage multiplier
ladder.

AndersJanuary 9, 2020 5:57 PM

@vas pup

I think even this merely just reboots the computer :)

hackaday.com/2016/10/12/become-very-unpopular-very-fast-with-this-diy-emp-generator/

AndersJanuary 10, 2020 5:16 AM

@Clive

I link for you also the original address

habr.com/en/post/268421/

There's more images, click on "Ещё много картинок."

mgdJanuary 13, 2020 7:03 PM

Replying to EvilKiru ...

Wouldn't a Kensington cable at least slow down a 'snatch and run' attack?

EvilKiruJanuary 14, 2020 2:21 PM

mgd: If all you want to do is slow down a "snatch and run' attack, then a zip-tie will do the job.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Sidebar photo of Bruce Schneier by Joe MacInnis.