Canary For USB Ports

If you’re a paranoid system admin, [errbufferoverfl] has your back with software that keeps track of whenever someone plugs in or disconnects an USB-based device from a workstation.

Christened USB Canary, [errbufferoverfl’s] tool is written in Python. However, even though Python is cross-platform, USB Canary only works on Linux currently. But, fret not: [errbufferoverfl] is already working on Windows and Mac versions.

Primarily, USB Canary watches USB connectors for any activity and logs anything it sees. Moreover, when a USB device is plugged in or unplugged, USB Canary can alert the owner of the workstation via an SMS message courtesy of the Twilio API, post a message in a Slack channel or even make a noise to alert a nearby sysadmin. Additionally, USB Canary can be configured to only run when the workstation is locked (if you’re not completely paranoid).

[errbufferoverfl’s] USB Canary was born out of dissatisfaction with current workstation monitoring tools. You see, most tools only notify users after someone has logged on. [errbufferoverfl] points out that there are means to automate attacks without logging in, and we can think of many unsavory things that can be done when logged out.

While USB Canary won’t protect you from -220V , it might at least warn of a BadUSB attack. But, for the really paranoid, why not try GoodUSB?

[via bleepingcomputer]

12 thoughts on “Canary For USB Ports

  1. So this is for the people that fall somewhere between “Oh, I wonder what is on this random USB drive I found in the Parking Lot” and “All my USB ports are filled with Binary Epoxy” on the paranoid scale?

    1. Mwah sounds like this is only for logging. For some protection, look up “Beamgun”, it blocks new network adapters / usbsticks, and locks your PC on new keyboards.

  2. Almost all corporate security software does this already. The Symantic software we use at the company here keeps detailed logs of every single thing done to each workstation and laptop. I can even tell you the EDID data for any monitor or projector plugged in with time stamps. and the make and model of every USB device used and when it is plugged in used and removed. USB storage has a list of filenames copied to or from it as well.

  3. Hi all I think the one thing that wasn’t really captured in the original article and seems to be something that will probably address some of the criticism i.e. there are better tools that do this, why would you do it this way etc. was that I made this for personal use, as something to keep me busy in my time off between jobs and get me back into python.

    Some of the stuff I found on Github only alerted you after you had logged in, and for some people that’s good enough but wasn’t really ideal for me because I still use USB (no epoxy plz) and worked in a co-working space (like I did) and I wasn’t really up for carrying my laptop out to lunch or to the bathroom with me. I didn’t want to pay dollerydoos for something I could try to write up myself, thus why it was only Linux supported.

    I never wrote it up thinking or hoping it could be deployed to a corporate network or anything because MDM software as well as a lot of other tools have this ability and let’s face it one person maintaining a repository isn’t really what corporate software is made of.

    Originally I planned on only doing OSX support as well as Linux because now I use a Mac and again why not try and write it yourself, but a friend also asked if I could make a Windows copy to try out. I published it to Github because I thought it was something cool I made and maybe some other people would get a kick out of it.

    tl;dr I wrote a tool while funemployed to keep me busy, I never expected it to blowup like this – it’s not perfect.

    1. i think it’s great. the tool “beamgun” mentioned above is windows only which sucks because i’m a nix kid, and rather than hack together a hardware usb condom i think notification is enough to warrant further inspection. thank you for sharing this tool to the community!

  4. Add to this the “autosack”, that takes a picture of the eejit that violated policy and sacks them via script with time, date and copy of the offending device manufacturer ID and CRC32 of the data in the MBR.
    Some companies have software that does this automatically for timekeeping violations and is completely beyond human control so cannot be reversed even by senior management.

    I still like my idea of reversing USBkill to fry connected devices on both headphone AND USB ports to ruin any attempts at data exfiltration.
    Seems that stealing data via headphone ports is doable at a whole 1kBaud and I had a long argument with an ex-employer about this exact method, it requires entering less than 3 lines of text and saving in Notepad as a NTLDR.dll (!)

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.