
USB Canary Sends an SMS When Someone Tinkers with Your USB Ports


CrAKeN


 

A new tool released on GitHub last week can help paranoid sysadmins keep track of whenever someone plugs in or disconnects a USB-based device from high-value workstations.

 

Called USB Canary, this tool is coded in Python and currently works only on Linux. As its author told Bleeping Computer in a private conversation, work is already on its way for Windows and Mac versions.

 

The tool works by watching USB connectors for any activity while the computer is locked, which generally means the owner has left his desk.

 

If a USB device is plugged in or unplugged, USB Canary can perform one of two actions, or both. It can alert the owner by sending an SMS message via the Twilio API, or it can post a message in a Slack channel, which can be monitored by other co-workers.

 

Created as a fun project, USB Canary may prove quite useful


USB Canary was created by a security researcher that goes online by the nickname of @errbufferoverfl. The tool was later improved with the contributions of @assurance, @chkconfig, and @ducksecparty.

 

"I started writing it when I was between jobs, I had just finished up in a security operations role where I was doing a lot of compliance and developing tools," errbufferoverfl told Bleeping Computer.

 

The developer says he was disenchanted with similar tools because they notified users only after someone had logged on. As there are means to automate attacks without logging in, this wouldn't be very useful, errbufferoverfl said.

 

"I didn't really expect it to be picked up when I finished it, but after seeing the community response I started working on a version that should hopefully work on Windows and OSX so more people can use it," the developer added.

 

A must-have for enterprise IT staff


USB Canary can prove to be a very useful tool for large organizations that feature strict PC policies. For example, if you really want to enforce a "No USB drives" policy at work, this could be the tool for the job.

 

Similarly, if USB Canary would support a local logging feature in the future, it could be secretly deployed on air-gapped computers and allow sysadmins to find out when employees connected USB flash drives to isolated systems.

 

Projects in the same category as USB Canary include USB Kill (waits for a change on your USB ports and then immediately shuts down your computer) and Silk Guardian (waits for a change on your USB ports and then wipes your RAM, deletes precious files, and turns off your computer).

 

Errbufferoverfl has open-sourced the USB Canary source code on GitHub.

 

Source
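The rule the article describes (flag USB plug or unplug events that happen while the workstation is locked), as an added example that is not part of the original post and is not USB Canary's code. The sample lines follow the output format of `udevadm monitor --kernel --subsystem-match=usb`; the lock-state timeline, the sample data and all function names are constructed for illustration.

```python
import re
from bisect import bisect_right

# Constructed sample: kernel uevents as printed by `udevadm monitor --kernel`
SAMPLE_UDEV = """\
KERNEL[100.250000] add      /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
KERNEL[100.260000] add      /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0 (usb)
KERNEL[460.100000] add      /devices/pci0000:00/0000:00:14.0/usb1/1-3 (usb)
KERNEL[460.110000] add      /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0 (usb)
KERNEL[468.900000] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0 (usb)
KERNEL[468.910000] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-3 (usb)
KERNEL[900.000000] remove   /devices/pci0000:00/0000:00:14.0/usb1/1-2 (usb)
"""
# Constructed lock transitions: (seconds on the same clock, screen locked?)
SAMPLE_LOCK = [(0.0, False), (300.0, True), (600.0, False)]

LINE = re.compile(r"^KERNEL\[(\d+\.\d+)\]\s+(add|remove)\s+(\S+)\s+\(usb\)$")
# Device nodes look like 1-2 or 1-2.4; interface nodes (1-2:1.0) are skipped
# so that one physical plug produces one event, not one per interface.
PORT = re.compile(r"^\d+-\d+(\.\d+)*$")

def parse_udev(text):
    """Return (timestamp, action, devpath) for device-level USB events."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and PORT.match(m.group(3).rsplit("/", 1)[-1]):
            events.append((float(m.group(1)), m.group(2), m.group(3)))
    return events

def locked_at(ts, transitions):
    """Lock state at ts, taken from the most recent transition at or before ts."""
    i = bisect_right([t for t, _ in transitions], ts) - 1
    return i >= 0 and transitions[i][1]

def alerts(text, transitions):
    """Events seen while locked; removals carry how long the device stayed in."""
    plugged, out = {}, []
    for ts, action, path in parse_udev(text):
        port = path.rsplit("/", 1)[-1]
        dwell = None
        if action == "add":
            plugged[port] = ts
        elif port in plugged:
            dwell = round(ts - plugged.pop(port), 2)
        if locked_at(ts, transitions):
            out.append({"ts": ts, "action": action, "port": port, "dwell_s": dwell})
    return out
```

Each returned record can be written to a local log or passed to a notifier; the dwell time separates a brief plug-and-pull from a device left connected.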


Those 2 tools suggested at the end do not support Windows OS, which the majority of people use, so their developers can go F themselves. errbufferoverfl was smart enough to feel the need to make it for Windows OS as well.



Wasting their time developing it for Windows. By the time you read the SMS message the damage has already been done and your network has been infected with whatever bad thing the individual wanted to put there. Takes less than 10 seconds to plug a USB drive in, let it automatically inject its thing into the network and unplug it. It really is just that fast. The only way to secure a workstation is to disable the USB ports. In most secure organizations this is standard since all data is maintained and backed up on the network and not on individual USB devices, which would create another security problem. A computer program never takes the place of a good security program that alleviates the need for a computer program to begin with.



I am waiting for the Windows version (my Linux air gap is fully encrypted and has some more protections). Constructed situation = they take your notebook at the airport to a back office and want to implement some spyware = the damage is done but you are informed / some secret service visits your home at a time when you are at work and does the same bad things or just wants to mirror your hard drive = you are informed

 

 



Archived

This topic is now archived and is closed to further replies.
