Preventing Evil Maid and Rubber Ducky style attacks on Linux

So you are running Linux and think that you are relatively secure compared to Windows, right? In practice there is not much difference between the two platforms here, because some attacks work below the operating system, against the boot chain and the hardware it trusts, and no operating system can defend against those unless you proactively take the right measures.

What am I talking about? Let's start with full-disk encryption, and let us assume that we are on Linux. So, you have encrypted your root partition with a really strong passphrase during the Ubuntu installation (LUKS on dm-crypt) and you must be thinking, man, am I secure. That is true to some extent, but the catch is that the boot partition, with the kernel, the initramfs and the bootloader files, has to stay unencrypted, because that code runs before the root volume is unlocked: it is what prompts you for the passphrase and then opens the encrypted volume. (GRUB can be configured to unlock an encrypted /boot itself, but the default installer layout leaves it in the clear.)

So here is the dilemma: even on Linux we have an unencrypted boot partition, and unencrypted code that runs before the disk is unlocked is a tampering target. Someone with a few minutes of physical access while you are away can modify the initramfs in that partition, for example by adding a small script that captures the passphrase you type at the unlock prompt and sends it to the attacker, after which the system boots normally and you notice nothing. This is what is called an Evil Maid attack. Disk encryption on its own cannot stop it, because it protects the confidentiality of the root volume, not the integrity of the code that unlocks it. There are ways to defend against this (Secure Boot with a signed kernel and initramfs, or a TPM that measures the boot chain and refuses to release the key after tampering), but a simple measure is to keep your boot partition somewhere else, typically on a USB drive. Whenever you go out you keep that USB drive with you at all times, with the peace of mind that the laptop at home cannot be meddled with: all that is left there is a block of encrypted data that cannot be read, or meaningfully modified, without your passphrase. Today I will not go into the details of building such a setup, because trust me, doing this manually takes a lot of work, especially on a distro like Gentoo!

But let me tell you about another attack that is quite common these days and that not many people know about. Have you heard of the USB Rubber Ducky? If not, go and search the web for a bit. Or, if you want to save time, let me tell you.

Basically, the USB Rubber Ducky looks like a regular USB flash drive, even the same size, but when you plug it in it enumerates as a HID (Human Interface Device). HID is the device class used by keyboards and mice, so a device that looks like a flash drive but is actually a keyboard can interact with your logged-in session in a way you would least expect: it types a scripted sequence of keystrokes (open a terminal, enter a command, press Enter) faster than you can react. It can own you in a matter of seconds if you have not taken the right precautions. Note that this has nothing to do with automounting: Ubuntu automounting any inserted storage device is a separate concern, while the HID attack works on any system that accepts a newly attached keyboard, which every default install does. This is not just a big threat for Windows but also for Linux.

The keystrokes the Rubber Ducky types could, for example, start a background process that sniffs the password you type the next time you log in or unlock the screen, and then calls home with the newly gained credentials. The payload only ever types, so it runs with whatever your unlocked session can do; plugged into a locked machine it gets nothing but a password prompt to type at.

So I looked around for a way to stop such an attack on Linux, and to my surprise I found that the kernel provides a simple sysfs interface for USB device authorization. Each root hub (usb1, usb2, and so on under /sys/bus/usb/devices) has an authorized_default attribute that decides whether devices attached under it from then on are authorized, that is, whether the kernel binds drivers to them. An unauthorized device is still enumerated, but no driver, including the HID keyboard driver, is attached to it, so the Ducky's keystrokes never reach your session. Each attached device also has its own authorized attribute, so individual devices can be allowed or denied. Writing 0 to authorized_default does not disable the ports electrically and does not touch devices that are already attached; it only refuses whatever is plugged in afterwards.

The two functions below do the write for you; the glob covers every host controller, so you do not need to edit them for the number of ports you have. If you want the ports locked from boot, so that you do not have to remember to do it by hand (you might forget), run the same write from a boot-time hook such as a systemd oneshot unit. Devices already attached at that point, such as a laptop's built-in keyboard and touchpad, keep working, while anything plugged in afterwards stays unauthorized until you allow it.

You can also add this code to your .bashrc or .zshrc so that you can enable or disable USB by hand when necessary.

# Disable new USB devices to mitigate Rubber Ducky style attacks
# (loop over each root hub: one redirect into a glob that matches several
# files fails in bash, and "sudo echo 0 > file" would run the redirect as
# your own user, so pipe the value through sudo tee instead)
usboff() {
    for f in /sys/bus/usb/devices/usb*/authorized_default; do
        echo 0 | sudo tee "$f" > /dev/null
    done
}

# Enable new USB devices again
usbon() {
    for f in /sys/bus/usb/devices/usb*/authorized_default; do
        echo 1 | sudo tee "$f" > /dev/null
    done
}

Writing to authorized_default needs root, which is why the functions go through sudo. Devices that are already attached keep their current state, so running usboff will not disconnect the keyboard you type it on.
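The same sysfs interface can do more than flip every controller on or off: each attached device has its own authorized attribute, so you can run with authorized_default=0 and then allow only the devices you recognise. The script below is an added example written for this post, not the author's script. It wraps the root-hub switch described above, lists attached devices with their vendor:product ID, authorization state and whether they present a HID interface, and allows or denies individual devices, either by name or from an allowlist of IDs. It assumes a Linux sysfs under /sys/bus/usb/devices and sudo for writes when not run as root; SYSFS_USB and USB_ALLOWLIST are names I chose for this example, and SYSFS_USB is overridable only so the functions can be exercised against a copy of the tree without real hardware.

```sh
#!/bin/sh
# usbauth.sh: USB device authorization through sysfs (added example for this
# post, not the original author's script). Assumes Linux with
# /sys/bus/usb/devices and sudo for writes when not running as root.

# Root of the USB device tree. Overridable (an assumption of this example)
# so the functions can be exercised against a copy of the tree.
SYSFS_USB="${SYSFS_USB:-/sys/bus/usb/devices}"
# Space-separated "vendor:product" IDs (hex, as sysfs prints them) that
# usb_allow_listed may authorize, e.g. "046d:c52b 0781:5583".
USB_ALLOWLIST="${USB_ALLOWLIST:-}"

# Write one value into a sysfs attribute. "sudo echo 0 > file" redirects as
# the calling user and fails, so go through sudo tee unless already writable.
sysfs_write() {
    if [ -w "$2" ]; then
        printf '%s\n' "$1" > "$2"
    else
        printf '%s\n' "$1" | sudo tee "$2" > /dev/null
    fi
}

# Set authorized_default on every root hub (usb1, usb2, ...):
#   0 = devices attached from now on stay unauthorized (no driver binds)
#   1 = kernel default, everything is authorized
#   2 = newer kernels only: authorize devices on ports the firmware marks internal
# Devices that are already attached keep their current state.
usb_set_default() {
    case "$1" in
        0|1|2) ;;
        *) echo "usage: usb_set_default 0|1|2" >&2; return 2 ;;
    esac
    for f in "$SYSFS_USB"/usb*/authorized_default; do
        [ -e "$f" ] || continue
        sysfs_write "$1" "$f"
    done
}

# Succeed if device $1 (a bus-port name such as 1-3) presents a HID
# interface (class 03), the class a Rubber Ducky uses to act as a keyboard.
# Interface directories only exist once a device is authorized; for a
# device that is still unauthorized only the device descriptor is visible.
usb_is_hid() {
    dev="$SYSFS_USB/$1"
    [ -f "$dev/bDeviceClass" ] && [ "$(cat "$dev/bDeviceClass")" = "03" ] && return 0
    for c in "$dev"/"$1":*/bInterfaceClass; do
        [ -f "$c" ] || continue
        [ "$(cat "$c")" = "03" ] && return 0
    done
    return 1
}

# Allow ($2 = 1) or deny ($2 = 0) one device; denying detaches its drivers at once.
usb_authorize() {
    [ -f "$SYSFS_USB/$1/authorized" ] || { echo "no such device: $1" >&2; return 1; }
    sysfs_write "$2" "$SYSFS_USB/$1/authorized"
}

# One line per attached device: name, vendor:product, state, HID flag, product string.
usb_list() {
    for v in "$SYSFS_USB"/*/idVendor; do
        [ -f "$v" ] || continue
        d=${v%/idVendor}; name=${d##*/}
        prod="?"; [ -f "$d/product" ] && prod=$(cat "$d/product")
        hid=no; usb_is_hid "$name" && hid=yes
        printf '%s %s:%s authorized=%s hid=%s %s\n' "$name" \
            "$(cat "$d/idVendor")" "$(cat "$d/idProduct")" "$(cat "$d/authorized")" "$hid" "$prod"
    done
}

# Authorize any attached but unauthorized device whose vendor:product ID is
# on the allowlist, leaving everything else denied.
usb_allow_listed() {
    for v in "$SYSFS_USB"/*/idVendor; do
        [ -f "$v" ] || continue
        d=${v%/idVendor}; name=${d##*/}
        id="$(cat "$d/idVendor"):$(cat "$d/idProduct")"
        case " $USB_ALLOWLIST " in
            *" $id "*) [ "$(cat "$d/authorized")" = "1" ] || usb_authorize "$name" 1 ;;
        esac
    done
}

main() {
    case "$1" in
        lock)    usb_set_default 0 ;;
        unlock)  usb_set_default 1 ;;
        list)    usb_list ;;
        allow)   usb_authorize "$2" 1 ;;
        deny)    usb_authorize "$2" 0 ;;
        allowed) usb_allow_listed ;;
        *) echo "usage: $0 lock|unlock|list|allow DEV|deny DEV|allowed" >&2; return 2 ;;
    esac
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run `usbauth.sh lock` once the devices you trust are attached (they keep their authorization), then `usbauth.sh list` after plugging something in to see it sitting at authorized=0, and `allow` it by name if it is what you expected. To have this from boot, call `lock` from a systemd oneshot unit with RemainAfterExit=yes, or set usbcore.authorized_default=2 on the kernel command line, which the kernel applies before any device enumerates; mode 0 there would leave even a laptop's built-in USB keyboard unauthorized at the login prompt, so 2 (internal ports only) is the usable choice for an early lockdown. Two caveats: denying a device detaches its drivers immediately, so do not deny the keyboard you are typing on, and the HID check can only see the interface classes of devices that are already authorized, which is why the listing shows hid=no for anything still denied.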

Anyway, this concludes today's post, and I hope that it will be helpful.

Cheers!
