USB Kill Switch / Dead Man’s Switch

Introduction

In 2013, federal agents arrested Ross Ulbricht in a San Francisco public library. They waited until he had his laptop open and was actively using it because the moment it locked or shut down, the encrypted drive would be inaccessible.

If your threat model includes the possibility of a sudden, physical encounter with someone who wants access to your machine, whether that’s law enforcement, a thief, or anyone else, you need a way to shut everything down fast. Faster than pushing the power button.

The Project

I wrote a small Python script that monitors USB devices. When a selected USB drive is unplugged, it immediately triggers a full system shutdown.

The idea is that you use a metal USB stick with a carabiner attached to your belt loop. The USB stick plugs into a female USB-A to USB-A adapter, then a short USB cable goes from there to your laptop. When the program is running, it monitors the USB port you selected for changes. When a change is detected, it immediately sends a shutdown command.
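The monitoring loop described above, as an added sketch that is not the code from the author's repository. It assumes a Linux host, polls sysfs rather than listening for udev events, and the function names, the `shutdown -h now` command and the placeholder IDs are choices made for this example:

```python
import subprocess
import time
from pathlib import Path

SYSFS_USB = Path("/sys/bus/usb/devices")  # Linux sysfs view of attached USB devices


def _read(path):
    """Return a sysfs attribute as text, or None if it is missing or the device vanished."""
    try:
        return path.read_text().strip()
    except OSError:
        return None


def usb_present(vendor, product, serial=None, root=SYSFS_USB):
    """True if a device with this vendor:product (and serial, if given) is attached."""
    for dev in root.glob("*"):
        if _read(dev / "idVendor") != vendor or _read(dev / "idProduct") != product:
            continue  # interface nodes and other devices fall through here
        if serial is None or _read(dev / "serial") == serial:
            return True
    return False


def shutdown_now():
    """Power off immediately. Needs root; the exact command is an assumption."""
    subprocess.run(["shutdown", "-h", "now"], check=False)


def watch(vendor, product, serial=None, root=SYSFS_USB,
          on_removed=shutdown_now, interval=0.2, sleep=time.sleep):
    """Arm only if the key is attached, then call on_removed once it disappears."""
    if not usb_present(vendor, product, serial, root):
        raise RuntimeError("key device not attached; refusing to arm")
    while usb_present(vendor, product, serial, root):
        sleep(interval)
    on_removed()
    return True


if __name__ == "__main__":
    # Constructed placeholder IDs; substitute the values lsusb reports for your stick.
    watch("0000", "0000", serial="EXAMPLE-SERIAL")
```

Matching on the serial number as well as vendor:product keeps a second stick of the same model from holding the switch open after the key is pulled.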

Why

Full disk encryption is only as good as the moment the machine is powered off. A running, unlocked machine with an encrypted drive is just an unlocked machine. The encryption is irrelevant until the system is off and the keys are out of memory.

ToDo

RAM wiping. When a machine shuts down normally, encryption keys and sensitive data can be in memory, and a cold boot attack can recover that data. A more hardened version of this tool would overwrite RAM before triggering shutdown, using something like shred on /dev/mem or invoking a tool like sdmem from the secure-delete package. I need to look into how Tails implements its secure shutdown.

Shredding the encryption key header. For LUKS-encrypted drives, the key header is what ties your passphrase to the encrypted data. If you shred it, the data becomes permanently unrecoverable; no passphrase will ever work again. A panic mode that shreds the LUKS header before shutdown would mean that even a powered-off drive is now bricked.

The Code

The project is here on my GitHub, or copy and paste https://github.com/CyberDiary2/USB-Kill-Switch-Dead-Man-s-Switch/tree/main if you do not click hyperlinks.