Comment by andrewla

1 year ago

I had a friend who worked in federal law enforcement who once described a vampire device that they used. It would clamp around a power cable and inject a UPS in the mix so that an electronic device could be removed without turning it off. Seemed like a useful little trick.

If nothing else, would let you move a Frogger machine.

More seriously, I have wondered if you can detect these kinds of external interference. Auto lock the machine if power/network/wifi/Bluetooth/USB conditions change.

Nabbing an unlocked laptop was how they got the Silk Road guy (though they probably already had sufficient evidence elsewhere).

https://arstechnica.com/tech-policy/2015/05/sunk-how-ross-ul...

  • One trick you could use is to abuse the fact that law enforcement often plugs in a mouse wiggler on an unlocked desktop and kill your server the moment you see a new HID device (make sure to run some kind of desktop on your server so they think they can keep the session open, best to do it in a VM).

    You could also monitor the ethernet link. They can move your server but they can't move the entire network, set up an encrypted tunnel between two distant physical servers and self destruct the moment that tunnel gets disrupted.

    Some computers come with gyros/accelerometers built in. My old HP laptop had some kind of head crash prevention that used that hardware. I know this, because Gnome thought it was a tablet style sensor and turned my screen upside down if I didn't disable the sensor. Maybe getting a HP server can already get you a whole bunch of movement sensors.

    You could probably figure out if the server is being moved by measuring capacitance of the case, measuring accelerometers, maybe add a GPS dongle. Or you could add an LTE connector and measure any signals you may receive that you shouldn't from inside a server room. You can probably measure _something_ in the server room, though, so to make sure your LTE dongle doesn't get interrupted, also measure whatever reliable signal you can find to detect Faraday cages.

    Lastly, you could put a video camera in the case on all sides and measure changes. Detecting law enforcement badges probably isn't that hard with opencv if you're dedicated enough.

    You have to hide your security measures and never tell anyone, though, or they'll just leave the server as-is and use the classic rubber hose exploit to make you give up the key material.

    • > Or you could add an LTE connector and measure any signals you may receive that you shouldn't from inside a server room.

      Incoming Bluetooth Low Energy announcements should have a receive power level associated with them. Stick a beacon (like say a standard ble temperature/humidity sensor) somewhere, and you should be able to tell if the distance to it changes.

  • Maybe attack the problem from a different angle: use an accelerometer. Or spend a little bit more money to add a gyro and make a real, if very low accuracy, IMU.

    • That is a great suggestion. I think Android just implemented a “snatch detection” system for phones. Although, I like the idea of not requiring additional hardware. I guess when I start running a drug empire I will have to pony up for the extra dongle.

    • BusKill was created for this: a USB device with a magnetic attachment to a keyring that can be configured to take action on disconnect.

    • Some HSMs I've used (payshields) have tamper sensors that can detect motion for this reason.

      > The ADXL362 accelerometer in the PayShield 10K acts as a "Motion Sensor" detecting tilt movements. An alarm triggers an alert if the HSM is moved (for example, slid out of the rack)

    • That's a great idea. Authorizing any kind of physical change should be a default security measure.

  • If they’re seizing your laptop and your laptop will only work inside your house, wouldn’t they just seize your whole house?

  • > detect these kinds of external interference.

    Easily. Bolt the machine to the floor in such a way that the case has to be opened and a trip sensor activated to actually move the machine.

    You can switch my power source without noticing? Who cares. The attack is taking the machine where it is not supposed to be. That's a problem we've been solving since forever.

  • Wifi would probably be the easiest. Either hide a dummy AP in the house or use a combination of multiple neighbors APs. If you don't see any beacon frames from the dummy SSID for a 30 second period then lock/shred the computer.

    • Wifi 5/6 sometimes take up to a couple of minutes to get online (DFS and whatever) so 30 seconds is like smoking near an open can of gasoline: mostly fine but when it's not...
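The ideas in the replies above (kill on a new HID device, a tunnel heartbeat, a dummy-AP beacon with a grace period, and a BLE beacon whose receive power should not change) all reduce to one dead-man's switch with per-signal grace periods. The following is an added example, not code from the thread or from any project mentioned in it; the timings, device names and RSSI readings are constructed, and the BLE part uses the standard log-distance path-loss model with an assumed calibration of -59 dBm at one metre.

```python
"""Dead-man's switch over several 'am I still where I belong?' signals.
Constructed example; nothing here talks to real hardware."""
import math
from dataclasses import dataclass, field


@dataclass
class TamperMonitor:
    # Per-signal grace period in seconds: how long a signal may go unseen
    # before its absence counts as the box having been moved or cut off.
    grace: dict[str, float]
    last_seen: dict[str, float] = field(default_factory=dict)
    known_hid: frozenset[str] = frozenset()
    armed: bool = False

    def arm(self, now: float, hid_devices) -> None:
        """Start watching; every signal counts as fresh at arm time."""
        self.known_hid = frozenset(hid_devices)
        for name in self.grace:
            self.last_seen[name] = now
        self.armed = True

    def heartbeat(self, name: str, now: float) -> None:
        """Call whenever a signal is observed (beacon frame, tunnel ping reply, ...)."""
        if name in self.grace:
            self.last_seen[name] = now

    def check(self, now: float, hid_devices) -> list[str]:
        """Reasons to lock at time `now`; an empty list means all clear."""
        if not self.armed:
            return []
        reasons = []
        # A new HID device (mouse jiggler) trips immediately; no grace period.
        new_hid = set(hid_devices) - self.known_hid
        if new_hid:
            reasons.append("new HID device: " + ", ".join(sorted(new_hid)))
        for name, limit in self.grace.items():
            silent_for = now - self.last_seen[name]
            if silent_for > limit:
                reasons.append(f"{name} silent for {silent_for:.0f}s (limit {limit:.0f}s)")
        return reasons


def rssi_to_distance(rssi_dbm: float, tx_power_1m_dbm: float = -59.0,
                     path_loss_exp: float = 2.0) -> float:
    """Log-distance path-loss model: d = 10 ** ((P_1m - RSSI) / (10 n)).
    tx_power_1m_dbm is the RSSI measured once at 1 m from the beacon (assumed
    calibration); n is ~2 in free space, higher indoors. Metres, coarse."""
    return 10 ** ((tx_power_1m_dbm - rssi_dbm) / (10 * path_loss_exp))


def beacon_moved(rssi_samples: list[float], baseline_dbm: float,
                 ratio: float = 2.0, **model) -> bool:
    """Median-filter a window of RSSI samples, then flag if the estimated
    distance to the beacon changed by more than `ratio` either way. The median
    keeps one dropped packet or a passer-by from tripping the switch."""
    median = sorted(rssi_samples)[len(rssi_samples) // 2]
    d_now = rssi_to_distance(median, **model)
    d_base = rssi_to_distance(baseline_dbm, **model)
    return d_now / d_base > ratio or d_base / d_now > ratio


def simulate_dfs_outage(grace_wifi: float, outage_seconds: float = 120.0) -> bool:
    """Constructed timeline: the dummy AP goes quiet for `outage_seconds`
    (a DFS channel change) starting at t=10 while the tunnel stays up.
    Returns True if the monitor tripped, i.e. the grace period was too short."""
    mon = TamperMonitor(grace={"wifi_beacon": grace_wifi, "tunnel": 15.0})
    hid = {"kbd0"}                      # constructed device name
    mon.arm(0.0, hid)
    tripped = False
    t = 0.0
    while t <= outage_seconds + 30:
        mon.heartbeat("tunnel", t)
        if t < 10 or t > 10 + outage_seconds:
            mon.heartbeat("wifi_beacon", t)
        if mon.check(t, hid):
            tripped = True
        t += 5.0
    return tripped


if __name__ == "__main__":
    print("30s grace trips during a 2-minute DFS scan:", simulate_dfs_outage(30.0))
    print("180s grace survives it:", simulate_dfs_outage(180.0))
    mon = TamperMonitor(grace={"tunnel": 15.0})
    mon.arm(0.0, {"kbd0"})
    print("jiggler plugged in:", mon.check(1.0, {"kbd0", "mouse1"}))
    print("beacon moved:", beacon_moved([-75, -74, -80, -73, -74], baseline_dbm=-60))
```

The two `simulate_dfs_outage` calls are the point of the DFS reply above: the same monitor with a 30 second grace locks the box during an ordinary channel change, while a grace longer than the worst-case DFS wait does not. What "lock" or "shred" does on trip is deliberately left out; the hard part is choosing thresholds that never fire on your own infrastructure's hiccups.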

Isn’t that kinda what they used for Ross Ulbricht’s computer? I know it was a laptop but they probably didn’t want to take chances given that if that thing shut down, the entire thing would be encrypted?

  • I thought they had an attractive agent distract him for a moment while another agent grabbed his still-unlocked-and-open laptop to prevent him from locking it or closing it up. At least I think that was the cloak-and-dagger story I heard.

    • Two agents posing as a couple feigned a raucous quarrel that distracted him, while a third agent sitting across the table yanked the laptop at the precise moment he was distracted.


Someone successfully did this for copper gigabit ethernet and presented at one of the security conferences - but with a few milliseconds interruption in signal.

That is why you put in special outlets that communicate with the PC over the power line encrypted.

You would need to drill holes in the concrete wall to get to the power lines in the wall in order to take the outlet along and hope that there isn't an additional device in the breaker panel.

So it would emulate a UPS?

So they could just remove the existing UPS?

What is "inject a UPS"?

  • It's a parasitic tap that connects to the mains power cable going into the device. It then phase-locks an inverter with said mains power, allowing the mains power cable to be unplugged and the whole lot transported elsewhere on battery power.