panic button / panic shutdown / BusKill - The USB kill cord for your laptop

TNT_BOM_BOM · June 8, 2022, 11:16am

"Why BusKill?

BusKill is a Dead Man Switch triggered when a magnetic breakaway is tripped, severing a USB connection. "

Has articles about qubes as well:

Sound an interesting project.

maltfield · June 8, 2022, 3:42pm

Hey @TNT_BOM_BOM, thanks Here’s the explainer video, which I think unpacks the idea of the cable better than words can convey

What is BusKill (Laptop Kill Cord)? - YouTube

BusKill from Crowd Supply on Vimeo

We’re just finishing the first production run thanks to a successful crowdfunding campaign on crowdsupply, and the cables should be shipping to backers in the next 1-2 months.

BusKill is finally here - BusKill

Of course, you can also make your own cable (it’s all open-source)

https://docs.buskill.in

Right now the cross-platform GUI app just locks your screen, but on Linux you can make it shutdown or self-destruct (wipe your LUKS header) in just a few seconds (see the guides linked-to above). It takes 5.2 seconds from cable-separation to shutdown in Ubuntu

LUKS Header Shredder (BusKill Self-Destruct Trigger) - BusKill

Let me know if you have any questions about BusKill

Patrick · July 3, 2022, 12:41pm

RAM wipe on shutdown to defeat a cold boot attack seems to be a related feature.

Does BusKill already implement RAM wipe on shutdown? Does the dracut module cold-boot-attack-defense (by security-misc) seem interesting / sanely implemented to you?

Patrick · July 3, 2022, 12:45pm

I guess that is:

Will be posting there.

Patrick · July 5, 2022, 3:13pm

I will be interpreting this forum post as a development todo ticket to implement a:

panic shutdown script
panic button
panic shutdown start menu entry
panic shutdown on user action such as removal of some USB device (similar to BusKill) / USB kill cord

maltfield · October 26, 2022, 3:57am

Sorry for the super-delayed response.

Does BusKill already implement RAM wipe on shutdown?

We just added a soft-shutdown to the app (currently CLI-only) in our latest release (v0.6.0). It does not include a RAM wipe.

Sorry, but I generally do not consider RAM wiping our highest-priority request atm. To quote from our article LUKS Header Shredder (BusKill Self-Destruct Trigger)

As far as I know, there is no evidence to suggest that a single political prisoner was caught or convicted by an opressive regime due to the results of a cold boot attack. At the time of writing, cold boot attacks exist in a purely academic realm.

Nevertheless, a welcome improvement to this BusKill self-destruct trigger would be to add a step to overwrite the RAM prior to shutdown. But such an implementation should be very carefully tested to ensure that it actually functions as intended across all linux distros–and that it doesn’t prevent the machine from being able to actually power-off. Otherwise, a poor implementation could actually make your self-destruct sequence less secure.

If your risk model is high enough to require defenses against cold boot attacks, you should thoroughly consider switching to TAILS–which has a well-tested implementation of RAM shredding.

Or you could just use an ultrabook with RAM soldered in-place. Or get yourself some superglue.

If you are aware of a case where cold boots were actually used IRL against a victim, please do let me know and I’ll prioritize it…

panic shutdown on user action such as removal of some USB device (similar to BusKill) / USB kill cord

@Patrick Is there any reason you don’t just use the BusKill app? Are there any features that would be required for you to consider adding it to Whonix?

btw, one of our users recently submitted an RFP on Debian:

Bug#1021693: RFP: buskill -- app for arming/disarming/configuring the BusKill laptop kill cord

But it would be pretty cool to see the BusKill app come OOTB in Whonix. Please let me know what you’d like to see to make that happen

Patrick · October 26, 2022, 1:24pm

Might be more suitable for the host operating system. That means Whonix-Host and/or Kicksecure.

Inclusion into packages.debian.org.

RAM wipe is very hard to properly implement. We’ve been working on this too but it stalled foor now. Initramfs has an initrd but what’s needed to wipe RAM on shutdown is an exitrd. Dracut has both an initrd and supports exitrd but it doesn’t properly unmount the luks root disk on shutdown. Therefore a dracut RAM wipe module that runs at very end of the boot process cannot fully wipe the RAM either. If you’re ready / wish to discuss this further lets move to the Whonix RAM wipe development forum thread, your github, dracut github or so at any time.

Wipe LUKS Disk Encryption Key for Root Disk from RAM during Shutdown to defeat Cold Boot Attacks

opened 05:18PM - 29 Dec 20 UTC

adrelanos

enhancement

**Is your feature request related to a problem? Please describe.** Defeat Col…d Boot Attacks by wiping LUKS disk encryption during shutdown. What is a Cold Boot Attacks? See: * https://www.youtube.com/watch?v=JDaicPIgn9U * https://en.wikipedia.org/wiki/Cold_boot_attack * https://blog.f-secure.com/cold-boot-attacks/ * https://www.usenix.org/legacy/event/sec08/tech/full_papers/halderman/halderman.pdf **Describe the solution you'd like** Run `cryptsetup close` at end of shutdown procedure. Quote `cryptsetup close` (previously `cryptsetup lukseClose`) man page (bold added): > close > Removes the existing mapping <name> and **wipes the key from kernel memory**. Maybe `cryptsetup close` could be done during `dracut-shutdown`? This would not wipe all secrets from RAM to defeat a cold boot attack but at least remove one of the most important secrets, the root disk LUKS encryption key. **Describe alternatives you've considered** Linux kernel feature: This issue can probably not be redirected at the Linux kernel. While a generic solution `Wipe RAM to defeat Cold Boot Attacks` (https://github.com/systemd/systemd/issues/17242) probably belongs into the kernel, this does not. For the kernel to be able to wipe the memory, encrypted LUKS devices need to be properly closed first. `cryptsetup close` does that. systemd feature: systemd does not wipe the LUKS disk encryption key for root disk from RAM during shutdown. And as I understand systemd developer @poettering Lennart Poettering, this isn't up to systemd either. It's up to the initrd / initramfs. (https://github.com/systemd/systemd/issues/17887) Quote myself (https://github.com/systemd/systemd/issues/17887#issuecomment-750340608): > Avoiding all sidelines, keeping this simple, for my understanding and for the record and please correct me if I am wrong... Summary: > > `"cryptsetup close" of root device during shutdown` is already implemented. Quote systemd developer @poettering Lennart Poettering (https://github.com/systemd/systemd/issues/17887#issuecomment-751252894): > > `"cryptsetup close" of root device during shutdown` is already implemented. > > iff your initrd/distro of choice do so. For the root disk it doesn't matter what systemd does, it matters what the initrd/distro do. hence ping the maintainers of those.

If your risk model is high enough to require defenses against cold boot attacks, you should thoroughly consider switching to TAILS–which has a well-tested implementation of RAM shredding.

I am afraid this isn’t applicable or easily portable to other non-Tails Linux distributions. Tails doesn’t encrypt the root disk. They don’t need to. The contents of the root disk are the same for all users (except because in rare cases of customized self-made builds). Tails encrypts only the persistent storage. I didn’t check if that encryption is is properly unmounted at shutdown but might be easier. Unmounting an lvm, luks encrypted root disk is much harder.