When Things Go Sideways: Resisting Device Seizures

With anonymity networks, compartmentalization, and decent safety practices, remotely attacking a well configured Linux machine is no easy feat. It can be expensive, and requires good contextual awareness on the part of the attacker. In this space, projects like Qubes and Tails offer security promises that give us a lot of hope. However, needless to say, if your adversary is resourceful enough nothing is out of reach: you should assume that if you get in the crosshair of a motivated intelligence service, most security guarantees of your system of choice could fail you. In that case, airtight operational security will likely be your best bet. However, if your adversary is instead a typical law enforcement agency, you might have more room for maneuver.

Disk Encryption and Physical Attacks#

One of the most impactful security measures you should adopt is Full-Disk Encryption (FDE). It is widely available on all Linux distributions, it doesn't require any particular technical expertise to adopt and, if coupled with a reasonably strong passphrase, it is virtually impossible to crack. Because of this, encrypting your data at rest on disk should be your very first step. This means that, for example, the Police will not be able to just come knock your door, unplug your computer and walk away with the data. FDE introduces a significant obstacle your adversary needs to account for and attempt to subvert.

Faced with FDE, and excluding remote exploitation, an attacker has realistically two options:

1. Perform an Evil Maid attack during a covert house visit in order to backdoor your BIOS, bootloader or OS, leave unnoticed, and come back at a later time having intercepted your passphrase you meanwhile unsuspectingly entered.

2. Attempt to seize your computer while powered on. If it's seized unlocked, prevent it from locking, and copy off all data. If it's seized locked, employ some attack strategies to attempt to recover critical information from running memory, possibly the disk's decryption key.

Evil Maid attacks are real and a lot more trivial than people might think. They are however not in the scope of this text. We will talk more about Evil Maid and mitigation strategies in future posts.

Instead we will focus on device seizures, which are commonplace.

Of course, if you are exposed to a hightened level of risk, best practice dictates that you never leave your computer unattended, and that you never operate your computer from an untrusted location. However, respecting these restraints religiously is hard, and they might be incompatible with some other risk assessments you've made (for example, you might be required to be constantly on the move).

There are documented cases where authorities have gone to great lengths to ensure they seize laptops powered on. Perhaps most famous is the case of Ross Ulbricht, the infamous Silk Road founder, whose arrest was timed when Ulbricht was connecting with his laptop from a San Francisco public library, enabling the Police to seize the laptop turned on and unlocked.

Or more recently we see the case of two anarchists arrested in Munich, also in a public library. Quoting the article:

"As we learned in the meantime, N and M were arrested on 26th February in the municipal library HP8 (Neues Gasteig neighbourhood) close to the Brudermühl bridge. Both of them were sitting in front of a computer when they were tackled to the ground by plainclothes cops."

"The timing of the operation seemed to be carefully chosen: they waited until the comrades had logged in to the computers, which likely gave the nosey pig spies access to their encrypted e-mails."

In a scenario like this, where you can be forcefully and rapidly separated from your computer, there's very little you can do. You are unlikely to have time to even keep the power button pressed long enough to poweroff your computer, let alone shut it down cleanly.

SIDENOTE: along with obtaining data from service providers, records show that authorities are particularly fond of hidden GPS trackers, microphones and cameras. We would not exclude the possibility that Police might do a covert house visit and install cameras whose footage might later be used to capture your disk encryption passphrase (or your phone unlock code). Similarly, if you operate your computer from a public place you should consider authorities might be able to recover footage from surrounding security cameras. Sounds silly, but building some muscle memory entering your passphrase blindly with your laptop lid tilted might be a worthy exercise.

In light of these threats we started working on a little tool to provide an extra layer of security during these types of physical seizures.

Enter Killjoy#

Killjoy is a simple emergency and tamper-response utility for your Linux computer.

Killjoy monitors for changes in peripherals, such as plugging of USB, FireWire, Thunderbolt devices, or removal of Power Supply. Additionally it can also watch for manual triggers, for example from a keyboard shortcut, or trigger after a period of inactivity. The idea is to protect the computer from tampering when separated from the user, as well as give the user the opportunity to execute an emergency sequence in case of need. Killjoy aims to provide an additional layer of security when all else fails.

This tool tries to address two scenarios:

1. Your computer is seized locked but powered on. The adversary attempts to perform an attack through some external programmable device (such as FireWire or Thunderbolt), abuse Direct Memory Access and leverage unmediated access to the computer's memory in order to unlock it or steal encryption keys. Modern systems are much more resistant to DMA attacks thanks to IOMMU, which brokers and restricts devices' access to the computer physical memory. However, occasionally vulnerabilities emerge that bypass these protections.

2. Your computer is seized from you unlocked. The adversary does not have root privileges, but attempts to plug in an external device such as a USB storage to copy files off to, or a Rubber Ducky to automate some malicious actions, or a Mouse Jiggler to prevent the computer from locking while it is being transported away. With Full-Disk Encryption protected by a strong passphrase, these days adversaries are particularly incentivized to attempt to separate your laptop from you in this state, and online reports describe cases just like this.

With killjoy running, you can instruct your computer to execute a pre-configured set of emergency commands when triggered. Perhaps you might want to trigger an immediate poweroff in order to restore the device to a fully encrypted state and reduce chances of data recovery.

Check the dedicated page for more details on configuration and usage.

General Recommendations#

• Always use Full-Disk Encryption (FDE) and pick a strong passphrase. Plenty of online resources provide instructions on what makes a passphrase good. Read up on this.

• Be cautious of your surroundings when entering your FDE passphrase. You don't want that captured by a security or hidden camera.

• Access your computer's BIOS settings (you can do so usually pressing Enter, F1, or F2 during the manufacturer splash screen at start-up). Look in the security settings for an option to enable a BIOS password. Set one, of course different from your FDE passphrase. BIOS passwords can be bypassed, but they are an additional obstacle to early boot tampering.

• Also in your BIOS settings look for options to disable peripheral ports and devices. You should get rid of anything you don't plan to use. So, for example Thunderbolt, Firewire, and even Bluetooth. This helps reducing your potential attack surface. Naturally this doesn't apply if you use Tails, but if you don't, you could consider disabling boot from USB or anything other than your hard drive.

• Still in your BIOS settings you might want to ensure that your hard drive has boot priority over anything else.

• Whenever you are not actively using your computer, shut it down.

• Ideally always carry your electronics with you. If something prevents you from doing that, store them safely and look into how to make them tamper evident.

• Always lock your screen any time you step away from your computer, even if for a brief moment. You may need to screen lock rapidly, so clicking around with your mouse pointer might not be the best idea. Read up on how to configure a keyboard shortcut to lock your screen on your window manager and memorize the shortcut. Be cautious of you surroundings when entering the unlock password.

• Make sure your window manager is configured to auto-lock when inactive and when the laptop lid is closed.

• Keep your software up-to-date. Security vulnerabilities get patched all the time, and privilege escalations are particularly sought after on Linux systems.

• Setup killjoy. Do some trial runs to make sure killjoy activates and behaves as expected. Enable it especially when you are operating your computer from an untrusted location.

• In case of emergency, don't panic. If you are running Tails try to unplug the Tails USB disk. This will trigger a rapid shutdown of the system, and perform some wiping of the memory to prevent Cold Boot Attacks. You could also consider tying your Tails USB disk to your wrist with a leash. If you are not running Tails:

  • If you have killjoy activated with monitoring for power supply, pull the power plug.
  • If you think you have time to forcefully poweroff the computer through holding the power button, you can try but it could be a risky choice.
  • If it's a laptop, close the lid. In any case, try to activate the screen lock.