Implementing BusKill with udev

July 30, 2023    Article    624 words    3 mins read

If you work in security or you like to pretend you work in security (we all do, friend, we all do), you must’ve heard about BusKill. Every infosec person going to a Defcon (or like some of us call it, NSA Job Recruitment Fund) has one of those because it’s so cool pretending to be a 133t hacker and their threat model definitely requires an immediate shutdown of the computer, else the nefarious actors (APT21, APT22, APTsqrt(69)) will retrieve their porn stash. And nobody wants to lose their porn stash.

funny, heh?

But just in case you think it might be interesting to have a way to shut down (and lock, if it’s encrypted) your laptop in case somebody snatches it from your hands (hello USA, get well), keep reading because I have a solution that doesn’t involve paying those BusKill people your hard-earned pennies.

You will need a USB disk drive (any capacity, better left empty and/or unformatted, or even better, you can put several /dev/random dumps disguised as files named NATO_protocol.docx, PiZZ@G@t3.doc and Nuclear_Launch_Codes_v4.5.pdf, just for the kick of it). Don’t keep important stuff on the drive because the trigger is system power off and the data on the drive might (read WILL) get corrupted.

Make sure it fits an empty USB port on your laptop (if the laptop has USB-C ports, get a USB-C drive, if it has USB-A ports, get a USB-A drive, it’s not quantum physics).

Using udev over the BusKill app has some distinctive advantages:

  • you don’t need no application, you don’t need no thought control, no dark sarcasm in the classroom, etc.
  • it’s run automatically without having to do anything (like arming the application in case of BusKill).
  • you can trigger whatever events you would want and can think of.

We’ll start by identifying the USB device. Run the following command and plug the USB device afterwards.

$ sudo udevadm monitor --kernel --property --subsystem-match=usb

Look for the PRODUCT line (it’s ok if there are multiple lines, the product code is the same) and make a mental note of the code. In my case it was bda/109/959.

Next create a udev rule file named 5-buskill.rules (you can name it 6-obamacare.rules if you want) and place it inside the /etc/udev/rules.d/ directory. The file contains this single line:

ACTION=="remove", SUBSYSTEM=="usb", ENV{PRODUCT}=="bda/109/959", RUN+="/sbin/poweroff"

ACTION is the action on which we want to trigger the command, in our case we want to trigger it on the removal of the USB device. SUBSYSTEM is obviously USB, PRODUCT is the USB device’s product code as identified from the previous command and the RUN part is the program that should be triggered, in our case to power off the system. If you’re using a Linux distro with systemd, the path should be /usr/sbin/poweroff. Don’t use just poweroff, use the full path: udev doesn’t search your PATH, and a relative name is looked up in /usr/lib/udev instead.

You can do anything here, send an email, ping a server, trash the LUKS header from your drive (please don’t unless you’re Julian Assange), post a tweet (sorry, I meant a Xeet), a toot (it’s a kind of Mastodon post, I’m not sure how you can trigger udev actions to your colon) etc.

Don’t forget to reload the udev rules after you’ve saved the file.

$ sudo udevadm control --reload
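As an added example (not from the original post, and not BusKill’s code), here are two small POSIX shell helpers that automate the three steps above: pull the PRODUCT code out of a saved udevadm monitor dump, refuse to continue if the dump contains more than one device, and build the rule line. The sample dump is constructed for the example; the function names extract_product and build_rule are my own. The generated rule is slightly stricter than the one-liner above: it adds ENV{DEVTYPE}=="usb_device", because the interface children of the drive (DEVTYPE=usb_interface) carry the same PRODUCT value, which is why you see the code repeated in the monitor output and why the plain rule fires once per interface.

```shell
#!/bin/sh
# Added example, not part of the original post. Helpers for the udev
# dead-man-switch procedure. Assumption: udev prints PRODUCT as
# "vendor/product/bcdDevice" in lowercase hex, e.g. bda/109/959.

# Constructed sample of `udevadm monitor --kernel --property
# --subsystem-match=usb` output for one drive being plugged in. The
# interface child (DEVTYPE=usb_interface) repeats the parent's PRODUCT.
SAMPLE_MONITOR='KERNEL[101.23] add      /devices/pci0000:00/0000:00:14.0/usb1/1-3 (usb)
ACTION=add
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-3
DEVTYPE=usb_device
PRODUCT=bda/109/959
SUBSYSTEM=usb

KERNEL[101.24] add      /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0 (usb)
ACTION=add
DEVPATH=/devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0
DEVTYPE=usb_interface
PRODUCT=bda/109/959
SUBSYSTEM=usb
'

# Print the single PRODUCT value found on stdin. Fail if there is none, or
# if the dump mixes several different codes (more than one thing plugged in).
extract_product() {
    codes=$(sed -n 's/^PRODUCT=//p' | sort -u)
    [ -n "$codes" ] || { echo "no PRODUCT line found" >&2; return 1; }
    count=$(printf '%s\n' "$codes" | wc -l | tr -d ' ')
    [ "$count" -eq 1 ] || {
        echo "ambiguous: $count different PRODUCT codes in dump" >&2; return 1; }
    printf '%s\n' "$codes"
}

# Build the rule line for a PRODUCT code and a handler program.
# - validates the code looks like hex/hex/hex before it lands in a rule file
# - requires an absolute handler path (udev does not search PATH)
# - matches DEVTYPE usb_device so RUN fires once, not once per interface
build_rule() {
    product=$1
    handler=$2
    printf '%s' "$product" | grep -Eq '^[0-9a-f]+/[0-9a-f]+/[0-9a-f]+$' || {
        echo "bad PRODUCT code: $product" >&2; return 1; }
    case $handler in
        /*) ;;
        *) echo "handler must be an absolute path: $handler" >&2; return 1 ;;
    esac
    printf 'ACTION=="remove", SUBSYSTEM=="usb", ENV{DEVTYPE}=="usb_device", ENV{PRODUCT}=="%s", RUN+="%s"\n' \
        "$product" "$handler"
}

# Usage (uncomment to run against the sample, or pipe in a real capture):
#   product=$(printf '%s' "$SAMPLE_MONITOR" | extract_product)
#   build_rule "$product" /usr/sbin/poweroff | sudo tee /etc/udev/rules.d/5-buskill.rules
#   sudo udevadm control --reload
```

Before you trust the rule with a real power-off, udevadm test --action=remove /sys/bus/usb/devices/<port> (the device path from the DEVPATH line) prints the RUN programs a remove event would trigger without executing them, so you can confirm the rule matches exactly once.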

At this point, if you remove the USB device the computer will immediately power off. Keep in mind that someone might find your dog-humping-usb-drive funny and attempt to pull it out to look at it, so make sure you don’t do anything destructive unless your threat model requires it.

Extra bonus points if you use a carabiner and steel cable to tie the USB device to your pants.
Extra extra bonus points if you got the Pink Floyd reference.

Peace out!