USB Connector

A new tool released on GitHub last week can help paranoid sysadmins keep track of whenever someone plugs in or disconnects an USB-based device from high-value workstations.

Called USB Canary, this tool is coded in Python and currently, works only on Linux. As its author told Bleeping Computer in a private conversation, work is already on its way for Windows and Mac versions.

The tool works by watching USB connectors for any activity while the computer is locked, which generally means the owner has left his desk.

If an USB device is plugged in or unplugged, USB Canary can perform one of two actions, or both. It can alert the owner by sending an SMS message via the Twilio API, or it can post a message in a Slack channel, which can be monitored by other co-workers.

Created as a fun project, USB Canary may prove quite useful

USB Canary was created by a security researcher that goes online by the nickname of @errbufferoverfl. The tool was later improved with the contributions of @assurance, @chkconfig, and @ducksecparty.

"I started writing it when I was between jobs, I had just finished up in a security operations role where I was doing a lot of compliance and developing tools," errbufferoverfl told Bleeping Computer.

The developer says he was disenchanted with similar tools because they only notified users only after someone had logged on. As there are means to automate attacks without logging in, this wouldn't be very useful, errbufferoverfl said.

"I didn't really expect it to be picked up when I finished it, but after seeing the community response I started working on a version that should hopefully work on Windows and OSX so more people can use it," the developer added.

A must-have for enterprise IT staff

USB Canary can prove to be a very useful tool for large organizations that feature strict PC policies. For example, if you really want to enforce a "No USB drives" at work, this could be the tool for the job.

Similarly, if USB Canary would support a local logging feature in the future, it could be secretly deployed on air-gapped computers and allow sysadmins to find out when employees connected USB flash drives to isolated systems.

Projects in the same category as USB Canary include USB Kill (waits for a change on your USB ports and then immediately shuts down your computer) and Silk Guardian (waits for a change on your usb ports and then wipes your ram, deletes precious files, and turns off your computer).

Errbufferoverfl has open-sourced the USB Canary source code on GitHub.