andrewla
7 days ago
I had a friend who worked in federal law enforcement who once described a vampire device that they used. It would clamp around a power cable and inject a UPS in the mix so that an electronic device could be removed without turning it off. Seemed like a useful little trick.
0cf8612b2e1e
7 days ago
If nothing else, would let you move a Frogger machine.
More seriously, I have wondered if you can detect these kinds of external interference. Auto lock the machine if power/network/wifi/Bluetooth/USB conditions change.
Nabbing an unlocked laptop was how they got the Silk Road guy (though they probably already had sufficient evidence elsewhere).
https://arstechnica.com/tech-policy/2015/05/sunk-how-ross-ul...
jeroenhd
7 days ago
One trick you could use is to abuse the fact that law enforcement often plugs in a mouse wiggler on an unlocked desktop and kill your server the moment you see a new HID device (make sure to run some kind of desktop on your server so they think they can keep the session open, best to do it in a VM).
You could also monitor the ethernet link. They can move your server but they can't move the entire network, set up an encrypted tunnel between two distant physical servers and self destruct the moment that tunnel gets disrupted.
Some computers come with gyros/accelerometers built in. My old HP laptop had some kind of head crash prevention that used that hardware. I know this, because Gnome thought it was a tablet style sensor and turned my screen upside down if I didn't disable the sensor. Maybe getting an HP server can already get you a whole bunch of movement sensors.
You could probably figure out if the server is being moved by measuring capacitance of the case, measuring accelerometers, maybe add a GPS dongle. Or you could add an LTE connector and measure any signals you may receive that you shouldn't from inside a server room. You can probably measure _something_ in the server room, though, so to make sure your LTE dongle doesn't get interrupted, also measure whatever reliable signal you can find to detect Faraday cages.
Lastly, you could put a video camera in the case on all sides and measure changes. Detecting law enforcement badges probably isn't that hard with opencv if you're dedicated enough.
You have to hide your security measures and never tell anyone, though, or they'll just leave the server as-is and use the classic rubber hose exploit to make you give up the key material.
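As an added example (not code from any commenter), a small Linux watchdog in the spirit of the "auto lock if power/network/USB conditions change" idea and the new-HID-device trick above: it snapshots sysfs, diffs against the last snapshot, and locks the session on any change. The sysfs paths and the `loginctl lock-sessions` lock command are assumptions about the host.

```python
import glob
import os
import subprocess
import time

LOCK_CMD = ["loginctl", "lock-sessions"]  # assumption: systemd-logind desktop

def read(path, default=""):
    try:  # sysfs attribute, or default if the node does not exist
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return default

def snapshot():
    """Collect the watched conditions into a comparable dict (Linux sysfs)."""
    usb = {os.path.basename(p): read(os.path.join(p, "product"))
           for p in glob.glob("/sys/bus/usb/devices/*")
           if os.path.exists(os.path.join(p, "product"))}
    link = {os.path.basename(p): read(os.path.join(p, "operstate"))
            for p in glob.glob("/sys/class/net/*") if not p.endswith("/lo")}
    ac = {os.path.basename(p): read(os.path.join(p, "online"))
          for p in glob.glob("/sys/class/power_supply/*")
          if read(os.path.join(p, "type")) == "Mains"}
    return {"usb": usb, "link": link, "ac": ac}

def diff(before, after):
    """List every differing key between two snapshots as 'cat:key: old -> new'.
    Any change counts: a new USB device (a mouse jiggler), a link going down
    (cable pulled) or AC power vanishing (a power swap that did not sync)."""
    changes = []
    for cat in ("usb", "link", "ac"):
        b, a = before[cat], after[cat]
        for key in sorted(set(b) | set(a)):
            if b.get(key) != a.get(key):
                changes.append(f"{cat}:{key}: {b.get(key)!r} -> {a.get(key)!r}")
    return changes

def watch(interval=1.0, lock=lambda: subprocess.run(LOCK_CMD, check=False)):
    """Poll, lock the session on any change, then re-arm on the new baseline."""
    baseline = snapshot()
    while True:
        time.sleep(interval)
        current = snapshot()
        changes = diff(baseline, current)
        if changes:
            print("condition changed:", "; ".join(changes))
            lock()
            baseline = current
```

Run `watch()` from a root or logind-capable session; a cleanly synced vampire UPS will not show up in the `ac` category, which is why the thread leans on USB, link and motion signals as well.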
tbrownaw
6 days ago
> Or you could add an LTE connector and measure any signals you may receive that you shouldn't from inside a server room.
Incoming Bluetooth Low Energy announcements should have a receive power level associated with them. Stick a beacon (like say a standard ble temperature/humidity sensor) somewhere, and you should be able to tell if the distance to it changes.
amluto
7 days ago
Maybe attack the problem from a different angle: use an accelerometer. Or spend a little bit more money to add a gyro and make a real, if very low accuracy, IMU.
0cf8612b2e1e
7 days ago
That is a great suggestion. I think Android just implemented a “snatch detection” system for phones. Although, I like the idea of not requiring additional hardware. I guess when I start running a drug empire I will have to pony up for the extra dongle.
TimeBearingDown
7 days ago
BusKill was created for this, USB with a magnetic attachment to a keyring that can be configured to take action on disconnect.
mcpherrinm
6 days ago
Some HSMs I've used (payshields) have tamper sensors that can detect motion for this reason.
> The ADXL362 accelerometer in the PayShield 10K acts as a "Motion Sensor" detecting tilt movements. An alarm triggers an alert if the HSM is moved (for example, slid out of the rack)
TeeMassive
7 days ago
That's a great idea. Authorizing any kind of physical change should be a default security measure.
adgjlsfhk1
7 days ago
Seems like a MEMS accelerometer would be all you need. Rotation isn't really a threat...
amluto
7 days ago
Rotation itself isn’t a threat, but if you want to directly estimate displacement to distinguish between earthquakes and someone stealing the machine, without relying on heuristics, actual inertial measurement would do the trick. And inertial measurement involves tracking the direction of acceleration, which involves tracking rotation.
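As an added example (not from any commenter), a one-dimensional version of the displacement estimate described above: double-integrate an acceleration trace and threshold the net displacement, so symmetric shaking nets out to zero while a sustained push registers as movement. The traces are constructed, and gravity removal, sensor drift and the rotation tracking a real IMU needs are deliberately left out.

```python
import math

def integrate(samples, dt):
    """Cumulative trapezoidal integral of samples spaced dt seconds apart."""
    out, total = [0.0], 0.0
    for a, b in zip(samples, samples[1:]):
        total += (a + b) / 2.0 * dt
        out.append(total)
    return out

def net_displacement(accel, dt):
    """Double-integrate a 1-D acceleration trace (m/s^2) to net position (m)."""
    return integrate(integrate(accel, dt), dt)[-1]

def moved(accel, dt, threshold_m=0.05):
    """True when the estimated net displacement exceeds threshold_m."""
    return abs(net_displacement(accel, dt)) > threshold_m

# Constructed traces sampled at 100 Hz (not real sensor data).
DT = 0.01
# Earthquake-like shaking: 2 Hz cosine, 2 m/s^2 peak, six full periods.
SHAKE = [2.0 * math.cos(2 * math.pi * 2 * i * DT) for i in range(301)]
# Sliding the box out of a rack: push 0.5 s, coast 1 s, brake 0.5 s.
SLIDE = [1.0] * 50 + [0.0] * 100 + [-1.0] * 50
```

The shake trace comes back to rest with no net displacement, while the slide trace ends about 0.74 m from where it started, which is what the threshold catches.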
dullcrisp
6 days ago
If they’re seizing your laptop and your laptop will only work inside your house, wouldn’t they just seize your whole house?
0cf8612b2e1e
6 days ago
It is a secret one way lock. Disturb the machine and it locks/encrypts/sheds data. Bringing the machine back to the safe zone would not decrypt the data.
lobsterthief
6 days ago
They absolutely would
akira2501
6 days ago
> detect these kinds of external interference.
Easily. Bolt the machine to the floor in such a way where the case has to be opened and a trip sensor activated to actually move the machine.
You can switch my power source without noticing? Who cares. The attack is taking the machine where it is not supposed to be. That's a problem we've been solving since forever.
MertsA
7 days ago
Wifi would probably be the easiest. Either hide a dummy AP in the house or use a combination of multiple neighbors' APs. If you don't see any beacon frames from the dummy SSID for a 30 second period then lock/shred the computer.
justsomehnguy
7 days ago
Wifi 5/6 sometimes take up to a couple of minutes to get online (DFS and whatever) so 30 seconds is like smoking near an open can of gasoline: mostly fine but when it's not...
cruffle_duffle
7 days ago
Isn’t that kinda what they used for Ross Ulbricht’s computer? I know it was a laptop but they probably didn’t want to take chances given if that thing shut down the entire thing would be encrypted?
andrewla
7 days ago
I thought they had an attractive agent distract him for a moment while another agent grabbed his still-unlocked-and-open laptop to prevent him from locking it or closing it up. At least I think that was the cloak-and-dagger story I heard.
gosub100
6 days ago
Two agents posing as a couple feigned a raucous quarrel that distracted him, while a third agent sitting across the table yanked the laptop at the precise moment he was distracted.
thebruce87m
6 days ago
And they had to improvise as the cafe he was originally going to visit was too busy and he went to a library instead. Super interesting story!
immibis
6 days ago
Someone successfully did this for copper gigabit ethernet and presented at one of the security conferences - but with a few milliseconds interruption in signal.
sschueller
6 days ago
That is why you put in special outlets that communicate with the PC over the power line encrypted.
You would need to drill holes in the concrete wall to get to the power lines in the wall in order to take the outlet along and hope that there isn't an additional device in the breaker panel.
the_real_cher
7 days ago
So it would emulate a UPS?
So they could just remove the existing UPS?
what is inject a UPS?
amiga-workbench
7 days ago
It's a parasitic tap that connects to the mains power cable going into the device. It then phase locks an inverter with said mains power, allowing the mains power cable to be unplugged and the whole lot transported elsewhere on battery power.
amelius
7 days ago
How do you reliably get to the copper without shorting it?
madars
7 days ago
With special equipment and by half-pulling/disassembling the power outlet. See https://wiebetech.com/products/hotplug-field-kit/ and https://www.youtube.com/watch?v=-G8sEYCOv-o
aaronmdjones
7 days ago
Careful application of a box cutter for the outer sheath followed by something resembling a scotchlok connector for line and neutral.
Edit: If the machine is plugged into a power bar / power strip / whatever you want to call it, this is much easier still: Plug the vampire UPS into the power bar as well, wait for it to sync up to the grid, and disconnect the bar from the outlet. The UPS continues to feed power into the bar and thus keeps the machine powered.
pests
6 days ago
Power strips make this easier of course, but every outlet usually has two plugs and most* of the time they are wired together. You just need to plug into the other plug.
* In case they are split for whatever reason (switched plug, different circuit) whatever, just take off the faceplate, pull out the outlet, and now you have direct access to the screw terminals and copper wiring on the outlet. You could wire into the plug using the second set of terminals or via the other connection method (one being the screw terminals, the other being the "insert into the hole" depending on which is used) and take the whole outlet with you.
aaronmdjones
6 days ago
That would apply in North America yeah; that wouldn't apply over here (UK).
The insulation on plug pins prevents you pulling the plug far enough out of the socket to use a plug pin capture device; if it's far enough out of the socket to expose the uninsulated portion of the pins, it is no longer far enough into the socket to be receiving voltage, and you've just interrupted the power, which is precisely what you don't want.
The design of our wall sockets is such that there is no separate faceplate assembly; you'd have to take the entire socket off of the wall. Excepting some exotic sockets (like the MK Logic Plus Rapid Fix), there is only one recessed insulated screw terminal for line and neutral and no holes to push conductors into [1], and loosening that screw to put another conductor in would also risk interrupting the power.
Furthermore, most sockets are on ring circuits, and removing the socket from the wall creates a dangerous potential for an overcurrent condition on the now-incomplete ring, which the breaker will not respond to, as it can't know that the ring is no longer complete.
In order to safely do socket surgery in this scenario, you'd first have to connect both lines and both neutrals together using something like a scotchlok connector. Then you can cut one of the line and neutral conductors from those to the socket. Finally, you can crimp onto the flying socket line and neutral from the vampire, and then cut the other line and neutral when the UPS is ready to feed the socket. This leaves exposed mains-potential conductors behind the wall which should be capped off by some form of scotchlok or crimp connector for occupant safety, and an exposed mains-potential conductor which should be capped off for officer and technician safety. [2]
I dare say this is more involved and riskier than simply carefully cutting into the equipment power cord. Also, good luck finding enough slack conductor behind a wall socket in order to pull this off.
pests
5 days ago
Oh interesting. Do you have outlets with two plugs that are internally wired together?
aaronmdjones
5 days ago
We do, but that doesn't help you much if e.g. they have two computer systems plugged into the same double socket outlet and you want to seize both of them without powering them off, or you fear that the computer system plugged into one socket will react badly to the loss of power of whatever device is plugged into the other one alongside it. Almost all of our sockets are also switched, so you're playing with fire every time you put your hands on it -- you might knock the switch and kill the power to that socket just by trying to take it off of the wall.
giobox
6 days ago
As far as I'm aware, oftentimes they just plug into an open socket on an existing powerstrip that are so often used for PCs, no vampire-ing required. You can then unplug the powerstrip from the wall, it stays powered, inputting electricity through one of the sockets instead of drawing.
I guess a more elaborate version of the same idea can be done if the computer plugged directly to an outlet with two sockets too, removing the socket from the wall.
The only time I can foresee vampiring the cable being a thing would be if the computer is directly plugged into a single socket outlet on the wall?