When USB came out I was working in the defence sector. We closed the vector off with cages for the PCs with tied looms under desks, epoxy in all the holes we didn’t want people to use and with threat of being in deep shit.
When I was frequently using things like this on coworkers in red teaming (back when being in an office was a thing) putting my own desktop in a steel cage with a good lock proved effective against retaliation.
Then we moved on to attacking the firmware in each other's keyboards.
Since this has generated some discussion on locks and picking, there have been some interesting developments on "unpickable locks" that sidestep the tolerance problem by decoupling setting the pins from testing them. I.e. pins are tested all at once after they are physically decoupled from the key & keyway, eliminating state space reduction attacks (aka picking one pin at a time) leaving only brute force.
One such effort features locks made by Stuff Made Here sent to Lock Picking Lawyer. According to LPL the locks are theoretically sound and he did not attempt to pick them, but these particular implementations had a couple (easily fixable) bypasses. Made for interesting videos on both sides:
Whelp it seems I recalled incorrectly this time, because LPL did pick the second one open, via a weakness in the design that he believes can be patched. I don't think my sentiment was totally off base, but clearly my statement about not being picked was factually incorrect.
I once saw a PC security case where instead of the lock cylinder retracting a bolt, it turned a screw thread and opened the case by about half a millimeter. It took the guy unlocking it a good fifty turns to get the PC out of it.
And there were two - one on each side. What's more, it was a tubular lock, so if you were single-pin picking you'd have to pick it 5 times per rotation.
Nothing that would stand up to a battery powered angle grinder, of course.
Tubular locks are trivial to pick and the lock turning the screw mentioned above would be just as simple with a tubular pick as with the original key.
Unfortunately, there aren't really all that many "good locks" on the market. The Lock Picking Lawyer on YouTube[1] has pretty much destroyed my faith in the modern lockmaking industry.
He can defeat just about anything, but he’s also exceptionally skilled. As a consumer of locks, I expect them to be defeatable by a skilled lockpicker. But I don’t expect them to be defeatable by a Bic pen or by reaching in the keyhole with an oddly shaped wire to move the locking pawl.
You can buy locks that don’t have easy bypasses, and can’t be easily drilled, and can’t be picked by beginners.
You can also buy locks that can't be picked by people like me who have been at it 20 years.
To keep people like me out for a while buy a Medeco. Pins not only need to be at the right height, but also the right rotation. They are a real pain in the ass to pick. I don't even know any locksmiths that can pick them. Good security for the money.
Bosnian Bill and LPL... Okay they can pick them, but they are like the 0.0001% in skill.
Still even then pay an extra $100 for a really high quality disk detainer lock like a Protec 2 and you will keep even them out for quite a while.
That is what I use on my luggage. TSA has to call me to unlock them with my consent every time. The way I like it. Great tip I picked up from Deviant Ollam.
I have hundreds of locks and lock bypass tools. I make sure to pay for ones that are not quickly defeated when it counts.
LPL covers most locks in the wild which are bad, but locks like the Protec2 are quite strong and while it is implied one person in the world can beat it with custom tools (huxleypig)... even then not quickly.
Some of the best locks are very very hard to buy as well and still protected with weird export controls held over from the encryption export days.
I frequently use FF-L-2740 spec locks, which is the spec locks need to hit for use in classified government work, military contractors etc. They are very good locks I can't begin to defeat in any practical amount of time and don't know anyone who can. Particularly since they have timed brute force lockouts.
Problem is not a single vendor is allowed to sell locks of that spec to civilians by contract so you have to jump through lots of hoops to get them.
For most uses of a lock its job is to keep honest people out.
I have had doors kicked in, so these days I want the lock to be the weakest, not strongest, part of the door. So when it is kicked in it is a cheap lock that is destroyed not an expensive hardwood door (I like hardwood doors...)
> there aren't really all that many "good locks" on the market.
You can say that again.
I was once proud of myself for having thoroughly researched the market and I thought EVVA MCS was a safe bet[1].
Then someone showed me a YouTube video (published a year after I bought the locks) of someone picking it (not LPL, another YouTuber). Given the cost of EVVA MCS I was not a happy bunny.
but check out this one instead: https://youtu.be/sES_Hbj92BQ - ~2h to open fully (though the author of the video claims impressioning could speed up the thing; anyway, reportedly attacking the door is just easier in this case)
Guy who made the video here.
The lock mechanism itself isn't one of the easiest, but also not one of the hardest to pick skill-wise. However, it does take a very long time to pick through which means that the lock is doing its job very well. Also, I have read that this lock is very resistant to destructive attack as well. So combining pick resistance with physical resistance, you have a very good lock as long as it's installed on a good door and the building has all other security measures in place (no ground level unprotected windows, etc)
The lock doesn't even need to be that good. As you said, the name of the game is intrusion detection, not necessarily intrusion avoidance.
The Lock Picking Lawyer chronicled very nicely a technique for turning a KW1-keyed Kwikset core (extremely common here in the US) into something that is tamper evident. See the YouTube video linked herein.
I’m into locksport as well and would favor that kind of modification on a back door which is more likely to be targeted by thieves. Not sure I’d do it on a front door in case a family member actually locked themselves out and actually needed a locksmith to be able to get in.
When I had towers or pizza boxes I pretty much never touched them once it became normal to leave them on all the time, which was as soon as they were always downloading from the internet at 3.3 kbps.
If the case was locked in a cage I wouldn’t notice until I needed to access the tower to plug in a USB, which might not be for weeks these days.
Being in an office is definitely still a thing. Let's be real, vaccinated adults working from home is a privilege. Mostly a white upper middle class one. Always was.
My school had a way to keep peripherals from wandering off, but if all you need to do is swap the cables then I’m not sure that would still work. Wrapping the cables into a wiring loom makes that process slower, assuming the loom is complicated enough. Did you ever use heat shrink? Or locking cable ties?
What the school did was run a steel cable behind the desks, then put a loop of the mouse cord through a steel washer and ran the security cable through all the loops. If you secure both ends you can’t get the cables separated even with slack.
The trick is that the hole in the washer had to be smaller than the connector so you couldn’t fish it back through no matter how much slack you get. That could still work for USB-A, but these days the connectors are getting smaller than the diameter of curvature of the cable, so you’d break it trying to do this. And on many peripherals you could destroy the cord without reducing the value of the device. One could cut the cable and install this Trojan one on many devices these days, the only telltale would be that the cable isn’t routed properly, which might be harder to notice immediately.
My anecdote was a bit old and I’m certain some of those devices had soldered cables, meaning that a sheared wire couldn’t be handled by buying a new cord or combining parts of two mice. Because I specifically looked for that a few times with no luck.
But they’re right, these days when you crack open things you often find a connector soldered to the motherboard and the cable is merely plugged in. I think it’s just easier to manufacture. Pick and place, bulk solder and then a machine to plug in the cable, fast as you like, maybe with a loop in it as a poor man’s strain protector.
> meaning that a sheared wire couldn't be handled by [...] combining parts of two mice.
Well, if you're stealing them, you only need parts from one mouse: cut the cable close to the mouse, untangle it from whatever crap it's locked to, take mouse and cable home with you, disassemble mouse, feed cable back through (I think it's called) grommet, strip cable, pick out wires, solder wires to appropriate mouse internals, reassemble mouse, done. You have a working mouse with only slightly shorter cable than before.
The point of using soldered cables for security is that setting up a soldering iron near a computer is conspicuous, so you get caught if you try to install an ATtiny85 inside the mouse that way. You can still steal stuff just fine.
Yeah just intentionally drill the head so those screws are not coming out again without power tools which should be obvious in the open where they are deployed.
All the cables were terminated inside the box and strapped every 1 inch with cable ties. Nothing was exposed that could be disconnected other than the monitor IEC lead.
I specifically don't recommend laptops that rely on USB C charging for applications where trust is critical -unless- they are running Linux with USBGuard or QubesOS.
That said I did make transparent and easily auditable USB type C condoms for one client that really wanted to use USB type C laptops.
Systems with security as a strong priority like the Librem 14 use barrel jacks for good reason.
I am in fact implying those that allow use of macbooks at coffee shops to directly access production systems at FAANG and fintech companies are taking a very inappropriate risk :-P
USB C charging happens well below the OS layer, using firmware that often isn't all that good. USBGuard or QubesOS won't help there (but will somewhat mitigate attacks trying to move up the stack)
The problem is not the charging. The problem is that a fake charger cable can run an HID attack over the +/- pins before it does a pass through to the power negotiation MCU for charging.
A tampered USB C to C cable on a conference room table can compromise people all day long.
If the USB C charge ports cut the data pins entirely then great, but I have not seen that be the case on any laptops yet.
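The last few comments turn on a cable that enumerates as a keyboard on a port people treat as power-only. As an added example (not part of the thread and not USBGuard's own code), here is the kind of interface-class check a host-side device policy can make at enumeration time: it only covers the HID case described above, not the charging-firmware concern. The device IDs, port names and the `decide`/`audit` helpers are made up for illustration.

```python
# Added example (not from the thread): decide whether a newly enumerated USB
# device should be authorized, based on the interfaces it declares.
from dataclasses import dataclass

HID_CLASS = 0x03           # USB interface class: Human Interface Device
KEYBOARD_PROTOCOL = 0x01   # HID interface protocol: keyboard

@dataclass(frozen=True)
class UsbDevice:
    vid_pid: str        # "vvvv:pppp"
    port: str           # port path as the kernel names it, e.g. "1-2"
    interfaces: tuple   # "class:subclass:protocol" hex triples

def parse_interface(triple):
    """Turn "03:01:01" into (3, 1, 1); raises ValueError on malformed input."""
    parts = triple.split(":")
    if len(parts) != 3:
        raise ValueError(f"bad interface triple: {triple!r}")
    return tuple(int(p, 16) for p in parts)

def hid_interfaces(dev):
    return [t for t in map(parse_interface, dev.interfaces) if t[0] == HID_CLASS]

def decide(dev, allowed_hid, charge_only_ports):
    """Return (verdict, reason). allowed_hid is a set of (vid_pid, port) pairs."""
    hid = hid_interfaces(dev)
    if not hid:
        return "allow", "no HID interface"
    kind = "keyboard" if any(p == KEYBOARD_PROTOCOL for _, _, p in hid) else "HID"
    if dev.port in charge_only_ports:
        return "block", f"{kind} interface on charge-only port {dev.port}"
    if (dev.vid_pid, dev.port) not in allowed_hid:
        return "block", f"{kind} {dev.vid_pid} not allowlisted on port {dev.port}"
    return "allow", "allowlisted HID device"

# Constructed sample data: IDs and port names are made up for illustration.
ALLOWED_HID = {("1234:0001", "1-1")}
CHARGE_ONLY = {"1-4"}
EVENTS = [
    UsbDevice("1234:0001", "1-1", ("03:01:01",)),             # desk keyboard
    UsbDevice("1234:0002", "1-3", ("08:06:50",)),             # mass storage
    UsbDevice("1234:0001", "1-4", ("03:01:01",)),             # "charger" cable
    UsbDevice("abcd:0009", "1-3", ("08:06:50", "03:01:01")),  # storage + keyboard
]

def audit(events=EVENTS):
    return [decide(d, ALLOWED_HID, CHARGE_ONLY)[0] for d in events]

if __name__ == "__main__":
    for dev in EVENTS:
        print(dev.vid_pid, dev.port, *decide(dev, ALLOWED_HID, CHARGE_ONLY))
```

The third sample device reuses the allowlisted keyboard's vendor and product ID, which is why the allowlist is keyed on the port as well: an ID match alone is not evidence that the device is the one on the desk.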