attach and detach scripts for OpenBSD's hotplugd(8) that lock all running X displays when a USB HID is attached.
Note: xlock formatting may vary accross systems
Human Interface Devices (HIDs) are input devices that allow humans to interface with computers. The most common HID used are keyboards and mice. A HID attack involves a malicious actor connecting a USB device into a target computer, and this USB device registering itself as a keyboard to the kernel, then playing back preconfigured keyboard keypresses in order to expose backdoors, change settings, and/or install programs - whatever a hacker can do with his hands on your keyboard, a malicious HID can (within reason). There are many platforms used for HID attacks, here are some of the more common ones:
- USB RubberDucky (hak5)
- Teensy boards are also commonly used
These scripts aim to protect users somewhat from HID attacks by immediately locking running X displays when a HID is attached; this means that whatever keystrokes a malicious actor wants to execute are hooked into xlock(1)'s password input instead of anywhere near running programs.
-
To enable hotplugd(8); as root type:
rcctl enable hotplugd -
Copy the
attachanddetachscripts included in this repo to/etc/hotplug/(create the directory if it does not exist):mkdir -p /etc/hotplug cp -iv attach detach /etc/hotplug # (optional) make sure the scripts are executable chmod +x /etc/hotplug/* -
For xlock(1) to work properly, it has to be called by the user of the X display; to do this doas(1) can be used, provided the following rule is included in
/etc/doas.conf:# note: this allows the root user to execute any command as any user without password confirmation permit nopass keepenv root -
Finally, restart hotplugd(8):
rcctl restart hotplugd
- Makefile/install script for easier installation
- Support for other lock programs