Goal
Master USB threat mitigation with usbguard, assemble a cypherpunk field kit for operational security, and apply physical security principles to real-world scenarios.
Prerequisites: Week 9b (Building Airgapped Systems)
This is Part 3 of 3 - Covers USB defense, field operations, and decision-making.
1. USB Threat Mitigation
Understanding USB Attacks
BadUSB (Firmware Reprogramming):
Attacker modifies USB stick firmware
→ USB identifies as keyboard (HID device)
→ Types malicious commands at lightning speed
→ Downloads and executes malware
→ All of this bypasses antivirus (it's "legitimate" keyboard input)
Rubber Ducky / Bash Bunny:
- Pre-programmed USB HID attack device
- Looks like innocent USB drive
- Executes payload when plugged in
Juice Jacking:
- Malicious USB charging stations
- Compromised USB cables with hidden electronics
- Exfiltrates data while charging phone
Defense: usbguard (Whitelisting)
# Install usbguard
sudo apt install usbguard
# Generate policy from currently connected devices
sudo usbguard generate-policy > /tmp/usbguard-policy.conf
# Review and edit policy
sudo nano /tmp/usbguard-policy.conf
# Install policy
sudo cp /tmp/usbguard-policy.conf /etc/usbguard/rules.conf
# Start and enable usbguard
sudo systemctl enable --now usbguard   # --now also starts the service, so no separate start is needed
# Test: Plug in new USB device
# Should be blocked! Check with:
sudo usbguard list-devices
# Allow specific device temporarily
sudo usbguard allow-device <device-id>
# Add permanently to policy
sudo usbguard append-rule 'allow id <vendor:product>'
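The last rule above, allow id <vendor:product>, matches on vendor and product ids alone, and a reflashed BadUSB stick keeps those; what changes is its interface list, which the with-interface attribute in generate-policy output pins down (the same applies to the append-rule step in the section 3 lab). The following Python is an added example, not code from this page or from the usbguard project: a simplified first-match evaluator for a subset of usbguard's rule language (id, serial, with-interface with its set operators; other attributes are skipped, and equals is assumed when no operator is written), run against a constructed policy and constructed device descriptors to show that the enrolled stick is allowed while the same stick with an added HID interface falls through to the block default.

```python
# Simplified re-implementation of usbguard rule matching (added example, not usbguard's own code):
# allow/block/reject, "id vendor:product", "serial", "with-interface" + equals/all-of/one-of/none-of.
import re
from fnmatch import fnmatch
TOKEN = re.compile(r'"[^"]*"|\{[^}]*\}|\S+')  # quoted string, { set }, or bare word

def parse_rule(line):
    t = TOKEN.findall(line)
    rule, i = {"target": t[0], "op": "equals", "interfaces": None}, 1  # equals assumed if no operator
    while i + 1 < len(t):
        key, val = t[i], t[i + 1]
        if key == "with-interface" and val in ("equals", "all-of", "one-of", "none-of"):
            rule["op"], val, i = val, t[i + 2], i + 1  # explicit set operator
        if key == "with-interface":
            rule["interfaces"] = val.strip("{}").split()
        elif key in ("id", "serial"):
            rule[key] = val.strip('"')
        i += 2  # name, hash, parent-hash, via-port, ... are skipped in this subset
    return rule

def iface_match(op, patterns, ifaces):
    # cc:ss:pp interface types; "*" wildcards are allowed in the rule patterns
    dev_hit = [any(fnmatch(d, p) for p in patterns) for d in ifaces]
    pat_hit = [any(fnmatch(d, p) for d in ifaces) for p in patterns]
    if op == "equals":
        return all(dev_hit) and all(pat_hit)
    if op == "all-of":
        return all(pat_hit)
    return any(dev_hit) if op == "one-of" else not any(dev_hit)

def matches(rule, dev):
    return (fnmatch(dev["id"], rule.get("id", "*"))
            and rule.get("serial", dev.get("serial")) == dev.get("serial")
            and (rule["interfaces"] is None
                 or iface_match(rule["op"], rule["interfaces"], dev["interfaces"])))
def evaluate(policy, dev, implicit="block"):
    # first matching rule wins; otherwise the ImplicitPolicyTarget applies (default: block)
    for line in policy.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            rule = parse_rule(line)
            if matches(rule, dev):
                return rule["target"]
    return implicit
# Constructed sample policy, modelled on generate-policy output (hash attributes dropped)
POLICY = """allow id 0781:5583 serial "4C530001" with-interface equals { 08:06:50 }
allow id 046d:c31c with-interface all-of { 03:01:01 03:01:02 }"""
# Constructed devices: enrolled stick; same stick after a BadUSB reflash added a HID interface; unknown
STICK = {"id": "0781:5583", "serial": "4C530001", "interfaces": ["08:06:50"]}
BADUSB = {"id": "0781:5583", "serial": "4C530001", "interfaces": ["08:06:50", "03:01:01"]}
UNKNOWN = {"id": "dead:beef", "serial": "X1", "interfaces": ["08:06:50"]}
```

Running evaluate(POLICY, STICK) returns "allow" while evaluate(POLICY, BADUSB) returns "block"; an id-only rule such as allow id 0781:* would let the reflashed stick through.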
Physical USB Security
USB Data Blockers (“USB Condoms”):
Regular USB cable: Pins for power + data
Data blocker: Only power pins connected
Result: Charging works, data transfer impossible
Buy from reputable sources or make your own by cutting data wires.
Portable USB Write Blockers:
- Hardware device placed between USB and computer
- Allows reading USB but prevents writing
- Used by forensic investigators
- Prevents malware from spreading to USB
2. Building a Cypherpunk Field Kit
Essential Items
Digital Security:
[ ] Airgapped netbook (Thinkpad X220 recommended)
[ ] 3x Encrypted USB drives (LUKS, different passphrases)
[ ] USB data blocker / power-only cables
[ ] Portable hardware write blocker (optional)
[ ] YubiKey or hardware token (for GPG signing)
Physical Security:
[ ] Faraday bag for phones (blocks all wireless signals)
[ ] Privacy screen filters (prevents shoulder surfing)
[ ] Webcam covers (physical camera blocking)
[ ] Tamper-evident bags/tape for device storage
[ ] Lock picks (for physical security testing - check local laws!)
Backup & Recovery:
[ ] GPG key backup (paper + QR, sealed envelope)
[ ] Encrypted backup USB (full system image)
[ ] Paper copies of critical passwords/phrases
[ ] Emergency contact QR codes (encrypted)
Operational:
[ ] Portable battery bank (for extended operations)
[ ] Multi-tool with screwdrivers (hardware modifications)
[ ] Evidence bags (collect suspicious USBs)
[ ] Sharpie + labels (mark trusted vs untrusted devices)
[ ] Small notebook + pen (analog notes, no digital footprint)
Lab: Build Your Field Kit
Objective: Assemble a basic operational security field kit
Shopping list:
- 3x USB flash drives (16GB minimum) - $15-30
- USB data blocker - $10
- Faraday bag (phone-sized) - $15-25
- Privacy screen filter for laptop - $20-40
- Tamper-evident bags or tape - $10
- Small notebook + pen - $5
Setup tasks:
- Encrypt each USB drive with LUKS (different passphrases)
- Label them: “Personal”, “Work”, “Emergency Backup”
- Create paper backup of GPG revocation certificate
- Print important QR codes (emergency contacts, etc.)
- Test Faraday bag (put phone inside, try calling it - should not ring)
- Create field kit checklist (laminate it)
Deliverable: Functional field kit ready for use
3. Lab: usbguard Configuration
Objective: Set up USB device whitelisting to block malicious devices
Steps:
Plug in your trusted USB devices (keyboard, mouse, known USB drives)
Install and configure usbguard:
sudo apt install usbguard
sudo usbguard generate-policy > /tmp/rules.conf
sudo mv /tmp/rules.conf /etc/usbguard/rules.conf
sudo systemctl enable usbguard --now
Test blocking:
# Unplug a trusted device, then plug it back in
# It should still work (it's in the whitelist)
# Plug in a new, unknown USB device
sudo usbguard list-devices
# Should show device blocked
Temporarily allow the new device:
sudo usbguard allow-device <device-number>
Add permanently to whitelist:
sudo usbguard append-rule 'allow id <vendor:product>'
Deliverable: Working usbguard policy that blocks unknown devices
4. Strategic Decision Making
Decision Flowchart: When to Use Airgap
Does the data need network access?
├─ YES → Don't use airgap (defeats purpose)
└─ NO → Continue
Is the data extremely high-value?
├─ YES → Consider airgap
└─ NO → Regular encryption probably sufficient
Can adversary physically access your space?
├─ YES → Airgap + physical security
└─ NO → Airgap alone may be overkill
Do you need frequent access to the data?
├─ YES → Airgap will be inconvenient, consider alternatives
└─ NO → Airgap is appropriate
Physical Security Threat Model Scenarios
Scenario 1: Journalist with State-Level Adversary
Threats:
- Border crossing device seizure
- Hotel room search
- Targeted surveillance
- Source identification
Defense Strategy:
- Airgap for source encryption keys
- Decoy laptop with clean persona for travel
- QR code transfer of encrypted documents
- Faraday bag when discussing sources
- Tamper-evident tape on devices
- Dead drop USB exchanges (no direct meetings)
Scenario 2: Security Researcher Traveling Internationally
Threats:
- Juice jacking at airport charging stations
- Evil maid attack in hotel
- Compromised conference Wi-Fi
- BadUSB attacks from “friendly” USB drives
Defense Strategy:
- USB data blocker for all public charging
- Devices in tamper-evident bags when left in room
- No sensitive data on traveling devices (SSH to home lab)
- Field kit with clean USBs for data transfer only
- Document tamper evidence before/after hotel stays
Scenario 3: Privacy-Conscious Individual (Personal Use)
Threats:
- Device theft (burglar, lost laptop)
- Domestic spying (roommate, family member)
- Corporate surveillance (employer-provided devices)
- Data broker harvesting
Defense Strategy:
- Full-disk encryption on all devices (LUKS)
- Encrypted USB backups stored separately
- usbguard to prevent unauthorized USB access
- Compartmentalized identities (work vs personal devices)
- Paper backup of critical credentials (safe deposit box)
5. Field Kit Use Cases
Border Crossing:
- Devices in tamper-evident bags
- GPG keys on airgap machine, not on laptop
- Laptop has decoy persona, no sensitive data
- If seized, nothing to find
Hostile Infrastructure (Hotel, Conference):
- Don’t plug devices into room USB chargers (juice jacking)
- Use data blocker when charging from unknown sources
- Check room for surveillance before discussing sensitive topics
- Faraday bag for phone when having private conversations
Dead Drop Exchange:
- Transfer sensitive documents via encrypted USB
- QR codes for verification keys
- Leave USB in agreed location, retrieve later
- Never meet in person (maintain compartmentalization)
6. Journal & Git Commit
echo "Week 9: Completed physical security labs - built airgap system, practiced QR transfer, configured usbguard, assembled field kit. Key insight: physical access defeats all digital security." >> notes/week09_journal.md
git add .
git commit -S -m "Week 9 - Physical security, airgaps, USB defense, field kit"
Week 9 Checklist
- Built or configured an airgapped system
- Removed or disabled all wireless hardware
- Practiced QR code encoding and decoding
- Set up encrypted USB transfer workflow
- Implemented cryptographic hash verification
- Installed and configured usbguard
- Tested USB device whitelisting
- Assembled field kit with essential items
- Created paper backups of critical keys
- Documented access logs for airgap usage
- Tested Faraday bag effectiveness
- Practiced secure data transfer scenarios
- Updated journal with physical security learnings
Additional Resources
Airgap Security:
- Air-Gap Research Page - Ben-Gurion University
- TEMPEST: A Signal Problem - NSA Document
- Building Secure Air-Gapped Systems - SANS Whitepaper
USB Security:
- BadUSB Research - SR Labs
- USBGuard Documentation
Physical Security:
- Physical Security for the Paranoid - Bruce Schneier
- EFF Physical Security Guide
Key Takeaways
- BadUSB is a serious threat - USB devices can masquerade as keyboards
- usbguard whitelists trusted devices - Blocks unknown USB automatically
- USB data blockers prevent juice jacking - Power only, no data
- Field kit = physical security readiness - Be prepared for hostile environments
- Threat model drives decisions - Match security measures to realistic threats
- OpSec is about workflows - Tools alone don’t make you secure