check_state will not catch changes that don't change the total number of mounted file systems

[jaseg]

canary.operating_system.helpers.check_state will fail to catch any change in mounted file systems that does not change the total number of mounted file systems (as seen by psutil).

• [ ] Feature Request
• [x] Bug Report

Expected Behavior

Consider a laptop with usb-canary running during screen lock, and the screen being locked while a usb disk containing a single ntfs partition is attached and that partition is mounted. Automount is enabled.

Now consider an attacker unplugs the ntfs usb disk and plugs in another ntfs-formatted, single-partition usb-disk. This other disk is auto-mounted. Note that this is a common scenario when a device has limited USB ports available.

usb-canary should immediately raise hell.

Current Behavior

usb-canary will not notice anything happened provided the change happened quick enough between two checks (likely).

Possible Solution

Properly compare states. Compare more than just device name, mountpoint, filesystem type and options. At least also monitor:

• Device path (usb port number and path through hubs)
• Device serial number from USB descriptors
• Filesystem UUID where available
• Partition and device UUIDs where available
• Other device parameters such as size and additional usb descriptor fields

Steps to Reproduce (for bugs)

(no poc provided)

Context

usb-canary at least on first glance looks like a security tool. Thus it should be secure.

Your Environment

This is independent of operating system.

[errbufferoverfl]

Hi @jaseg,

Thanks for submitting an issue, this has been put into the roadmap. Again thanks for taking the time to contribute to USB Canary.

[errbufferoverfl]

Began looking into this issue late last year, I believe I have a working improved solution, however along with changes to this I am making a number of other changes which may see the major increased.