This repository has been archived by the owner on Nov 9, 2018. It is now read-only.

Non-automounted filesystems are ignored #16

Open
1 of 2 tasks
jaseg opened this issue Oct 8, 2017 · 2 comments
Labels: bug, done requires testing, enhancement, in progress

Comments

jaseg commented Oct 8, 2017

usb-canary only monitors what psutil considers "physical", mounted partitions. This means any attached device that does not automount while usb-canary is active (e.g. while the screen is locked) will not be caught.

  • Feature Request
  • Bug Report

Expected Behavior

Consider the following setup: There is a laptop, with usb-canary configured to monitor while the screen is locked. Automounting is disabled. The user locks the screen, goes away. During her absence, a coworker of hers goes near the laptop and finds a USB stick lying on the ground. Thinking the USB stick fell out, she picks it up and plugs it in. Later, the user returns to unlock her laptop. At this point, usb-canary will not have picked up on the additional device since it is not mounted yet. However, now that the laptop is unlocked, she or some automatism might inadvertently mount the filesystem of the USB stick.

Current Behavior

usb-canary does not pick up on the new device absent automounting.

Possible Solution

Monitor physical block devices, or even better, monitor physical USB devices instead of mounted partitions.

Steps to Reproduce (for bugs)

Context

usb-canary at least on first glance looks like a security tool. Thus it should be secure.

Your Environment

I'm no mac expert, but this issue will very likely persist on mac since this "list only mounted filesystems thing" is the documented behavior of psutil's list_partitions.
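
Added example, not part of the original issue or usb-canary's code: one way to implement the "monitor physical USB devices" suggestion on Linux, by snapshotting the USB device list in sysfs at lock time and diffing it later, which does not depend on anything being mounted. The sysfs path, the function names and the device tree built in `demo()` are assumptions constructed for illustration.

```python
import os
import tempfile

def _read_attr(dev_dir, name):  # one sysfs attribute file, None if absent
    try:
        with open(os.path.join(dev_dir, name)) as fh:
            return fh.read().strip()
    except OSError:
        return None

def snapshot_usb(sysfs_root="/sys/bus/usb/devices"):
    """Map bus-port name -> (idVendor, idProduct, serial) for attached devices."""
    devices = {}
    if not os.path.isdir(sysfs_root):
        return devices
    for name in sorted(os.listdir(sysfs_root)):
        dev_dir = os.path.join(sysfs_root, name)
        vid, pid = _read_attr(dev_dir, "idVendor"), _read_attr(dev_dir, "idProduct")
        if vid is None or pid is None:  # interface entries (e.g. 1-1:1.0) carry no ids
            continue
        devices[name] = (vid, pid, _read_attr(dev_dir, "serial"))
    return devices

def diff_snapshots(baseline, current):
    """Return (added_or_changed, removed_or_changed) between two snapshots."""
    added = {k: v for k, v in current.items() if baseline.get(k) != v}
    removed = {k: v for k, v in baseline.items() if current.get(k) != v}
    return added, removed

def _write_device(root, name, attrs):
    # Helper for the constructed fixture: one directory per entry, one file per attribute.
    os.makedirs(os.path.join(root, name))
    for attr, value in attrs.items():
        with open(os.path.join(root, name, attr), "w") as fh:
            fh.write(value + "\n")

def demo():
    """Constructed scenario: a stick is attached while locked and never mounted."""
    with tempfile.TemporaryDirectory() as root:
        _write_device(root, "usb1", {"idVendor": "1d6b", "idProduct": "0002"})
        _write_device(root, "1-1", {"idVendor": "1111", "idProduct": "2222"})
        _write_device(root, "1-1:1.0", {"bInterfaceClass": "03"})
        baseline = snapshot_usb(root)  # taken when the screen locks
        _write_device(root, "1-2", {"idVendor": "abcd", "idProduct": "1234",
                                    "serial": "CONSTRUCTED0001"})
        _write_device(root, "1-2:1.0", {"bInterfaceClass": "08"})
        return diff_snapshots(baseline, snapshot_usb(root))  # no mount involved

if __name__ == "__main__":
    print(demo())
```

A snapshot diff only sees devices that are still attached at comparison time; a device plugged in and removed between two snapshots needs an event source such as udev to be noticed.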

@errbufferoverfl (Owner)

Hi @jaseg,

Thanks for submitting an issue, this has been put into the roadmap. Again thanks for taking the time to contribute to USB Canary.

@errbufferoverfl self-assigned this Oct 8, 2017
@errbufferoverfl added done requires testing, regression, blocked and removed done requires testing, blocked, regression labels May 7, 2018
@errbufferoverfl (Owner)

Replaced psutil and hidapi with libusb1. While it does not have the same support for HID devices, it seems to be working well at listing them on OSX.

Further testing needs to be done on *nix with different devices.

The switch to this library has also modified the installation method due to the following error when using sander-daemon or pydaemon:

The process has forked and you cannot use this CoreFoundation functionality safely. You MUST exec().
Break on __THE_PROCESS_HAS_FORKED_AND_YOU_CANNOT_USE_THIS_COREFOUNDATION_FUNCTIONALITY___YOU_MUST_EXEC__() to debug.
The process has forked and you cannot use this CoreFoundation functionality safely. You MUST exec().
Break on __THE_PROCESS_HAS_FORKED_AND_YOU_CANNOT_USE_THIS_COREFOUNDATION_FUNCTIONALITY___YOU_MUST_EXEC__() to debug.

OSX will now be "installed" via a plist file in the LaunchAgents directory and *nix will be installed via whatever their equivalent is. However, further testing is required before that point.

@errbufferoverfl added done requires testing, in progress labels May 9, 2018