Do Not Disturb

Physical access (or "evil maid") attacks are some of the most insidious threats faced by those of us who travel with our Macs.
Do Not Disturb (DND) is a free, open-source utility that aims to detect and alert you of such attacks!
compatibility: OS X 10.12+
current version: 1.3.0 (change log)
zip's sha-1: 15037CC79AFE797EFFA3506914243E5DE8F71C68
source code: Do Not Disturb


One of the best ways to compromise a computer is with physical access. Many of us have likely left our laptops unattended (perhaps in a hotel room while traveling?). It'd be nice to know if somebody attempted to hack it! ya?
Interested in the inspiration for creating 'Do Not Disturb'? (it may or may not involve a Tinder date in Moscow, with a Russian 'spy')...

Read:
"This Ex-NSA Hacker's App Protects Your Mac From 'Evil Maid' Attacks".

Do Not Disturb (DND) continually monitors your system for events that may indicate a precursor of an "evil maid" attack. Specifically, it watches for 'lid open' events (idea credit: @thegrugq).

If you've shut your laptop (and thus triggered sleep mode), the majority of physical access attacks may require the lid to be opened in order for the attack to succeed. Such attacks could include:

Again, most of these attacks require a closed laptop to be opened...either to awake it (i.e. to process a malicious device) or for the attacker to interact with the laptop!
As with any security tool, direct or proactive attempts to specifically bypass DND's protections will likely succeed. Also, any attack that does not require opening the lid of a closed laptop will remain undetected.

Future versions will expand DND's monitoring and detection capabilities (perhaps alerting on power events, USB insertions, etc).

Do Not Disturb can also detect unauthorized access by less evil adversaries...such as one's mother:


When an unauthorized lid open event is detected DND will locally log this event. It can be configured to:
  • Locally display an alert
  • Remotely send an alert to a registered iDevice
  • Execute a specified action (i.e. run a script, etc.)
  • Monitor for interesting events, such as new processes, USB insertions, new logins, etc.

Installing Do Not Disturb

To install Do Not Disturb, first download the zip archive containing the installer application. Depending on your browser, you may need to manually unzip the application by double-clicking on the zipped archive.

Then, simply double-click on 'Do Not Disturb Installer.app'. Click 'Install' to install the tool. A password is required, as Do Not Disturb installs a persistent launch daemon in order to provide constant monitoring and protection.


The first time the application is installed, a 'welcome' screen will be displayed. Clicking thru this will allow you to link DND with a remote iDevice.

Note that this is an optional step, and requires a separate iOS app that can be installed on your phone via the iOS App Store:





The remote alerting and tasking capabilities are implemented in an iOS companion application created by Digita Security (an enterprise macOS security company I recently co-founded with friends).

To facilitate these capabilities, a Swift framework, 'dnd', is linked into the macOS application. At this time, the source code for this framework is unavailable.

Please refer to Digita's documentation for details about using the iOS application to remotely receive and respond to DND alerts!

Note that if you skip the (optional) step of linking an iDevice at install time, you may always link a device at a later time. This is done via the DnD (macOS) 'Preferences' menu › 'Link' tab.



Clicking 'next' will generate a QR code that can be scanned via the DnD iOS application to register your phone to receive remote DND alerts!

Note that this process requires an internet connection...and yes, a bit of patience.


Once the QR code has been scanned, the phone registration completes automatically:


Again, this process is completely optional - but does allow you to receive and respond to DND alerts remotely! 😎

Once DND is installed, it will be running and is set to automatically start each time you log in. Unless configured to run without a status-bar icon, it will appear in the status bar:


Uninstalling Do Not Disturb
To uninstall Do Not Disturb, simply re-run the 'Do Not Disturb Installer.app' and click on 'Uninstall'. A password is required in order to stop and fully remove all components of Do Not Disturb.


To manually uninstall DND, first delete the DND helper login item. Do this by opening System Preferences, clicking on 'Users and Groups', selecting your user, and clicking on 'Login Items'. Then delete the 'Do Not Disturb Helper' login item by selecting it, then pressing delete on your keyboard, or clicking the '-' in the UI:


Next, execute the following commands from a root terminal prompt (or via sudo):
"/Library/Objective-See/DND/Do Not Disturb.bundle/Contents/MacOS/Do Not Disturb" "-uninstall"

launchctl unload /Library/LaunchDaemons/com.objective-see.dnd.plist

rm /Library/LaunchDaemons/com.objective-see.dnd.plist

rm -rf "/Applications/Do Not Disturb.app"

rm -rf /Library/Objective-See/DND

killall "Do Not Disturb Helper"


Using Do Not Disturb
Once DND is installed, it aims to alert you any time an unauthorized user or attacker physically accesses your computer. As noted, this detection involves monitoring your laptop for lid open events. Thus, when you leave your laptop unattended - shut it!


Do Not Disturb, by design, does not differentiate between authorized or unauthorized lid open events.

That is to say, it will alert you any time your laptop's lid is opened (unless configured to ignore the event upon a successful touch ID authentication event).

Do Not Disturb can be accessed via its status bar menu:

Via this menu you can:
  • Enable or disable DND

  • View the log file

  • Open the preferences window


The preferences window allows you to configure Do Not Disturb. To open this pane, either open the main DND application (/Applications/Do Not Disturb.app), or click on 'Preferences' in the status bar menu.

The preference pane has several tabs including general, action, link, and update.

The 'general' tab contains various configuration options to control Do Not Disturb.


Enabling 'Passive Mode' will instruct the application to run without displaying any local alerts. One might select this option to avoid alerting a would-be attacker. DND will still log any lid open events, and (if configured) will deliver alerts to a remote iDevice.

When 'No Icon' mode is enabled, the application will run without displaying an icon in the status bar. Select this if you don't want DND taking up (visible) space in your status bar. Once enabled, you'll have to use the main DND application (/Applications/Do Not Disturb.app) to toggle it off or set other preferences (as with no status bar icon, there of course is no status bar menu).

If your Mac laptop has a touch bar (and you're running macOS 10.13.4+), you can enable 'Touch ID' mode. When this mode is enabled, DND will ignore any lid open event if it is followed by a successful touch ID authentication event within 10 seconds. The idea is that this allows one to tell DND to trust (or ignore) a lid event that is a result of you (vs. somebody else) opening your laptop.

Selecting the 'No Remote Tasking' option prevents registered iDevices from being able to remotely respond to DND alerts. If you have installed the DND companion iOS application and linked your Mac with an iDevice, then when a lid open event is detected you are able, via the iOS application, to:
  • dismiss the alert

  • take a picture via the Mac's webcam

  • fully shutdown the Mac


Note that only registered iDevices can trigger these actions, and only in response to an alert. Still, if you'd like to disable this capability, check the box next to 'No Remote Tasking'.

Unchecking 'Start at Login' will stop the login item from automatically starting when you log in. Note that the component of DND which monitors events will still be running (and may deliver remote events). If you want to fully disable DND, do so via the 'Disable' option in the status bar menu.

The 'action' tab allows one to further configure how Do Not Disturb should react when it detects any lid open event.


The 'Execute Action' option allows you to specify a command, script, or binary that will be executed upon a lid open event. For example, you might have a custom script that performs an action such as sending an alert via email.

For example enter the following, to send an email every time the lid is opened (replacing 'your@email.addr' with your email address):

echo "lid opened" | mail -s "Do Not Disturb Alert" "your@email.addr"

Note: depending on your ISP and/or email provider, this message may end up in your spam folder!

For a more complete approach, see Patrick Huber's (@ptrckhbr) DND mail script, which uses AppleScript to send out "an email from the default account in Mail.app" ... with DND's log file attached. Neat!
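A fuller version of the one-line mail action above, as an added example (not part of DND or the original page): it keeps a local record of every lid open event and rate-limits the email so repeated opens do not flood your inbox. It assumes the 'Execute Action' field accepts a command line with an argument; the `--send` flag, `ALERT_TO`, `STATE_DIR` and `MIN_INTERVAL` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not DND's own code): action script for the 'Execute Action' field.
# Assumption: the field accepts a command line, e.g. /path/to/dnd-alert.sh --send
# ALERT_TO, STATE_DIR and MIN_INTERVAL are names made up for this example.
umask 077   # event log and state stay private to the account running the action
ALERT_TO="${ALERT_TO:-your@email.addr}"
STATE_DIR="${STATE_DIR:-${HOME:-/var/tmp}/.dnd-alert}"
MIN_INTERVAL="${MIN_INTERVAL:-60}"   # minimum seconds between two emails

# Compose the alert body: what happened, when, on which host, who is logged in.
build_alert() {
    printf 'lid opened\n'
    printf 'time (UTC): %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')"
    printf 'host: %s\n' "$(uname -n)"
    printf 'sessions:\n'
    who 2>/dev/null | sed 's/^/  /'
}

# Return 0 (and record the time) if an email may go out now, 1 if one was
# sent less than MIN_INTERVAL seconds ago. $1 = current epoch seconds.
should_send() {
    now="$1"
    last=0
    [ -r "$STATE_DIR/last" ] && last="$(cat "$STATE_DIR/last")"
    case "$last" in ''|*[!0-9]*) last=0 ;; esac   # ignore a corrupt stamp
    [ $((now - last)) -ge "$MIN_INTERVAL" ] || return 1
    mkdir -p "$STATE_DIR" && printf '%s\n' "$now" > "$STATE_DIR/last"
}

# Always append to the local event log; email only when not throttled.
handle_lid_open() {
    mkdir -p "$STATE_DIR" || return 1
    body="$(build_alert)"
    printf '%s\n---\n' "$body" >> "$STATE_DIR/events.log"
    if command -v mail >/dev/null 2>&1 && should_send "$(date +%s)"; then
        printf '%s\n' "$body" | mail -s "Do Not Disturb Alert" "$ALERT_TO"
    fi
}

# Only act when invoked with --send, so the file can be sourced safely.
if [ "${1:-}" = "--send" ]; then
    handle_lid_open
fi
```

The local `events.log` is written even when the email is throttled or `mail` is unavailable, so a burst of lid opens still leaves a complete record on disk.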


When enabled, the 'Monitor' option instructs DND to log interesting events that follow a lid open event. Currently this includes the insertion of USB & Thunderbolt devices, new processes, new file downloads, and new user authentication events. Monitoring will automatically stop if the alert is remotely dismissed, or after 3 minutes.

The 'link' tab allows you to link (register) an iDevice for remote DND alerts.


As previously noted, the remote alerting capabilities and iOS application are provided by Digita Security. Once you have downloaded and installed their iOS app (search for 'Do Not Disturb Companion' or follow this link), click the 'Generate QR Code' button. Using the iOS application, scan the code in order to complete the registration. (Note that this requires an internet connection).

Once an iDevice has been registered, DND will remotely deliver alerts to this device.

If a device has been previously registered, this tab will show this (and any other) device. To register another device, click the 'Add Device' button. Unregister a device via the iOS application.



The 'update' tab allows one to check for new versions, as well as disable the automatic check for new versions of DND.


Do Not Disturb iOS Companion App
One of the neat features of Do Not Disturb is its ability to pair with an iOS companion application. Created by Digita Security, this optional iOS application allows one to receive remote alerts on a registered (linked) iDevice:


Once you have registered and linked an iDevice (by scanning the QR code either in the 'welcome' screen or via the 'link' tab in the Preference pane), lid open events will be remotely delivered.

On iPhones and iPads one can remotely respond to the alert, as the iOS application supports the following:
  • dismiss the alert

  • take a picture via the Mac's webcam

  • fully shutdown the Mac


Please refer to their documentation for further details about using the iOS application to remotely receive and respond to DND alerts.
Digita Security is an enterprise macOS security company I recently co-founded with several good friends.

While the iOS companion application is free, after the first week of remote alerts/tasking, one will have to subscribe to a monthly ($0.99) or yearly ($9.99) plan to maintain this functionality. The Mac application is, and will always be, 100% free :)

The iOS companion application is completely optional, and only required if one is interested in receiving remote DND alerts.


Troubleshooting

Do Not Disturb has a handful of 'moving parts', especially when paired with the iOS companion application. Generally things work smoothly, but sometimes there are minor bumps!

If you're experiencing any issue, the following might help!
  • Make sure you're running the latest version of DND.

  • Make sure you're connected to the internet while generating a QR code (to link to a remote iDevice).

  • If an install (or upgrade) fails, try first uninstalling via the application, or manually.


If the above doesn't help, shoot us an email at bugs@objective-see.com, and include the following:
  • Description of the issue.

  • Version of macOS and DND that you're running.

  • Any DND output from the system log. To view this output, first open the Terminal (/Applications/Utilities/Terminal.app). Then run the following command:

    $ log show | grep -i disturb





FAQs

Will Do Not Disturb detect all 'evil maid' attacks?
No! It is important to understand that instead of looking for specific types of attacks, DND monitors for lid open events, which are part of many (but not all!) 'evil maid' or physical attacks. This also means that DND only works with laptops, and requires you to shut your laptop when you leave it unattended.

Do I need the Do Not Disturb iOS Application?
No! It is a completely optional component. However, it does allow one to receive and respond to notifications remotely (if a network connection is present).

I found a bug (or issue) with Do Not Disturb. Can you fix it?
Sure! If you encounter any bugs or issues, please shoot me an email at bugs@objective-see.com.

Want to support Do Not Disturb? ...you can via my patreon page!