Can I disable USB Ports outside of the BIOS?

2

Is it possible to disable a computer's USB ports outside of the machine's BIOS if the BIOS does not offer the option to disable the USB ports? Could this possibly be accomplished via a terminal command using a Live CD running a Linux distro such as Ubuntu?

I am attempting to disable them temporarily in order to run DBAN, so that it does not fail with non-fatal errors.

When I run DBAN in interactive mode currently, there are four devices that come up as "[????] Unrecognized Device". I am assuming that these "Unrecognized Devices" are referring to the USB ports on my machine, which is why I am attempting to disable them temporarily to run DBAN.

Currently the output I am getting when I run DBAN is:

DBAN finished with non-fatal errors.

*ERROR /dev/sde (process crash)

*ERROR /dev/sdd (process crash)

*ERROR /dev/sdb (process crash)

*ERROR /dev/sdc (process crash)

*ERROR /dev/sda (process crash)

The computer that I am attempting to run DBAN successfully on is an HP Pavilion M8530F Desktop PC.

Kevin Gurney

Posted 2011-09-05T20:51:46.397

Reputation: 319

6 Fill them with epoxy glue. – user1686 – 2011-09-05T20:53:01.417

1 +1 @Grawity - Whilst you may be joking, I had one client in a high security environment and this was an actual requirement/something we had to do as any software disables can always be undone!... However... he does say temporarily! – William Hilsum – 2011-09-05T21:21:48.017

Disable, or restrict access? – wizlog – 2011-09-05T21:29:10.237

Since the USB controller is normally part of the south-bridge, most modern operating systems will always be able to detect them and there's little you can do pre-boot if they can't be disabled in BIOS. If you can't disable/fix USB directly in DBAN, you might be able to run it in VirtualBox and mount the disk as raw into the VM. – billc.cn – 2011-09-05T22:09:55.460

What is your Ubuntu version? – wizlog – 2011-09-06T04:04:28.820

@wizlog The live distro is Ubuntu 11.04. – Kevin Gurney – 2011-09-07T00:13:47.533

1 @William: Wouldn't it be easier to just disconnect the ports? If they could get inside the case without triggering an intrusion detection system, then they could just as easily bring a $5 standalone USB jack to plug directly into the motherboard header anyway. In fact, if you wanted to be really vicious, you could boobytrap the USB ports to fry any thumbdrive that gets plugged into it. – Lèse majesté – 2012-04-10T06:48:27.087

@grawity - at one work site someone did this with Ethernet ports on the wall. Unfortunately it was a K-12 art classroom and they let the kids have hot glue guns... – Alex Hirzel – 2012-07-16T06:49:06.607

Answers

2

Apparently DBAN is rather buggy. Your problem is all too common.

See these forums for some solutions which may help. Card readers seem to be the main issue. http://forums.whirlpool.net.au/archive/1477473

http://sourceforge.net/projects/dban/forums/forum/208932/topic/3950282

Matt H

Posted 2011-09-05T20:51:46.397

Reputation: 3 823

Thank you for the information. It appears that according to the second link, one of them was able to get DBAN to work using an older version (1.0.7). Would you suggest this is a safe alternative, or would zero-filling or randomly filling my hard drive via a live distro instead be a more feasible solution? – Kevin Gurney – 2011-09-07T01:04:09.603

I would think using dd is just as easy. http://www.marksanborn.net/security/securely-wipe-a-file-with-dd/ – Matt H – 2011-09-07T05:51:09.367

I agree that it would work, but is it as secure as DBAN? Would you recommend using the shred command instead of using dd? – Kevin Gurney – 2011-09-07T23:35:05.583

@Kevin: shred will write pseudorandom data from /dev/urandom. Running dd if=/dev/urandom uses exactly the same data source. It is not as theoretically secure as the algorithms in DBAN, but for data densities of today's disks, two full passes of pseudorandom data is quite enough -- for flash memory even one pass might be okay, not sure. – user1686 – 2011-09-08T21:41:55.480

Or you could use hdparm to execute the ATA secure erase command--it's considered secure except on some SSDs, and it'll be a lot faster than anything that uses urandom. – rob – 2012-03-10T02:30:16.937

Destroy the drive if you're concerned. It's greater peace of mind than using a so-called secure erase. – Matt H – 2014-03-06T21:39:52.930

1

Since you just want to destroy the data and a documented bug in DBAN (as pointed out by Matt H) is your main obstacle, I'd suggest just booting from a Linux Live CD and using hdparm to do an ATA secure erase. This will also write over bad sectors (which DBAN or other block-level wiping methods would just skip).

rob

Posted 2011-09-05T20:51:46.397

Reputation: 13 188
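A guarded version of the hdparm secure-erase procedure suggested in the answer above, as an added example that is not part of the original answer. The function names, the throwaway password `p` and the sample text are constructed for illustration; the drive must report "not frozen" and "not locked" in `hdparm -I` before it accepts the erase.

```shell
#!/bin/sh
# Added example. Reads `hdparm -I` output on stdin and prints one word:
# ready, frozen, locked or unsupported.
ata_erase_state() {
    awk '
        /^Security:/       { insec = 1; next }
        insec && /^[^ \t]/ { insec = 0 }   # next unindented heading ends the section
        !insec             { next }
        {
            neg = ($1 == "not"); word = neg ? $2 : $1
            sub(/:.*/, "", word)           # "supported: enhanced erase" -> "supported"
            if (word == "supported" && !("supported" in st)) st[word] = !neg
            else if (word == "locked" || word == "frozen")   st[word] = !neg
        }
        END {
            if (!st["supported"])  print "unsupported"
            else if (st["frozen"]) print "frozen"
            else if (st["locked"]) print "locked"
            else                   print "ready"
        }'
}

# Constructed sample of the Security section; $1 is "" (frozen) or "not".
sample_security() {
    printf 'Security:\n\tMaster password revision code = 65534\n'
    printf '\t\tsupported\n\tnot\tenabled\n\tnot\tlocked\n'
    printf '\t%s\tfrozen\n\tnot\texpired: security count\n' "$1"
    printf '\t\tsupported: enhanced erase\nChecksum: correct\n'
}

# Destructive: wipes the whole drive given as $1 (e.g. /dev/sdX). Run as root.
ata_secure_erase() {
    disk=$1
    state=$(hdparm -I "$disk" | ata_erase_state)
    if [ "$state" != ready ]; then
        # A frozen drive usually needs a suspend/resume cycle before retrying.
        echo "$disk: security state is '$state', not erasing" >&2
        return 1
    fi
    # A temporary user password enables the security feature set;
    # a successful erase clears it again.
    hdparm --user-master u --security-set-pass p "$disk" &&
    hdparm --user-master u --security-erase p "$disk"
}
```

Nothing runs until `ata_secure_erase /dev/sdX` is called explicitly; `sample_security "" | ata_erase_state` shows the parser on the constructed frozen case.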

0

You can stop it during the bootup using this:

# The redirection runs in the unprivileged shell, not under sudo, so append via tee as root
echo "blacklist usb-storage" | sudo tee -a /etc/modprobe.d/blacklist.conf

Ryu

Posted 2011-09-05T20:51:46.397

Reputation: 83

This answer doesn't work. – wizlog – 2011-09-05T22:09:38.253

Blacklisting modules might work, but it's better to do it on a lower level - such as the [aeoux]hci_hcd modules. Besides, it doesn't affect manual modprobe (I'm not sure who the protection is against). – user1686 – 2011-09-06T04:05:51.923

@wizlog: I just noticed the question edit about DBAN. My "will not persist reboots" comment may be irrelevant then. On the other hand, DBAN never had hal. – user1686 – 2011-09-06T04:14:14.763

To be honest I know nothing about Ubuntu. I just looked on the web. – wizlog – 2011-09-06T04:17:13.287

@wizlog I found an article on the internet as well here: http://www.howopensource.com/2011/08/how-to-disable-and-enable-usb-device-in-linux/, but it didn't seem to fix my problem. – Kevin Gurney – 2011-09-07T00:15:03.943

0

If a card reader is making DBAN complain, open up the PC, find where the card reader is connected to the motherboard, and disconnect it temporarily.

To fully answer the question for a more general situation without physically disconnecting the ports from the motherboard, in all computers and modern operating systems the USB controller is accessed via a driver. In Windows, find and remove this driver and the USB ports will not work. It might be part of Intel chipset drivers. You also might be able to do something with devcon from the Windows 2000(?) Resource Kit.

This strategy should work under Linux as well if you rmmod the right module (assuming USB support was compiled as a module, which in most distros it is). However, under Linux, udev allows for scripts to be called during device detection, so you can likely intercept new USB devices and make the script fail on purpose or simply refuse to create a node in /dev.

LawrenceC

Posted 2011-09-05T20:51:46.397

Reputation: 63 487
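Before unplugging a card reader or removing a module, a Live CD can show which /dev/sdX entries actually hang off the USB controller. This is an added example, not part of the original answer; the function name and the optional sysfs-root argument (there so it can be pointed at a test tree) are assumptions.

```shell
#!/bin/sh
# Added example. Prints "name bus sectors" for every sd* disk.
# bus is "usb" when the device's sysfs path runs through a USB bus (usbN),
# "other" for SATA/PATA and anything else. A USB entry with 0 sectors is a
# reader slot with no card inserted, not a disk that needs wiping.
classify_disks() {
    sysfs=${1:-/sys}                      # assumption: override only for testing
    for dev in "$sysfs"/block/sd*; do
        [ -e "$dev" ] || continue         # glob matched nothing
        # /sys/block/sdX is a symlink into /sys/devices/...; resolve it to
        # see every bus the device sits behind.
        path=$(readlink -f "$dev")
        case $path in
            */usb[0-9]*/*) bus=usb ;;
            *)             bus=other ;;
        esac
        size=$(cat "$dev/size" 2>/dev/null || echo 0)
        printf '%s %s %s\n' "${dev##*/}" "$bus" "$size"
    done
}

# Usage on the live system:
#   classify_disks
# Only the lines tagged "other" with a non-zero sector count are candidates
# for dd, shred or an ATA secure erase.
```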