Do Not Disturb User Guide

Introduction

Do Not Disturb alerts you to potential ‘Evil Maid’ attacks by notifying you of attempts to gain physical access to your MacBook, perhaps without your consent or knowledge.
A screenshot worth 1000 words

The Do Not Disturb macOS app (DND macOS) continually monitors your laptop for lid open events, as a precursor to these “Evil Maid” attacks. If you’ve triggered sleep mode by closing your laptop lid, the majority of physical access attacks likely require the lid to be opened in order for the attack to succeed.

With Digita’s Do Not Disturb Companion iOS app (DND iOS), you can receive physical access alerts on your iPhone and respond to them in real time.

The following remote actions are supported:

  • Dismiss alerts
  • Use the MacBook camera to take a picture
  • Initiate a hard shutdown to trigger enabled FileVault disk encryption

… all with the touch of a button!

Locally, DND macOS can be configured to:

  • Display alerts using macOS notifications
  • Execute a specified action (e.g. run a script, etc)
  • Monitor for follow on/interesting events (e.g. new process, USB insertions, new logins)

The DND macOS app is free to download and use. The DND iOS app is free to download and includes a 7 day free trial with unlimited remote alerts and actions. Subscriptions for continued service (unlimited remote alerts and actions) are offered in-app and are brokered through the App Store. See the “Subscribing” section for more details.

Digita’s DND macOS is powered by Objective-See’s Do Not Disturb. DND iOS integrates seamlessly with both.

Threat Scenarios

Physical access is still one of the most effective ways to compromise a computer. Many of us have probably left our laptops unattended while at home, in the office, or on travel. In these scenarios, we highly recommend continuing to take appropriate precautions like locking your screen, closing your lid, and placing the laptop in a safe/secure location – but is that hotel safe really safe?

If given physical access to your device, attack scenarios include:

  • Logging in locally as root, by exploiting local bugs as seen with ‘#iamroot’
  • Logging in via compromised credentials captured by a hidden camera (or similar)
  • Inserting a malicious device into a USB or Thunderbolt port.

In each of these scenarios a closed laptop lid is likely opened – either to wake the device so that it will process a malicious device or for the attacker to simply interact at the login prompt.

Getting Started

Both DND iOS and DND macOS will guide you through installation and pairing from within the app. More explicit directions can be found below.

Install and Launch DND iOS

To begin using the iOS app, download and install DND iOS from the App Store. Upon launching DND iOS you will be prompted to download and install the DND macOS app on your MacBook and follow the instructions to pair your devices. If you have not yet installed DND macOS you can tap the “Download” icon. Tapping this icon will launch the “Share” actions enabled on your device, so that you can easily share this download link with your MacBook.

Click the “Link Device” icon on the DND iOS welcome screen to launch the pairing instructions and prepare to scan the QR code presented during DND macOS installation. See below for more details.

Welcome Screen
Sharing options
Pairing Instructions

Install and Launch DND macOS

To begin using the macOS app, download and install DND macOS from the download link at the top of this page.

Click ‘Install’ to install the app. A password is required, as Do Not Disturb installs a persistent launch daemon in order to provide constant monitoring and protection.

Install Prompt

Immediately after installation, a ‘Welcome’ screen is displayed by DND macOS. Following the instructions here will allow you to link DND macOS with DND iOS. Note that this is an optional step, as DND macOS can be run locally without remote notifications. Details about pairing devices can be found below in the “Pairing Devices” section.

Once installation is completed, DND macOS will be running and set to automatically start each time you log in. Unless configured to run without a status-bar icon (see “Preferences” section), it will appear in the status bar. The notification seen here is presented on installation.

Installed Notification

Pairing Devices

Upon installation of DND macOS you will be presented with the following “Welcome” screen.

Mac Welcome Screen

Click “Next” and follow the instructions to pair your macOS and iOS devices for remote notifications.

Mac Pairing Instructions

Similarly, DND iOS will present you with the following “Welcome” screen.

Pairing Instructions

After clicking “Next” in DND macOS you will be presented with a QR code to scan.

macOS QR Code Presentation

As the iOS Welcome Screen points out, this QR code contains secrets that allow your macOS and iOS apps to communicate securely. You should protect this QR code as you would any password, certificate, or secret key. It is important to note that these secrets never leave your devices and are used to end-to-end encrypt any sensitive communications brokered by our service.

Real Example: The screenshot pictured here has a real, albeit “expired” client certificate that once allowed my iPhone to securely communicate with my MacBook through the DND apps. Scanning it will reveal certain information about the certificates/secrets used, and other information about my device (e.g. hostname, already leaked throughout this documentation 😉 ).

On your iOS device click the QRCode icon and scan the barcode presented by DND macOS. You should be presented with the following screens, culminating with the “Device View” for the macOS you just linked.

iOS QR Scanning
iOS Registering Device Pairing
Success! Device View

DND macOS will now present the following screen indicating that your devices have been linked.

Mac Pairing Success

Be patient. This process is registering with our back-end services that broker the communications between your devices. Your secrets, however, remain only on your devices and are not sent to the back-end services.

If you do not pair your devices during initial installation of DND macOS, or if you wish to pair more than one iOS device, you can link the devices following a similar procedure from “DND Menu” -> “Preferences”. We will cover additional “Preferences” in the “DND MacOS Configuration” section.

DND Menu Options

From the Preferences screen, select the “link devices” icon.

Preferences Link Screen

After following the instructions, clicking “Generate QR Code” and scanning the subsequent image, you will be presented with a screen listing your linked devices.

Device Successfully Linked

Subscribing

The DND macOS app is free to download and use. The DND iOS app is free to download and includes a 7 day free trial with unlimited remote alerts and actions. Subscriptions for continued service (unlimited remote alerts and actions) are offered in-app and are brokered through the App Store.

Upon expiration of the free trial (or an expired subscription), alerts from DND macOS are periodically delivered to the DND iOS app. These notifications include additional text that call your attention to your expired status and prompt you to subscribe in order to continue to receive real-time alerts. Once expired, not every alert triggers notifications – so you will be missing alerts in DND iOS. Note that they are still generated and recorded locally on your Mac.

Expiration Notification

From the menu sidebar (swipe right or select menu button to display), push the settings button, and then select ‘Subscription’ from the presented table. This page will offer you subscription options or show your current subscription status. If you’ve previously purchased a subscription, you can select ‘Restore Previous Purchases’ to sync your subscription to this device. If you have not previously subscribed, you will be presented with two options: a recurring Monthly or a recurring Yearly subscription.

iOS Menu Options
iOS Settings Page
iOS Subscription Settings

Once subscribed you will be presented with the option to ‘Manage Subscription’. Selecting this option will direct you to iTunes where you can make changes to your subscription (upgrade, cancel, etc). Please note the terms below for purchasing and managing your subscriptions.

  • Payment will be charged to iTunes Account at confirmation of purchase
  • Subscription automatically renews unless auto-renew is turned off at least 24-hours before the end of the current period
  • Account will be charged for renewal within 24-hours prior to the end of the current period, at the original purchase price
  • Subscriptions may be managed by the user and auto-renewal may be turned off by going to the user’s Account Settings after purchase
  • Any unused portion of a free trial period will be forfeited when the user purchases a subscription

Using DND

Once your devices are paired, using DND is designed to be very simple. We will first discuss how DND notifications and actions work by default. Then we will explore local configuration options for DND macOS and additional support information made available in DND iOS.

Notifications and Actions

Quite simply, when the laptop lid is opened DND macOS creates a local notification to alert you to potential unauthorized physical access. As noted, this detection involves monitoring for laptop “lid open” events, so close your lid when leaving your laptop unattended!

Local Lid Notification

Do Not Disturb, by design, does not differentiate between authorized or unauthorized lid open events.

That is to say, it will alert you any time your laptop’s lid is opened – unless set to ignore due to a successful touchID authentication event.

DND macOS then encrypts sensitive portions of the alert and forwards it to our services to be brokered to any paired iOS device. Our services then package and deliver an Apple Push Notification (APN) message to these paired devices. If you touch the alert notification on your iOS device, the DND iOS app will be launched and the appropriate ‘Device View’ will be presented. The details embedded in the push notification, such as the type of alert (“Laptop Opened” event) and the currently logged in user, are decrypted by the app and written to the timeline.

Alert Notification
Connected Device View
Device View with Actions

You’ll notice that the view also includes a “Laptop Connected” status for the MacBook. It will remain connected for 5 minutes from the last alert. While connected, the action toolbar icons are enabled. Touching any one of these will issue a command back to the DND macOS app to take the appropriate action.

Supported actions include:

  • Camera
    • Issues a command to DND macOS to take a picture using the webcam
    • Resulting picture is encrypted and shared back to DND iOS
    • DND iOS decrypts the picture and puts it into the timeline (click on the image to enlarge)
  • Dismiss
    • Issues a command to DND macOS to dismiss all local alerts
    • Turn off the blinking activity indicator on the iOS timeline
  • Shutdown
    • Issues a command to DND macOS to initiate a hard shutdown of the computer
    • Shutdown will trigger FileVault disk encryption (if enabled)

There is no opportunity to cancel commands once sent. Be especially judicious with the ‘Shutdown’ command. This is the equivalent of /sbin/shutdown -h now or holding down the power button until your computer turns off. Your running apps will not exit gracefully.

DND macOS Options

DND macOS can be accessed via the status bar icon. From this menu you can enable/disable DND macOS, view the local DND macOS log file, and open DND macOS preferences.

DND Status Bar Menu

The preferences window allows you to configure Do Not Disturb. To open this pane, either open the main DND application (/Applications/Do Not Disturb.app), or use the status bar menu, clicking on ‘Preferences’.

The ‘Preferences’ view has several tabs including ‘general’, ‘action’, ‘link device’, and ‘update’.

The ‘general’ tab allows you to configure DND macOS to hide its existence from a potential attacker by disabling local alert notifications and removing the icon from the status menu. Note that with these options selected, DND will still log any lid open events, and (if configured) will deliver alerts to DND iOS.

If you’re running macOS 10.13.4+ and have a touch bar, you can also configure DND macOS to ignore lid open events immediately (within 5 seconds) followed by a successful touchID authentication event. This allows you to effectively tell DND macOS to trust (or ignore) lid events that are a result of you returning to your laptop.

You can also disable remote tasking options (camera & shutdown) if you wish to sync an iOS device and get remote alerts but do not want to be able to take any response actions.

Finally, from this tab you can disable the login item from automatically starting when you log in. Note that the component of DND macOS that monitors events will still be running (and may deliver remote events). If you want to fully disable DND macOS, do so via the ‘Disable’ option in the status bar menu.

General Preferences Tab

The ‘action’ tab allows you to further define DND macOS behavior upon detecting an event. The ‘execute action’ option allows you to specify a command, script, or binary that should be executed, as the logged in user (if one exists), any time DND macOS alerts.

The ‘monitor’ option tells DND macOS to log interesting events that follow a lid open event. Currently this includes the insertion of USB & Thunderbolt devices, new processes, new downloads, and new user authentication events. Monitoring will automatically stop if the alert is remotely dismissed, or after three minutes.

Actions Preferences Tab
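
One possible script for the ‘execute action’ option described above, as an added example that is not shipped with DND or written by its authors. It records the logged-in sessions, attached USB/Thunderbolt devices and running processes at alert time; the script name dnd-snapshot.sh and the DND_EVIDENCE_DIR variable are assumptions of this example, and it assumes nothing about arguments DND may pass to the action.

```shell
#!/bin/sh
# Added example, not part of DND: a script for the 'execute action' option.
# Assumed names (not from the guide): dnd-snapshot.sh, DND_EVIDENCE_DIR.

section() { printf '\n== %s ==\n' "$1"; }

# capture_snapshot [DIR]: write one snapshot file into DIR and print its path.
capture_snapshot() {
    out_dir=${1:-${DND_EVIDENCE_DIR:-${HOME:-/var/tmp}/dnd-evidence}}
    umask 077                                  # snapshot readable by owner only
    mkdir -p "$out_dir" || return 1
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out_file="$out_dir/alert-$stamp-$$.txt"
    {
        echo "== DND alert snapshot $stamp UTC =="
        echo "running as: $(id -un 2>/dev/null || echo unknown)"

        section "logged-in sessions"
        who 2>/dev/null || echo "who unavailable"

        section "recent logins"
        if command -v last >/dev/null 2>&1; then
            last 2>/dev/null | head -n 10
        fi

        # system_profiler exists on macOS only; these data types cover the
        # USB and Thunderbolt ports named in the threat scenarios.
        for bus in SPUSBDataType SPThunderboltDataType; do
            section "$bus"
            if command -v system_profiler >/dev/null 2>&1; then
                system_profiler "$bus" 2>/dev/null || echo "query failed"
            else
                echo "system_profiler unavailable"
            fi
        done

        section "processes"
        ps -Ao pid,ppid,user,lstart,args 2>/dev/null || echo "ps unavailable"
    } > "$out_file"
    echo "$out_file"
}

# Run only when invoked under the assumed script name, not when sourced.
case "${0##*/}" in
    dnd-snapshot.sh) capture_snapshot >/dev/null ;;
esac
```

Because the action runs as the logged-in user, the snapshot lands in that user's home directory unless DND_EVIDENCE_DIR points elsewhere.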

Included here for completeness, the “link” preferences tab is covered in depth in the “Pairing Devices” section of this document.

Link Preferences Tab

The ‘update’ tab allows you to check for new versions, as well as disable the automatic check for new versions of DND macOS.

Update Preferences Tab

DND iOS Navigation and Device Details

You can swipe left on any ‘Device View’ to bring up a ‘Device List’ and switch between Paired Devices.

Device View
Device List

To bring up the ‘Device Details’ view, simply touch the ‘Information’ Icon (i) next to a device name in its ‘Device View’ or select ‘Settings’ -> ‘Paired Devices’ and select a device.

The ‘Device Details’ view includes the hostname of the paired MacBook, the date of the pairing, IDs of the client and certificate used to securely communicate, a list of events, and controls to test connections, clear events, and delete.

Menu Options
Settings
Device Details

Deleting a Device Pairing

From the DND iOS app, touch the “Info” (i) button next to the device name on the device view, or select “Settings” -> “Paired Devices” and select the device you wish to unlink.

Device View
Device Details View
Deleting a Device Pairing

Uninstalling DND

Now why would you ever want to do that 😉!? Well, just in case…

You uninstall DND iOS as you would any other iOS app.

To uninstall DND macOS, simply re-run the Do Not Disturb Installer.app and click on ‘Uninstall’. A password is required in order to stop and fully remove all components of Do Not Disturb.

Uninstall Do Not Disturb

Logging

All references to the logging features of DND macOS

  • Are conveniently viewable via the View Log menu item in the DND status bar
  • Are backed on disk by the log file /Library/DigitaSecurity/DND/DND.log
DND Status Bar Menu

Networking

Communications between DND macOS and DND iOS are brokered through Amazon AWS IoT (MQTT).

  • Host: a3e8cf05y1afif.iot.us-east-1.amazonaws.com
  • Port: tcp/443 (iOS 11+, macOS 10.13.4+), tcp/8883 (older OSes)
  • Note: All OS versions used tcp/8883 prior to DND macOS v1.2 and DND iOS v1.1

Alerts are delivered from AWS via Apple Push Notification Service (APNS) to your iDevice.

Photos are encrypted within the macOS app and are uploaded/retrieved from Amazon AWS S3. Note: Encryption keys are not known to the server and never leave your Mac/iDevice.

  • Host: s3.amazonaws.com
  • Port: tcp/443

Version and upgrade availability for DND macOS is checked by contacting the Digita Security website.

  • Host: digitasecurity.com
  • Port: tcp/443

Available Subscription Options are queried from the Digita Security website by DND iOS.

  • Host: digitasecurity.com
  • Port: tcp/443

Subscriptions/Purchases are handled through Apple App Store services.
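
The port rules above, turned into a firewall check as an added example (not part of DND or written by its authors). It picks the MQTT port from the platform, OS version and app version exactly as listed in this section, then tests a TCP connection to each documented host with nc; the script name dnd-netcheck.sh and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of DND): endpoints from the Networking section.
MQTT_HOST="a3e8cf05y1afif.iot.us-east-1.amazonaws.com"

# version_ge A B: succeed when dotted version A >= B (missing fields count as 0).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# mqtt_port PLATFORM OS_VERSION APP_VERSION: print 443 or 8883.
# tcp/443 needs both a new enough OS and a new enough DND app.
mqtt_port() {
    case $1 in
        macos) min_os=10.13.4 min_app=1.2 ;;
        ios)   min_os=11      min_app=1.1 ;;
        *)     echo "unknown platform: $1" >&2; return 2 ;;
    esac
    if version_ge "$2" "$min_os" && version_ge "$3" "$min_app"; then
        echo 443
    else
        echo 8883
    fi
}

# dnd_endpoints PLATFORM OS_VERSION APP_VERSION: print one "host port" per line.
dnd_endpoints() {
    port=$(mqtt_port "$1" "$2" "$3") || return
    echo "$MQTT_HOST $port"
    echo "s3.amazonaws.com 443"      # encrypted photo upload/retrieval
    echo "digitasecurity.com 443"    # version checks, subscription options
}

# check_endpoints PLATFORM OS_VERSION APP_VERSION: TCP connect test per endpoint.
# Returns non-zero if any endpoint cannot be reached.
check_endpoints() {
    rc=0
    list=$(dnd_endpoints "$@") || return
    while read -r host port; do
        if nc -z -w 5 "$host" "$port" >/dev/null 2>&1; then
            echo "ok      $host tcp/$port"
        else
            echo "BLOCKED $host tcp/$port"; rc=1
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Run only when invoked under the assumed script name, not when sourced.
case "${0##*/}" in
    dnd-netcheck.sh) check_endpoints "$@" ;;
esac
```

Invoke it as `sh dnd-netcheck.sh macos 10.14.6 1.3`, substituting your own versions. The Apple Push Notification and App Store hosts are not listed in this guide, so the script does not probe them.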

Troubleshooting

If you’re experiencing an issue, the following might help:

  1. Make sure you’re running the latest version of DND.
  2. Make sure you’re connected to the internet while generating a QR code (to link to a remote iDevice).
  3. Review the Networking section above and ensure your firewall allows access to our services
  4. If an install, upgrade or QR generation/sync fails, try uninstalling and reinstalling the app
    • Be sure to select the “Uninstall” option, then re-run the installer and select “Install”
    • This step has been especially necessary for those that participated in the “Beta”

If the previous steps do not resolve your issue, please send us an email at dnd@digitasecurity.com, and include the following:

  1. A description of the issue.
  2. The version of macOS and DND macOS that you’re running.
  3. The version of iOS and DND iOS you are running (if applicable)
  4. Any DND output from the system log.
    • To view this output, first open the Terminal on your Mac (/Applications/Utilities/Terminal.app).
    • Then run the following command:
      $ log show | grep -i disturb

Also note, or screenshot your iPhone Device Token found in the iOS app (if applicable)

  1. Select “Settings” from the left side menu
  2. Select “Info” from the Settings table
  3. Capture the “iPhone Device Token” (the first 5-6 characters will suffice)

Finally, note, or screenshot your paired device information (if applicable)

  1. Select the information icon ⓘ located next to the device you are troubleshooting in the device view
  2. Capture the UUID, CertID, and CAID found in the table (the first 5-6 characters of each should suffice)
  3. See iOS Navigation And Device Details for example screenshots

FAQs

Q: Will ‘Do Not Disturb’ detect all ‘Evil Maid’ attacks?

A: No! It is important to understand that instead of looking for specific types of attacks, DND macOS monitors for lid open events, which is a likely precursor to many (but not all) physical attacks. This also means that DND macOS only currently works with laptops, and requires you to shut your laptop when you leave it unattended.

Having lived in this world long enough, we are all fully aware that no mitigation is foolproof. We simply aim to keep shrinking the attack surface. Future versions will expand DND macOS’s monitoring and detection capabilities to perhaps include alerting on power events, USB insertions, etc. This will continue to shrink the attack surface and potentially expand DND’s use beyond laptops.

Q: What is the difference between Digita’s DND macOS and Objective-See’s ‘Do Not Disturb’?

A: The differences today are very minor as all of the low level bits are shared between the two. Obviously various UI components and themes have been changed and digital signatures have been updated. Digita’s update capabilities also work a bit differently than Objective-See’s. As Digita’s DND macOS matures and we add additional enterprise features to the tool, it will almost certainly diverge in supported ‘extra’ features, but will continue to be powered by Objective-See low-level technologies.

Q: Why did Digita create its own macOS app in the first place?

A: We felt it was important to make a Digita branded and supported version of ‘Do Not Disturb’ available to users and enterprises alike. Some users will discover Do Not Disturb iOS in the App store and will not be familiar with Objective-See. Asking them to install an Objective-See tool on their macOS did not seem ideal. At the same time we understand that many users know and love Objective-See tools and will land here because of that. For that reason, the DND iOS app works with both DND macOS versions.

Q: Which DND macOS app do you recommend I install?

A: We strongly encourage enterprise users to install Digita apps and contact us with feature requests for making it more usable in an enterprise environment. For individual users, it is a matter of preference. Digita’s DND iOS app integrates seamlessly with both versions. However, Digita can only support issues and questions pertaining to its own apps.

Feedback? Suggestions? Corrections?

Please email us at dnd@digitasecurity.com or submit a new issue