129

Suppose I found a USB memory stick lying around, and wanted to examine its contents in an attempt to locate its rightful owner. Considering that USB sticks might actually be something altogether more malicious than a mass storage device, is there any way I can do so safely? Is an electrical-isolation "condom" possible? Is there a way to manually load USB drivers in Linux / Windows / OS X so as to ensure that it won't treat the device as anything other than USB mass storage?

After all, despite all the fear-mongering, it's still overwhelmingly more likely that what appears to be a misplaced memory stick actually is just a memory stick.

Follow-up question: what measures do/can photo-printing kiosks take to guard against these kinds of attacks?

200_success
  • 38
    Plug it in an old laptop (not connected to a network) that you don't mind burning. – Matty Oct 19 '15 at 08:51
  • 14
    The only really safe way is to take it apart, desolder the flash chip, and read it out with your own trusted circuit. – PlasmaHH Oct 19 '15 at 09:02
  • Besides any kind of software attack you can protect your PC mechanically/electrically by using a cheap USB hub I guess. – ASA Oct 19 '15 at 09:18
  • 1
    From the answers it seems there are hardware and software attacks. The first type can be controlled by specific USB hubs which isolate power. The second seems harder, as they can be hidden in firmware and end up undetected. – Gustavo Rodrigues Oct 19 '15 at 12:32
  • 2
    @PlasmaHH: and then give it back to its rightful owner. He'll probably be happy, yeah! – Thomas Weller Oct 19 '15 at 12:33
  • 38
    Who knows it's not a bomb pretending to be a USB memory stick? And I guess the next version of USB killer may pretend to be a good memory stick for the 5 or so uses. – user23013 Oct 19 '15 at 13:16
  • 9
    `what measures do/can photo-printing kiosks take to guard against these kinds of attacks?` None. They just let themselves get compromised. When I worked for a major A/V vendor, one of our offices was in the same building as a pharmacy, and we ended up having to fire a few employees for continuing to use the photo printer in the pharmacy, because the USB devices they plugged into the photo kiosks would be infected by *dozens* of different pieces of malware, and those would get onto our internal network when they plugged the USB device into their work machines. – HopelessN00b Oct 19 '15 at 14:36
  • @HopelessN00b Yikes! I imagine the same is true of blood pressure kiosks with connectors for various devices, like the one at my local grocery store. Or pretty much any public kiosk with an exposed USB port. – Martin Oct 19 '15 at 21:12
  • 1
    @user23013 The modern-day Trojan horse which (*nearly*) ended civilization. USB Memory Sticks which are Nuclear Bombs. Luckily, one highly skeptical Information Security employee took it apart and discovered the bomb. Now, all USB devices are untrustworthy and should never be plugged in, even if you got it from the store. Never! – DoubleDouble Oct 19 '15 at 21:51
  • Raspberry pies were perfect for that kind of exam until they became popular enough to be targeted. – Dmitry Grigoryev Oct 20 '15 at 08:30
  • 1
    @HopelessN00b Geez. I hope they got a couple of warnings first. – Shane Oct 20 '15 at 15:06
  • 2
    @Shane Oh, they got over a year's worth of warnings. And instructions on which networks they *could* plug potentially infected USB devices in. And company issued equipment so they wouldn't need to use the kiosk. Us IT folks were long fed up with cleaning up after it and screaming for blood long before they got canned... but, eventually, one of the infections inconvenienced or embarrassed one of our C-levels, and that was that. – HopelessN00b Oct 20 '15 at 15:10
  • 2
    @200_success +1 arbitrary internet point for making me lol, not one upvote :P – Aequitas Oct 21 '15 at 03:35
  • 14
    @Aequitas Many, many years ago I encountered some 3.5 floppy disks that came in individual plastic bags for some reason. I just about had someone convinced they were condoms for virus protection. – Loren Pechtel Oct 21 '15 at 03:50
  • 2
    This is not an answer; just an observation. Assuming the hardware is safe, all the stick contains is 0's and 1's. It is the fault of the PC that it will execute that data. Any port should be programmable to a safe mode where any input is rendered non-executable. –  Oct 21 '15 at 21:58
  • how about using software like deep-freeze? in my case it works like charm :) – Abie Giordano Oct 22 '15 at 10:25
  • Not sure this justifies a full question being asked (and god knows which stackexchange would be appropriate) but do BIOSes need write access for normal use? Could you physically disconnect the write pin, or add a hardware write blocker inline (if they are now serial) for this sort of thing - assuming other measures are taken too of course? – user2867314 Oct 22 '15 at 16:21
  • 2
    Related: [How can USB sticks be dangerous?](https://security.stackexchange.com/q/102873/34757),  [How do I safely investigate a USB stick found in the parking lot at work?](https://superuser.com/q/1206321/150988),  [Safely opening a suspect USB Drive](https://superuser.com/q/167878/150988),  [How can I browse an untrusted USB flash drive safely?](https://superuser.com/q/983709/150988),  [What is the danger of inserting and browsing an untrusted USB drive?](https://superuser.com/q/709275/150988),  [How can a flash drive spread a virus?](https://superuser.com/q/93939/150988),  and probably more. – Scott - Слава Україні May 06 '17 at 22:07

11 Answers

79

I'd use a Raspberry Pi, the Model A/A+ without a network connection, as:

  • It (or rather Linux) can read most types of filesystem on a USB stick.
  • The only non-volatile storage it has is an SD card, which can be reformatted (or discarded if you're paranoid) afterwards.
  • If the USB stick turns out to be electrically malicious, you've only lost $20 of hardware.
  • It runs a somewhat non-mainstream OS on a non-x86 platform, which makes it less likely to be vulnerable to typical Windows malware.

This still leaves the question of what you'd do with any files you find on it - copying them to any other machine would obviously put that machine at risk.

Nothing is 100% safe, mind you. I can put it no better than James Mickens: "If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT".

Ian H
  • 4
    The problem is that you might detect nothing suspicious on it (depends of course on one's skills) but it would still carry a dangerous payload. – Vladislavs Dovgalecs Oct 20 '15 at 23:01
  • 2
    A Raspberry Pi, huh? Now I wonder when someone finds a way to infect HDMI controllers. – Rhymoid Oct 21 '15 at 19:40
  • 5
    @xeon: If the policy for found USB devices is to examine them for any obvious signs of ownership and, if any are found, contact the apparent owner (who should then have some clue as to whether the drive is his, and how paranoid he wants to be about the possibility of its having been tampered with) then the entity finding the drive and searching for signs of ownership wouldn't have any reason to care about a hidden dangerous payload since the entity which found the drive would have nothing to fear from such a payload since they'd never expose anything of major value to the drive in question. – supercat Oct 21 '15 at 21:56
  • 1
    +1 This is a much cheaper solution than an opto-isolated usb hub. The cheapest of those I could find were closer to $100. – Ajedi32 Oct 22 '15 at 13:17
  • Did you just call Linux "non-mainstream"? Because that is only true for the desktop market, everything else is dominated by Linux or some other Unix. (Well, except real time stuff, that's mostly VxWorks, which is, as far as I know, not Unix.) – Bobby Oct 24 '15 at 09:49
  • @Bobby is the Linux OS that runs on PRI a mainstream version of Linux? – schroeder Oct 24 '15 at 23:59
  • @Bobby That's right. Linux dominates in markets where plugging in a random USB drive is unlikely, and it doesn't in the markets where plugging in said USB device is more likely. So the point stands. – jpmc26 Dec 12 '15 at 07:38
  • @schroeder The recommended OS for Raspberry Pi is Raspbian, a Debian derivative. There are others, but they look to also be slightly modified versions of the original for the most part. See [here](https://www.raspberrypi.org/downloads/). – jpmc26 Dec 12 '15 at 07:39
  • You might try plugging it into something like a [CIRCLean USB Sanitizer](https://www.circl.lu/projects/CIRCLean/) first, then plug the copied drive into a Linux Live Boot machine with NO network connection whatsoever. You also need to look out for a [BadUSB](https://youtu.be/nuruzFqMgIw) scenario where the actual USB Controller chip itself has been hacked. That's why you copy any data you want to a known good device first, then toss the original. Then an ONLY then would I even consider taking the risk of plugging the copied drive into a machine I actually use. Even then, probably not. – Chiramisu Feb 02 '20 at 10:49
50

The USB-killer wouldn't kill your PC if you connected it through an opto-isolated hub. They do exist, (search: "opto-isolated usb hub") but as I've never used one myself I'm not going to recommend a specific model. They're not cheap though. Here is an example:

[image: opto-isolated USB hub]

Once you've dealt with the hardware aspect, you're then reduced to a more common problem. You've probably got more expert advice in other answers already, but my take is to unplug the hard drive (and all other writable storage) of a PC and boot it off a live CD or live USB stick (one which doesn't auto-run the contents of USB sticks of course). That's because it's maximum return for the effort given where I'm starting from. It would be sensible if you were going to make a habit of this to set even your live CD up to not auto-mount and not auto-install hardware, and to unplug the machine from the network. Booting with the suspect stick in place would also be a bad idea, in case it's bootable, but also because you may want to have access to event logs when you've just plugged it in.

Pharap
Chris H
  • 29
    That's not going to help protect you against a [BIOS virus](https://en.wikipedia.org/wiki/BIOS#Security), or firmware attacks on any hardware you leave connected to your machine. Maybe even your [keyboard or mouse](http://security.stackexchange.com/q/100743/17049). – Jon Bentley Oct 19 '15 at 12:27
  • 1
    @JonBentley, not autorunning or trying to boot off the memory stick should protect the BIOS shouldn't it? Assuming a malicious reflashing is the vector, of course. I've seen the mouse thread and a recent "keyboard masquerading as USB stick" one too. I'll generalise my "disconnect the HDD" to disconnect writable storage. I wonder if it's possible to have a keyboard-macro write and execute a script that could flash the BIOS. – Chris H Oct 19 '15 at 12:40
  • 3
    Note that for fast usb2 or usb3 speed there exist no affordable opto isolators on the market – PlasmaHH Oct 19 '15 at 13:31
  • @PlasmaHH, I'm not surprised, but back-compatibility would be good enough to allow investigation. If the *hardware* is benign, listing the files on the drive might be the next step, then perhaps displaying the contents of them, starting with small text files. – Chris H Oct 19 '15 at 14:03
  • @ChrisH: It can just take a while to download 3TB of data over 12MBit when you want to draw an image for forensics ... – PlasmaHH Oct 19 '15 at 14:07
  • 6
    @PlasmaHH, I'm sure it can. But: (i) 3TB USB sticks aren't exactly common; (ii) the premise of the question wasn't forensics, but: "is this a real USB stick and if so whose" (e.g. non-security IT pro is handed a found device -- my interpretation). If it isn't a USB stick, kill it with fire, investigate for fun, or pass to an appropriate authority for forensics. If it's an obviously malicious USB stick take similar action. At this stage we don't need to image it (and you might not want to take possession of the contents unless working on it in a professional capacity). – Chris H Oct 19 '15 at 14:24
  • @PlasmaHH continuing what Chris said, normal sized USB sticks can be imaged in a reasonable amount of time over a 1.0 connection. Roughly half a day for a full 64GB stick (let it run overnight, look at it the next day), or an hour and a half for 8gb. – Dan Is Fiddling By Firelight Oct 19 '15 at 19:31
  • 3
    Given the price of buying an opto-isolated USB hub, I think you're much better off buying a cheap second hand pc online like @Matty suggested - then you need not worry about software, either. – Sanchises Oct 20 '15 at 09:46
  • 2
    @PlasmaHH The biggest commercially available USB Flash drive is 1 TB and costs over 650 USD. A 3 TB USB in the current period means one of 3 things. In decreasing order of likelihood to end up in your parking lot: 1. the USB device is bugged and overreporting its capacity, in which case don't trust it; 2. It's a prototype from Kingston or Patriot (the only ones that currently sell 1 TB USB drives) and should be returned to them; 3. The device somehow got here from the future and it's possible that current USB standards don't allow you to read it. – Nzall Oct 20 '15 at 21:57
  • You're not kidding about the price tag! I've had many hassles over the years with USB hubs feeding voltage back onto the motherboard so I looked them up upon reading your post. – Loren Pechtel Oct 21 '15 at 03:54
  • @NateKerkhofs, you're spot on but PlasmaHH could be referring to USB external hard drives, which could easily be made into USB killers. Still, you'd only need USB 1.0 to check for that. – Chris H Oct 21 '15 at 06:15
  • @ChrisH You could turn an external HDD into a USB killer, but it would be much more cost-efficient to use something like an 8 GB USB (which you can get for a fraction of the cost of a 3 TB external HDD) or even build a device from scratch. It's also more likely that a USB drive is "accidentally" dropped (say, out of a pocket) in a parking lot, especially if the idea is that the thing should still work. – Nzall Oct 21 '15 at 09:37
  • @NateKerkhofs, I agree completely. – Chris H Oct 21 '15 at 10:26
36

If we assume that the stick could have been physically altered for maximum nastiness, then one must take into account the possibility that the alleged "memory stick" will spew out some anthrax spores or a cloud of plutonium oxide when inserted in a computer, so the answer to your question would be: there is no safe way to examine the contents of a memory stick (unless you can delegate the task to some underling who will do it in another building).

Conversely, if we suppose that the attacker will not be that thorough, then we are implicitly using a "threshold of nastiness" which is arbitrary in nature. If we rule out raw physical destructive effects (including trying to fry the host computer electronics), then there are mostly five ways by which an evil memory stick could harm the machine in which it is inserted:

  • The memory stick could try to abuse a vulnerability in the USB controller hardware. That controller is a chip with its own firmware, that is also connected to the main data lanes in the computer, so there exists the theoretical possibility of exploitable holes. This would be very specific to a version of the controller and its firmware, and I am not aware of any such hole in the wild.

  • The memory stick could try to abuse a vulnerability in the operating system code that handles the USB dialogue. This is basically what the PlayStation Jailbreak was doing: the device was, at the USB level, several devices, one of which sent slightly out-of-spec messages that triggered a buffer overflow in the OS code that detects and enumerates USB devices.

  • The memory stick may be, in fact, not a memory stick, but another kind of device, possibly several of them simultaneously. E.g., the stick could be, from the OS point of view, a keyboard, and when inserting it, it could begin to type things. This happens in the wild.

  • The memory stick could be a real memory stick, with a filesystem that exploits a vulnerability in the OS code for filesystems. Apart from direct buffer overflows, there can also be issues with, for instance, auto-run features (it is noteworthy that a number of existing, non-malicious memory sticks also emulate a virtual CD-ROM drive precisely so as to try to exercise such auto-running). A variant would be a stick containing pictures that exploit holes in picture-rendering libraries (that would get invoked by the host computer when trying to show "thumbnails" upon graphically exploring the directories and files).

  • Last but not least, a human operator is involved, which opens lots of attack possibilities. Many attacks simply leverage the bottomless well of human gullibility. The stick contents could induce the human operator to carelessly launch what looks like a harmless executable. Or, even worse down that line, the stick could contain documents of a disturbing nature (some things cannot just be unseen), which still counts as "damage".

Your best bet for "safe exploration" of the stick would be to use a basic PC with an operating system with a good reputation with regards to code quality, up-to-date with security patches, and, crucially, with as little plug-and-play support as possible. Ideally, an OS that will not try to do anything automatically with the newly inserted USB device (i.e. an OS which is exactly what modern OSes like Windows, OS X or Linux are not). I suggest starting with OpenBSD or NetBSD, customized to deactivate any form of USB-related magic. Using uncommon software and uncommon hardware also offers some small extra protection, on the basis that low-grade, large-spread attackers tend not to bother writing exploits for, say, NetBSD systems running on old PowerPC-based Macs.

Tom Leek
19

In all cases, keep in mind that there is no perfectly sandboxed system (hardware/electrical, software) that can protect you from such possible infections 100%.

On the other hand, your situation can depend on who you are and where you found it.

If you are a qualified worker, let's say, for a car company and you found the stick next to your workplace or next to your living place (you are targeted), then maybe the best thing you could do is to destroy that USB stick, because the problem is that there is no way you can know in advance if the USB stick you found has firmware-embedded malware, in which case nothing seems useful ('BadUSB' malware lives in USB firmware to remain undetected, unfixable). Such malware could lead to the infection of your BIOS, which may be too difficult to get rid of (if not impossible).

If you're a Mr. X or Y and you found the USB stick in a random public place, then maybe even if the USB stick is infected (on purpose or not), the malware could not be that dramatic, in which case booting your computer using a Linux Live-CD to check the content of your USB may be a reasonable action.

14

One interesting approach to this problem is CIRClean, also described in a LWN article.

It utilises a Raspberry Pi (presumably fairly expendable in the face of overvoltage and other electrical attacks) into which the untrusted USB mass-storage and a trusted, blank USB mass-storage should be plugged in. And no other devices are plugged in - it's not connected to any network, or keyboard/mouse/monitor. And there's no writable permanent storage, or BIOS to be infected (and the truly paranoid can re-flash the boot SD card before each use if they desire, I suppose).

Power it up, and it will transfer files from one to the other, performing some automated scrubbing of known malware vectors (e.g. transforming PDF or MSOffice files to safer HTML). A visual and audible indicator shows when the process is complete, and the system can be powered down, leaving the user with a somewhat sanitised version of the original filesystem on the trusted storage, ready for transfer into the user's workstation.

If you plan to use CIRClean, I recommend checking its issue tracker for current defects - the LWN article notes (December 2014) that there was no protection against BadUSB keyboard attacks; I haven't determined whether that is still true. Looking at the kernel config file in the Git repository, it certainly looks like it could be locked down much more (Magic Sysrq, anyone?). Perhaps a project to get involved in, rather than (yet) a finished product.

Toby Speight
11

While the electrical aspects were covered above, many are concerned by malware infecting your BIOS. Well, then plug it into a machine which doesn't have a BIOS and won't run anything on the stick: use a SPARC machine. I see Sunfire V100 machines on eBay for $50-60 in uncertain condition, less than $200 for so called "seller refurbished". It is possible there were older, thus even cheaper, ones that had USB; I just can't remember any. The V100 definitely has USB ports. I am sure if a three letter agency is aware of you using a SPARC they will be able to do something nasty with a USB stick, but it'd be an extremely costly attack since they would need to do original research on how to do it. Here's the official Oracle page on mounting USB sticks under Solaris.

This forum topic talks about adding USB to Ultra 5/10 if you wish to bother with that but I do not see them much cheaper than the Sunfire V100.

chx
  • 1
    You mentioned a good point: *BIOSless* machine. +1 –  Oct 20 '15 at 07:09
  • SPARC systems have a BIOS; they just call it "firmware". But all computers boot on some code in ROM/Flash, and that code, like every single piece of software, may have bugs. Of course, this is not the same code as a BIOS for an x86-based computer, so one may hope that the attacker "won't have thought about SPARC machines". – Tom Leek Oct 21 '15 at 14:42
  • That's quite exactly what I meant, by BIOS I meant PC BIOS and by "won't run anything on the stick" I meant "anything written for an x86 CPU". I even mentioned the possibility of an attack and how unlikely / costly it is someone actually thought of a SPARC. It also shows how awfully anchored in the past I am -- the Raspberry Pi answer is the same train of thought but it's a cheap available device. However, ARM is much more widespread than a SPARC so if we go by the "there is no kill like overkill" school of thought then perhaps SPARC *is* the best choice. – chx Oct 21 '15 at 19:57
8

The OP is referring to an electrical isolation because of the risk due to a USB killer device:

The device reportedly works by drawing power from the USB ports and using a converter until negative voltage is achieved. The power is then directed back into the computer, with the process looping until the machine's circuitry fries.

Unfortunately there's no way to defend yourself from this attack because it involves the electrical circuitry (unless you build your own customized USB ports!), but it seems very unlikely.

The most common vector of attack nowadays is a Windows virus auto-run when you insert the USB drive. Therefore I'd say that examining the content of a USB drive on a Linux machine is relatively safe. It's unsafe in theory, but in reality you won't risk much doing this, unless someone is targeting you or your company (there's a difference between a USB drive found on a random street and a USB drive found on the parking lot of your company).

dr_
  • 4
    [Chris' answer](http://security.stackexchange.com/a/103102/58810) mentions an (optically) isolated USB hub which would presumably protect against this kind of device. – Lilienthal Oct 19 '15 at 18:52
  • 1
    Proper protection circuitry (strong clamping diodes on all wires and current limitation) should be enough too. – Michael Oct 19 '15 at 20:03
  • The description doesn't make sense. http://arstechnica.com/security/2015/10/usb-killer-flash-drive-can-fry-your-computers-innards-in-seconds/ Is better, along with the comments. – JDługosz Oct 22 '15 at 08:15
5

Technically on Linux it's quite easy to stop udev and unload every USB-related kernel module except usb-storage. However, there will be two practical issues:

  1. Your stock kernel may have the hid module built in, so you'll have to recompile the kernel to make it loadable.

  2. Once you unload the hid module, legitimate USB keyboards and mice will stop working as well. Find an old PS/2 keyboard, or use a virtual keyboard with touchpad/touchscreen (only works if those are not USB).

Jens Erat
Dmitry Grigoryev
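The answer above (only usb-storage loaded, nothing else bound) and Tom Leek's list of ways a "memory stick" can misbehave (in particular, a device that is also a keyboard) both come down to one check: does the device expose any interface other than mass storage? The following POSIX shell script is an added example, not code from the original answers, and it reads the interface classes the Linux kernel publishes in sysfs (`/sys/bus/usb/devices/<dev>/<dev>:<cfg>.<iface>/bInterfaceClass`, where `08` is Mass Storage and `03` is HID). It takes the device directory as a parameter so it can be exercised on a constructed tree; the directory names `1-1` and `1-2` and the sample classes are constructed for the demo.

```shell
#!/bin/sh
# Added example: classify a USB device by the interface classes it presents.
# Assumes the Linux sysfs layout; run it against /sys/bus/usb/devices/<dev>
# on a host where only usb-storage is loaded, as the answer suggests, so the
# check happens before any non-storage driver could bind.

# Print the bInterfaceClass value of every interface beneath a device directory.
usb_iface_classes() {
    devdir="$1"
    for f in "$devdir"/*/bInterfaceClass; do
        [ -r "$f" ] || continue          # glob with no match yields a literal
        cat "$f"
    done
}

# Succeed (status 0) only if the device has at least one interface and every
# interface is class 08 (Mass Storage). A hidden HID interface, a second
# device behind a hub, or a CD-ROM/keyboard composite all fail this test.
is_storage_only() {
    devdir="$1"
    found=0
    for cls in $(usb_iface_classes "$devdir"); do
        found=1
        [ "$cls" = "08" ] || return 1
    done
    [ "$found" -eq 1 ]
}

# Human-readable verdict for a device directory.
classify_usb_device() {
    devdir="$1"
    if is_storage_only "$devdir"; then
        echo "storage-only"
    else
        echo "other"
    fi
}

# Constructed sysfs look-alike for offline demonstration (not real devices):
#   1-1  a plain memory stick with a single Mass Storage interface
#   1-2  a composite device that is storage plus a HID (keyboard) interface
make_sample_tree() {
    root="$1"
    mkdir -p "$root/1-1/1-1:1.0" "$root/1-2/1-2:1.0" "$root/1-2/1-2:1.1"
    echo 08 > "$root/1-1/1-1:1.0/bInterfaceClass"
    echo 08 > "$root/1-2/1-2:1.0/bInterfaceClass"
    echo 03 > "$root/1-2/1-2:1.1/bInterfaceClass"
}

# Stand-alone demo over the constructed tree.
demo_root=$(mktemp -d)
make_sample_tree "$demo_root"
for dev in 1-1 1-2; do
    printf '%s: %s\n' "$dev" "$(classify_usb_device "$demo_root/$dev")"
done
rm -rf "$demo_root"
```

On a real host, point `classify_usb_device` at `/sys/bus/usb/devices/1-1` (or whichever entry appears when the stick is plugged in); anything other than `storage-only` means the device is not just a memory stick and should be unplugged rather than mounted. Linux also exposes a per-device `authorized` attribute in the same directory, which an administrator can use to keep a device unbound until a check like this has passed.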
4

tl;dr: Doing something radical like using a "burner" PC or device that you will use one time to read the USB stick and then discard is an (almost) completely bulletproof way of seeing what's on the stick. But actually going to such extremes while investigating is overkill and a little silly. Except where it isn't.

Believe it or not, there is a nearly foolproof way to examine such a USB stick. Step-by-step:

  1. Find some super-old, super-cheap, but-still-somehow functioning laptop/netbook on the Internet and buy it. (Any tablet large enough to have a full-sized USB port and with an OS that can use external storage on that USB port works also.)

    • Alternative #1: If, however, you also really care about not potentially infecting the USB stick via plugging it into some previously owned device of unknown security history, you could just as well opt for, say, a $60-$70-ish bottom-of-the-barrel new Windows tablet with a full USB port. (They aren't hard to find on Newegg, Amazon, eBay, etc. and via sites like Dealnews.) Cheapest-of-the-cheap commodity hardware has its place.

    • Alternative #2: If you want to save a little cash and you already have an old, crappy, or old & crappy device you'd be happy to sacrifice for the purpose of finding out what's on that USB stick, you can certainly go that route instead. However, pretty obviously you'd want to make sure that there would be absolutely, positively no personal (or professional) data left on it of any kind before doing so. With a PC that has a classic hard drive you can very likely accomplish that by wiping it with a boot program that overwrites every bit of space on the disk with random data many times over, and then re-installing whatever OS you want. Probably. On the other hand, if you want to use a device that has solid-state storage....

  2. When the package containing your device arrives, grab it and an appropriate charging cable that you're willing to sacrifice (you'll see why in a minute) and make a trip to a location that has power plugs but either (a) no wireless network availability or (b) at least no wireless networks that you've ever connected to before and in all likelihood will never connect to in the future. (A Panera or Starbucks on the other side of town that's far out of your normal way works great.) Just to cover the hypothetical case where some super-ultra sophisticated NSA-level malware present on the USB stick infects your device and then autonomously starts using its radios to try to breach any Wi-Fi, Bluetooth, etc. networks around it. Paranoia bonus: Also leave all other electronic devices of yours that have any kind of wireless connectivity at home. (Yes, including your smartphone. I know it's hard to be apart, but just this once.)

  3. When you arrive at your location, unbox and plug-in your new device. Wait for it to charge a bit.

  4. Turn on your device, wait for it to boot, and plug-in your suspect USB drive. Have a look at anything that's on it, its file structure, whatever characteristics you like. If you are in a place that does have public wifi, maybe connect and grab some tools from the Internet (if your old piece-of-junk will install & run them) and take a closer look. Do literally nothing else with the device.

  5. When you have satisfied your curiosity, grab your device and your charger, go out to a field somewhere nearby, and give them a nice final sendoff by re-enacting that scene from Office Space. (Alert: Auto-playing YouTube vid, with probably NSFW language. Duh.)

  6. Do whatever you've decided to do with the USB stick & any data on it.

(Okay, if you pride yourself with not being hugely wasteful and/or environmentally irresponsible, instead of destroying your "burned" device/PC in a fun manner you could recycle it, donate it to charity, or sell it for a pittance. If you go either of the latter two routes, should you tell the receiving party exactly why you're getting rid of the device? Well, let's maybe call that a cybermorality question for another day.)

The End.

Well, okay, I'm being a little facetious. But only somewhat. The fact remains that if we're talking about examining a USB device with (nearly) zero security risk, the only real option is to plug it into a system that (a) contains absolutely no sensitive info of yours, (b) you are willing to sacrifice should the USB turn out to be some electrically-malicious item, (c) you will never use again for any purpose that requires putting any kind of trust in its security, and (d) will not physically be able to connect to any networks or other devices to spread any malware infection it might get from the questionable USB drive. (Or to seek out any sensitive info that might reside on those devices and/or networks.)

In other words, a "burner" computer is your best bet. If you really, really, really want to examine the drive with almost* perfect safety/security, that is.

Now, if we're just talking about examining the USB stick with a "very likely good enough, given practical considerations" degree of safety/security, @Chris H's suggestion above is a good one: grab a desktop PC or a laptop machine (that you can actually open/service without professional tools), take out the storage drive/s, boot from a live CD/USB OS flavor you prefer, and plug in the suspicious/intriguing USB stick. Is there still a small chance that the USB could contain sophisticated malware that could execute when you plug the USB stick in and then flash your machine's BIOS/UEFI, or flash other writable firmware contained in things like your video card, your networking card, your USB controllers, etc.? Yes. (Although right now all the stuff besides BIOS/UEFI attacks remains very rare in the wild. And even BIOS or UEFI malware needs to be written specifically for the maker/version implementation used in a targeted machine.) Could the item that appears to be a USB memory stick in actuality be a USB-killer that will electrically fry your motherboard? Well...theoretically, yes. But the probabilities against either of those things being true--especially the USB-killer one--are strongly in your favor. To paraphrase a good point you made in your question, most of the time a plain old USB stick is just a plain old USB stick.

Unless you, your employer, or another entity you are a part of could be considered a very high value target by some sophisticated attacker out there, that is. Then all bets are off. And in which case, a convoluted safety-above-all-else method like the one above might actually be the only appropriate one.

*Of course, there's no such thing as "perfect" security. But "almost perfect" security is close enough for our purposes here.

mostlyinformed
  • 2
    While they're getting harder to find, some computers have no form of non-volatile storage which can be altered without swapping chips or, at minimum, physically changing jumpers. There should be zero risk of "infection" when examining a USB stick with such a computer provided one powers it down afterward, because there would be nothing the stick could possibly infect. – supercat Oct 21 '15 at 22:02
  • It's funny, but I had the same thought. But I just assumed that finding a new (or recent-ish) machine like that today would be more or less impossible for an individual. (Obviously, very-security-conscious large corporations & government agencies have access to channels/suppliers that individuals don't. Or can just pay jaw-dropping prices for custom stuff.) Now I'm curious to take a look at what options might be out there. Off to Google... – mostlyinformed Oct 22 '15 at 07:04
3

The other answers cover flashdrives which are malicious, I'll talk about the USB killer mentioned in your linked answer. (EDIT - they did when I started typing this)

A virtual machine won't help with these, it's still going to get power and attempt to fry whatever it's connected to. As far as I can tell, you have three options:

  1. Open up the drive and see if it looks legit, or if it's covered in a load of big capacitors.
  2. Plug it into an old machine or an rPi etc. (something you don't mind getting fried).
  3. Build a USB extension with some decent diodes in it, that have a high reverse voltage.

What you choose to do really depends on where you find the drive and how curious you are. Personally, if I found one outside work and absolutely had to check it, I'd plug it into an rPi. If I found one on the street, it's staying there.

Jay
  • 4
    You'd probably be best using a zener (plus fuse) circuit: See for example http://electronics.stackexchange.com/questions/59666/protect-dc-circuit-from-too-much-voltage (assuming you wanted to build something, I suggest buying an opto-isolated hub in my answer) – Chris H Oct 19 '15 at 10:35
  • I like this idea, may have to get the soldering iron out one weekend! – Jay Oct 21 '15 at 06:54
  • What about a non-powered usb hub? – JDługosz Oct 22 '15 at 07:43
1

You can make a Virtual Machine to act as a so called "condom". A couple of popular hypervisors include VMware Player and VirtualBox. If you crash your VM, you can just make a new one and try again. You can find ISO files on the web to make them with. Just google up some tutorials if you need a walk through, depending on the hypervisor you go with.

If you have a Linux machine, you can make the disk read-only, which may be easier, depending on what you have. You can do this via diskutil in Terminal.

Depending on the route you take, just comment, and I can go more in depth by editing this answer. Hope this gives you some ideas, and gets you closer to your goal.

Vandal
  • 4
    That won't protect you from something like the [USB killer](http://kukuruku.co/hub/diy/usb-killer) device. – tangrs Oct 19 '15 at 07:06
  • 4
    Ah, I understand. I did not consider this. The only thing I had in mind was software related infections. Thanks @tangrs ! – Vandal Oct 19 '15 at 07:10
  • 6
    It won't guarantee protection from software related infections either. Virtual machines can be ["escaped" out](http://security.stackexchange.com/q/3056/17049) of. A hypervisor is a piece of software, and can contain vulnerabilities just like any other. Making your disk read-only won't protect you from attacks on the OS (e.g. to make the disk writeable again), on your [BIOS](https://en.wikipedia.org/wiki/BIOS#Security) or on other firmware. – Jon Bentley Oct 19 '15 at 12:33
  • Also, there are firmware level attacks that abuse the USB protocol directly and can easily breach any unpatched host OS before you even have a chance to connect the device to the VM. – billc.cn Oct 19 '15 at 13:35
  • @billc.cn: you'd want to pass-through the USB controller for a pair of ports to the guest OS, maybe with VT-d or something. (Hardware support for giving a guest access to a PCIe device). – Peter Cordes Oct 20 '15 at 01:06