Script / method to erase USB flash drive content after a certain number of uses

Question

I have a few bootable thumb drives with various OS's that I intend to let someone use. However, I need a way to ensure the USB drives can only be used once. Thus my question - is there a way to have a USB drive wipe itself after a certain amount of uses? Perhaps with a script or software / firmware on the drive itself?

I have done some research on the topic already, but my searches yielded little useful information.

Thanks ahead of time for assisting me with data rights management!

I'm not sure this is on-topic here. This is either a programming or an OS question. There is no direct connection to security. — schroeder, Dec 23 '15 at 05:32
Would you care if they copied the data off the USB drive to a dozen other drives and then used each of those drives? In that case they'd only be using your driving once. — Neil Smithline, Dec 23 '15 at 05:42
@Schroeder The security aspect comes in to play with the data on the USB drive itself - despite what this may be. Forgo the scenario, and this can be considered data protection. I want a way to ensure the drive is only used once. I am close to just doing it myself, as that may be the easiest route and will ensure complete data integrity. — Vandal, Dec 23 '15 at 07:38
@Neil Smithline I plan on encrypting the ISO within a partition on the drive. It may affect the usability of the drive, but I have yet to get that far. — Vandal, Dec 23 '15 at 07:39
You could probably do it by building your own self-destructing USB drives (maybe with a custom firmware), but otherwise no - it is possible to read a drive without being able to write back to it using something like https://www.cru-inc.com/products/wiebetech/usb_writeblocker/ in which case any software on the drive would have no way to store that it had been accessed. Software on the drive doesn't run on the drive itself, so still needs the computer to have write access. — Matthew, Dec 23 '15 at 08:48
You cannot rely on any OS or software measure for such control, since the anyone would be free to backup and restore the disk content at any time, thus resetting the use count. The only solution I can imagine would be an hardware or firmware system (as @Matthew mentions) limiting the number of read operations on the same data. — WhiteWinterWolf, Dec 23 '15 at 10:34
@schroeder: Do not hesitate to take a look at my [new post on Meta](http://meta.security.stackexchange.com/questions/2109/are-drm-related-questions-on-topic-here). Our topic is protecting assets from threats, here the OP wants to protect his intellectual property (asset) from piracy (threat), does make this question on-topic (even if there might be no affordable solution in this precise case)? — WhiteWinterWolf, Dec 23 '15 at 11:09
@schroeder The question is clear enough, and the poster isn't asking for an actual script, just if such a thing is possible. Please try to broaden your perspective on security as I see you questioning "on topicness" a lot. — Steve Sether, Dec 23 '15 at 15:10
@SteveSether and the answer to whether it is possible is a function of the USB driver, the OS, and then to be implemented in the script. The answer is in a specific domain of knowledge that is better served in other forums. — schroeder, Dec 23 '15 at 15:35
@schroeder If you can read the USB drive, you're hosed. All you have to do is copy the data somewhere else. You can't simultaneously give someone access to data, and prevent them from copying it. It's like making water not wet. — Steve Sether, Dec 23 '15 at 18:16

score 4 · Accepted Answer · edited Mar 17 '17 at 10:46

You want a DRM, not an "integrity" solution

First a small vocabulary precision. The "data integrity" term you use doesn't seem appropriate regarding your needs.

A data integrity method would ensure that the data on the flash drive is genuine and/or cannot be in a corrupted or incoherent state, but this do not seem to be your concern here.
A Digital Right Management (DRM) method, according to Wikipedia, "is a term referring to various access control technologies that are used to restrict the usage of proprietary software, hardware, or content.

So what you need is a DRM solution, and not a data integrity solution.

Possible, but only on an industrial or semi-industrial scale

There is no really viable protection relying solely on the OS or any data publicly stored on the thumb-drive. Indeed, it is trivial to dump the raw thumb-drive content and restore it later to put it back in its pristine state.

So, you can forget about self-deleting content, standard encryption which will be of no help against this, do not even think about storing a counter in some unallocated zone of the file-system (such tricks were used to protect CD-ROM's in the late 90's but will be of no help here).

Some other answers suggest the use of an Internet-based service. This is how DRM-enabled PDF documents work: the document themselves are encrypted and upon each opening the decryption key is requested to some Adobe server. This may work, but you have better ensure that your software requesting the key and the protocol it uses cannot be reversed or replayed, otherwise the end-user will be able to get around your protection. All security will rely on this, and given enough time and determination consider that your software will eventually be broken, it just a matter of profit vs. efforts needed.

The solution I suggest doesn't require any Internet access from the end-user and gives a good protection against reverse engineering attempts by keeping the security system out of the reach of end-users.

A firmware-based solution

You will need something not reachable to the user, and this will most probably mean you will have to customize your own firmware for the job.

Following my idea, the storage area of your flash drive should be divided in three zones:

One public and relatively small zones containing just enough material to initiate the boot procedure (it needs to be accessible to a standard BIOS),
One very tiny zone accessible only to the firmware (and never accessible to the computer) storing the counter and, possibly, some other configuration and/or authentication material,
The largest zone, accessible to the computer only after a successful internal authentication.

The boot process would go as follow:

The BIOS read the publicly accessible boot sector and initial boot executable,
This initial executable initiates some custom authentication procedure with your firmware to unlock access to the main data,
If the authentication is successful and the maximum number of allowed unlocks not reached yet, the firmware increments its internal unlock counter (stored in his private area) and then effectively unlock the main storage area,
Once the main storage is accessible, the boot process can continue as usual.

Potential weaknesses

First potential weaknesses I could see:

I do not know which application you intend to run on such thumb-drive, however an end-user may try to extract and copy the unlocked content (whether directly from the USB drive or from the mounted RAM disk) if your software allows him to do so (for instance if he is allowed to open a shell with root access). So you may want to restrict the user's privileges on the running system to prevent this.
Your initial boot executable may use some obfuscation technique to prevent the authentication procedure to be easily leaked. In the hands of determined attacker, expect dead and live analysis since they can for instance connect your thumb-drive to a virtual machine to simulate a boot process and analyze the exchange between the initial executable and the thumb-drive. The good news is that, even if the authentication process and secrets are reversed, this will not allow to tamper with the unlock counter or unlock an already locked thumb-drive.
Your firmware may be overwriteable. When selecting a provider for your chips, you must ensure that they offer the possibility to lock any further update or rewrite of your firmware code. This may not be obvious, but there is actually plenty of USB devices where the firmware can be rewritten by end-users, see BadUSB. Since your security relies on your firmware, this may be an important criteria for you.
If the value is high enough, a determined attacker may be willing to access directly the data stored in the NAND storage chips inside the thumb-drive. If this is a concern for you, you may want to implement on-the-fly encryption in your firmware so all stored data will be systematically encrypted.

Feasibility / credibility

Custom flash drive: A quick search let me find several open sourced USB keys with customizable firmware already available in retail and wholesale, however they were targeting the more profitable market of security tokens which mean they add a more costly cryptographic hardware to the key. Most chances are that cheaper already-made USB keys can be found at lower price.
Custom firmware: Creating his own firmware may sound highly technical, but I do not think it really is. USB chips provider also provide the associated development framework which include libraries acting as an abstraction level over USB low-level operations and placeholders for the user's customized code. As a sample here is a random documentation for such a library so you can get yourself an idea. The main prerequisites are to know how to write C applications, how to use an IDE, and have only a basic understanding of how USB works.
Divide the storage area and control access to each zone: This is not my invention, as far as I remember this is how the DRM extension for SD cards is implemented. To learn more on this topic, this specification is confidential however some part of it (at least) leaked on the Internet despite the non-disclosure agreements. I am not reinventing the wheel.
On-the-fly encryption: There are already USB token providing on-the-fly encryption, however to achieve good performance they bundle some cryptographic hardware. Since encryption is not your first goal here, and if you really need to encrypt the storage area (ie. if you fear that your users will take your flash disks apart and access the raw NAND chips content directly), you may still be able to do without such hardware but you will have to restrain yourself to very low resources algorithms. In fact, with a flash drive limited computing resources, you may go more toward some data obfuscation scheme than a true highly secure encryption algorithm.

Forgive me for being so uncouth with my vocabulary, but I am happy you were able to see past that. I thank you for your answer, and will probably take the customized firmware route. With your answer and others, you have all given me more than enough information to get this started. — Vandal, Dec 29 '15 at 07:35
@Spyder_Says_hi: Few time ago I went through [this DerbyCon presentation](https://www.youtube.com/watch?v=xcsxeJz3blI). It shows how the engineer maliciously altered a firmware to implement, among other things, a hidden storage space in a device which could be enabled only if the right trick was used. Since you want to do it on a legitimate basis, your work should be far more easier than his, but nevertheless since he has [published his work as open-source](https://github.com/adamcaudill/Psychson) it may still be useful to you. — WhiteWinterWolf, Jan 11 '16 at 11:20

score 2 · Answer 2 · edited Mar 20 '17 at 10:29

Maybe you're falling into the XY problem trap here. Are you sure the answer lies in how the USB self-destructs as opposed to taking some standard licensing measures? i.e. if you can confidently say the OS will rely on an internet connection - you can quite easily block it after the first use.

If, in fact, what you're actually asking is how you'd protect what's actually on the disk (i.e. the files mustn't be accessed) - they really, really shouldn't be on a USB drive you plan on distributing in the first place. To want people to read the file contents, but only once is impossible without a particular level of control over their machine.

zedman9991 · Answer 3 · 2015-12-23T15:00:33.303

If your booting system is going to have access to the Internet or an intranet you can positively control the process by completing the install with a network install initiated by the USB drive.

You would be doing a hybrid PXE boot install with the USB actually initiating the boot and first level install. Consider installing a minimally functional OS with the USB install and then pulling the real OS image from the network as an ISO file. If you need this instance to only run once you then move the network image to RAM and mount loopback.

The control of the number of uses would be delegated to the network server that passes back the ISO installation image.

This scheme also can be made to address the cases where the installation is aborted midsteam or one of the many things that can go wrong does. A one shot and your done plan needs a Plan B if there are many installations planned and this scheme could allow approving a second try without sending another USB.

JOW · Answer 4 · 2015-12-23T08:14:18.857

1

If the Entire OS boots up and resides in the RAM(like puppy OS), then You could (in theory), run a script at the End of startup, that runs a software like Disk Wipe or Shred to delete all the data in the Disk.

This is still very situational but worth a try.

edited Dec 23 '15 at 08:14

answered Dec 23 '15 at 07:58

JOW

2,319
2
16
24

3

How do you prevent the flash drive content from being copied, I mean *before* booting from it? Would I have such a disk, I would just backup its content, boot from the disk, then restore the disk content to retrieve it in its pristine state... – WhiteWinterWolf Dec 23 '15 at 10:31
@WhiteWinterWolf you are right. – JOW Dec 23 '15 at 10:37

score 0 · Answer 5 · answered Dec 23 '15 at 15:19

Ultimately the answer here has to be no, it's not possible to protect your data from being copied if you put it on a USB stick. Since the data is on a simple USB drive, anyone can simply copy the data from the USB drive to somewhere else without booting the system. Then the filesystem can be mounted read-only, and an attacker can take whatever data they please. Whatever protections you put on the bootable drive would be able to be circumvented by an attacker since they can copy it to somewhere only they have control over, and you don't.

You can protect it from anyone that isn't willing or able to do this, or knows someone that does. It's essentially the equivalent to a cheap lock on your luggage. It's far from perfect security and only takes a modicum of skill to circumvent, but that might be enough for whatever purpose you're intending.