Is there a secure way to transfer data outside the Internet?

Question

Since, recently, it has been proven that transferring data through the usb port is fundamentally flawed, I'm wondering if there are 100% secure ways to transfer data without using the Internet.

Suppose Alan has a computer system that has been offline for all of it's life. Alan wants to import some data from Bob. Can Alan do this and remain disconnected from the outside world?

My thoughts were, either Alan has to have complete control over the data being transferred (i.e. Alan knows 100% what he is importing), or Alan must know exactly (and I mean it) how data is being handled by his computer system. That is because, Alan might already have malware installed on his computer system, and this malware might use pieces of data from the data being transferred that might provide the communication between Alan's computer system and the outside world without actually installing any malware in the process of the transfer.

Edit:

Instead of "Alan wants to import some data from Bob", I should have written that Alan and Bob want to communicate bidirectionally while neither of them would be connected to the Internet during their communication.

When I wrote "security", I meant securing that Alan does not leak any data other than the data he intends to send. So, even if the data gets modified when it gets to Bob, and as long as the bits of data that were modified are not copied from Alan's system, it would qualify as 100% secure, for this type of security. Also, Bob is a regular user of the Internet for life with the possibility of going offline for some period of time (i.e. during the data transfer between the two).

When I wrote "Alan has to have complete control over the data being transferred", I meant that Alan has to have a way of checking bit by bit the information that is in transit, and in some way understand it precisely.

Just to be more explicit, Bob can have malware on his computer as well.

Answer 1

It really depends upon the specific threats you may be facing, the direction of your data transfers, etc.

USB specific dangers

You mention the dangers of USB. The main one is indeed related to its firmware opening the possibility of a BadUSB type attack. When you need to transfer data in both directions, you may therefore prefer to use SD-Cards which are not sensitive to such threats (if you use an external USB SD-Card reader, it should be safe but dedicate it to a single computer, don't share it!).

I insist here that I'm mentioning SD-Cards as a viable solution against USB firmware attacks only. In such attacks, a USB flash drive firmware may be corrupted in order to simulate rogue devices (fake keyboard, network card, etc.), such attacks are not possible with SD-Cards. I think this is the reason why we see Edward Snowden relying on SD-Cards in Laura Poitras' Citizenfour film when exchanging files between his own computer and the reporter's ones.

SD-Cards are also equipped with a read-only switch. While such switches are very convenient to prevent accidental modification of the card's content, they cannot be relied upon to prevent malicious modifications since read-only access is not enforced by the card itself but delegated to the computer's operating system.

Enforce a one-way communication

You talk about a possible leak of information by some malware on Alan's computer storing data in some hidden channel. If your transfers are mostly in one direction only and this is your main threat, then I suggest you use read-only media like CDs or DVDs. I don't know if there are still CD/DVD readers on the market, it would be the best since it would physically remove all possibility for Alan's PC to store any data on them, but even without that it would be by far harder to store any data discretely on such disk.

With some digging, you may also find some other alternatives, for instance in the thread how to protect my USB stick from Viruses you will see a discussion pertaining to USB sticks containing a write blocking switch (which works in a more secure way than the SD-Card's equivalent), the use of write blockers which are equipment normally designed for forensic purposes, etc.

Long distance communication

Implemented as-is, the solutions provided above suppose that Alan and Bob are in direct contact, which may not always be true. However, data transfers outside of any computer networks remains possible even on long distance, mostly by using usual postal mails, aka snail mail.

This method may be wrongly perceived as insecure by some people, while when used correctly it can actually present a very high security level. Such method is used by the industry when it is required to move a very large amount of data securely. Amazon provides his Amazon snowball service for such operation, Wikipedia's page about sneakernet also lists some other real-life usage examples, including funny experiments inspired from an April Fool's day RFC using carrier pigeon to carry the storage medium.

In our current scenario, Alan and Bob will need to take a few precautions to ensure everything goes fine:

• Alice and Bob will need to exchange their public keys. This may sound simple, but in the concrete world Alan and Bob may have no possibility to meet even once, may not know each other and may have no common trusted third party to vouch for each other's identity or provide escrow service. However, the whole security of this system relies on the fact that this operation must be done successfully. Fortunately, asymmetric encryption greatly helps, since the leak of these keys will have no deep impact, but it will be of no help against an impersonation or tampering occurring at this step.

• The chosen data exchange medium may have some importance since each may present different characteristics:

  • Firmware based storage devices are the most frequent nowadays, ranging from the hard disks with higher data volume to micro SD cards which can be very easily concealed. One may prefer to buy it from some physical store to avoid any initial tampering, but as we will see later the device will in all case be not trustable anymore once the first shipment occurred.

  • Non-firmware based device present obviously no firmware related issue, but depending on the exact needs of Alan and Bob they may present other issues in particular pertaining to anonymity: burned disks and printed paper for instance may contain unique identifiers allowing to link them to their author (such identifier does not allow the author location though, but once his equipment has been seized they can be used to prove that this equipment produced them).

• Of course the data will need to be properly encrypted and signed before being stored on the medium. I would tend to prefer an encrypted file which can be more easily manipulated than an using directly an encrypted partition on the medium.

• I strongly suggest for the data to be properly backed up before being sent. While such transfer is secure in the way that a potential opponent will not be able to access or tamper with the data even if he manages to intercept it, the data may still get lost or disappear (it can be the result of either a voluntary or involuntary action: it happens that parcels get lost or seized without any intervention from Big Brother, Murphy is very good at that too!).

• Methods to obfuscate the actual sender and recipient (from PO boxes to more advanced stuff), when combined with concealment of the storage device, can help to avoid interception.

• At least on the recipient side, I strongly advise to not connect the received storage device directly to the main computer, but instead:

  1. Connect the received media to a specially hardened minimal system (aka a sheep dip, the host itself may have no hard-disk and boot from a LiveCD) where you will be able to quickly inspect media content and the encrypted file (do not decrypt it on this host!),

  2. You may possibly want to copy the encrypted file to a more trusted support (here one case where using an encrypted file instead of an encrypted partition can be useful). Moving the encrypted file to another support may be especially useful if using a firmware base storage device since, once it went through the postal service, you cannot guaranty the firmware integrity anymore (while the encrypted data is signed, there is no signature you can check for the rest of the storage device).

  3. Then you can connect this most trusted support on your main air gaped computer where you will be able to safely decrypt it, making this step the end of the story :).

Answer 2

It is not reasonable to ever assume data you receive (including your operating system, BTW) from an outside source can be made 100% secure.

The most secure way to transfer something and all-but-guarantee no side-effects (e.g. the OS mounting an external drive) is to type in all the data by hand while you be sure you understand it all. Even then you still have no guarantees.

Fundamentally, the only way to achieve perfect security is to never let your computer do anything with anything.

Answer 3

It is impossible to achieve what you are asking for. You've specified in your criteria that Alan's computer can be pre-infected with arbitrary and unknown malware. In other words, Alan's computer is free to do anything it likes, using any of the hardware under its control. You've also specified that you want a method which is "100%" secure, and you didn't specify what you mean by secure. Are you concerned with data destruction, theft, tampering, or all of the above? You didn't specify some level of security less than 100% as being an option, so my answer will only be in the context of 100% security.

You've attempted to make the system more secure by disconnecting it from the internet, and by banning USB drives. That will give you greater security against certain types of attacks that rely on those mediums in order to gain control of your machine. But you already have arbitrary malware so it is already too late to protect against that.

It's also too late to protect against data destruction. Your malware can decide to destroy all of Alan's data any time it likes.

So the remaining major source of concern that you want to protect is probably data leakage. It doesn't really matter how you get data in to Alan's computer. Internet, USB, carrier pigeon with manual data entry - Alan's system is completely compromised, so it has access to everything.

So that leave's data going out. Again, you cannot 100% prevent the computer from communicating with the outside world, without stopping it from functioning as a computer. It probably has some combination of: fans, electric circuits, mechanical drives, speakers, monitors, power supply. Some of those are compulsory, and all can emit controllable signals for your malware.

To address two of your specific points:

either Alan has to have complete control over the data being transfered(i.e. Alan knows 100% what he is importing)

This is a bit non specific. Do you mean that he 100% trusts the source? That he can see 100% of the data stream as it enters his computer? That he can 100% understand the meaning of every bit of that data stream?

You might be able to achieve the first two. The third is impossible. The malware could be using any kind of arbitrary encoding to hide it's communications.

or Alan must know exactly(and I mean it) how data is being handled by his computer system.

This is impossible, by the criteria you have set, due to the malware.

Answer 4

Since the question doesn't specify what sort of computer system Alan has, I will assume for the purposes of this answer that it's not a typical desktop PC, but instead some form of embedded/project computer system.

So, Bob burns the data onto a ROM chip and sends it to Alan via "sneakernet". Alan plugs the ROM chip into his computer. Since it's a ROM, nothing on Alan's computer, not even the malware, can modify it.

To prevent the suspected malware from transmitting the data to someone else, disconnect all output devices from Alan's computer. No Ethernet, no WiFi, no serial or USB. Don't even connect a monitor, as the malware could flash the screen as a form of binary code to someone else. If there are any LEDs on the computer board, snip them just in case. And disconnect any loudspeakers as well, so the malware can't whistle to anything nearby.

Of course, the down-side of that is that you no longer have any way to tell what Alan's computer is doing, rendering it completely useless. But totally secure.

Answer 5

In your scenario of Alan retrieving data from Bob's computer safely, we need to consider a lot about security in general. The short answer is that for the most part, you'll be fine. Chances are high that you will not transfer malicious code (that would still function) if you are performing the data transfer with a simple USB thumb-drive(Sometimes called the sneakernet).

Long Answer: No, it is data and can always be compromised. If Alan imports data from Bob, and Bob's computer has seen the internet even for a second, there is a chance that malicious code could have been added to whatever data you are going to import (albeit the chances could range greatly from high to very small).

Most malware depends on internet connections and transferring data back and fourth but there are still viruses in the wild that, well, just want to destroy stuff. They do not care if your computer is connected to the internet or not.

Realistically, you're probably fine. Even if there is malware on the data being transported, a lot of the malicious code would cease to function on the separate machine. This is because, as stated above, a lot of malware contains some sort of dependability on a connection to the internet, and the code in the malware to get to Alan's machine would not be the same code that would work on yours. (Let me know if you want to know more on why this is, or read more on shellcode variations if that interests you at all).

In short, a simple USB stick transfer is probably fine, but remember that theoretically everything is hackable and nothing is 100% safe.

Answer 6

Connect the two computers using the serial port. Hopefully both will still have such port native instead of needing a usb-to-serial converter.

The interface is simple enough that the data sent and received can be inspected manually. Not just from one of the computers (if it's trustable) but also externally with an oscilloscope. While there it's a standard interface that won't require customizations to run.

They may want to insert a couple of current limiters (so the malicious hardware from one machine can't damage the other one) and/or a rectifier (to avoid a potential covert channel with a slightly different voltage), as well as normal steps like ensuring the security of the cable itself.

For extra paranoid security, you shouldn't place both computers in the same room, in order to avoid data being exfiltrated by a magnetic field or a microphone recording the other sound (eg. disk movements), as has been used to communicate air-gapped computers (they don't have wifi hardware, right?).

In a similar question, Thomas Pornin suggested the use of the sound card (speaker → microphone) for unidirectional communication between machines. I think the serial port is preferable for Alan and Bob, but you may find this alternative interesting, too.

Answer 7

You want to be 100% certainty you don't leak data from a computer that you control physically, but not operationally -- i.e. you can pick it up, disconnect the power and in all ways control the hardware, but the software is totally under someone elses control.

You can't be 100% certain because the person writing the software may have thought of a way to transmit the information that you may not know about.

In order to evaluate how much less than 100% certainty you should settle for, you need to determine (a) how desirable is the information you have, and (b) how close your your hypothetical attacker can get to their computer or the medium you are using to transmit the data and finally (c) how important is it to transmit the data vs not leak the data?

Data transmission is basically nothing more than making an observeable change. If you can control the environment enough to ensure that they can't directly observe their computer, the thing to do is to transmit the data from their computer to your computer and then on to it's final destination, while ensuring that your computer doesn't become their computer. If they can directly observe either their computer or the transmitted data from their computer, you probably won't be able to prevent them from leaking data.

Answer 8

Physical artifacts to transfer data

You seem want to use some medium that by definition can contain only data, and no executable code or unverifiable hardware. This asks for simple physical artifacts - for example, paper. This sill be obviously less convenient than digital data transfer but still possible.

For small amounts of data you may use simple text - print, scan, OCR; possibly with some checksums to prevent errors. This is auditable - you can see what exactly is transferred.

For larger amounts of data you may use something like http://ollydbg.de/Paperbak/ which claims to reliably encode 500 kB per A4 sheet of paper.

Do note that even in this scenario side channels still exist and can transfer extra data if both computers are compromised by advanced enough malware. For example, the printed data can contain very very light yellow dots that will be readable when scanned; there are systems that will use that to encode print metadata (serial number, time, etc) in every printout; the information is hidden from the user but reliably machine readable.

Answer 9

@WhiteWinterWolf already has posted a good method of transferring the data, but here's another one just for fun: Using an Ethernet cable to form a direct connection (intranet, NOT internet) from Alan to Bob.

If this is the only network interface on both computers, it prevents malware on either computer from contacting any external server. Alan can SSH onto Bob's computer (which only has port 22 open) using public-key authentication as a non-root user who has read-only privileges to a specific folder and is chroot'ed there.

Alan can then copy over the file (which should be an encrypted container). He can then decrypt the container using a pre-arranged password and pre-arranged TOTP with something like a YubiKey. If Alan wanted to avoid any USB device (even a trusted one), he could use a counter based OTP instead. This prevents an attacker from being able to decrypt files exchanged in the future, even if the attacker was recording your keystrokes.

Pros:

• Faster than physical media after initial setup (you can just add files to the directory).
• No USB devices required (unless you use something like a YubiKey).
• Not vulnerable to physical interception of media.

Cons:

• Difficult to setup.
• Requires pre-arranged keys.
• Not practical--what if Alan and Bob were even a mile apart?
• Not reliable--what if somebody cut the wire?
• Obvious--if you see a cable directly connecting Alan and Bob, you could easily guess that they are transferring information.

There is no foolproof method to transfer data completely securely--the best you can do is to make it as hard as possible to obtain the information or hope that the attacker isn't someone like the NSA.

Answer 10

A quick solution may be the ARM chip with decription software, let's say an AES256. Alan's PC will communicate with the CHIP, not the offline data transfer media like SD card. Alan and Bob must exchange a passphrase and the phrase itself ot a hash out of it will be a pre-shared encryption key. The key exchange must be in-person/in-real-life, not online. Then both sides can TECHNICALLY be sure, that any transfer-related issue will not be able to happen in this data exchange case. In case of requirement for security increase - use more AES(Rinjdael algorythm, actually) rounds to increase the cipher strength.

Answer 11

Ah look, a good old classic infosec debate over how to transfer data securely. And not only "As securely as can logically be achieved" but "100% securely."

I'll keep my answer short. Nothing is 100% secure 100% of the time, and therefore not only is there not any way to transfer it offline 100% securely, there is no way to transfer it online 100% securely either.

Rebut this if you must, but thus far there has been nothing to convince me that it could be possible, nor do I believe it ever will be.

With that being said, it has for many years been proposed that information can be transferred in a secure manner, by using OTP, or One Time Pad.

You might postulate an airgap?
http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf - inaudible audio
http://arxiv.org/abs/1503.07919 - thermal
also on that same site, see article number 1411.0237 - example like stuxnet

Those links show a few ways around an airgap, but the bottom line is, it's all about how much you can confuse your attacker, how much resources do your attackers have, and how paranoid are you. The bottom line is that "secure" is nothing more than a point of view. What's "secure" to one person, is not secure to another, and that is due to paranoia.

If anyone can prove beyond rebuttal that I am wrong I long for this answer also, but alas, I already know, one does not exist.

Answer 12

You could transfer over a VPN using NonPublic IP Addresses and setting the server to only listen on the private IP. It make things by far more difficult.