
I've got some flash devices. It is a bit like playing Russian roulette. The devices are of unknown origin containing information of unknown value. However, the potential value is great enough to be worth the effort to recover and exfiltrate the data to a secure network.

There is a high degree of risk the devices may be loaded with malicious firmware, but the risk of bad firmware is acceptable if the information proves valuable.

However, the issue still remains: what is the best way to screen high-risk flash devices and bring valuable information to the secure network from one or more of the devices, including a compromised device, while ensuring the malware doesn't get introduced to the secure system?

Assume the malware is custom and unlikely to be identified by virus definitions.

Edit: I have more than one computer and access to live images. The hard drives are fully encrypted.

user148650

2 Answers


Start with an optically isolated USB Hub: http://www.sealevel.com/store/hub7i-optically-isolated-7-port-usb-hub.html to protect against USB Killer.

Then you want a machine that malware is unlikely to target: Maybe a Sparc box running NetBSD? If the attacker is truly targeting you, this won't help, but if they are limited in their knowledge or effort it might protect you against driver/OS/firmware attacks.

Then you need to sanitise the data - hopefully plain text is sufficient - convert the data into plain .txt (stripping all the formatting).

Then write the plain text to a different USB stick/CD and it should be safe to use on your normal machines.

The only further risk is that the information is crafted to be convincing but false. (An attack on the wetware :-) )

Douglas Leeder
  • I wasn't including USB killer in my calculus with my considerations of optical devices before... Some men just want to watch the world burn, I suppose. – user148650 May 18 '17 at 18:26
  • A USB killer is detectable through physical examination. Separate the plastic housing around the USB stick - a memory chip is a flat rectangle with almost no other components, and should look very simple. A USB killer is full of bumpy discrete capacitors and coils. Examination would also provide a simple way to avoid plugging in a BashBunny, RubberDucky, LAN turtle or other malicious USB device, all of which have more complex circuit boards than a memory stick. – John Deters Jul 06 '17 at 17:43
  • Do you really think that an attacker will exploit vfat for a netbsd system on sparc? Not only is a sparc a big ugly machine for which it is impossible to get replacement parts... It is better to just clip a few wires in an ethernet cable. TCP is not needed, not even UDP. Just ejaculate the data into this modified cable across a switch, using broadcast ping with payload (nping, hping2), and have a script parse the data. – user2497 Aug 07 '17 at 21:34
  • @JohnDeters all these MAJOR threats can be discovered with a single dmesg on a machine with static binaries (livecd); and turn off all that automagic crud - networkmanager etc. Suckless guys have a nice system just perfect for being a manual, minimalistic operator. – user2497 Aug 07 '17 at 21:40
  • @user2497 I think the OP should decide the attack model. I suggested netbsd on sparc precisely because it's unlikely to be exploited but a targeted attack might be possible if the target is valuable enough. – Douglas Leeder Aug 10 '17 at 05:59
  • @DouglasLeeder yes, he should of course decide – user2497 Aug 10 '17 at 07:16
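One way to carry out the plain-text sanitisation step from the answer above on the isolated machine, as an added example that is not the answer author's code: every regular file under the untrusted mount is reduced to printable ASCII plus tab and newline, output files get sequential names so untrusted file names never reach the clean medium, and an index records the flattened original names. It assumes a POSIX sh with find and tr; the mount and output paths are placeholders, and file names containing newlines are not handled.

```sh
#!/bin/sh
# Added example, not from the original answer. Flattens files from an
# untrusted USB mount into printable plain text for transfer to a clean
# medium. Assumes POSIX sh, find, tr; paths are placeholders.

# sanitize_file <src> <dst>: keep only tab, newline and printable ASCII
# (octal 040-176). Control bytes, CR, escape sequences and all high bytes
# are deleted rather than interpreted. LC_ALL=C makes tr operate on bytes.
sanitize_file() {
    LC_ALL=C tr -cd '\11\12\40-\176' < "$1" > "$2"
}

# sanitize_tree <untrusted_mount> <clean_outdir>: process every regular
# file, writing NNNN.txt plus index.txt mapping each output to the
# flattened original path (the original name is itself untrusted input).
sanitize_tree() {
    src=$1
    out=$2
    mkdir -p "$out"
    n=0
    # Names are only ever passed as data to read/tr, never to a shell as code.
    find "$src" -type f -print | while IFS= read -r f; do
        n=$((n + 1))
        name=$(printf '%04d.txt' "$n")
        sanitize_file "$f" "$out/$name"
        # Strip the mount prefix, then whitelist the name the same way.
        safe=$(printf '%s' "${f#"$src"/}" | LC_ALL=C tr -cd '\40-\176')
        printf '%s\t%s\n' "$name" "$safe" >> "$out/index.txt"
    done
}

# Usage on the isolated box (placeholder paths):
#   sanitize_tree /mnt/untrusted_usb /mnt/clean_out
```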

The Beamgun open-source project can deal with

  1. Keyboard Human-Input Device (HID) actions against Windows OSes, such as via a rogue USB Rubber Ducky
  2. BADUSB and CDC-Ethernet connection attacks, such as via the LAN Turtle
  3. Mass-storage connection of USB disk for protection against unauthorized exfiltration of data

Note that Beamgun is only available for Windows, but certainly its techniques can be repurposed on other OSes.

atdre