4

At work we mostly use Windows 10, but some co-workers doing design work use Macs. Pen-drives lie around, and the only way of knowing what's inside is to stick them into a PC and read the content?

How high is the risk of getting viruses, backdoors, malware, etc into our computers?

What can be done to mitigate the risk, if high?

  • Besides malicious file content and the somewhat academic USB kill you also need to be aware of USB sticks which emulate keyboards to take over computers. Make sure you mark your sticks and don't allow foreign ones. What is the reason your department does not use the LAN, maybe you can help here. And finally importing and exporting to customer USB drives should be done on a dedicated station only. Preferably hardened (not Windows). – eckes Jun 04 '17 at 19:08
  • When neither the content nor the owner of the pen-drive is known to anybody and no data is urgently missing, then there's no reason to connect this device. Create a special space to store these devices and either destroy them after a while or give them to somebody who's fully aware of all the risks. – Noir Jun 05 '17 at 00:14
  • I have an old mp3 player which can browse thumb drive folders/files. It's great for such things since it can't be compromised by keyboard emulators, malware, or plain viruses. – dandavis Jun 05 '17 at 01:50

4 Answers

5

TLDR: The risk is very real. It's the equivalent of giving someone with malicious intent a keyboard, a network interface, storage, etc... but not showing them the screen.

I think @eckes' comment sums it up nicely. True, a USB-kill dongle is of course a real thing, but has indeed limited "damaging" aspects.

If properly set up, USB dongles can mimic anything USB related (keyboards, NICs, etc.) or a combination thereof. Tools such as the Hak5 Rubber Ducky or Samy Kamkar's PoisonTap show the possibilities. It can siphon out information, implant malware, etc.; which is a significant concern (data- and operations-wise), way more than physical damage.

ndrix
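A default-deny policy for newly attached USB devices is the practical counterpart to "don't allow foreign ones" from the comment this answer refers to. The script below is an added example, not from this answer or from any of the tools it names: it uses the Linux kernel's sysfs `authorized_default` / `authorized` knobs, and `USB_SYSFS` is an assumed override so the logic can be exercised against a constructed directory tree instead of the real sysfs.

```bash
#!/bin/bash
# Hold new USB devices unauthorized until a person has looked at what they
# claim to be. Added example; USB_SYSFS defaults to the real sysfs path but
# can point at a constructed tree for testing.
set -eu
USB_SYSFS="${USB_SYSFS:-/sys/bus/usb/devices}"

# Tell every USB host controller not to authorize new devices automatically.
# An unauthorized device still enumerates but gets no driver bound, so a stick
# that presents itself as a keyboard cannot type anything. Needs root.
lock_new_usb_devices() {
  local h
  for h in "$USB_SYSFS"/usb*/; do
    echo 0 > "${h}authorized_default"
  done
}

# List devices currently held unauthorized as "<sysfs name> <vid>:<pid> <product>",
# which is what an operator reviews before deciding to allow one.
list_unauthorized() {
  local d name
  for d in "$USB_SYSFS"/*/; do
    [ -f "${d}authorized" ] || continue
    [ "$(cat "${d}authorized")" = "0" ] || continue
    name=$(basename "$d")
    printf '%s %s:%s %s\n' "$name" "$(cat "${d}idVendor")" "$(cat "${d}idProduct")" \
      "$(cat "${d}product" 2>/dev/null || echo '?')"
  done
}

# Authorize one device by its sysfs name (e.g. 1-2). A "storage stick" that
# reports itself as a keyboard simply never gets this call.
authorize_device() {
  echo 1 > "$USB_SYSFS/$1/authorized"
}

# Usage: ./usb-lock.sh lock | list | allow <sysfs-name>
case "${1:-}" in
  lock)  lock_new_usb_devices ;;
  list)  list_unauthorized ;;
  allow) authorize_device "$2" ;;
esac
```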
1

As already mentioned by CinisSec, the USB drive might not contain a real drive but a USB Kill that can destroy your computer. There are ways to mitigate this but they are usually not worth the time and effort and don't always remove the whole risk.

There are of course – as mentioned by others too – also risks involving software-related harm. From DMA-attacks through Rubberducky to simple "autorun"-like exploits the host might get infected. While you might be able to isolate the drive in a VM, that might not mitigate the risk completely. Also booting from a live CD will not protect you from malware written to your standard drive (so this requires you to unplug those) and exploits that target your motherboard firmware. These days the UEFI is so advanced that it can be easily reprogrammed to download malware onto your hard-drive before booting the normal operating system. A BIOS password might help here, but this mechanism is not designed to be watertight.

In a day and age where exploits can be purchased from the dark web (or even downloaded for free as part of penetration-testing suites) and USB drives are practically free, a "bad guy" can buy a few hundred of these drives and spread them in public. Since most people don't consider the risk and rather trust their anti-virus software to keep them safe, the yield will probably be amazing and pay off the cost for the drives and exploit.

So, a better way to find out what is on the drive without risking ruining your computer or data is to use a burner computer that you don't mind getting fried. That might be an old computer or a Raspberry Pi, which can be bought for a few dollars. Use that disconnected from the internet with separate accessories to examine the drive. If you think it is safe, you can then proceed to transfer data etc. Since in most situations the burner computer won't be permanently damaged, it can be reused every time you are unclear about a USB drive. If the drive does contain malware, you can just reflash the SD card of the Raspberry Pi and start over.

comfreak
  • How common are USB Kill devices? Not many people would spend money to harm you. – Jean McLein Jun 04 '17 at 20:39
  • @JeanMcLein You're probably right, but do you want to risk that? Either way, using a burner PC is the easiest and cheapest way of protecting yourself. – comfreak Jun 04 '17 at 20:42
  • 1
    Keep in mind that this "Raspberry Pi" is a device meant for poor people, not as a disposable device. For many, it's an expense to buy one, not "just a few dollars". This "burner computer" you mention, almost nobody has. Nobody that I know has working devices they truly care very little about. I mention this because burners are advised relatively often in the security world, but it's relatively unattainable advise for most. And even if you have the money, you need the skills and time. – Luc Jun 05 '17 at 17:16
  • @Luc If you can't afford a Raspberry Pi, then I wonder how you afford your current PC. What do you do, if that one fails one day? Don't exaggerate and say that "almost nobody" can afford a Raspberry Pi, that's just not true, $10 dollars for a Pi Zero with adapters is not too much for most people. Cheaper than having to replace your real PC for sure. If you can't afford that or it's not worth it to you, then don't plug in random USB drives you find on the street. Even if you ditch that idea of a "burner computer" all other solutions I can think of will be more expensive and more difficult to do – comfreak Jun 05 '17 at 20:28
  • @Luc I also want to add that the "burner computer" doesn't need to be replaced every time you find a USB drive. In nearly all situations you won't find a USB Kill and it will be a physically harmless device and the worst case will be that you need to reflash the SD card. – comfreak Jun 05 '17 at 20:43
  • @comfreak I thought they were $40 if you include shipping and sd card (assuming you have a monitor, keyboard, and other peripherals), but my info is apparently outdated. Indeed, a $10 test machine is better than a $40 one. Still, time and skills remain. And let's add availability: you're not going to have it with you all the time. I just think it's fairly overkill. Like locking your laptop to the desk when you go to sleep at night for fear of burglary, which is probably *more* common than "the USB killer". – Luc Jun 05 '17 at 23:12
  • @Luc I think time is a much more expensive factor than the cost of the burner computer, for most people that is, especially in a corporate environment. Also I don't think availability is a huge deal, you can always wait until you are back home if you find a USB drive. – comfreak Jun 05 '17 at 23:42
1

This will not prevent any hardware attacks, like a USB-killer, but this should stop (almost?) all software attacks, except for the very most advanced versions where a malicious program is somehow hidden somewhere in the motherboard or something similar.

You need:

  • A computer you can disassemble (must have a DVD reader, preferably NOT a combined reader & writer)
  • A one time burnable DVD (not a flash drive, those can be written too later)
  • A DVD burner (preferably on another computer)

What to do:

  1. Follow these instructions to make a bootable Ubuntu (Linux) DVD:

    https://tutorials.ubuntu.com/tutorial/tutorial-burn-a-dvd-on-windows#0

  2. When you have a bootable DVD (& have tested that it works), also preferably make sure that the BIOS tries to boot from the DVD reader on the computer that you will disassemble.

  3. Then (unplug the power and) open the computer that you chose to disassemble & remove the hard-drive & any (wireless) network cards from the computer.

  4. Now insert the bootable DVD into the disassembled computer & start it up.

  5. Linux has an amazing OS that can run from the DVD, so now you should be able to insert the USB into a port on the disassembled computer.

Assuming that the USB is infected with all kinds of malicious software, the malware should now not be able to store itself anywhere, because the only places it could potentially be stored are:

  • the RAM memories (lose all data as soon as the power is turned off).

  • maybe some kind of boot-memory on the motherboard (requires a VERY advanced virus, probably specifically designed for EXACTLY that motherboard, since most motherboard types have slightly different programming).

  • some registers inside the CPU (can only hold a few bytes at a time, and probably(?) forgets everything when the power turns off).

BE CAREFUL with keyboards, mice & screens that are connected to this computer because they might have some kind of memory inside them, so just assume that they are infected & don't use them anywhere else. I think it's a good idea to also use the oldest keyboard, mouse & screen you have, because I think it's less likely that they have a built-in memory (unlike the latest Razer mice & similar things).

When you are done, just unplug the computer & all memories should be cleared (the motherboard might have a "button cell battery" that keeps the clock ticking even when the computer is unpowered; this battery might also power some memories, so it could be a good idea to remove that battery too for a while (I don't know if this will clear any important "motherboard-booting-memories" or something, does anyone else know?)).

Good luck!

Sebastian Norr
  • You can also pair this solution with a protection against hardware attacks (USB-killers) by using an "opto-isolated hub"; they are a bit more expensive, but it's cheap compared to buying a new computer. See more here: https://security.stackexchange.com/questions/103088/is-there-any-way-to-safely-examine-the-contents-of-a-usb-memory-stick/103102#103102 – Sebastian Norr Aug 12 '18 at 16:02
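For step 5 of this procedure, and equally for the burner computer in comfreak's answer above, here is one way to look at what a stick contains on the isolated Linux box without letting anything on it run. This is an added example and not part of either answer; the device path and mount point are assumed command-line arguments, and the file-name patterns are my own list of names typical of "autorun"-style tricks.

```bash
#!/bin/bash
# Examine an untrusted stick on the isolated box: mount it so nothing on it can
# execute, then inventory it without opening any file. Added example; the
# device (e.g. /dev/sdb1) and mount point are assumed arguments.
set -eu

# Read-only, and nothing on the drive may be executed, setuid, or a device node.
untrusted_mount_opts() { printf '%s' 'ro,noexec,nosuid,nodev,noatime'; }

# Mount device $1 at directory $2 with those options. Needs root.
mount_untrusted() { mount -o "$(untrusted_mount_opts)" "$1" "$2"; }

# One line per regular file: sha256, size in bytes, path. The hashes can be
# checked against a malware database from another machine; the files
# themselves are only read, never opened by an application.
inventory() {
  find "$1" -type f -print0 | sort -z | while IFS= read -r -d '' f; do
    printf '%s  %s  %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" \
      "$(wc -c < "$f" | tr -d ' ')" "$f"
  done
}

# Names typical of "autorun"-style tricks: autorun.inf, shortcut files and
# scripts dressed up as documents (report.docx.lnk). Case-insensitive match.
flag_suspicious() {
  find "$1" -type f \( -iname 'autorun.inf' -o -iname '*.lnk' -o -iname '*.exe' \
    -o -iname '*.scr' -o -iname '*.bat' -o -iname '*.cmd' -o -iname '*.vbs' \
    -o -iname '*.js' -o -iname '*.ps1' \) | sort
}

# Usage: sudo ./inspect-stick.sh /dev/sdb1 /mnt/stick
if [ $# -eq 2 ]; then
  mount_untrusted "$1" "$2"
  inventory "$2"
  echo '--- suspicious names ---'
  flag_suspicious "$2"
fi
```

The `noexec`/`nosuid`/`nodev` options stop an accidental double-click from running anything; they do not help against a stick that is not storage at all (keyboard emulators or a USB killer), which is why the drive-less, network-less machine still matters.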
0

Most people think they can only get their PC infected with something via auto-run or something similar but you can't forget USB Kill. Those pendrives charge on the USB port and then discharge everything back at once to fry your computer. Nothing you can do about it but cry if it happens.

You can always run a live USB (with physical write protection) on a computer disconnected from any network & HDD to avoid malware from spreading and then analyze it.

CinisSec
  • How common are USB Kill devices? Not many people would spend money to harm you. – Jean McLein Jun 04 '17 at 20:39
  • Indeed, but a best practice would be to just use an old system to try it out, leave it on for a few seconds to a minute depending on the USB port. Then you can swap to another system for analysis. – CinisSec Jun 05 '17 at 13:01