10

A customer provided an external drive (USB 2.0 and Firewire 800 connections), and wants me to copy files onto the drive. The drive is not new. I have no particular reason to suspect the customer would intentionally send a drive containing malware, but I don't know that the drive is clean.

I'm using Mac OS 10.8.3; is there a significant risk of malware transfer upon connection? Is there a safe way to inspect the drive before copying the files?

EDIT For clarification, I'm concerned about the risk of triggering malware transfer from the USB drive to my computer upon connection. This might be a real risk; I'm asking for confirmation that this transfer-upon-connection risk is real in this scenario, or imagined.

ANOTHER EDIT @Adnan answered the question as stated, and I agree with his answer. I now realize I was also interested in another possibility -- the device might mask its nature or purpose. The USB page on Wikipedia states that USB 3.0 supports a guest device initiating communication with the host upon connection, and that Firewire has always had this capability, while earlier versions of the USB protocol enforce a "speak-when-spoken-to" behavior on guest devices. An external drive is unlikely to initiate communication, but a malicious device might. So if you trust that the device is just an external hard drive, connecting that drive to a Mac OS or Windows computer (with Autorun turned off) is probably not risky by itself. But if the device is not just an external drive (i.e. it's something like the USB Rubber Ducky), there is some risk.

Eric Rath
  • For the sake of sanity of all us paranoid types, you can also buy a brand-new spring-clean USB 2.0 external drive and give it to the client. :) – Deer Hunter May 06 '13 at 19:31
  • If you're very concerned, you could boot to a Live CD and copy the files that way. – John May 06 '13 at 19:55
  • Knowing that it doesn't answer your question, Windows users can hold down the key, until after the drive is mounted, this should prevent any autoplay and autorun scripts. – martinstoeckli May 06 '13 at 20:02
  • @DeerHunter, what about supply chain concerns? ;) john, you're halfway there... martinstoeckli, g2k but that's only one threat vector... – Matthew Peters Jul 31 '14 at 21:07
  • You also need to think about USB keys that are not just data devices. Take a look at https://hakshop.com/products/usb-rubber-ducky-deluxe for example. – Tennessee Leeuwenburg Oct 18 '17 at 23:45
  • @TennesseeLeeuwenburg this is mentioned in the question itself – schroeder Oct 19 '17 at 07:12
  • @DeerHunter, There is no such thing as a bought product that is guaranteed to be spring-clean. – Pacerier Mar 06 '18 at 08:02
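
The second edit to the question, and the comments about a stick that is "a mass storage AND a hid device", come down to one observable fact: what interface classes the device actually enumerates with. The following is an added example, not code from the question or any answer. On a Linux host (a live distribution booted from a stick, as one answer suggests) it reads the bInterfaceClass of every interface a USB device exposes from sysfs and flags any device handed over as "an external drive" that presents anything beyond mass storage. The sysfs layout it assumes is /sys/bus/usb/devices/<dev>/<dev>:<config>.<iface>/bInterfaceClass; the sample tree is constructed inline so the script runs offline, and the vendor id in it is a placeholder.

```python
import os
import tempfile
from typing import Dict, List

# USB-IF interface class codes (from the USB class code table).
USB_CLASS_HID = 0x03            # keyboard/mouse: can type into the host
USB_CLASS_MASS_STORAGE = 0x08   # the only class a plain external drive needs
USB_CLASS_CDC_DATA = 0x0A       # data side of a CDC device, e.g. a USB network adapter

CLASS_NAMES = {
    0x01: "audio", 0x02: "cdc-control", 0x03: "hid", 0x06: "image",
    0x07: "printer", 0x08: "mass-storage", 0x09: "hub", 0x0A: "cdc-data",
    0x0E: "video", 0xE0: "wireless", 0xFF: "vendor-specific",
}

SYSFS_USB = "/sys/bus/usb/devices"  # real location on Linux; demo() uses a constructed copy


def read_attr(path: str) -> str:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read().strip()


def interface_classes(device_dir: str) -> List[int]:
    """Return bInterfaceClass of every interface directory below a device directory.
    Interface directories are named <dev>:<config>.<iface>, e.g. 1-3:1.1."""
    classes = []
    for entry in sorted(os.listdir(device_dir)):
        attr = os.path.join(device_dir, entry, "bInterfaceClass")
        if ":" in entry and os.path.isfile(attr):
            classes.append(int(read_attr(attr), 16))  # sysfs stores a two-digit hex string
    return classes


def assess(product: str, classes: List[int]) -> Dict[str, object]:
    """Compare what a device presents with what 'an external drive' should present."""
    names = [CLASS_NAMES.get(c, hex(c)) for c in classes]
    extra = [n for c, n in zip(classes, names) if c != USB_CLASS_MASS_STORAGE]
    if not classes:
        verdict = "no-interfaces"
    elif extra:
        verdict = "unexpected-interfaces"
    else:
        verdict = "storage-only"
    return {
        "product": product,
        "interfaces": names,
        "verdict": verdict,
        "injects_input": USB_CLASS_HID in classes,   # a keystroke-injecting "drive" looks like this
        "adds_network": USB_CLASS_CDC_DATA in classes,
    }


def scan(bus_root: str = SYSFS_USB) -> Dict[str, Dict[str, object]]:
    """Assess every USB device (hubs excluded) under bus_root."""
    results = {}
    for dev in sorted(os.listdir(bus_root)):
        dev_dir = os.path.join(bus_root, dev)
        if ":" in dev or not os.path.isfile(os.path.join(dev_dir, "idVendor")):
            continue  # interface entries and anything that is not a device
        classes = interface_classes(dev_dir)
        if classes == [0x09]:
            continue  # hubs, including root hubs
        product_path = os.path.join(dev_dir, "product")
        product = read_attr(product_path) if os.path.isfile(product_path) else "(no product string)"
        results[dev] = assess(product, classes)
    return results


def make_sample_tree(root: str) -> None:
    """Constructed sysfs look-alike: a plain drive, and a 'drive' that also presents a keyboard."""
    devices = {
        "1-2": ("Portable HDD", ["08"]),            # mass storage only
        "1-3": ("USB Flash Drive", ["08", "03"]),   # mass storage plus HID
    }
    for dev, (product, classes) in devices.items():
        dev_dir = os.path.join(root, dev)
        os.makedirs(dev_dir)
        with open(os.path.join(dev_dir, "idVendor"), "w") as fh:
            fh.write("0000\n")  # placeholder vendor id, not a real device
        with open(os.path.join(dev_dir, "product"), "w") as fh:
            fh.write(product + "\n")
        for n, cls in enumerate(classes):
            iface_dir = os.path.join(dev_dir, f"{dev}:1.{n}")
            os.makedirs(iface_dir)
            with open(os.path.join(iface_dir, "bInterfaceClass"), "w") as fh:
                fh.write(cls + "\n")


def demo() -> Dict[str, Dict[str, object]]:
    """Run the scan over the constructed tree instead of the live host."""
    root = tempfile.mkdtemp(prefix="usb-demo-")
    make_sample_tree(root)
    return scan(root)


if __name__ == "__main__":
    for dev, info in demo().items():
        print(f"{dev}: {info['product']!r} -> {info['verdict']} {info['interfaces']}")
```

On a real host call `scan()` with no argument after plugging the drive in; a verdict of "unexpected-interfaces" with `injects_input` set means the host has just accepted a keyboard from something sold as a disk, which is the case the second edit worries about. The product string is reported only for context: it is written by the device and proves nothing on its own.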

7 Answers

4

Respectfully, @Adnan is dead wrong in some key assumptions that it is relatively safe to open an unknown external drive.

As I answered here, it is not safe to connect any infected drive without proper safeguards in place.

In fact, the only way to be 99.99% (nothing in security is certain) sure it's malware-free is to actually do a forensic examination on it. At a bare minimum you should only attach an unknown external device using a proper VM. Ideally, you would take a forensic image of the drive and then examine it in the VM.

Note that you can do this 'safely' but only if precautions are followed.

Here is a simple article that outlines a few real-world examples.

Bear in mind that it is not just limited to autoplay features. There are sooooo many ways to hide things digitally and then execute them (leveraging OS/driver/buffer exploits for example).

Update: you may want to keep your ears peeled for more information on this as it's presented at Black Hat soon.

Matthew Peters
  • Re "Ideally, you would take a forensic image of the drive"; Isn't this hen-and-egg problem? How do you take a forensic image of the drive? – Pacerier Mar 06 '18 at 08:06
3

If you connect the disk, don't open it, and just send the files to it, then there's almost no risk at all. If your system is originally clean, malware cannot magically move itself from the USB disk to your system. Plus, Mac OS X doesn't have an autorun capability for USB drives. It never has.

The only theoretical risk I can think of is if the attacker had found a vulnerability in the way Mac handles the drive's names and was able to exploit it and execute some code.

Personally, I wouldn't worry about it. Just make sure you copy without opening it.

Note 1: When I say "don't open it", I don't mean that there's a magical way to get you infected if you open the disk, there isn't. It's just that if you open it, it's more likely that you'll click on something in it.

Note 2: Please don't run an anti-virus scan on a disk that is not yours unless you're asked to. Anti-viruses tend to be stupid; they delete pen-testing tools all the time.

Adi
  • Was thinking over a Clancy-thriller-worthy scenario when a USB-connected storage device transmutates into something completely different... like a USB keyboard - and sends a crafted key sequence to the OS. – Deer Hunter May 06 '13 at 19:18
  • @DeerHunter for social engineering purposes I am using a prepared USB stick which is actually a mass storage AND a HID device... ;-) – Dr.Ü May 06 '13 at 19:39
  • @Adnan, you write "malware can magically"; did you intend to write "malware cannot magically"? – Eric Rath May 06 '13 at 20:30
  • @EricRath Yes, correct. This is the second time this happens to me today. – Adi May 06 '13 at 20:33
  • @Adnan, do you know if the risks vary between USB 2.0 and Firewire 800? I.e. the drive in question offers both types; would connecting with one present different risks than connecting with the other? It seems plausible that the two protocols provide different on-connection behavior. – Eric Rath May 06 '13 at 20:43
  • @EricRath - NEVER ever use [Firewire](https://en.wikipedia.org/wiki/DMA_attack)! – Deer Hunter May 06 '13 at 20:49
  • @Dr.Ü: out of curiosity, is that possible with stock windows drivers? Curious. – Sébastien Renauld May 11 '13 at 18:55
  • Sure... You are able to emulate different devices on different endpoints. If you are interested in those things I recommend you read Travis Goodspeed's blog. He's also into exploiting USB drivers. – Dr.Ü May 11 '13 at 22:16
  • @DeerHunter That's probably possible with a variant on the USB Rubber Ducky... – anaximander May 14 '13 at 12:14
  • @Adi, Are you sure Mac does not autorun on connection? Time Machine keeps bugging you whenever you do a connection, and drives are automatically scanned and mounted. – Pacerier Mar 06 '18 at 08:05
2

I believe all Mac OS 10+ versions disabled the autorun feature, so even if there were a virus on it, if you are simply copying files it would never start unless you intentionally ran the program.

I would say you are very safe in attaching and copying the files with no ill effects. If it were Windows, I would say there is a lot of worry.

If you are that worried, you can download Kaspersky's bootable USB antivirus and plug the drive in on reboot and scan it with that.

http://www.precisesecurity.com/tools-resources/free-antivirus/virus-scan-kaspersky-usb

Travis
1

One possible scenario:

  1. boot a live distribution from stick (use your fav)
  2. mount your local disk as read-only
  3. copy files from the local disk to your customer's external drive

Dr.Ü
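
Step 3 of that procedure is the only point where the two file systems meet, and it is where a script can enforce what several answers repeat: write to the customer's drive, read nothing from it. The following is an added example, not Dr.Ü's code. It copies an outgoing directory onto a mounted destination, never follows symlinks on the source side, refuses to overwrite anything already present on the drive, strips execute bits from what it writes, and returns a SHA-256 manifest that a final pass re-reads to confirm the copy. Source and destination are constructed in temporary directories; on a real system `dest` would be the drive's mount point.

```python
import hashlib
import os
import shutil
import stat
import tempfile
from typing import Dict, Tuple

READ_ONLY_MODE = stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP | stat.S_IROTH  # 0644, no execute bits


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def export_files(src_dir: str, dest_dir: str) -> Dict[str, str]:
    """Copy regular files from src_dir into dest_dir; return {relative path: sha256}.

    Nothing already under dest_dir is read or overwritten; only data we wrote is read back.
    """
    manifest: Dict[str, str] = {}
    for root, dirs, files in os.walk(src_dir, followlinks=False):
        dirs[:] = [d for d in dirs if not os.path.islink(os.path.join(root, d))]  # skip symlinked dirs
        rel_root = os.path.relpath(root, src_dir)
        out_root = dest_dir if rel_root == "." else os.path.join(dest_dir, rel_root)
        os.makedirs(out_root, exist_ok=True)
        for name in files:
            src = os.path.join(root, name)
            if os.path.islink(src) or not os.path.isfile(src):
                continue                      # symlinks, sockets, devices are not copied
            dst = os.path.join(out_root, name)
            if os.path.lexists(dst):
                raise FileExistsError(f"refusing to overwrite existing item on drive: {dst}")
            shutil.copyfile(src, dst)         # data only: no metadata, no xattrs
            os.chmod(dst, READ_ONLY_MODE)     # nothing we leave on the drive is executable
            manifest[os.path.relpath(dst, dest_dir)] = sha256_of(src)
    return manifest


def verify_export(dest_dir: str, manifest: Dict[str, str]) -> bool:
    """Re-hash only the files named in the manifest (the ones we wrote)."""
    return all(sha256_of(os.path.join(dest_dir, rel)) == digest
               for rel, digest in manifest.items())


def write_manifest(dest_dir: str, manifest: Dict[str, str]) -> str:
    """Leave a sha256sum-style manifest next to the files so the customer can check them too."""
    path = os.path.join(dest_dir, "MANIFEST.sha256")
    with open(path, "w") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")
    return path


def demo() -> Tuple[Dict[str, str], bool, bool]:
    """Constructed input: two data files, an executable and a symlink on the source side."""
    src = tempfile.mkdtemp(prefix="outgoing-")
    dest = tempfile.mkdtemp(prefix="customer-drive-")
    os.makedirs(os.path.join(src, "reports"))
    with open(os.path.join(src, "reports", "q1.csv"), "w") as fh:
        fh.write("id,value\n1,42\n")
    with open(os.path.join(src, "notes.txt"), "w") as fh:
        fh.write("hello\n")
    with open(os.path.join(src, "tool.sh"), "w") as fh:
        fh.write("#!/bin/sh\necho hi\n")
    os.chmod(os.path.join(src, "tool.sh"), 0o755)
    os.symlink("/etc/hostname", os.path.join(src, "link"))   # must not be followed or copied

    manifest = export_files(src, dest)
    ok = verify_export(dest, manifest)
    write_manifest(dest, manifest)
    tool_exec = bool(os.stat(os.path.join(dest, "tool.sh")).st_mode & stat.S_IXUSR)
    return manifest, ok, tool_exec


if __name__ == "__main__":
    manifest, ok, tool_exec = demo()
    print(f"copied {len(manifest)} files, verified={ok}, tool.sh executable={tool_exec}")
```

Run it after the drive is mounted and point `dest` at the mount point; `FileExistsError` on a name collision is deliberate, since the script has no business deciding whether something already on the customer's drive should be replaced.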
1

Another scenario:

  1. Download, install and update a free anti-virus software
  2. Disable autorun from USB on your Mac
  3. Connect USB
  4. Run a direct anti-virus scan against the USB drive
  5. Take only the files you require from the USB drive

AndyMac
1

USB Thumb drives are super super cheap - you can play it safe by eating $2-15 depending on the quantity of data. Alternatively boot up a machine you can wipe, copy the files to it, copy the files, mount the customer drive on the temp box, copy files from temp box to customer drive, reimage (wipe clean) the temp box.

Ram
1

MacOS 10 does not autorun. You should be fine. Just don't go clicking and opening things from the drive of unknown history. If you have pre-Windows-7 Windows machines turn off autorun before connecting random drives to them.

Rod MacPherson