How to write protect a USB key?

14

3

I'm looking for a solution to write-protect the contents of a USB key. The idea is to prevent its contents from being inadvertently removed by the user or changed by malicious programs -- not to restrict the re-cycling of the key for something else.

Here is a summary of my findings so far:

  1. Some keys have a switch which makes them read-only. Unfortunately this is not always the case.

  2. With a FAT32 filesystem the only solution seems to be setting the files "read-only". But this protection is too weak. There is a slightly stronger write-protection available for NTFS, which can be achieved by removing write privileges from "All Users" it will make the files read-only to every account, except "Administrator". Formatting the disk as UDF makes it read-only under Windows XP SP3, but read-write in Windows Vista, Windows 7, Linux and Mac OS X. Formatting as ISO9660/CDFS makes it read-only under Linux and Mac OS X, but unfortunately the contents are not readable anymore from Windows.

  3. With microcontroller-specific software is possible (if supported by the chip) to re-partition the key so it displays for example a write-protected and a read-write partition. The problem is that it is very confusing for the users: the write-protected partition can appear as a CD-ROM drive (which it is not), after insertion some drivers are apparently installed on the computer (in fact they are not really drivers), and it can lead to prompting for reboot. Besides, this solution cannot be applied universally because it requires knowing which chip is used in the drive, and the existence of publicly available tools to re-program the device.

  4. John Reasor mentions utilities able to fill all free space on the device, making it impossible to create new files (see below).

Does there exist a general solution to store non-modifiable contents on a USB key?

  • It protects the contents from modifications typically done from the shell (e.g. delete, rename, move) or from the files and folders being modified by a standard applications (e.g. save-as)

  • It should work with most of the devices

  • The user can still re-format the device into a regular key to re-cycle it for another usage (for example, with fdisk)

caas

Posted 2011-04-11T21:06:34.683

Reputation: 243

1You would need to buy a flash drive designed for this purpose, no way to retrofit an existing flash drive. It could be done by modifying Windows permissions of the files on the drive, but Unix, Linux would ignore these settings. I'm a bit confused, you want to protect data from users deleting it, but then you want users to format and recycle the drive?, you cannot have it both ways. – Moab – 2011-04-11T21:23:29.667

Yes, I don't consider using fdisk, format or the partition manager as something a user would inadvertently do. It's just this kind of action I want to prevent. – caas – 2011-04-12T21:48:13.520

Answers

2

Your findings are correct and there is no general solution that can help. Sorry.

I can only rephrase what you said:

Either they have a write protector switch or they don't

File System level protection that can vary between OSs and implementations

Microchip/key specific features, no easy way to know in advance - typically you would ask and get it manufactured to the specification e.g. I had one client who purchased some that were locked to read only after being duplicated. There was no way around this.

William Hilsum

Posted 2011-04-11T21:06:34.683

Reputation: 111 572

Ah, I was afraid of this. Thanks for your help! – caas – 2011-04-12T21:49:23.473

2

Here are some ideas that may help fill your needs.

Software Tricks – Last Resort

There are a few software approaches that you can use in a pinch, but they’re mostly Windows-specific and it may be possible to bypass them – even if it seems unlikely.

Looking for a USB Flash Drive with Read Only or Write Protect Switch describes how to create a customized U3 partition based on an ISO file that will mount as a virtual CD-ROM. This will prevent items from being deleted from that virtual CD, but is not ideal for a system cleaning disk because the second partition can still be written to and infected. In addition, changing the contents of the protected area is a multi-step process that involves creating/updating an ISO file that is then used to re-create the U3 area on the flash drive.

USB Flash Drive Write Protection describes how the Windows Registry DWORD value WriteProtect in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\StorageDevicePolicies key controls whether USB devices are writable or write-protected. A value of 0 (zero) allows writing to USB devices; a value of 1 blocks writing to USB devices. Changes may take effect after a logoff/logon, but will certainly take effect after a restart. There are several drawbacks to this approach: it might be possible for software to bypass it, it blocks writing to all USB devices, it doesn’t take effect immediately – it requires at least a logoff/logon and possibly a system restart and you have to undo your changes because it affects all USB devices not just your flash drive.

Several applications (shareware and free) and instruction sets simplify the process of write protecting by filling up the disk by simply creating temporary files to consume all available free space on the drive. If there’s no space to create even a small autorun.inf file, it’s difficult to infect the drive since it won’t run items by default when the drive is connected to a PC. This is probably better than nothing since it will stop some infections, but it may also give a false sense of security – it’s not complete security. One of the several sites with instructions for this is Raymond.CC’s Create Fake Dummy File on USB Flash Drive to Enable Write Protect and Prevent Modification.

I’ve seen instructions for protecting the files on a drive by reformatting to NTFS, then removing all permissions except a very limited set. Much like filling the drive to capacity, this may work against some malware but it’s not 100% protection. Setting this up also depends on the which version of Windows you’re running (assuming that’s what you’re using) – non-business versions may not provide access to the security settings needed, and non-Windows systems will likely either ignore the security or not be able to read the drive. This also makes it more important to tell Windows to eject the drive before removing it, because it’s more likely that Windows will be waiting before writing changes to the drive.

http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/

N4TKD

Posted 2011-04-11T21:06:34.683

Reputation: 979

Thanks for the tip on the Windows regsitry WriteProtect DWORD or filling the device. I'll add them to my question for reference. – caas – 2011-04-12T21:56:19.813

+1 for "filling up the free space with dummy file(s)." – Mudassir – 2011-07-21T04:52:55.777

2

There are pendrives on the market (just like SD cards) which have this little button/switch on them that allows you to turn read only/write on and off. It seems to be the only solution on your case. There are many pendrives with it and I'm sure you can find one that suites your needs.

This site has a list of devices with hardware write protection.

For example:

MadBoy

Posted 2011-04-11T21:06:34.683

Reputation: 2 751

1Ok thanks, I was trying to find a solution which would work in general. It seems that none exists and it falls back to one of the three alternatives I've described: either you can do it in a strong way with a switch or a microcontroller tool (if your device supports it), or in a weak way with filesystem permissions (on any device). – caas – 2011-04-12T21:52:34.093