What is the danger of inserting and browsing an untrusted USB drive?

132

50

Suppose someone wants me to copy some files to their USB stick. I'm running fully-patched Windows 7 x64 with AutoRun disabled (via Group Policy). I insert the USB drive, open it in Windows Explorer and copy some files to it. I do not run or view any of the existing files. What bad things could happen if I do this?

What about if I do this in Linux (say, Ubuntu)?

Please note that I'm looking for details of specific risks (if any), not "it would be safer if you don't do this".

EM0

Posted 2014-01-30T18:44:56.050

Reputation: 1 703

6 Looking at a directory listing is unlikely to be a risk. Opening a malicious PDF in an old unpatched version of Adobe Reader could be a big risk. In some cases even an image preview or a file icon could contain an exploit. – david25272 – 2014-01-31T03:58:03.093

12

@david25272, even looking at a directory listing could be a risk.

– tangrs – 2014-01-31T05:28:01.160

5 It's a little bit like getting into an elevator with a stranger, most of the time you're fine, but if the stranger is aka Hannibal Lecter... – PatrickT – 2014-01-31T06:35:02.517

59

You could break your uranium centrifuge http://en.wikipedia.org/wiki/Stuxnet

– RyanS – 2014-01-31T16:16:35.260

1 @tangrs, that's a great example of the sort of thing I was looking for. Why not post it as an answer? – EM0 – 2014-02-01T14:33:26.097

@EM You should probably reevaluate your accepted answer – CodyBugstein – 2014-02-03T15:49:52.060

1 @Imray I will if you tell me a reason to. – EM0 – 2014-02-03T17:30:02.813

If I only use USB to push content off my PC, is it safe to quick format the USB before each use? I use a live Ubuntu CD to boot up & format the USB. – user – 2014-03-01T05:54:13.077

Answers

45

Less impressively, your GUI file browser will typically explore files to create thumbnails. Any PDF-based, TTF-based, (insert Turing-capable file type here)-based exploit that works on your system could potentially be launched passively by dropping the file and waiting for it to be scanned by the thumbnail renderer. Most of the exploits I know about are for Windows, though, but do not underestimate the updates for libjpeg.

sylvainulg

Posted 2014-01-30T18:44:56.050

Reputation: 573

1 That is a possibility, so +1. Does Windows Explorer (or Nautilus) do this even if you never view thumbnails? – EM0 – 2014-01-31T21:53:04.837

1 @EM Could happen - recent versions of Explorer might, for example, construct thumbnails in sub-folders for pretty folder icons at the root, even if those subfolders are set never to show thumbnails. – Tynam – 2014-02-01T00:03:14.243

Or maybe not try to display thumbnails, but rather some sort of metadata – That Brazilian Guy – 2014-02-03T20:08:36.943

1 This is not specific to a USB mounted filesystem. If a file browser has a vulnerability it could be triggered by files downloaded to your computer through other means too, such as email attachments or downloads through a browser. – HRJ – 2014-03-02T14:28:19.417

187

The worst that can happen is limited only by your attacker's imagination. If you're going to be paranoid, physically connecting pretty much any device to your system means it can be compromised. Doubly so if that device looks like a simple USB stick.

What if it's this? [image]

Pictured above is the infamous USB rubber ducky, a little device that looks like a normal pen drive but can deliver arbitrary keystrokes to your computer. Basically, it can do as it pleases because it registers itself as a keyboard and then enters whatever sequence of keys it wants. With that kind of access, it can do all sorts of nasty things (and that's just the first hit I found on Google). The thing is scriptable so the sky's the limit.

terdon

Posted 2014-01-30T18:44:56.050

Reputation: 45 216

11 Nice one, +1! In the scenario I had in mind the USB stick is known to be an actual storage device and I trust the person who gives it to me to not maliciously infect my computer. (I'm mostly concerned they may be the victim of a virus themselves.) But this is an interesting attack I hadn't considered. I suppose with a keyboard emulator like this I'd probably notice something weird going on, but there might be stealthier ways... – EM0 – 2014-01-30T20:42:59.850

3 I approve of this answer. Makes the OP think :) – steve – 2014-01-30T20:49:09.480

1

FYI: https://www.youtube.com/watch?v=D8Im0_KUEf8 https://www.youtube.com/watch?v=CPEzLNh5YIo and other related talks. It might look like a simple USB stick, but these suckers have their own CPU and their own firmware on board.

– akira – 2014-01-30T21:29:17.373

31 +1 "The worst that can happen is limited only by your attacker's imagination." – Newb – 2014-01-31T00:39:46.387

Haha, I saw one of these at school once. Some dude would plug it into computers while we were using them and the mouse would start doing things of its own accord (someone was remote-controlling the device from across the room). – Thomas – 2014-01-31T02:36:36.130

9 Hak5 - looks legit! – david25272 – 2014-01-31T04:00:40.700

Looks like "BS-USB" from Cloudy with a Chance of Meatballs 2, made by villain innovator Chester_V – kmonsoor – 2014-01-31T11:08:04.957

5 Apparently the USB connection protocol is quite similar to the older PS/2 port protocol, which is why USB is commonly used for mice and keyboards. (I could be wrong of course - I'm digging this up from my own memory, which features mostly lossy compression) – Pharap – 2014-02-01T13:14:23.743

1 This kind of attack is probably a good reason to not give administrator privileges to your usual account, even with UAC set to maximum. Since it emulates a keyboard I presume it could easily say "yes" to any UAC prompt. – EM0 – 2014-02-01T15:01:27.793
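As an added example (not part of the original answer or comments), one way to see on Linux what a freshly plugged "drive" really announced itself as: read the interface class codes from sysfs and list every device that exposes a HID interface, noting whether it also claims to be mass storage. The sample tree written by `build_sample` is constructed for illustration; `03`, `08` and HID protocol `01` are the standard USB class codes for HID, mass storage and boot keyboard.

```python
from pathlib import Path
import tempfile

HID, MASS_STORAGE = "03", "08"   # USB-IF base class codes as sysfs prints them
KEYBOARD = "01"                  # HID boot-interface protocol code: keyboard

def read(path):
    try:
        return path.read_text().strip()
    except OSError:
        return ""

def usb_devices(root="/sys/bus/usb/devices"):
    """Group sysfs interface entries (e.g. '1-2:1.0') under their device."""
    root, devices = Path(root), {}
    for entry in sorted(root.iterdir()):
        if ":" not in entry.name:
            continue
        dev = entry.name.split(":")[0]
        info = devices.setdefault(
            dev, {"product": read(root / dev / "product"), "ifaces": []})
        info["ifaces"].append((read(entry / "bInterfaceClass"),
                               read(entry / "bInterfaceProtocol")))
    return devices

def flag_input_devices(devices):
    """Devices able to send input: (id, product, is_keyboard, has_storage)."""
    out = []
    for dev, info in devices.items():
        classes = {cls for cls, _ in info["ifaces"]}
        if HID in classes:
            out.append((dev, info["product"], (HID, KEYBOARD) in info["ifaces"],
                        MASS_STORAGE in classes))
    return out

def build_sample(root):
    """Constructed sysfs-like tree: a plain flash drive and a 'drive' that types."""
    sample = {"1-1": [("08", "50")], "1-2": [("08", "50"), ("03", "01")]}
    for dev, ifaces in sample.items():
        (Path(root) / dev).mkdir()
        (Path(root) / dev / "product").write_text("Flash Disk\n")
        for n, (cls, proto) in enumerate(ifaces):
            iface = Path(root) / f"{dev}:1.{n}"
            iface.mkdir()
            (iface / "bInterfaceClass").write_text(cls + "\n")
            (iface / "bInterfaceProtocol").write_text(proto + "\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in flag_input_devices(usb_devices(build_sample(tmp))):
            print(finding)
```

On a real machine, call `usb_devices()` with its default path before and after plugging the stick in; your own keyboard and mouse will be listed too, so the signal is a new HID entry appearing alongside something handed to you as storage.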

38

Another danger is that Linux will try to mount anything (joke suppressed here).

Some of the file system drivers are not bug free. Which means that a hacker could potentially find a bug in, say, squashfs, minix, befs, cramfs or udf. Then that hacker could create a file system that exploits that bug to take over a Linux kernel and put that on a USB drive.

This could theoretically happen to Windows as well. A bug in the FAT or NTFS or CDFS or UDF driver could open up Windows to a takeover.

Zan Lynx

Posted 2014-01-30T18:44:56.050

Reputation: 1 518

1 Windows actually can be crashed just by inserting a badly formatted drive. I did it a couple of times (and that made me really angry) – Display Name – 2015-10-18T12:32:52.257

+1 That would be a neat and entirely possible exploit – steve – 2014-01-31T01:52:57.427

18 There is a whole level further down. Not only do file-systems have bugs, but the whole USB stack has bugs, and lots of that runs in the kernel. – Fake Name – 2014-01-31T06:09:09.720

4 And even your USB controller's firmware may have weaknesses that may be exploited. There's been an exploit of crashing into Windows with a USB stick merely at device enumeration level. – sylvainulg – 2014-01-31T15:57:34.303

8 As for "Linux trying to mount anything", this is not the system's default behaviour, but is linked to your file explorer proactively trying to mount. I'm sure spelunking manpages could unveil how to de-activate this and return to "mount only on demand". – sylvainulg – 2014-01-31T15:59:00.997

@sylvainulg: I meant about the filesystem types. While Windows only mounts three or four FS types, Linux will try whatever it has available, which can be a lot of filesystems. – Zan Lynx – 2014-01-31T17:11:33.760

For a moment I thought you were saying that a hacker could write a program that would move your Linux kernel to the USB drive, which would be an awesome (and horrific) way for the malware to defend itself. – Brian – 2014-01-31T18:54:05.240

6 Both Linux and Windows try to mount everything. The only difference is that Linux might actually succeed. This is not a weakness of the system but a strength. – terdon – 2014-02-02T15:25:49.500
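As an added example (not part of the original answer or comments), a small audit of which of the filesystem drivers named in the answer are still loadable according to modprobe configuration. It recognises the standard modprobe.d `install <module> /bin/false` (or `/bin/true`) and `blacklist <module>` directives; `SAMPLE_CONF` is constructed, and "loadable" only means that no such directive was found, not that the module exists on the system.

```python
import glob
import re

RARE_FS = ("squashfs", "minix", "befs", "cramfs", "udf")  # named in the answer

# Constructed sample of /etc/modprobe.d/*.conf content (not from a real system).
SAMPLE_CONF = """\
# filesystems this workstation never needs
install cramfs /bin/false
install udf /bin/true
blacklist minix
#install befs /bin/false
"""

def load_conf(pattern="/etc/modprobe.d/*.conf"):
    """Concatenate the modprobe configuration files matching pattern."""
    parts = []
    for path in sorted(glob.glob(pattern)):
        with open(path, errors="replace") as fh:
            parts.append(fh.read())
    return "\n".join(parts)

def audit_fs_modules(conf_text, names=RARE_FS):
    """Classify each module: 'install-blocked', 'blacklisted' or 'loadable'."""
    status = {name: "loadable" for name in names}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        m = re.match(r"(install|blacklist)\s+(\S+)\s*(.*)", line)
        if not m or m.group(2) not in status:
            continue
        directive, module, command = m.groups()
        if directive == "install" and command.split()[:1] in (["/bin/false"], ["/bin/true"]):
            status[module] = "install-blocked"   # loading is replaced by a no-op
        elif directive == "blacklist" and status[module] == "loadable":
            status[module] = "blacklisted"
    return status

if __name__ == "__main__":
    for module, state in audit_fs_modules(SAMPLE_CONF).items():
        print(f"{module:10} {state}")
```

Run `audit_fs_modules(load_conf())` to check the local configuration. On Ubuntu, snap packages are squashfs images, so blocking `squashfs` there breaks snaps.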

28

There are several security packages that allow me to set up an autorun script for either Linux OR Windows, automatically executing my malware as soon as you plug it in. It is best not to plug in devices that you do not trust!

Bear in mind, I can attach malicious software to pretty much any sort of executable that I want, and for pretty much any OS. With autorun disabled you SHOULD be safe, but AGAIN, I don't trust devices that I am even the slightest bit skeptical about.

For an example of what can do this, check out The Social-Engineer Toolkit (SET).

The ONLY way to truly be safe is to boot up a live Linux distribution, with your hard drive unplugged, and mount the USB drive and take a look. Other than that, you're rolling the dice.

As suggested below, it is a must that you disable networking. It doesn't help if your hard drive is safe and your whole network gets compromised. :)

steve

Posted 2014-01-30T18:44:56.050

Reputation: 612

4

"The ONLY way to truly be safe is to boot up a live Linux distribution, with your hard drive unplugged…" — nope, rogue software can also infect firmware. They are very poorly protected nowadays.

– Display Name – 2015-10-18T12:34:43.557

3 Even if AutoRun is disabled there are still exploits that exist that take advantage of certain truths. Of course there are better ways to infect a Windows machine. It's best to scan unknown flash drives on hardware dedicated to that task, which is wiped daily, and restored to a known configuration if rebooted. – Ramhound – 2014-01-30T18:59:28.147

1 This is true. Hackers can be great at what they do. It leads back to my previous suggestion that the OP doesn't want to hear... It's safer if you don't trust what is not to be trusted. – steve – 2014-01-30T19:01:25.693

1 @Steve - Even the Linux solution has flaws. You won't catch every known malicious file, I would even say, a significant amount will not be caught. The drive should be scanned by several programs. A solution like Hiren BootCD is a start since it gives you access to multiple tools, would not be persistent, and could not infect other systems (a Linux host can infect a Windows machine). – Ramhound – 2014-01-30T19:11:55.410

That is also indeed true. I do not claim to be a security expert as the people that I see at defcon every year manage to drop my jaws every time. That being said your answer is much more complete and should be the accepted answer if you write one. My thought is, if I have to go through such steps just to check it, the answer of if it should be trusted is obvious :) – steve – 2014-01-30T19:14:12.890

2 For your final suggestion, you may want to include disconnecting the network too, if the Live CD instance does get infected it could go infect other machines on the network for a more persistent foothold. – Scott Chamberlain – 2014-01-30T19:15:57.167

Sorry, as I assumed that would be implied. However, seeing as though the question is being asked, I guess it would not be. :) – steve – 2014-01-30T19:19:07.363

@steve - Your answer is fine. I am not going to post an answer because you already say everything I would have said. There are a few technical points missing but it's good enough for this question. – Ramhound – 2014-01-30T19:36:53.973

6 Ramhound, I'd like to see examples of the exploits you mentioned (presumably patched by now!) Could you post some as an answer? – EM0 – 2014-01-30T20:46:55.357

1 @steve - is it possible for a bad agent to screw up your firmware even when using your 'truly safe' method? (albeit a harder thing to do) – Merk – 2014-01-30T23:47:48.900

@Merk that IS a possibility... if I were an epic hacker... I would target firmware (such as your sound card) that would still be accessible no matter what. I have read only a little about the research into this possibility... best to assume if you can imagine it, smarter people have tried. :) – steve – 2014-01-30T23:54:28.243

1 I am not going to talk about patched nor unpatched exploits. They exist and involve tricking Windows into doing things it shouldn't. Some have been patched, others have not been. U3, which has been retired, was a horrible idea. Windows treats optical disks differently from removable disks. I will end with that note. – Ramhound – 2014-01-31T04:01:06.483

5

@EM, there was a zero-day exploit a while ago that took advantage of a vulnerability in how the icon was displayed in a shortcut file (.lnk file). Just opening the folder containing the shortcut file is enough to trigger the exploit code. A hacker could have easily put such a file on the root of the USB drive so when you open it, the exploit code would run.

– tangrs – 2014-01-31T05:25:06.040

23

The USB stick may actually be a highly charged capacitor... I am not sure if modern motherboards have any protection from such surprises, but I wouldn't check it on my laptop. (it could burn all devices, theoretically)

Update:

see this answer: https://security.stackexchange.com/a/102915/28765

and video from it: YouTube: USB Killer v2.0 testing.

Display Name

Posted 2014-01-30T18:44:56.050

Reputation: 933

This video hurts my soul. – k.stm – 2017-04-14T00:45:10.887

3

Yes they do. Almost all of them have small resettable fuses. I found this http://electronics.stackexchange.com/questions/66507/usb-fuse-to-protect-usb-ports to be kind of interesting.

– Zan Lynx – 2014-01-31T23:21:31.970

6

Some malware/viruses get activated when we open a folder. The hacker may use the feature of Windows (or Linux with Wine) which starts to make an icon/thumbnail of some files (for example .exe, .msi, or .pif files, or even folders with a malware icon) on opening a folder. The hacker finds a bug in programs (like the program that creates a thumbnail) to make it possible for the malware to get into action.

Some faulty devices may kill your hardware, especially the motherboard, and most times silently, so you may not be aware of it.

totti

Posted 2014-01-30T18:44:56.050

Reputation: 832

5

Apparently a simple USB device can even fry the entire motherboard:

A Russian security researcher known as "Dark Purple" has created a USB stick that contains an unusual payload.

It doesn't install malware or exploit a zero-day vulnerability. Instead, the customised USB stick sends 220 Volts (technically minus 220 Volts) through the signal lines of the USB interface, frying the hardware.

https://grahamcluley.com/2015/10/usb-killer/

EM0

Posted 2014-01-30T18:44:56.050

Reputation: 1 703

3

The worst thing which could happen is the infamous BadBios infection. This supposedly infects your USB Host controller by plugging it into your computer regardless of your OS. There is a limited range of manufacturers of USB chips, and so exploiting all of them isn't too far-fetched.

Of course not everyone believes BadBios is real, but it is the worst thing which could happen to your computer by plugging in a USB drive.

Nick

Posted 2014-01-30T18:44:56.050

Reputation: 141

2

This is pretty much how the entire US Department of Defense's classified network was compromised. A USB stick was left on the ground in a car park outside a DOD site. Some genius picked it up, took it inside and plugged it in. Modern-day espionage is so boring. I mean a USB stick in a car park, bring back 007!

http://www.foreignaffairs.com/articles/66552/william-j-lynn-iii/defending-a-new-domain

screig

Posted 2014-01-30T18:44:56.050

Reputation: 129