Is there any way to prevent a USB flash drive from being written to?

9

2

I see lots of articles about preventing a specific computer from writing to a USB flash drive or preventing malware from getting from a USB flash drive to a computer; what I can’t find anything for is how to prevent any system from writing to a USB flash drive.

I work at an I.T. help desk and as such I work with some devices that have some form of malware. From simple adware, to more advanced kinds of infections it varies. I have a USB flash drive with a bunch of tools I use day to day to fix some of the more common issues. I want to lock this USB flash drive down and prevent it from being modified. I know some viruses will try to infect a USB device, and this is exactly what I want to avoid. I don’t want to use a USB flash drive on one users computer and then plug it into the next ones and infect them.

Is there an effective method—that is OS independent—to prevent a USB flash drive from being written to? I could use a disc to do this, and use a USB powered disc drive where optical drives are not present in the laptop, however this is not as convenient of a method, so I’d prefer to use a USB flash drive if possible.

ComputerLocus

Posted 2015-03-12T22:48:38.927

Reputation: 968

Question was closed 2015-03-17T06:32:22.010

1You say, “USB drive” and “USB device” but you never say, “USB flash drive.” I assume you mean USB flash drive, but just adding a comment to make sure. – JakeGould – 2015-03-12T23:17:30.357

1@JakeGould yes, I do mean flash drive. – ComputerLocus – 2015-03-12T23:25:34.560

this question on security.stackexchange seems related

– Silveri – 2015-03-13T07:24:13.933

Also How will I make a pendrive write protected?

– Peter Mortensen – 2015-03-13T20:44:34.523

Everyone is clueless... this can be done with the oem tools leaked all over the internet... – Hydranix – 2017-05-05T08:34:58.393

Answers

14

Is there an effective method that is OS independent to prevent a USB from being written to?

Not really unless you are using a device that explicitly uses a forensic write blocker/controller or something similar that blocks data writes on a controller level.

Read and write permissions/restrictions on the vast majority of devices out there are inherently, physically read and write capable—like USB flash drives—is a logical OS-based construct. When something gains malicious access to a device, it simply doesn’t care about such circumventable logical restrictions. Remember: Code—such as viruses and malware—that can infect a system will basically operate on “root”/“admin” level at all times and can just do whatever it wants.

So even those SD cards that have those little write-protect switches are fairly useless since anything that gains deep system access can just ignore that “don’t write to me” setting. For example, look over this list of various ways to disable/circumvent write protection to SD cards on various systems; a simple adjustment to registry settings for StorageDevicePolicies from 1 to 0 in Windows will essentially tell the system to ignore the write-protect switch.

This kind of “hack” is no deep secret and even openly discussed/advocated by Microsoft support—such as in this official support thread—when providing support to users who have legitimate reasons to bypass write protection on USB devices.

Your best bet—if preventing unauthorized write access is a goal—is to use media that physically blocks write access like CD-R’s or DVD-R’s after they are burned.

I could use a disc to do this, and use a USB powered disc drive where optical drives are not present in the laptop, however this is not as convenient of a method, so I’d prefer to use a USB flash drive if possible.

Honestly, the use of truly read only media—like a burned CD-R or DVD-R—is the only simple and practical way to ensure malicious writing access is stopped at a deeper level. It might seem inconvenient, but the way I would approach this is simple:

  • CD-R/DVD-R Master of Tools: Create a CD-R/DVD-R with all the tools on need on it. Use that as the master. Maybe burn a few copies to have as backups.

  • Create a USB version of the CD-R/DVD-R Master: Now with that CD-R/DVD-R created, create an exact clone of the contents of that CD-R/DVD-R on a USB flash drive. The logic being that you can use this USB flash drive daily and if somehow it chokes or gets infected, you can then “downgrade” to the CD-R/DVD-R.

Now all that said, there is such a thing as a forensic write blocker/controller. These devices mainly provide an interface between a SATA or IDE drive and a USB connection that will allow one to mount and access a SATA or IDE drive without risk of data being written to it. And as the term “forensics” implies, these devices are mainly intended for legal and/or law enforcement purposes to ensure that a device in a “chain of custody” cannot be tampered with.

So if a “bad guy” is arrested, law enforcement might take their laptop, remove the hard drive and connect it to a forensic write blocker/controller to gather evidence for whatever purpose they need in a way that assures the courts and others that the data was not tampered with.

That said, these forensic write blocker/controller devices are not cheap—they run around $200 to $300 (U.S. dollars)—and mainly have interfaces that are USB to SATA or IDE; not USB to USB. But wait! I was able to find this “ToughTech m3” enclosure that claims to have a “Unique WriteProtect read-only mode”:

It features a unique WriteProtect read-only mode that "locks down" your data and prevents someone from accidentally deleting or modifying it. This is a handy way to protect your drive when loaning it to a client or someone else to distribute files or data.

A quick search online shows that this enclosure can be had for less than $50 (U.S. dollars). And if it does what it claims—in the same manner a forensic write blocker/controller works—then this could be a good investment for someone like you. But I have no direct experience with this device so I cannot speak for it’s true ability to protect data from inadvertent/accidental/unauthorized write access.

JakeGould

Posted 2015-03-12T22:48:38.927

Reputation: 38 217

And is there an effective method to determine if a USB flash drive has been infected? – ComputerLocus – 2015-03-12T23:28:15.393

@Fogest The only effective way to check if a USB flash drive is infected is via malware/virus detection and removal tools. But that is a whole other concept and question. Just be sure the systems you use the USB flash drive on have protection that scans the USB flash drive or make sure to scan for malware/viruses when you head back to your desk. – JakeGould – 2015-03-12T23:30:26.750

Okay sounds good! Thanks for the help. Since the USB drive doesn't contain much on it, would it be a bad idea to just reformat the drive after every use? Essentially just have an "image" for the usb? – ComputerLocus – 2015-03-12T23:39:02.633

'those SD cards that have those little write-protect switches are fairly useless since anything that gains deep system access can just ignore that “don’t write to me” setting' -- Can you provide me a link that backs this claim? – That Brazilian Guy – 2015-03-12T23:40:36.703

@ThatBrazilianGuy Sure. Just edited my post to provide details on how Windows can have registry settings adjusted for StorageDevicePolicies to make Windows ignore USB device read/write restrictions. Did see your answer and the Kanguru drives seem interesting, but am unsure how they enable write protection. My gut tells me if what they are doing truly blocks writes, then why isn’t that functionality on every USB flash drive in the world? That said a forensic USB write-blocker might work. Wonder if there is a USB to USB one out there?

– JakeGould – 2015-03-12T23:55:52.627

@Fogest FWIW, I just edited my answer to provide some details on how the Windows registry can be edited to circumvent write protection and add some info on forensic write blocker/controller controllers. There might be a way for you to use a device with a forensic write blocker/controller to achieve an OS independent way of blocking writes. But I don’t think a basic USB flash drive can be protected this way. Kanguru has some devices that claim to have a “Physical Write-Protect Switch” but I have no personal experience with them.

– JakeGould – 2015-03-13T00:13:57.533

Okay sounds good. If it has a physical write protection switch, isn't this preventing it at a level in which the computer actually can not alter? Like I mean it just doesn't seem like it would be physically possible to mess with that from a software level. – ComputerLocus – 2015-03-13T01:49:49.973

@Fogest Not all devices are the same so it depends on what that switch is connected to on the USB drive. Like I said, those Kanguru USB flash drives claim to block writes from a hardware controller level, but as you can see in my link about SD card switches, most of those switches just translate to an OS flag and not a hardware setting. And adjusting the Windows registry can get it to just ignore that SD card switch anyway. So this is not cut and dry to say the least.

– JakeGould – 2015-03-13T02:02:57.237

3

More than that, the physical switch on most SD cards isn't electrically connected to anything. It's literally a little piece of plastic that the hardware can optionally detect and respond to, often with an optical sensor. Some readers don't have that sensor (e.g. the lock detection of the reader on a Raspberry Pi isn't connected to anything on the PCB side).

– Bob – 2015-03-13T06:23:36.197

1I learn new things everyday, and today it's about the write-protect switch on SD cards... – h.j.k. – 2015-03-13T07:34:21.880

@Fogest: What about a checksum as a way to detect infection? If you have a reliable, uninfected base system a checksum ought to be a pretty reliable way to know if or not anything on your USB flash drive got changed by the infected system it was inserted into. Not sure but that's why I think. Maybe a sha or an md5sum – curious_cat – 2015-03-13T11:00:08.997

1@Fogest It wouldn't be a bad idea to reformat and re-image after every use except that humans forget! Once in a while you'll absent mindedly forget to re-image and then you have a disaster. – curious_cat – 2015-03-13T11:05:33.000

@JakeGould Yes, there is a USB-to-USB one, I have seen a pic once, and a sales page on a site, but I can't remember the name and after 5 pages of google searches I gave up :/ – That Brazilian Guy – 2015-03-13T14:56:03.297

11

Is there an effective method—that is OS independent—to prevent a USB flash drive from being written to ?

Yes, there are a few.

  • You can use a forensic USB write blocker such as this one:

enter image description here

From the product description:

The compact USB WriteBlocker connects to USB storage devices and protects their contents during an investigation. To use, simply connect the WriteBlocker to the suspect device.

The USB WriteBlocker connects to most USB storage devices: USB thumb drives, digital cameras, cell phones, or most anything with a USB connection.

  • Some USB flash drives have physical write-protection switches (Important: Many devices will have "logical" switches that can be bypassed by the software, read @JakeGould's excellent answer for more in-depth info):

enter image description here

  • Some IDE/SATA-to-USB adapters have write-disable locks:

enter image description here

That Brazilian Guy

Posted 2015-03-12T22:48:38.927

Reputation: 5 880

Asked: 2015-03-12T22:48:38.927

Viewed: 4 165 times

Active: 2015-03-13T20:56:16.163