USB "condom" to allow USB storage, but protect from (hidden) keyboards and power spikes

4

5

There is plenty of evidence that you should not let other people connect their USB devices to your computer. But I would really like to allow untrusted people to attach a USB-storage device to my laptop, and allow me to attach my USB-storage device to untrusted servers.

I have found a USB condom for safe charging that prevents syncing (by cutting the datalines), but what I am looking for is something that will allow USB-storage, but nothing else.

I can see how you could build such an adapter: Have a chip that understands the USB storage protocol. Only forward commands (and replies) that this chip understands. Include a fuse to prevent the USB-killer from frying your laptop.

Does such an adapter exist?

Ole Tange

Posted 2015-06-06T11:40:05.927

Reputation: 3 034
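The adapter sketched in the question (a chip that speaks the USB mass-storage protocol and forwards only the commands it understands) as an added Python example; this is not code from the question or from any product. A mass-storage host sends each SCSI command inside a 31-byte Command Block Wrapper (CBW) on the bulk OUT endpoint. The filter parses the wrapper, checks the opcode against an allow-list, checks that the CDB length matches the opcode's group code, and checks that the wrapper's direction bit and byte count agree with what the opcode implies. The allow-list, the 512-byte block size and the three sample wrappers are my own assumptions for the example.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

CBW_SIGNATURE = 0x43425355   # ASCII "USBC" read as a little-endian uint32
CBW_LEN = 31                 # fixed size of a Command Block Wrapper
DIR_IN = 0x80                # bmCBWFlags bit 7: 1 = device-to-host

# SCSI opcodes a plain flash drive needs and the data direction each implies.
# Assumption: this allow-list is chosen for the example; a real filter would
# be tuned to the command set the attached drives actually use.
ALLOWED_OPCODES = {
    0x00: ("TEST UNIT READY", None),
    0x03: ("REQUEST SENSE", "in"),
    0x12: ("INQUIRY", "in"),
    0x1A: ("MODE SENSE(6)", "in"),
    0x1E: ("PREVENT ALLOW MEDIUM REMOVAL", None),
    0x23: ("READ FORMAT CAPACITIES", "in"),
    0x25: ("READ CAPACITY(10)", "in"),
    0x28: ("READ(10)", "in"),
    0x2A: ("WRITE(10)", "out"),
    0x5A: ("MODE SENSE(10)", "in"),
}

# CDB length is fixed by the opcode's group code (its top three bits).
CDB_LEN_BY_GROUP = {0: 6, 1: 10, 2: 10, 4: 16, 5: 12}


@dataclass
class CBW:
    tag: int
    data_len: int
    flags: int
    lun: int
    cdb: bytes


def parse_cbw(pkt: bytes) -> CBW:
    """Decode a 31-byte CBW, raising ValueError on anything malformed."""
    if len(pkt) != CBW_LEN:
        raise ValueError(f"CBW must be {CBW_LEN} bytes, got {len(pkt)}")
    sig, tag, data_len, flags, lun, cdb_len = struct.unpack_from("<IIIBBB", pkt)
    if sig != CBW_SIGNATURE:
        raise ValueError("bad signature")
    cdb_len &= 0x1F
    if not 1 <= cdb_len <= 16:
        raise ValueError(f"bad CDB length {cdb_len}")
    return CBW(tag, data_len, flags, lun & 0x0F, pkt[15:15 + cdb_len])


def check_cbw(pkt: bytes, block_size: int = 512) -> Tuple[bool, str]:
    """Decide whether a CBW from the host may be forwarded to the drive."""
    try:
        cbw = parse_cbw(pkt)
    except ValueError as e:
        return False, f"malformed: {e}"
    opcode = cbw.cdb[0]
    entry = ALLOWED_OPCODES.get(opcode)
    if entry is None:
        return False, f"opcode 0x{opcode:02X} not in allow-list"
    name, expected_dir = entry
    want_len = CDB_LEN_BY_GROUP.get(opcode >> 5)
    if want_len != len(cbw.cdb):
        return False, f"{name}: CDB length {len(cbw.cdb)} != {want_len}"
    # A command that moves data must move it in the direction its opcode implies.
    if cbw.data_len:
        is_in = bool(cbw.flags & DIR_IN)
        if expected_dir is None or is_in != (expected_dir == "in"):
            return False, f"{name}: direction/data length mismatch"
    # For READ(10)/WRITE(10) the wrapper's byte count must equal the CDB's block count.
    if opcode in (0x28, 0x2A):
        blocks = struct.unpack_from(">H", cbw.cdb, 7)[0]
        if blocks * block_size != cbw.data_len:
            return False, f"{name}: {blocks} blocks != {cbw.data_len} bytes"
    return True, name


def make_cbw(tag: int, data_len: int, flags: int, cdb: bytes) -> bytes:
    """Build a CBW; used here only to construct sample traffic."""
    header = struct.pack("<IIIBBB", CBW_SIGNATURE, tag, data_len, flags, 0, len(cdb))
    return header + cdb.ljust(16, b"\0")


# Constructed sample commands, not captured from a real device.
READ10_OK = make_cbw(1, 8 * 512, DIR_IN, bytes([0x28, 0, 0, 0, 0, 0x10, 0, 0, 8, 0]))
READ10_DIR = make_cbw(2, 8 * 512, 0x00, bytes([0x28, 0, 0, 0, 0, 0x10, 0, 0, 8, 0]))
VENDOR = make_cbw(3, 0, 0x00, bytes([0xC0, 0, 0, 0, 0, 0]))  # vendor-specific opcode

if __name__ == "__main__":
    for pkt in (READ10_OK, READ10_DIR, VENDOR):
        print(check_cbw(pkt))
```

Run as a script it prints one verdict per sample: the well-formed READ(10) is forwarded, the READ(10) whose direction bit claims host-to-device is dropped, and the vendor-specific opcode is dropped. The reply path needs the mirror check (a 13-byte Command Status Wrapper whose tag must match the forwarded CBW), which this block does not include.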

5

Nice. Though "shopping recommendations" are off-topic here, I think that any answer that recommends a specific product in fact implicitly answers the question "does it exist". And that would indeed be very good to know, and any name of a product will help finding up-to-date answers for future visitors. As an aside, the "only forward commands that this chip understands" is indeed important, even for brand new devices that could have been infected in the factory...

– Arjan – 2015-06-06T11:51:34.567

Luckily the USB Slayer funding failed on Indiegogo...

– Arjan – 2015-08-16T11:38:56.923

Answers

0

https://github.com/robertfisk/USG/wiki

The USG is a firewall for your USB ports. It connects between your computer and an untrusted USB device, isolating the badness with an internal hardware firewall.

Ole Tange

Posted 2015-06-06T11:40:05.927

Reputation: 3 034

6

Regarding the problem of allowing other people to attach their storage devices to your machine, it may be easier to simply separate your computer from the USB devices.

Why not use a minimal PC/Raspberry etc. with Linux to provide USB ports and share the storage contents over the wireless network. The number of attack vectors should be reduced and you can always check the processes running on this machine.

Alternatively just take an old WiFi router with USB-host functionality to avoid having to set up the Linux machine. The different architecture might even lower the probability that something is executed.

In both cases you will get rid of any USB killer problems and your PC will only see the USB storage.

Martin

Posted 2015-06-06T11:40:05.927

Reputation: 945

Now, please make your first idea a tiny device and you've got your first customer ;-) As for Wifi routers: I'd not expose an active router to unknown USB devices, but indeed a standalone dedicated old one might be nice for every office that needs to use USB storage.

– Arjan – 2015-08-16T13:22:55.340

1

If size matters, just take something like the Intel Compute Stick. There surely are cheaper and less powerful alternatives. As for the old WiFi router - you can always reflash the firmware after each user, besides I was thinking of just using it as a WiFi-client so it will not be routing traffic anyway.

– Martin – 2015-08-16T13:33:51.400

A common scenario would for me be at a conference: "Can I have a copy your slides?" "Sure, do you have a USB-stick?" Lugging along a device the size of a router + a car battery will not really work. – Ole Tange – 2015-08-16T16:09:16.950

3

I remember seeing some "wireless USB hub" - maybe something along the lines of this http://www.intenso.de/produkte_en.php?kategorie=32&&produkt=1372663819

– bdecaf – 2015-08-17T17:58:15.680

3

At a conference: "Can I have a copy of your slides?" Is there some reason this person doesn't want to put them in the cloud (e.g. Dropbox) or send them via email? => Carry around some business cards in your pocket. – aparente001 – 2015-08-19T11:41:38.630

1

@aparente001 yes: They forget. – Ole Tange – 2015-08-23T04:18:18.683

2

There is a project called USBGuard, which is basically a kind of firewall for USB that protects you against rogue USB devices. Basically it shows you a dialog before communication with each part of the USB device is established.

I know that this doesn't solve your problem for Windows, nor the problem of connecting to "untrusted" servers. Also I am not sure about "voltage-killer" USB devices, how they present themselves and whether this is sufficient protection.

Jakuje

Posted 2015-06-06T11:40:05.927

Reputation: 7 981
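The per-interface decision USBGuard makes, as an added Python example that is not USBGuard's own code (USBGuard's rule language writes the same policy as `allow with-interface equals { 08:*:* }` in usbguard-rules.conf). A USB device announces what it is through its configuration descriptor: a 9-byte header followed by interface, endpoint and class-specific descriptors, each led by its own length and type byte. The block walks that structure, collects every interface's class:subclass:protocol triple, and rejects any device exposing something other than bulk-only SCSI mass storage, which is exactly how a flash drive carrying a hidden keyboard would be caught. The allow-list and the two sample descriptors are constructed for the example, not captured from real hardware.

```python
import struct
from typing import List, Tuple

DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_HID = 0x21

# Assumed policy for this example: only bulk-only SCSI mass storage (08:06:50).
ALLOWED_INTERFACES = {(0x08, 0x06, 0x50)}


def interfaces(config: bytes) -> List[Tuple[int, int, int]]:
    """Walk a configuration descriptor and return every (class, subclass, protocol)."""
    if len(config) < 9 or config[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", config, 2)[0]          # wTotalLength
    if total > len(config):
        raise ValueError("wTotalLength exceeds the data supplied")
    found, off = [], 0
    while off + 2 <= total:
        length, dtype = config[off], config[off + 1]
        if length < 2 or off + length > total:
            raise ValueError(f"bad descriptor length at offset {off}")
        if dtype == DT_INTERFACE and length >= 9:
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            found.append((config[off + 5], config[off + 6], config[off + 7]))
        off += length                                        # skip what we don't parse
    return found


def decide(config: bytes) -> Tuple[str, List[str]]:
    """Return ("allow" | "reject", reasons) for one device's configuration."""
    try:
        ifaces = interfaces(config)
    except ValueError as e:
        return "reject", [f"malformed: {e}"]
    if not ifaces:
        return "reject", ["no interfaces"]
    bad = [f"{c:02x}:{s:02x}:{p:02x}" for c, s, p in ifaces
           if (c, s, p) not in ALLOWED_INTERFACES]
    if bad:
        return "reject", [f"interface {b} not in allow-list" for b in bad]
    return "allow", [f"{len(ifaces)} mass-storage interface(s)"]


# Helpers to build constructed descriptors for the samples below.
def iface(num: int, cls: int, sub: int, proto: int, eps: int) -> bytes:
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, eps, cls, sub, proto, 0)


def endpoint(addr: int, attrs: int, mps: int) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, mps, 0)


def config_desc(body: bytes, n_ifaces: int) -> bytes:
    header = struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), n_ifaces, 1, 0, 0x80, 50)
    return header + body


# 1) a plain flash drive: one 08:06:50 interface with bulk IN and OUT endpoints
FLASH_DRIVE = config_desc(
    iface(0, 0x08, 0x06, 0x50, 2) + endpoint(0x81, 0x02, 512) + endpoint(0x02, 0x02, 512), 1)
# 2) the same drive plus a hidden keyboard: a 03:01:01 HID interface with its
#    HID class descriptor and an interrupt IN endpoint
HID_DESC = struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63)
BAD_USB = config_desc(
    iface(0, 0x08, 0x06, 0x50, 2) + endpoint(0x81, 0x02, 512) + endpoint(0x02, 0x02, 512)
    + iface(1, 0x03, 0x01, 0x01, 1) + HID_DESC + endpoint(0x83, 0x03, 8), 2)

if __name__ == "__main__":
    print(decide(FLASH_DRIVE))
    print(decide(BAD_USB))
```

A device may carry several configurations and alternate settings, and a malicious one can re-enumerate with a different descriptor after it has been approved, which is why the decision has to be re-run on every attach event rather than cached per serial number.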

Nice, I didn't know that OS-level protection is possible. I thought the standards were just too insecure. Now curious why Microsoft and Apple don't have something similar. – Arjan – 2015-08-22T21:27:43.090

I believe it is just because people don't expect USB to ask before connecting. People expect USB to just work, which means "allow everything". There must be some API to do the same on Windows or Apple, but I don't know of anything right now. – Jakuje – 2015-08-27T21:06:55.803

I wouldn't mind a *"You connected a (or: a second) keyboard, enable?"* prompt when I plugged in a USB drive, but I can see how it might be difficult to answer such prompt when no mouse or keyboard has been approved yet... Also, I thought USB was prone to direct memory access attacks, but apparently that's Thunderbolt and all. But I'd not mind prompts for Thunderbolt either. So your link at least proves some restrictions might be possible, but it might be harder than we think...

– Arjan – 2015-08-27T22:32:46.620

1

For the voltage-killer thing, a USB hub is a great solution.

It has its own USB "chip". This chip will burn out long before it can "transmit" the power to the host computer.

JohnThePipe

Posted 2015-06-06T11:40:05.927

Reputation: 51

I wonder if this is true. I'm not an expert (not at all), but as the components are very small (and as signal traces are often being very close to each other on printed circuit boards), I wonder if the high voltage won't be able to go beyond the first (burned) components? – Arjan – 2015-08-23T10:07:51.690

Not an expert either, but I remember some high school physics and I can research: for a 1 meter electric arc we need 3.4 MV (3,400,000 volts). Considering Paschen's Law (Wikipedia will provide enough information on this), the voltage needed to arc is not directly proportional, so a rough (read empirical) calculation would translate to ~3400 V/mm. Even at 0.1 mm we still need 340 volts. – JohnThePipe – 2015-09-16T10:52:30.867

-4

The security risks with USB are not so easily overcome. You need to run antivirus software and disable autoplay to start. Encrypting the drive is also good, but most of all, don't let your own drives out of your sight, and don't let friends plug their drives into your systems. Ideally, set up a system in a DMZ and use it to scan unfamiliar drives before connecting them to systems on your internal network.

The issue with data transfer devices is that data is being transferred. This is why it's essential to have a good antivirus application installed and running that can scan removable media as it becomes available to the system. An application like Spybot Teatimer (Free version 1.6) can monitor the system for edited files. It's a classic that still works.

Disabling autoplay is also a good move. There's an app called USB immunizer that does this. You can also do it from within Windows, but it's a bit hacky.

Microsoft doc on disabling autoplay. https://msdn.microsoft.com/en-us/library/windows/desktop/cc144204%28v=vs.85%29.aspx?f=255&MSPPError=-2147217396

Use this method. I checked the registry changes, they're clean. The download under "To Disable AutoPlay for CD/DVD and Removable Media Drives for All Users" http://www.sevenforums.com/tutorials/216706-autoplay-enable-disable.html

Spybot https://www.safer-networking.org/mirrors16/

Edit: Sorry for not being clear. No, this adapter does not exist. Kickstart a project. You'd get millions if you could prototype one that works, but there's a reason Kingston, Lexar, or SanDisk haven't built such a thing into their keys.

Alex Atkinson

Posted 2015-06-06T11:40:05.927

Reputation: 2 845

2

I have addressed the concerns you have by using GNU/Linux. While these tips are useful for Windows users, it does not address the concern that Arjan mentions. And it is concerns like that which I would like the device to address. – Ole Tange – 2015-06-06T12:19:40.443

5

How does this answer the question? – Arjan – 2015-06-06T16:32:56.347