Score: 18

Say you find a USB drive on the street and you want to be 100% sure it hasn't been tampered with, either via software or by modifying its hardware (adding or modifying components, etc.), so that there is zero risk of malware.

Is fully formatting it enough to be 100% certain no malware remains? If so, is fully formatting it with the standard slow process from within Disk Utility in Tails 3.2 enough to do so?

Assume the highest possible technical ability from the attacker. Not just reasonable or plausible scenarios.

Norbert
  • (+40) If the scope of your question is to "assume the highest possible technical ability from the attacker" then the answer to your question is simple: how to be 100% certain: _don't_ pick up a random USB drive on the street and insert it into your PC. Other than that there is no such thing as 100% certainty. – n8te Oct 26 '17 at 04:25
  • (+6) Throwing it into a fire should be 100% certain. – aroth Oct 26 '17 at 10:58
  • (+2) Do you want to 1) clean up the stick to safely use it afterwards, _or_ 2) copy any data off from it safely without triggering any malware or hardware "traps" on it, _or_ 3) just find out if there was indeed something suspicious on it or not? I think the answers to these are at least slightly different. The Q linked by @KamilMaciorowski seems to be about (3). – ilkkachu Oct 26 '17 at 11:14
  • @n8te How does that make you 100% certain there is no malware on it? If you and I are walking down the street and we notice it and you don't pick it up, can I then safely have it? Going by your logic you'd be 100% certain there is no malware on it. – RyanfaeScotland Oct 26 '17 at 12:03
  • You ought to have asked this question on https://security.stackexchange.com/ – Mawg says reinstate Monica Oct 26 '17 at 12:53
  • Suggest reverse engineering the traces using an electron microscope. Be aware testing may be destructive. And yeah, Information Security is the better place to ask. – timuzhti Oct 26 '17 at 12:53
  • (+2) @Mawg While I don't think this question is necessarily off topic for [su], I do agree that it may be worth migrating it to [security.se]. – Stevoisiak Oct 26 '17 at 13:11
  • That's where the experts hang out ;-) Seriously, we cover a whole gamut here. If a question like this is about niche X and S.E has a dedicated X site, then a technical answer on a specialist site is likely, but not guaranteed, to be better than one on a generalist site. On the flip side, the generalist site will probably get more views, and most of us haunt multiple sites. It's a close call/how long is a piece of string? – Mawg says reinstate Monica Oct 26 '17 at 13:15
  • (+1) What makes you so certain it is in fact a USB drive? It's a rectangular piece of plastic with a USB plug on it -- it could be literally anything that uses USB. – Tristan Oct 26 '17 at 14:32
  • @StevenVascellaro if a question is on-topic on the SE site where originally posted, convention says we don't migrate it, even if it would be on-topic elsewhere. – I say Reinstate Monica Oct 27 '17 at 12:14

4 Answers

Score: 30

There is no way to be 100% sure the USB is safe, and that it will not harbour malware even if wiped. (If I were that way inclined and had the knowledge: a small chip with malware, not active, inside a decent-sized stick full of random crap; after X number of power cycles, switch chips.)

You should be very wary of plugging any USB key of unknown origin into your system as USB killers are a thing, and will kill your USB port, and possibly system - to get round this you might be able to use a sacrificial USB hub.

Unfortunately most USB sticks are cheap and easy to open - someone with some skill could easily replace the insides of one with no externally visible indications.

davidgo
  • (+1) https://www.elie.net/blog/security/what-are-malicious-usb-keys-and-how-to-create-a-realistic-one talks about an attack which makes the USB look like a keyboard - this attack would not be thwarted by wiping the disk as the nasty payload does not present as a disk. – davidgo Oct 26 '17 at 05:11
  • (+3) Put the untrusted one in a blender and buy a new one from a trusted vendor; it's the only way to be sure. – ratchet freak Oct 26 '17 at 09:39
  • (+8) @ratchetfreak Unless the drive is spiked with anthrax or something and the blending disperses it into your lungs :P 100% certainty is nonsense. If you find a flash disk with something illegal, it doesn't have to contain malware to cause you a great stream of troubles, for example; and formatting wouldn't really delete the data either. – Luaan Oct 26 '17 at 10:28
  • you don't need another chip, just reprogram the controller that's in the stick - https://www.bunniestudios.com/blog/?p=3554 – Pete Kirkham Oct 26 '17 at 13:43
  • @davidgo You could see that it's an HID device (keyboard) instead of a MSC device (drive) pretty easily though – endolith Oct 26 '17 at 15:11
  • +1 for pointing out that there are things that look like USB sticks but aren't (killers, disguised HID devices). Even if they don't contain malware (for example, if they are not a data carrier at all), they can still be very malicious. – TuringTux Oct 26 '17 at 15:32
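The comments above make the point that a "drive" may enumerate as a keyboard, and that this is visible to the host. The script below is an added example (not code from the thread or from any of the posters) that turns that observation into a check: it reads the `bInterfaceClass` files the Linux kernel exposes under `/sys/bus/usb/devices/` and flags every interface that is not mass storage. The sample device dictionary in `__main__` is constructed; the class-code table is the USB-IF base class list.

```python
"""Triage a USB device by the interface classes it advertises.

Added example, not code from the original thread. The Linux kernel publishes
a bInterfaceClass file for every interface of every USB device under
/sys/bus/usb/devices/<bus>-<port>:<config>.<iface>/. A plain flash drive
exposes exactly one interface of class 08 (mass storage); a stick that is
also a keyboard (03), a modem or network adapter (02/0a) or a camera (0e)
shows up here before any filesystem is mounted. This is triage only: a
device chooses what it advertises and may re-enumerate as something else
later, so a clean result proves nothing about its firmware.
"""
from pathlib import Path

# USB-IF base class codes as sysfs prints them (lowercase hex, no prefix).
INTERFACE_CLASSES = {
    "01": "audio",
    "02": "communications (CDC control: modem/ethernet)",
    "03": "HID (keyboard/mouse)",
    "06": "still imaging",
    "07": "printer",
    "08": "mass storage",
    "0a": "CDC data",
    "0e": "video (camera)",
    "e0": "wireless controller",
    "ef": "miscellaneous",
    "ff": "vendor specific",
}

EXPECTED_CLASS = "08"  # the only class a plain flash drive should expose


def classify_interfaces(interfaces):
    """interfaces: mapping of interface name -> bInterfaceClass text.

    Returns (is_plain_storage, findings). findings is a list of
    (interface, class_code, label, flagged) with flagged=True for every
    interface that is not mass storage. An empty mapping is flagged too:
    a "drive" with no interfaces is not a drive.
    """
    findings = []
    flagged_any = not interfaces
    for name, code in sorted(interfaces.items()):
        code = code.strip().lower()
        label = INTERFACE_CLASSES.get(code, "unknown class 0x" + code)
        flagged = code != EXPECTED_CLASS
        flagged_any = flagged_any or flagged
        findings.append((name, code, label, flagged))
    return (not flagged_any, findings)


def read_sysfs_interfaces(device, sysfs=Path("/sys/bus/usb/devices")):
    """Collect bInterfaceClass for every interface of a device such as '1-1'.

    Only descriptor files are read; nothing is written to the device and
    no filesystem is mounted.
    """
    result = {}
    for iface in sysfs.glob(f"{device}:*"):
        cls = iface / "bInterfaceClass"
        if cls.is_file():
            result[iface.name] = cls.read_text()
    return result


def report(interfaces):
    """Print one line per interface and a verdict; returns the verdict."""
    ok, findings = classify_interfaces(interfaces)
    for name, code, label, flagged in findings:
        print(f"{'!!' if flagged else '  '} {name}: class {code} ({label})")
    print("verdict:", "plain mass-storage device" if ok
          else "NOT a plain storage device, do not mount")
    return ok


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        report(read_sysfs_interfaces(sys.argv[1]))
    else:
        # Constructed sample: a composite stick that is both a drive and a
        # keyboard, the shape of the HID attack discussed in the comments.
        report({"1-1:1.0": "08\n", "1-1:1.1": "03\n"})
```

Run it as `python3 usbclass.py 1-1`, where `1-1` is the bus-port name `dmesg` or `lsusb -t` shows for the new device (`lsusb -v` prints the same `bInterfaceClass` fields). Two caveats: by the time the interface directory exists the kernel has usually already bound a driver to it (`usbhid` for a keyboard interface), so run this on the disposable machine described in the other answers, not on one you care about; and a device that passes here can still be a USB killer or a firmware-level implant, which no descriptor check can see.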
Score: 9

You assume that it is tainted.

You cannot be betrayed if there never was any trust to be betrayed.

And you will not suffer harm if you assume that harm is what will happen and prepare to meet it.

Remove hard-drives, disconnect from the network, use a bootable drive

If you are hellbent on examining this USB drive and want to avoid malware, you can do so by taking a computer, removing all its hard-drives, unplugging it from all networks (including WiFi) and then boot it up using a bootable USB drive. Now you have a computer that cannot be tainted and that cannot spread the contents of the found USB drive.

Now you can mount the found USB drive and examine its contents. Even if it is tainted, the only thing the malware reaches is an "empty" computer with an OS that you do not care about if it gets infected anyway.

Determine your level of paranoia

Do note that even this is not entirely "safe". Assume that this is The Perfect Malware™.

  • If you boot from a writable media (USB stick, writable CD/DVD), then this may become tainted too if it is writable and remains in the computer as you insert the tainted USB drive.

  • Practically all peripherals have some kind of firmware that can be updated. Malware can choose to nest there.

  • You could end up with a corrupted BIOS that compromises the hardware for good even after you have removed the tainted drive and powered down.

So unless you are prepared to throw away all the hardware afterwards, you need to determine how badly you want to examine this found USB stick and what price you are willing to pay to 1) stay safe and 2) take the consequences if things turn out bad.

Adjust your paranoia to reasonable levels according to what risks you are willing to take.

MichaelK
  • (+3) You'd be better off booting from a Live DVD rather than USB stick. Otherwise once you plug in the "suspect" USB you end up with _two_ possibly tainted USB drives. Boot from a read-only media. – Mokubai Oct 26 '17 at 08:07
  • (+3) @Mokubai Surely there are live images that allow you to boot up and then remove the medium you booted from? – MichaelK Oct 26 '17 at 08:09
  • (+12) Disconnecting the network and all drives is not enough. There is a lot more permanent storage inside your computer, e.g. the EFI NVRAM, the EFI Flash EEPROM, microcontroller Flash EEPROM on your keyboard and your mouse, firmware Flash EEPROM on your graphics card, the CPU's microcode, and so on, and so forth. I don't think malware that patches the CPU microcode is publicly known (which, however, doesn't mean that it doesn't exist), but all the others have at least been demonstrated and some even actively used in attacks. It's not enough to disconnect all drives, you also need to basically … – Jörg W Mittag Oct 26 '17 at 08:27
  • (+10) … throw away the computer afterwards. – Jörg W Mittag Oct 26 '17 at 08:28
  • (+1) @MichaelKarnerfors there may be, but you didn't mention removing the USB you booted from. I agree with Jörg though, there are a lot of other non-volatile storage devices than what you boot from in the computer. – Mokubai Oct 26 '17 at 08:39
  • +1 for actual giving ways to improve the situation instead of just "don't do it". – Fabian Röling Oct 26 '17 at 10:47
  • @Fabian: I'm not sure that *not* saying "don't do it" is improving the situation. There *may* be ways to do it safely, but frankly, someone who would be able to perform this operation safely, wouldn't be asking on [su], he'd be a gold badge member on [security.se]. – Jörg W Mittag Oct 26 '17 at 11:14
  • I said "instead of **just** saying 'don't do it'", because he did say "Do note that even this is not entirely 'safe'." This would not be a good answer if he had just pretended that everything would be fine if you do what he says, but at least he doesn't stop at "It's not a good idea, so I won't give hints to make it less dangerous." He still says that in the worst case, you have a piece of scrap metal instead of a PC, but with his tips, it's at least possible to try out the stick without infesting your network, your drives, your important data, all of the interwebz or whatever. – Fabian Röling Oct 26 '17 at 11:18
  • (+1) @JörgWMittag, I suppose one could create custom hardware without any reprogrammable memory to work as a USB host to safely copy the data out of the drive to some less suspicious media, if that's what is needed. Some microcontroller might do to start with. – ilkkachu Oct 26 '17 at 11:18
  • @ilkkachu maybe, but is it worth the effort? Even if you are a gold badge member on InfoSec, it's still going to be easier to just trash it and get a new, far less suspect one. – Baldrickk Oct 26 '17 at 15:52
  • @Baldrickk, oh, of course, if you want a stick to use. But if you want the data on the stick without exposing your computer, and assume a threat that would be serious enough to target the firmware on said computer, something like that would come to mind as a workaround. – ilkkachu Oct 26 '17 at 19:33
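The answer above is a procedure: strip the machine of drives, cut it off the network, boot from a medium you do not care about (and, per the comments, one you can pull after boot). The script below is an added example, not from the answer or its author, that checks those preconditions from the running kernel before the stick goes in, and builds the mount command to use if you then mount the stick by hand. It reads only `/sys/class/net/*/operstate` and `/sys/block`, both standard Linux interfaces; the set of "allowed" block devices (the live medium, or nothing) is an input you supply.

```python
"""Pre-flight check for the disposable-machine procedure above.

Added example, not from the original answer. It reads two things the Linux
kernel exposes under /sys: the operational state of every network interface
and the list of block devices. The check passes only when nothing but the
loopback interface is live and no block device exists beyond the ones you
explicitly allow (the live-boot medium, or nothing at all if you pulled it
after boot). It also builds the mount command to use if you then decide to
mount the stick by hand: read-only, with device nodes, setuid and execution
disabled. The 'allowed' set is an input you supply.
"""
from pathlib import Path

NET = Path("/sys/class/net")
BLOCK = Path("/sys/block")

# Pseudo block devices that are not storage media and never worth flagging.
IGNORED_PREFIXES = ("loop", "ram", "zram", "dm-")


def network_is_down(operstates):
    """operstates: mapping iface -> text of /sys/class/net/<iface>/operstate.

    Anything that is not 'down' or 'notpresent' (so 'up', 'dormant',
    'unknown', ...) counts as live, except loopback.
    """
    live = sorted(i for i, s in operstates.items()
                  if i != "lo" and s.strip() not in ("down", "notpresent"))
    return (not live, live)


def unexpected_block_devices(present, allowed):
    """Names in /sys/block that are real media and not in the allowed set."""
    real = {d for d in present if not d.startswith(IGNORED_PREFIXES)}
    return sorted(real - set(allowed))


def safe_mount_argv(device, mountpoint):
    """mount(8) argv for a suspect filesystem with every write/exec path shut.

    ro: the host does not write through the filesystem (some filesystems
    still replay their journal on an ro mount, so set the block device
    read-only first with `blockdev --setro` if that matters to you);
    nodev: device nodes on the stick are inert; nosuid/noexec: binaries on
    it cannot run or elevate. None of this helps against a device that is
    not a drive at all, which is why the checks above come first.
    """
    return ["mount", "-o", "ro,nodev,nosuid,noexec", device, mountpoint]


def preflight(operstates, present_block, allowed_block):
    """Return a list of problems; an empty list means the checks passed."""
    problems = []
    net_ok, live = network_is_down(operstates)
    if not net_ok:
        problems.append("network interfaces still live: " + ", ".join(live))
    extra = unexpected_block_devices(present_block, allowed_block)
    if extra:
        problems.append("unexpected block devices present: " + ", ".join(extra))
    return problems


def read_live_state():
    """Snapshot operstates and block-device names from the running kernel."""
    operstates = {}
    for iface in NET.iterdir():
        state = iface / "operstate"
        if state.is_file():
            operstates[iface.name] = state.read_text()
    blocks = {dev.name for dev in BLOCK.iterdir()}
    return operstates, blocks


if __name__ == "__main__":
    import sys
    allowed = set(sys.argv[1:])          # e.g. "sda" for the live medium
    operstates, blocks = read_live_state()
    problems = preflight(operstates, blocks, allowed)
    for p in problems:
        print("FAIL:", p)
    if problems:
        sys.exit(1)
    print("pre-flight passed; mount the stick only with:")
    print(" ".join(safe_mount_argv("/dev/sdX1", "/mnt/suspect")))
```

Run it as root on the disposable machine (`python3 preflight.py sda` if `sda` is the live medium, or with no argument if you pulled it) before plugging the stick in, and make sure no automounter is active, since an automounter mounts with its own options the moment the device appears. If you only want the data, imaging the stick once with `dd` and working from the image over a loop device keeps the stick itself out of the picture after the copy; that does nothing, of course, against the firmware and non-drive cases the comments raise.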
Score: 4

As far as a hardware hack goes, an absurdly advanced electrical specialist with a specific target could make a logic circuit that checks for you finishing running your cleaning software, then injects something into the host computer and the flash drive. They might even be able to make the drive look somewhat normal internally, to a casual observer. Just remember, theoretically nothing is secure. Security is all based on the effort people put into hacking you, and the effort you put into stopping them.

matterny
  • (+1) Thought for you - security is based around layers of protection, and the time/cost/inconvenience to implement vs break those layers. – davidgo Oct 26 '17 at 04:56
  • (+7) You don't need to be an "absurdly advanced electrical specialist" to be able to do that. – glglgl Oct 26 '17 at 08:00
Score: 1

In security, the answer to any question which contains the phrase "100%" is always a big fat NO.

Simply formatting, overwriting, erasing, or whatever else you can come up with, is not enough. Why? Because in all of these cases, you always have to go through the stick in order to do that. But, if I am an evil USB stick, and you tell me to erase myself … why would I comply? I could simply pretend to be busy for a while and then tell you "I am done", without ever having actually done anything.

So, for example, the stick could simply ignore all write commands. Or, it could perform the write commands on a scratch flash chip, wait for you to verify that the write really did erase everything, then swap in the real flash chip. The USB stick could contain a USB hub and actually be two drives, one of which only gets inserted very briefly while you are erasing the other one (which takes a long time, and thus it stands to reason that you are going to leave your computer and grab a coffee or something like that, so that you have no chance to notice).

Also, the USB drive might not even be a USB drive at all. It could be a USB keyboard which extremely quickly types some commands into your computer. Most operating systems do not verify the identity of attached keyboards. (Yes, this attack does actually exist in the real world.)

Or, it could be a USB 3G modem … and boom, your computer is connected to an open, unsecured network again.

It could possibly not even be a USB device. It might be a microphone or a camera, and simply use the USB port for power.

Or, it might not be trying to install malware on your computer, but simply aim to destroy it, e.g. by putting 200V on the data lines.

Jörg W Mittag
  • It could also be a USB drive *and* a camera/microphone/whatever - so that everything would appear to be working fine, no malware on the drive... while all your data is slowly being encrypted :P USB is flexible, and flexibility isn't always a good thing... – Luaan Oct 26 '17 at 10:37
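The answer above argues that any "format and verify" pass goes through the stick's own controller, which can ignore writes or answer from a scratch chip and swap the real one back later. The simulation below is an added example, not code from the answer or its author: it models three toy sticks behind one block-device interface and runs the same write-random-then-read-back verification against each. The payload, block counts and cycle counts are constructed for the demonstration.

```python
"""Why 'format it and check' cannot prove the stick is clean.

Added example, not from the original answer. Three toy sticks sit behind the
same block-device interface: an honest one, one that acknowledges writes
but discards them, and one that serves a scratch chip during the wipe and
swaps the real chip back after a few power cycles (the two-chip trick the
answer describes). A write-random-then-read-back verification catches the
second stick but, by construction, not the third: the device decides what
you read. Sticks, payload and cycle counts are constructed for the demo.
"""
import os

BLOCK_SIZE = 512


class HonestStick:
    """Stores what you write, returns what it stored."""

    def __init__(self, blocks, payload=b""):
        self.flash = bytearray(blocks * BLOCK_SIZE)
        self.flash[:len(payload)] = payload

    def write(self, lba, data):
        self.flash[lba * BLOCK_SIZE:(lba + 1) * BLOCK_SIZE] = data

    def read(self, lba):
        return bytes(self.flash[lba * BLOCK_SIZE:(lba + 1) * BLOCK_SIZE])

    def power_cycle(self):
        pass


class IgnoresWrites(HonestStick):
    """Reports success for every write and changes nothing."""

    def write(self, lba, data):
        pass


class SwapsAfterCycles(HonestStick):
    """Wipes land on a scratch chip; the real chip returns after N cycles."""

    def __init__(self, blocks, payload, cycles_until_swap):
        super().__init__(blocks, payload)
        self.real = self.flash                   # hidden chip keeps payload
        self.flash = bytearray(len(self.real))   # scratch chip takes the wipe
        self.cycles_left = cycles_until_swap

    def power_cycle(self):
        self.cycles_left -= 1
        if self.cycles_left == 0:
            self.flash = self.real


def wipe_and_verify(stick, blocks, rng=os.urandom):
    """Overwrite every block with fresh random data and read each one back.

    Random rather than zeros: a controller can answer 'all zeros' for any
    block it claims to have erased without storing anything. Returns True
    only if every block reads back exactly what was written.
    """
    written = []
    for lba in range(blocks):
        pattern = rng(BLOCK_SIZE)
        stick.write(lba, pattern)
        written.append(pattern)
    return all(stick.read(lba) == pattern for lba, pattern in enumerate(written))


def payload_returns(stick, payload, blocks, cycles):
    """Wipe, verify, power-cycle `cycles` times, then look for the payload.

    Returns (verification_passed, payload_visible_afterwards).
    """
    verified = wipe_and_verify(stick, blocks)
    for _ in range(cycles):
        stick.power_cycle()
    visible = stick.read(0)[:len(payload)] == payload
    return verified, visible


if __name__ == "__main__":
    payload = b"constructed malicious payload"
    cases = [
        ("honest", HonestStick(8, payload)),
        ("ignores writes", IgnoresWrites(8, payload)),
        ("swaps chips after 2 cycles", SwapsAfterCycles(8, payload, 2)),
    ]
    for name, stick in cases:
        verified, visible = payload_returns(stick, payload, 8, cycles=3)
        print(f"{name:28s} verify={'PASS' if verified else 'FAIL'} "
              f"payload back after 3 cycles={'yes' if visible else 'no'}")
```

The honest stick passes verification and stays clean; the write-ignoring stick fails verification, so read-back does buy you something over a bare format; the two-chip stick passes verification and still hands the payload back two power cycles later. Reading back immediately after writing tests only what the controller is willing to say at that moment, which is the whole point of the answer.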