How to plug in a 'strange' USB device? \ stacker news ~security

5679 sats \ 26 comments \ @elvismercury 16 Feb security

Most people around here probably know that using USB peripherals is a giant security risk; however, in normal life it's pretty hard not to use them, at least if you're interfacing with the rest of humankind.

So imagine this scenario: someone, who is probably a good actor gives you a USB drive with some data on it. You want to transfer this data to your computer. You have modest ability to be paranoid, e.g., you could have a spare computer, some kind of dongle, whatever. You don't, however, have the ability to be extremely paranoid (e.g., you get a disposable computer for each USB you plug in.)

What should you do? I'm looking for practical advice to solve a practical problem.

view all related items

599 sats \ 4 replies \ @OriginalSize 16 Feb

Boot up the latest Tails and open from there. Copy and paste desired files from dirty drive to clean one.

If you're super-paranoid repeat with a different OS with different hardware (like OpenBSD on a Raspberry Pi) to copy from clean drive to a new, even cleaner one.

50 sats \ 0 replies \ @kepford 16 Feb

Great answer. Not an expert but I would also feel better if the hardware device was not connected to any network when the drive is inserted. For sure not the Internet.

10 sats \ 2 replies \ @elvismercury OP 16 Feb

The worry for this is if it's a device that poses a physical attack via a capacitor or something -- you've probably seen the videos of how they actually fry the circuity of the computer you plug them into.

331 sats \ 1 reply \ @OriginalSize 17 Feb

Hmm, not an electrical engineer but maybe a USB hub? The capacitor thing seems far less likely than normie who's machine is silently infecting peripherals.

0 sats \ 0 replies \ @elvismercury OP 17 Feb

That seems plausible to me, too -- any actual EEs care to weigh in if one of those weaponized electrical charge USB sticks would still kill your computer through a hub?

755 sats \ 0 replies \ @Undisciplined 16 Feb

Lend it to a government worker, let them plug it in at work and report back about what happened.

It's a win-win.

326 sats \ 0 replies \ @sovereign 17 Feb

Qubes OS is highly recommended for securely handling USB drives due to its robust isolation capabilities. It segregates applications into separate virtual machines, ensuring that malware from a USB cannot compromise your entire system. This isolation helps maintain security without sacrificing usability, making it a top choice for those concerned with digital security.

Alternatively, using a bootable OS like Tails or a live Linux distribution provides a temporary, secure environment for safely checking and transferring files from a USB drive. These systems don't affect your main operating system, as they run independently from a USB or CD and automatically erase traces of their use upon shutdown.

237 sats \ 1 reply \ @oliverweiss 16 Feb

I would use a cheap raspberry pi for such cases.

Your question reminded me yet another useful small device for safe charging, a usb condom like this one https://www.paralelnipolis.cz/en/shop/usb-condom/

11 sats \ 0 replies \ @elvismercury OP 16 Feb

Ha, I never heard of such a thing before -- thank you! That solves a different problem I didn't think to ask about :)

237 sats \ 1 reply \ @Wumbo 16 Feb

https://en.wikipedia.org/wiki/USB_dead_drop

Come on! You know can not resist to see what is on me.

10 sats \ 0 replies \ @elvismercury OP 16 Feb

That's a person who understands my kryptonite.

212 sats \ 0 replies \ @UCantDoThatDotRugged 16 Feb

I'm guessing, from what I've read in passing from people who know what they are talking about, I'm not an expert. Get a weird device, that is unlikely to have anything the exploit is expecting. Load an OS with a sandbox mode. Keep a bunch of testing software on that device. I think there's some way to see if the data's state has changed before and after plugging it in, or an OS that doesn't allow it's state to change.

110 sats \ 2 replies \ @brandonsbytes 16 Feb

I haven't used a USB stick in years? Is that because I'm a Apple and Cloud software sellout?

But, I miss using USBs. And, though I know it's bad, if I found a USB, I would be so tempted to find out what's on it.

I'd say, have an old laptop that you truly don't need, spin up Kali Linux, and have a go!

31 sats \ 1 reply \ @elvismercury OP 16 Feb

And, though I know it's bad, if I found a USB, I would be so tempted to find out what's on it.

We're in the same shameful boat, I admit. Part of the reason I needed to ask this question in the first place :/

21 sats \ 0 replies \ @037447d9ca 17 Feb

Don't confuse old laptop with old software. You definitely want to run the latest version of whatever you run.

30 sats \ 0 replies \ @k00b 16 Feb

I have a bunch of old usb sticks given away at conferences that I've never plugged in because I've never thought to ask this.

10 sats \ 3 replies \ @Signal312 16 Feb

Help me out - what's the specifics of what a compromised USB peripheral might do?

927 sats \ 2 replies \ @chairman_pretense 16 Feb

Execute any code on your machine. Because of the way USB has access to pretty deep hardware internals, whilst OS software tries to prevent this, it's a massive security issue.

The stuxnet worm famously infected Iranian machines which were air gapped because CIA agents left usb sticks on the ground in car parks near nuclear facilities. All it took was one curious researcher to pick one up and plug it into their machine.

336 sats \ 0 replies \ @ek 16 Feb

Execute any code on your machine. Because of the way USB has access to pretty deep hardware internals, whilst OS software tries to prevent this, it's a massive security issue.

Yes, this.

Basically, for the OS, something you plug into an USB slot can be anything which includes keyboards. The OS has to trust the device plugged in that it is what it says it is. Since there is basically no way to prevent plug and play without making the UX abysmal¹, USB sticks can pretend to be keyboards and execute keystrokes when you insert them which includes opening reverse shells. With a reverse shell, the attacker now has full control of your machine (except root if you have a strong root password etc).

This is what rubber duckies do: https://shop.hak5.org/products/usb-rubber-ducky

If you are really plugging in a keyboard, you just want it to work immediately since you might have no other human interface device. ↩

0 sats \ 0 replies \ @031ef7d322 17 Feb

CIA agents left usb sticks on the ground in car parks near nuclear facilities. All it took was one curious researcher to pick one up and plug it into their machine.

That was long thought to be the attack vector, but new information recently became public: Dutch Engineer Used Water Pump to Get Billion-Dollar Stuxnet Malware Into Iranian Nuclear Facility

10 sats \ 0 replies \ @0xbitcoiner 16 Feb

open in a sandbox environment

10 sats \ 3 replies \ @antic 16 Feb

You lost me at "strange" usb device. 😂

10 sats \ 2 replies \ @elvismercury OP 16 Feb

Your coworkers or friends never hand you a USB drive? I'm not talking about picking it up from the floor of a Russian brothel.

10 sats \ 1 reply \ @antic 16 Feb

haha--no, I tell them to drop the file in the cloud and I'll get them that way. I work with people remotely anyway :)

10 sats \ 0 replies \ @elvismercury OP 16 Feb

Ah, yes. That would be preferable.

0 sats \ 0 replies \ @turker 17 Feb

I have a cheap solution. I have Kali Linux installed on my 8GB USB drive. When I get something like that, I'm disconnecting my SSD from my hardware, plugging my Kali USB, booting the Kali from USB and after that I'm using "strange" USB. I also have another layer of security on top of that. After I finish my job, I'm booting from my security HDD to scan things and see everything is well. After that, I'm booting from my main SSD. I got a switch for these type of things.

Footnotes