
CIRCLean – USB key sanitizer - adulau
https://www.circl.lu/projects/CIRCLean/
======
ckastner
This seems a bit misleading to me. From README.md:

      This project aims to be useful when you get/find a USB key
      that you can't trust, and you want to look at its contents
      without taking the risk of plugging it into your computer
      directly.

Its method of operation is given as:

      The content of the untrusted key will be copied or/and
      converted to the second (blank) key following these rules
      (based on the mime type as determined by libmagic)

This process does _not_ make the key trustworthy. From the BadUSB intro:

      Once reprogrammed, benign devices can turn malicious in
      many ways, including:

        1. A device can emulate a keyboard and issue commands on
           behalf of the logged-in user [...]

        2. A modified thumb drive or external hard disk
           can [...] boot a small virus, which infects the
           computer’s operating system prior to boot.

Assuming that the first USB stick can infect the second USB stick, CIRCLean
will not protect you against these attacks.

~~~
leni536
They can mitigate against BadUSB by only whitelisting the generic USB mass
storage class driver. No keyboard, no mouse, etc... I am not confident they do
this though.

~~~
A1kmm
Looks like they don't, but they turn off usbhid on that particular port:
[https://github.com/CIRCL/Circlean/blob/master/circlean_fs/ro...](https://github.com/CIRCL/Circlean/blob/master/circlean_fs/root_partition/etc/udev/rules.d/50-blockhid.rules)

However, that could be bypassed if the USB key acted like a USB hub with a
keyboard attached.

If you do get a keyboard working, it looks like you can just log in with
raspberry / raspberry and then have full privileged access, since sudo from the
raspberry user and /dev/kmem from root are enabled. That would allow arbitrary
content to be copied onto the user-supplied USB, and depending on the device,
possibly firmware reprogramming.

~~~
leni536
Huh, at least it seems that they care about this attack vector. Blacklisting
seems to be the wrong approach.
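
The allowlist-versus-blocklist point in this subthread, as an added example (not part of any comment and not CIRCLean's code): a Python model comparing a port-keyed HID blocklist with a mass-storage-only allowlist over constructed device trees. The port paths, the `blocklist_allows` rule and the sample devices are assumptions for illustration; the class codes are the standard USB ones.

```python
# USB interface class codes (standard values from the USB-IF class list).
HID, MASS_STORAGE, HUB = 0x03, 0x08, 0x09

def blocklist_allows(dev, blocked_port="1-1.2"):
    """Hypothetical port-keyed blocklist: refuse HID on one exact port only."""
    return not (dev["port"] == blocked_port and HID in dev["interfaces"])

def allowlist_allows(dev):
    """Allowlist: every interface must be mass storage, so hubs fail too."""
    ifaces = dev["interfaces"]
    return bool(ifaces) and all(c == MASS_STORAGE for c in ifaces)

def evaluate(devices, policy):
    """Return port paths the policy lets through, walking hubs top-down."""
    known = {d["port"] for d in devices}
    allowed = []
    for dev in sorted(devices, key=lambda d: d["port"].count(".")):
        parent = dev["port"].rpartition(".")[0]
        if parent in known and parent not in allowed:
            continue  # upstream hub was refused: nothing behind it enumerates
        if policy(dev):
            allowed.append(dev["port"])
    return allowed

def hid_reaches_host(devices, policy):
    """True if any device the policy lets through exposes a HID interface."""
    ok = set(evaluate(devices, policy))
    return any(HID in d["interfaces"] for d in devices if d["port"] in ok)

# Constructed device trees (sysfs-style port paths, all assumed).
PLAIN_STICK = [{"port": "1-1.2", "interfaces": [MASS_STORAGE]}]
COMPOSITE_STICK = [{"port": "1-1.2", "interfaces": [MASS_STORAGE, HID]}]
HUB_STICK = [  # presents as a hub with storage and a keyboard behind it
    {"port": "1-1.2", "interfaces": [HUB]},
    {"port": "1-1.2.1", "interfaces": [MASS_STORAGE]},
    {"port": "1-1.2.2", "interfaces": [HID]},
]

if __name__ == "__main__":
    trees = {"plain": PLAIN_STICK, "composite": COMPOSITE_STICK, "hub": HUB_STICK}
    for name, tree in trees.items():
        for policy in (blocklist_allows, allowlist_allows):
            print(f"{name:9} {policy.__name__:16} "
                  f"allowed={evaluate(tree, policy)} "
                  f"hid={hid_reaches_host(tree, policy)}")
```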

------
_pmf_
Keep in mind that it is completely feasible for the µC to activate malicious
payloads only after the n-th usage. Kind of like a PS3 exploit worked, albeit
not on the descriptor layer, but the MSC layer.

------
sathackr
> In the worst case, only the CIRCLean would be compromised, but not the
> computer reading the target (trusted) USB key/stick.

If the CIRCLean device is compromised, I don't see how the trusted USB stick,
which is connected to the now compromised CIRCLean, can be guaranteed to not
be infected.

------
trqx
How about sharing the output via WiFi / Bluetooth?

That seems quite risky tho, once the device is infected, that would be like
washing all your dishes with the toilet sponge.

What is the goal of having to reboot at each cycle?

~~~
striking
To guarantee, in theory, that there isn't any contamination between two
different flash drives.

But in practice, I'm pretty sure that with the right privileges you could just
write to the SD card...

~~~
mbreese
Isn't there also a physical switch on the SD card to mark it as
write-protected? I'm sure that could be bypassed, but it would make it more
difficult to hide the contamination.

~~~
XorNot
The physical switch is entirely software implemented.

~~~
undersuit
Also for Raspberry Pis the connection pin the switch relies on is un-wired.

------
fluxsauce
> The code runs on a Raspberry Pi (a small hardware device), which also means
> it is not required to plug the original USB key into a computer.

This may be splitting hairs, but a Raspberry Pi is a computer. From
[https://www.raspberrypi.org/](https://www.raspberrypi.org/)

> The Raspberry Pi is a tiny and affordable computer that you can use to learn
> programming through fun, practical projects.

The actual project page -
[https://github.com/CIRCL/Circlean](https://github.com/CIRCL/Circlean)

------
partycoder
Not all USB keys can be sanitized, e.g. USB Killer.

~~~
flipp3r
Though it's probably cheaper/better to destroy a CIRCLean than to destroy
something else

------
JulianMorrison
What even is the use case for USB sticks these days? Compared to just putting
the files in Dropbox.

If I found a USB stick, I would just bin it.

~~~
adrianN
I can buy a USB stick with 32 gigs of memory for a couple of Euros and fill it
in minutes. My friends can read the stick in minutes, without having to
install software.

------
aymenim
> plug a headset and listen to the music that is played during the conversion.
> When the music stops, the conversion is finished.

Bad UX but I guess it works.

I would have preferred an LED on the Raspberry Pi GPIO ports to indicate
ready, processing and finished.

~~~
sleepychu
> _If you have a Raspberry Pi with a diode, wait until the blinking stops_

