What Are the Dangers of Using an Untrusted USB Drive? - arunc
http://lifehacker.com/what-are-the-dangers-of-using-an-untrusted-usb-drive-1533523741

======
aw3c2
Direct link instead of the lifehacker "aggregation":
[http://superuser.com/questions/709275/what-is-the-danger-of-...](http://superuser.com/questions/709275/what-is-the-danger-of-inserting-and-browsing-an-untrusted-usb-drive)

~~~
chimeracoder
Thank you for posting this. When Google (ie, Matt Cutts) states that they are
looking for "scraper" sites, I wonder if they include blogspam "news"
publications like this.

For example, when someone searches my name, currently the #2 hit is a Gawker
repost of a blog post I wrote. What's worse is that Gawker actually goes out
of their way to make it seem like they spoke with me (ie, added additional
"content" to my post), when in fact they didn't; all they did was provide a
tl;dr[0].

I don't have a problem with news publications that seek to be secondary
sources that add value (analysis, more in-depth reporting) to stories that
others break, but it kills me to see publications not even bothering to do
that.

[0] I can't remember if they even linked back to my post or not; I'd check,
but I actually have all Gawker media sites blocked in /etc/hosts and I don't
really feel like undoing that.

~~~
sizzle
You should reach out to him directly and make a new thread with the results.
You have a legitimate claim.

~~~
chimeracoder
Hm, didn't think about that. Do you have an idea of how to get in contact with
him? The form link he tweeted doesn't seem to apply 100% to this case[0], but
digging around it seems you may be right; there's precedent for this kind of
action elsewhere.

[0] I took a second at the Gawker "article"; they combined content with my
blog post with some quotations from an interview with a (non-Gawker)
publication, so it's recycling content from primary + secondary source, not
just primary.

~~~
sizzle
If it bothers you enough, get the ball rolling with contact forms, then start
looking for email addresses via HN and linkedin. No harm in asking for your
identity ranking back.

------
computer
They're missing the possibility that the drive might decide to simulate being
a USB hub at some point. It can then be both a USB storage drive and a
simulated keyboard, and use the second to install something from the first.

~~~
goldenkey
Mouse, keyboard, network device, etc etc. You forfeit as soon as you plug in
an untrusted USB device.

------
bigiain
I think there's a whole new(ish) class of answers to this question if you ask
it as: "What Are the Dangers of Using an Untrusted USB Drive from Travis
Goodspeed?"

[http://travisgoodspeed.blogspot.com.au/2012/07/emulating-usb...](http://travisgoodspeed.blogspot.com.au/2012/07/emulating-usb-devices-with-python.html)

------
naiyt
Interesting stuff! (Curious, why not just link to the SuperUser question
instead of the LifeHacker link, though?)

I rarely use USB drives these days, and I don't remember the last time I used
one that didn't belong to me. Probably for the best.

------
cnvogel
At least under Linux, you could -theoretically- verify the type of a connected
device and only load and bind the drivers you are actually considering using on
that device.

[https://www.kernel.org/doc/Documentation/usb/authorization.t...](https://www.kernel.org/doc/Documentation/usb/authorization.txt)

As far as I understand this, I think it still reads the USB descriptors (which
itself has been shown to be problematic in the past), but postpones binding the
drivers (thereby locking out an enormous amount of potentially buggy code
from automatically starting to work on your USB device's maliciously crafted
data).
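
As an added illustration of the device-level authorization that kernel document describes (this is not cnvogel's code or anything from the kernel tree), the script below sets `authorized_default` to 0 on each root hub so newly plugged devices start deauthorized, then walks the existing devices and authorizes only an allow-list of vendor:product ids. It takes the sysfs root as a parameter so it can be exercised against a constructed fake tree; the allow-list ids and the fake devices are sample values, and pointing it at the real `/sys/bus/usb/devices` needs root.

```shell
#!/bin/sh
# Added example: USB device authorization via sysfs attributes
# (authorized_default on root hubs, authorized/idVendor/idProduct on devices).

# Allow-list of vendor:product ids that may bind drivers (constructed sample values)
ALLOW="046d:c52b 0781:5567"

# is_allowed VID PID -> returns 0 if "VID:PID" is in ALLOW
is_allowed() {
    for id in $ALLOW; do
        [ "$id" = "$1:$2" ] && return 0
    done
    return 1
}

# lock_down_usb SYSFS_ROOT
#  1. every root hub (usbN) gets authorized_default=0, so new devices are not
#     authorized automatically when plugged in
#  2. every existing non-hub device is authorized only if its id is allow-listed
lock_down_usb() {
    root="$1"
    for hub in "$root"/usb*; do
        [ -f "$hub/authorized_default" ] && echo 0 > "$hub/authorized_default"
    done
    for dev in "$root"/*; do
        case "$(basename "$dev")" in usb*) continue ;; esac   # skip root hubs
        [ -f "$dev/idVendor" ] || continue                     # skip interfaces etc.
        vid=$(cat "$dev/idVendor"); pid=$(cat "$dev/idProduct")
        if is_allowed "$vid" "$pid"; then
            echo 1 > "$dev/authorized"
        else
            echo 0 > "$dev/authorized"
        fi
    done
}

# build_fake_sysfs DIR: constructed stand-in for /sys/bus/usb/devices (offline demo)
build_fake_sysfs() {
    d="$1"
    mkdir -p "$d/usb1" "$d/1-1" "$d/1-2"
    echo 1 > "$d/usb1/authorized_default"
    echo 046d > "$d/1-1/idVendor"; echo c52b > "$d/1-1/idProduct"; echo 1 > "$d/1-1/authorized"
    echo 1a2b > "$d/1-2/idVendor"; echo 3c4d > "$d/1-2/idProduct"; echo 1 > "$d/1-2/authorized"
}

# Run with --demo to exercise the logic against the fake tree and print the result
if [ "$1" = "--demo" ]; then
    tmp=$(mktemp -d); build_fake_sysfs "$tmp"; lock_down_usb "$tmp"
    grep -r . "$tmp"; rm -rf "$tmp"
fi
```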

------
ksk
What does trust even mean? Flash storage devices come with little
cpus/controllers which run code the moment you plug in the device (note:
nothing to do with mounting). If you can find a way to program them (many
already have), you can exploit all kinds of OS bugs without even having a
file-system on the device. There are just too many places to stash code in
modern electronic devices for them to ever be considered 'trusted'.

~~~
Hello71
That's entirely irrelevant. It doesn't matter how the USB device gets its
data; you could have a mainframe connected via USB OTG, and it wouldn't make
one iota of a difference _because USB does not have DMA_.

~~~
mschuster91
While the USB _devices_ don't have DMA, the _controller_ indeed has.

And as the USB controllers are mostly the same anyways... find a bug in a
common family and PROFIT.

------
rwmj
Try using libguestfs to isolate you from the drive:

    guestfish -a /dev/sdX
    ><fs> run
    ><fs> list-filesystems
    /dev/sda1
    ><fs> mount /dev/sda1 /

Libguestfs runs a tiny appliance containing a separate kernel and (if your
host supports it) protects that in an LXC container and with SELinux. In any
case it would be extremely difficult for a malformed filesystem to exploit the
guest kernel, and escape from virtualization, SELinux and LXC to attack the
host.

Note this doesn't help if your OS "helpfully" mounts the disk when you plug it
in.

[http://libguestfs.org/](http://libguestfs.org/)

~~~
mschuster91
Does not help against malformed USB descriptors, which were used to pwn the
PlayStation 3.

~~~
rwmj
True enough, but look at the amount of code in parsing USB descriptors versus
parsing filesystems:

    $ wc -l usb/core/*.c
     21465 total
    $ wc -l `find fs -name '*.c'`
     1016460 total

Two orders of magnitude more. Now I'm not saying that USB descriptor parsing
is free from problems, but there are an awful lot of obscure filesystem
drivers in there ... Econet ADFS anyone?

Another place where libguestfs can help is in parsing files from the
filesystem. We provide trusted parsing libraries that run inside the VM, so
parsing (say) Unix /etc configuration or Windows Registry files is much safer.

------
auctiontheory
I once gave a presentation at a USAF base overseas.

IIRC almost anything I wanted to bring for the presentation was allowed (I
wasn't searched - no TSA), but USB drives were forbidden.

The disk burner on my MBP failed (weird foreign current issues), so I ended up
using Dropbox and my iPhone.

------
gwu78
"...the only true way to be safe is to boot up a live Linux distribution..."

The only true way? Are you sure about that?

There are other OS's besides Linux and Windows.

And there is something called rump(3).

------
Fasebook
USB3 is an entirely different can of worms. Plug one into Windows today to see
all the juicy details.

