Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie

Using an unknown USB Stick

Options
  • 21-05-2015 12:02pm
    #1
    _Tombstone_
    Closed Accounts Posts: 3,006 ✭✭✭


    What precautions should you take nowadays using one?

    Is a scan with an AV enough?


Comments

  • Options
    #2
    28064212
    Registered Users Posts: 10,493 ✭✭✭✭28064212


    Assume that it's set to run: 
    deltree /y C:\*.*
sudo rm -rf /
    as soon as it's connected (a very real possibility: https://srlabs.de/badusb/). So no, an AV scan wouldn't be enough

    The only truely effective defence would be inserting it into an air-gapped and disposable computer, retrieving the firmware from the device and analysing it for harmful code

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Options
    #3
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    _Tombstone_ wrote: »
    What precautions should you take nowadays using one?

    Is a scan with an AV enough?

    No. Thats like finding a used condom and running it under the tap for a minute.
    The only truely effective defence would be inserting it into an air-gapped and disposable computer, retrieving the firmware from the device and analysing it for harmful code

    The only truly effective defense would be not using USB keys of unknown origins at all.


  • Options
    #4
    whats newxt
    Closed Accounts Posts: 431 ✭✭whats newxt


    I'd be careful i'v been using the USB rubber ducky for some time now, It's an amazing little device.


  • Options
    #5
    anvilfour
    Closed Accounts Posts: 720 ✭✭✭anvilfour


    If you have Linux could you not just mount it from the terminal without booting into a desktop environment? Should allow you to examine the files and only copy the ones which you need? Or perhaps I'm being naive?

    Edit : My August colleague has suggested using a Linux "Live" CD to examine the contents of the file, fairly limited damage you can do to an Operating System that will vanish when you power off the machine...!


  • Options
    #6
    realdanbreen
    Registered Users Posts: 8,142 ✭✭✭realdanbreen


    syklops wrote: »
    No. Thats like finding a used condom and running it under the tap for a minute.

    .
    Er, a 'FRIEND' of mine ran it under the tap for 3 minutes. Do you reckon I, I mean he, will be OK?:confused:


  • Advertisement
  • Options
    #7
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    anvilfour wrote: »
    If you have Linux could you not just mount it from the terminal without booting into a desktop environment? Should allow you to examine the files and only copy the ones which you need? Or perhaps I'm being naive?

    What if its not a USB stick but its a rubber ducky and runs rm -rf / or it backdoors your system so quickly you don't notice?
    Edit : My August colleague has suggested using a Linux "Live" CD to examine the contents of the file, fairly limited damage you can do to an Operating System that will vanish when you power off the machine...!

    A LiveCD is a good option just make sure your drives are encrypted.


  • Options
    #8
    28064212
    Registered Users Posts: 10,493 ✭✭✭✭28064212


    anvilfour wrote: »
    If you have Linux could you not just mount it from the terminal without booting into a desktop environment? Should allow you to examine the files and only copy the ones which you need?
    No. A BadUSB attack can essentially act as a pre-programmed keyboard. Imagine Eve comes along with a keyboard, plugs it in to your machine while you're logged on, and starts typing. How would you prevent them from executing commands?
    anvilfour wrote: »
    Edit : My August colleague has suggested using a Linux "Live" CD to examine the contents of the file, fairly limited damage you can do to an Operating System that will vanish when you power off the machine...!
    That assumes that the USB key can't get near the BIOS/bootloader, which would be a mistake

    Boardsie Enhancement Suite - a browser extension to make using Boards on desktop a better experience (includes full-width display, keyboard shortcuts, dark mode, and more). Now available through your browser's extension store.

    Firefox: https://addons.mozilla.org/addon/boardsie-enhancement-suite/

    Chrome/Edge/Opera: https://chromewebstore.google.com/detail/boardsie-enhancement-suit/bbgnmnfagihoohjkofdnofcfmkpdmmce



  • Options
    #9
    anvilfour
    Closed Accounts Posts: 720 ✭✭✭anvilfour


    28064212 wrote: »
    No. A BadUSB attack can essentially act as a pre-programmed keyboard. Imagine Eve comes along with a keyboard, plugs it in to your machine while you're logged on, and starts typing. How would you prevent them from executing commands?


    That assumes that the USB key can't get near the BIOS/bootloader, which would be a mistake

    Think I prefer my chances with the Live CD.. I'm lucky enough to keep my /boot partition on a separate USB as mentioned in separate thread.. it was damned difficult to do this though! :)


  • Options
    #10
    _Tombstone_
    Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    Does plugging in a phone and using it's memory card carry the same risks?


  • Options
    #11
    BoB_BoT
    Registered Users Posts: 1,835 ✭✭✭BoB_BoT


    _Tombstone_ wrote: »
    Does plugging in a phone and using it's memory card carry the same risks?

    Yup, very little difference.


  • Advertisement
  • Options
    #12
    sheesh
    Registered Users Posts: 4,080 ✭✭✭sheesh


    wasn't there talk of using a usb device to change the firmware of the usb port its self as it is not scanned by antivirus and from there compromising the system.

    or did one of you already say that?


  • Options
    #13
    _Tombstone_
    Closed Accounts Posts: 3,006 ✭✭✭_Tombstone_


    It'd be priceless if this came back to bite this w@nker at some stage in the future.

    https://www.youtube.com/watch?v=_TidRpVWXBE


    http://www.net-security.org/secworld.php?id=18983


  • Options
    #14
    dbit
    Closed Accounts Posts: 1,322 ✭✭✭dbit


    Kiosk styled OS as per the lads above no write possible , VM with direct map of the hardware interrupt to the VM only (Still dodgy for hiddne payloads and nesting machine) . Personlly i would never ever pick one up , Even if in the car park id probably stomp it to bits just to preserve the silly types passing after me .


  • Options
    #15
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    Cheap and effective USB write blocker.


  • Options
    #16
    anvilfour
    Closed Accounts Posts: 720 ✭✭✭anvilfour


    syklops wrote: »
    Cheap and effective USB write blocker.

    A USB Condom! How novel! :-D


  • Options
    #17
    ejabrod
    Closed Accounts Posts: 483 ✭✭ejabrod


    How about swapping out your HDD with a drive you can afford to loose and then interrogate the contents to determine the risk?


  • Options
    #18
    syklops
    Closed Accounts Posts: 18,969 ✭✭✭✭syklops


    ejabrod wrote: »
    How about swapping out your HDD with a drive you can afford to loose and then interrogate the contents to determine the risk?

    What if there is malware on the USB stick which can infect the firmware of your graphics card or BIOS? You put your regular HDD back in, and that gets infected too.


  • Options
    #19
    dbit
    Closed Accounts Posts: 1,322 ✭✭✭dbit


    syklops wrote: »
    What if there is malware on the USB stick which can infect the firmware of your graphics card or BIOS? You put your regular HDD back in, and that gets infected too.

    Beat me to it ...... Gotta get a rubber ducky !!


  • Options
    #20
    Capt'n Midnight
    Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,813 Mod ✭✭✭✭Capt'n Midnight


    as others have pointed out the worst cases

    someone has wired a USB ioniser to send a couple of hundred volts back into the data pins and you need a new motherboard.

    or the USB key has a firmware patch for the USB chip on the motherboard. Since this happens at a hardware level it's happened before software is even aware of the key. Note Windows will automatically install a HUD , human interface device, without asking for permission. Attacker can now emulate a keyboard/mouse.


    A lot of systems will boot from a USB key so if you leave the key in on a reboot you are also asking for trouble.


    One sneaky project had a usb key with a light sensor. So while the lights were on it pretended to be plain vanilla USB key. But once the lights went out ...


    How paranoid do you want to be ?


Advertisement