18

Say you find a USB drive on the street and you want to be 100% sure it hasn't been tampered with, neither via software nor by modifying its hardware (adding or modifying components, etc.), so that there is zero risk of malware.

Is fully formatting it enough to be 100% certain no malware remains? If so, is fully formatting it with the standard slow process from within Disk Utility in Tails 3.2 enough to do so?

Assume the highest possible technical ability from the attacker. Not just reasonable or plausible scenarios.

Norbert
  • 291

4 Answers

30

There is no way to be 100% sure the USB is safe, and that it will not harbour malware even if wiped. (If I were that way inclined, and had the knowledge, a small chip with malware, not active, with a decent size stick with random crap - after X number of power cycles, switch chip).

You should be very wary of plugging any USB key of unknown origin into your system as USB killers are a thing, and will kill your USB port, and possibly system - to get round this you might be able to use a sacrificial USB hub.

Unfortunately most USB sticks are cheap and easy to open - someone with some skill could easily replace the insides of one with no externally visible indications.

davidgo
  • 73,366
9

You assume that it is tainted.

You cannot be betrayed if there never was any trust to be betrayed.

And you will not suffer harm if you assume that harm is what will happen and prepare to meet it.

Remove hard-drives, disconnect from the network, use a bootable drive

If you are hellbent on examining this USB drive and want to avoid malware, you can do so by taking a computer, removing all its hard-drives, unplugging it from all networks (including WiFi) and then boot it up using a bootable USB drive. Now you have a computer that cannot be tainted and that cannot spread the contents of the found USB drive.

Now you can mount the found USB drive and examine its contents. Even if it is tainted, the only thing the malware reaches is an "empty" computer with an OS that you do not care about if it gets infected anyway.

Determine your level of paranoia

Do note that even this is not entirely "safe". Assume that this is The Perfect Malware™.

  • If you boot from writable media (USB stick, writable CD/DVD), then this may become tainted too if it is writable and remains in the computer as you insert the tainted USB drive.

  • Practically all peripherals have some kind of firmware that can be updated. Malware can choose to nest there.

  • You could end up with a corrupted BIOS that compromises the hardware for good even after you have removed the tainted drive and powered down.

So unless you are prepared to throw away all the hardware afterwards, you need to determine how badly you want to examine this found USB stick and what price you are willing to pay to 1) stay safe and 2) take the consequences if things turn out bad.

Adjust your paranoia to reasonable levels according to what risks you are willing to take.

MichaelK
  • 199
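The examination procedure above mounts the found drive on a disposable machine but still lets the kernel accept whatever device classes the stick announces. As an added example (not part of this answer, and not a USBGuard project file), the following shell function emits a USBGuard policy for such an examination box: only devices that present nothing but mass-storage interfaces are authorized, and a "flash disk" that also claims to be a keyboard, network or wireless interface is rejected before the kernel binds a driver to it. The rule syntax follows usbguard-rules(5); the root-hub vendor id is the standard Linux Foundation id, and everything else is assumed to be blocked by the daemon's implicit policy.

```shell
#!/bin/sh
# Added example: generate a USBGuard rules file for an isolated examination
# machine. Nothing here is the answer's own code. USBGuard evaluates these
# rules when a device is enumerated, before it is authorized in sysfs.

# Print the policy to stdout so it can be reviewed and then installed as
# /etc/usbguard/rules.conf (usbguard-rules(5) syntax).
usbguard_rules() {
    cat <<'EOF'
# Always allow the host's own root hubs (vendor 1d6b = Linux Foundation,
# hub interface class 09).
allow id 1d6b:* with-interface equals { 09:00:00 }

# Allow a device that presents mass-storage interfaces and nothing else.
allow with-interface equals { 08:*:* }

# Reject a "flash disk" that additionally presents an HID (keyboard) interface.
reject with-interface all-of { 08:*:* 03:00:* }
reject with-interface all-of { 08:*:* 03:01:* }

# Reject one that additionally presents a communications (modem/network)
# or wireless-controller interface.
reject with-interface all-of { 08:*:* 02:*:* }
reject with-interface all-of { 08:*:* e0:*:* }

# Everything else (audio, video, serial, vendor-specific) falls through to
# the daemon's implicit policy; set ImplicitPolicyTarget=block in
# /etc/usbguard/usbguard-daemon.conf so that it is blocked rather than allowed.
EOF
}

# Count how many explicit reject rules the policy carries (handy for a
# quick sanity check before installing it).
usbguard_reject_count() {
    usbguard_rules | grep -c '^reject'
}
```

Usage on the examination machine: `usbguard_rules > /etc/usbguard/rules.conf`, then restart the usbguard daemon and inspect `usbguard list-devices` after plugging the stick in; a device that matched a reject rule shows up as rejected rather than as a mounted disk. This only constrains what the host accepts; it does nothing against the firmware, BIOS or USB-killer cases the answer lists.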
4

As far as a hardware hack goes, an absurdly advanced electrical specialist with a specific target could make a logic circuit that checks for you finishing running your cleaning software, then injects something into the host computer and the flash drive. They might even be able to make the drive look somewhat normal internally, to a casual observer. Just remember, theoretically nothing is secure. Security is all based on the effort people put in to hacking you, and the effort you put in to stopping them.

1

In security, the answer to any question which contains the phrase "100%" is always a big fat NO.

Simply formatting, overwriting, erasing, or whatever else you can come up with, is not enough. Why? Because in all of these cases, you always have to go through the stick in order to do that. But, if I am an evil USB stick, and you tell me to erase myself … why would I comply? I could simply pretend to be busy for a while and then tell you "I am done", without ever having actually done anything.

So, for example, the stick could simply ignore all write commands. Or, it could perform the write commands on a scratch flash chip, wait for you to verify that the write really did erase everything, then swap in the real flash chip. The USB stick could contain a USB hub and actually be two drives, one of which only gets inserted very briefly while you are erasing the other one (which takes a long time, and thus it stands to reason that you are going to leave your computer and grab a coffee or something like that, so that you have no chance to notice).

Also, the USB drive might not even be a USB drive at all. It could be a USB keyboard which extremely quickly types some commands into your computer. Most operating systems do not verify the identity of attached keyboards. (Yes, this attack does actually exist in the real world.)

Or, it could be a USB 3G modem … and boom, your computer is connected to an open insecure network again.

It could possibly not even be a USB device. It might be a microphone or a camera, and simply use the USB port for power.

Or, it might not be trying to install malware on your computer, but simply aim to destroy it, e.g. by putting 200V on the data lines.
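The answer's point about a stick that "pretends to be busy" is the reason a wipe should be verified by reading the data back rather than trusting the completion status. As an added example (not code from this answer or from any tool it mentions), the shell function below writes a random pattern over a device, reads it back with the page cache bypassed, and compares byte for byte, so a controller that silently drops or ignores writes fails the check. The caveat the answer gives still applies: a controller that performs the writes on a scratch chip and swaps in the real flash afterwards, or a second hidden drive behind an internal hub, passes this check and is not detected by it. The device path is the caller's choice; GNU dd, cmp and blockdev are assumed, and the test below runs against an ordinary temporary file standing in for the device.

```shell
#!/bin/sh
# Added example: overwrite-and-read-back verification of a wipe.
# Not the answer's own code. Run it only on a sacrificial, offline machine,
# against a device path you have double-checked (it destroys the contents).
set -u

# Write PATTERN to DEV and read the same span back into READBACK.
# O_DIRECT is used only for real block devices, so the comparison does not
# come from the host's page cache; regular files (used when testing on a
# temporary file) may sit on a filesystem without O_DIRECT support.
write_then_read() {
    dev=$1; mb=$2; pattern=$3; readback=$4
    if [ -b "$dev" ]; then
        dd if="$pattern" of="$dev" bs=1M count="$mb" oflag=direct conv=fsync status=none &&
        dd if="$dev" of="$readback" bs=1M count="$mb" iflag=direct status=none
    else
        dd if="$pattern" of="$dev" bs=1M count="$mb" conv=notrunc,fsync status=none &&
        dd if="$dev" of="$readback" bs=1M count="$mb" status=none
    fi
}

# verify_wipe DEV MEGABYTES
# Exit status: 0 = read-back matches what was written,
#              1 = mismatch (the device did not store what we wrote),
#              2 = the write or read itself failed.
verify_wipe() {
    dev=$1; mb=$2
    pattern=$(mktemp) || return 2
    readback=$(mktemp) || return 2
    rc=2
    # A fresh random pattern, so a device replaying an earlier wipe's
    # contents cannot pass by accident.
    if dd if=/dev/urandom of="$pattern" bs=1M count="$mb" status=none &&
       write_then_read "$dev" "$mb" "$pattern" "$readback"; then
        if cmp -s "$pattern" "$readback"; then rc=0; else rc=1; fi
    fi
    rm -f "$pattern" "$readback"
    return "$rc"
}

# Whole size of a block device in MiB, for covering the entire device
# (requires root for the ioctl behind blockdev).
device_mib() {
    bytes=$(blockdev --getsize64 "$1") || return 1
    echo $((bytes / 1048576))
}
```

Typical use on the examination box is `verify_wipe /dev/sdX "$(device_mib /dev/sdX)"` (the path is a placeholder for the stick), with a non-zero exit status meaning the stick did not faithfully store the pattern. Because the random pattern is generated for each run, repeating the check after a power cycle also catches a controller that restores old contents on the next plug-in, which is the one delayed behaviour this simple check can observe.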