23

I work at an embedded software company. This morning I found a USB stick in the parking lot in front of the building. With all the stories of "dropped USB stick attacks" in mind, I'm obviously not going to just plug it into my laptop. OTOH, I'm curious to know whether this was actually an attempt to compromise our systems, or it's really just an innocent case of somebody accidentally losing a USB stick. How do I safely inspect the USB stick without risking exposure?

I'm worried not just about malware and crafted file system images; there's also stuff like power surge attacks:
'USB Killer 2.0' Shows That Most USB-Enabled Devices Are Vulnerable To Power Surge Attacks.

EDIT: Many of the answers seem to assume I want to keep the drive and use it afterwards. I have no interest in that at all, I know USB sticks are cheap, and that it wouldn't be mine to keep anyway. I only want to know whether this was indeed a semi-targeted attack, partly out of curiosity whether this actually happens in real life and not just in security papers, but also so that I could warn my coworkers.

I want to know how I would figure out whether the stick contains malware. And that's not just a matter of looking at the drive contents and seeing a suspicious autorun.inf or a carefully crafted corrupt file system - I very much also want a way to inspect the firmware. I sort of expected that there were tools for extracting that and comparing to known-good or known-bad binaries.

8

7 Answers

15

TENS

A good security distribution for testing suspicious USB flash drives that you found in the parking lot is Trusted End Node Security (TENS), previously called Lightweight Portable Security (LPS), a Linux security distribution that runs entirely from RAM when it is booted from a bootable USB flash drive. TENS Public turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer hard drive.

In addition to the security feature TENS has another useful purpose. Because it runs entirely from RAM, TENS can boot on almost any hardware. This makes it useful for testing the USB port of a computer that is unable to boot most other live bootable USB ISO images.

(image: TENS)


USBGuard

If you are using Linux, the USBGuard software framework helps to protect your computer against rogue USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce the user-defined policy, it uses the USB device authorization feature implemented in the Linux kernel since 2007.

By default, USBGuard blocks all newly connected devices and devices connected before daemon startup are left as is.

A quick way to start using USBGuard to protect your system from USB attacks is to first generate a policy for your system. Then, start the usbguard-daemon with the command sudo systemctl start usbguard.service. You can use the usbguard command-line interface command and its generate-policy subcommand (usbguard generate-policy) to generate an initial policy for your system instead of writing one from scratch. The tool generates an allow policy for all devices currently connected to your system at the moment of execution.[1]

Features

  • Rule language for writing USB device authorization policies

    The target of a rule specifies whether the device will be authorized for use or not. Three types of target are recognized:

    • allow - authorize the device
    • block - deauthorize the device
    • reject - remove the device from the system
  • Daemon component with an IPC interface for dynamic interaction and policy enforcement

  • Command line and GUI interface to interact with a running USBGuard instance
  • C++ API for interacting with the daemon component implemented in a shared library

[1] Revised from: Built-in protection against USB security attacks with USBGuard

Installation

USBGuard is installed by default in RHEL 7.

To install USBGuard in Ubuntu 17.04 and later, open the terminal and type:

sudo apt install usbguard  

To install USBGuard in Fedora 25 and later, open the terminal and type:

sudo dnf install usbguard   

To install USBGuard in CentOS 7 and later, open the terminal and type:

sudo yum install usbguard  

Compiling USBGuard from source requires the installation of several other packages as dependencies.

2
  • 4
    I miss information about power surges destroying any USB port. I would thus advise the use of a disposable USB hub
    – LPChip
    Commented May 5, 2017 at 11:03
  • 1
    Important to note that if your bootable USB stick can mount your real disk, a malicious USB stick might be able to exploit it to mount/encrypt/ransom/etc. If you're going to do this, use a throwaway computer without another disk in. Ideally via a powered USB hub. In a Faraday cage.
    – Oli
    Commented Jun 29, 2017 at 12:39
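To make the rule language described in this answer concrete, here is a sample rules.conf written as an added example; it is not from the answer or from the USBGuard project documentation. Device IDs, names and hash strings are constructed placeholders; a real policy takes them from `usbguard generate-policy` or `usbguard list-devices`. It assumes the daemon's implicit policy target is left at its default (`block`), so anything that matches no rule stays blocked.

```conf
# Added example of /etc/usbguard/rules.conf (not the answer's or the
# USBGuard project's own file). Rules are evaluated top to bottom and the
# first matching rule's target is applied; a device matching no rule falls
# through to the daemon's ImplicitPolicyTarget, which is "block" by default.

# Trusted peripherals that were attached when the policy was generated.
# IDs, names and hashes here are constructed placeholders.
allow id 1234:0001 name "Office Keyboard" hash "PLACEHOLDER_HASH_KEYBOARD" with-interface { 03:01:01 03:00:00 }
allow id 1234:0002 name "Office Mouse" hash "PLACEHOLDER_HASH_MOUSE" with-interface 03:01:02

# A "flash drive" that also announces a keyboard (HID) interface is the
# rubber-duck pattern: reject it so it is removed rather than merely blocked.
reject with-interface all-of { 08:*:* 03:00:* }

# Plain mass-storage devices are left blocked (not rejected). On an isolated
# test machine an analyst can list them with `usbguard list-devices -b` and
# authorize a specific one on purpose with `usbguard allow-device <id>`.
block with-interface one-of { 08:*:* }
```

The ordering matters: the `reject` rule for the storage-plus-HID combination sits before the general `block` rule for storage, otherwise the broader rule would match first and the device would only be blocked. After editing the file, restart the daemon (`sudo systemctl restart usbguard.service`) so the new policy is loaded.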
13

If you didn't want to use it but are curious - I'd actually start by cracking open the case (very carefully) and taking a look at the chips inside.

I know. This sounds crazy, but the presence of an identifiable controller and flash chip would make it more likely it's an actual USB drive rather than something like a USB rubber duck or a USB killer.

Then do what everyone else suggests and test it on a disposable install, run a few bootable virus scanners as well, then if you're sure it's safe, wipe it.

5
  • 2
    If there's a bunch of large ceramic capacitors, it's likely a USB killer. If there are no large capacitors, it's a safe bet that it won't physically damage the computer
    – Blaine
    Commented May 5, 2017 at 11:24
  • If the purpose of investigating the found drive is to identify the owner, cracking open the case wouldn't be a very desirable approach. Even if you keep it, you've got a flash drive with a busted case.
    – fixer1234
    Commented May 6, 2017 at 17:56
  • And if the purpose of investigating the found drive is to identify the owner, "wipe it" does not belong in the answer — except, perhaps, after you've done a due diligence inspection of the contents of the drive, and then waited a week to see whether anybody has reported it lost. Commented May 6, 2017 at 18:03
  • true. It could have gotten "run over by a car" and I was assuming a clear risk of someone doing it on purpose.
    – Journeyman Geek
    Commented May 7, 2017 at 7:06
  • Cracking open the case and determining the USB controller and flash model is always the first thing I'd do to an unfamiliar USB stick. If you want to keep the case intact you can try determining its brand then search online for a USB flash drive with the same appearance. If it's found then there's a good chance it's also the same drive.
    – iBug
    Commented Dec 20, 2017 at 14:39
5

Don't. Throw them in the garbage, or the Lost/Found with a timestamp. USB sticks are cheap, much cheaper than the time spent cleaning up from malware or physical sabotage. There are USB sticks out there which will store up charge in capacitors, and suddenly discharge into your PC, ruining it.

1
  • 8
    Sure, unused USB sticks are cheap, but what if it has the scripts for Star Wars VIII and IX on it? Commented May 6, 2017 at 18:06
5

The question has been clarified to describe the objective as investigating the USB drive rather than simply identifying the owner or repurposing it. This is an extremely broad question, but I'll try to cover it in a general way.

What could the issues be?

  • A "killer USB". Present designs of this genre pump high voltage through the USB port to fry your computer.
  • Custom electronics hiding in a flash drive package. This could do anything the designer can invent. A common present design is the rubber duck, which simulates a keyboard to inject anything you could do from the keyboard.
  • A flash drive with modified firmware. Again, limited only by the designer's imagination.
  • A flash drive infected with malware. This could be virtually any variety of malware.
  • A flash drive intended to entrap someone. This would be the kind of thing used by an intelligence service, law enforcement, an investigator, or as protection on sensitive contents. Accessing the drive would trigger some form of alert.
  • A flash drive containing material that could land you in trouble for possessing it, such as classified information, stolen information, child pornography, etc.
  • People with ill-intent will always come up with new ways to do nasty things, so we probably cannot know every kind of hazard contained in a USB package.

Investigating the drive

Preparation

Given the range of possibilities, it is difficult to fully protect yourself to investigate the drive.

  • Start with authorization to possess and inspect any potential contents. This is easier if you work for the intelligence community, law enforcement, or have some form of legal order or license. Short of that, establish a paper trail in advance proving that it is in your hands by innocent means. If the contents belong to foreign agents acting illegally or organized crime, your paper trail may not provide much protection. :-)
  • Work isolated from the Internet. If you want to protect against the possibility of an embedded radio transmitter, work inside a Faraday cage.
  • Protect your own hardware from a killer USB.
    • Open the case and inspect the guts as Journeyman Geek describes. This would also identify custom electronics in a flash drive case.
    • Electrically isolate the drive. You can use an optically isolated USB hub, but you could spend more on that than a disposable computer. As suggested in my other answer, you could daisy-chain several cheap USB hubs connected to a trashable computer.
  • Protect your system from low level attack. I'm not sure there's a way to protect against something like having your firmware altered, other than to use a spare, cheap computer that you don't mind either restoring or trashing.
  • Protect your system from malware. This is described in various answers, including linked threads, using techniques such as a live Linux session or VM to work isolated from your own OS, software, and files, disabling autorun, etc.

Investigation

  • If the package contains something other than flash drive electronics, opening the case is the only way to see what it is. You can't query its USB interface to ask what model killer USB it is.
  • If the drive contains malware, that would be identified by running anti-malware scans using several reputable programs that employ different methodologies.
  • Investigating the contents would be done with the normal tools used for looking at contents. This might include a little detective work, like unhiding things or looking for disguised things. Contents could be encrypted or otherwise protected, which is a different discussion.
  • Modified firmware would be extremely difficult to investigate. You would need the tools to access the firmware code, plus the normal code to compare it to (which is likely to be proprietary). If you had an identical, known good drive and the tools to access the firmware code, that would be a source for comparison, but that code will vary between vendors and potentially even versions of the same product. If the flash drive actually is a destructive plant, you would have to reverse engineer the firmware to figure out what it's doing.
3

This thread is linked with I found two usb sticks on the ground. Now what?. The other thread includes some non-technical considerations such as innaM's answer, which suggests that the contents are none of your business and you should simply turn it in for return to the owner, and Mike Chess's answer, which mentions that the drive could contain government secrets, terrorist documents, data used in identity theft, child pornography, etc., which could land you in trouble for having it in your possession.

Other answers on both threads address how to protect yourself from malware while exploring the contents, but those answers won't protect you from a "killer USB", a key point posed in this question. I won't rehash what's covered in other answers, but suffice it to say that all of the advice about protecting yourself from malware (including rubber ducks, which inject keystrokes), applies.

Value and Brand Name

But I would start with Christopher Hostage's point about flash drives being too cheap to be worth the bother and risk. If the drive is unclaimed by the owner, and after considering all of the warnings, you decide that you just have to try to make it safe and usable, start by considering the value of the drive. If it is a low capacity, standard speed, no name drive of unknown age, you could replace it with a new one for a few dollars. You don't know the remaining life on the drive. Even if you restore it to "fresh" condition, can you trust its reliability or remaining service life?

Which brings us to the case of an unclaimed drive that's officially yours, and:

  • it is a high capacity, high speed, brand name drive of recognized reliability and performance,
  • appears to be in new condition, perhaps a recently released product so you know it can't be very old.

One point of these criteria is that the drive could actually be worth more than a trivial amount. But my recommendation would be not to mess with anything else for a second reason. As Journeyman Geek points out in a comment, rubber ducks and USB killers come in common-looking packages. The brand name packaging is hard to counterfeit without expensive equipment, and tampering with a brand name package in an undetectable way is difficult. So limiting yourself to familiar, brand name drives offers a little protection in itself.

Safe Connection

The first question is how can you physically connect it to your system safely if it could be a killer USB, and that's what I'll focus on.

Drive Inspection

  • The first clue is the drive, itself. There are miniature styles that are basically the USB connector plus just enough plastic to have something to grab to get it in and out. That style is likely to be safe, especially if the plastic has the brand name on it.

(image: miniature USB drive, little more than the connector)

  • Flip style drives are popular for rubber ducks, so be particularly careful with them.

(image: flip-style USB drive)

  • If it is a standard size thumb drive large enough to hold killer hardware, inspect the case for signs that it is a counterfeit or has been tampered with. If it is the original, brand-labeled case, it will be difficult to tamper with it without leaving signs that would be visible with magnification.

Electrical isolation

  • The next step would be to isolate the drive from your system. Use a cheap USB hub that you are willing to sacrifice for the potential value of the thumb drive. Even better, daisy chain several hubs. The hub(s) will provide some degree of electrical isolation that might protect your very expensive computer from the "must have", free killer USB drive.

    Warning: I have not tested this and have no way of knowing the degree of safety this would provide. But if you are going to risk your system, it might minimize damage to it.

As LPChip suggests in a comment on the question, the only "safe" way to test it is using a system you consider disposable. Even then, consider that almost any working computer has the potential to be useful. An ancient, under-powered computer can be loaded with a lightweight, memory-resident Linux distro and provide some amazing performance for routine tasks. Unless you are retrieving a computer from the trash for the purpose of testing the flash drive, weigh the value of a working computer against the value of the unknown drive.

2
  • USB rubber ducks and those USB killers look a LOT like the flip styles that are super common
    – Journeyman Geek
    Commented May 7, 2017 at 7:05
  • @JourneymanGeek, right. The rubber ducks I lumped with malware and didn't address that. The issue of package style relates to not messing with it unless it is known brand-name packaging. It would be tough for a backroom hacker to duplicate the brand name package or tamper with one. I'll make that more explicit.
    – fixer1234
    Commented May 7, 2017 at 7:17
2

There are various approaches, but if that stick has firmware embedded malware it really is quite dangerous.

One approach might be to download one of the many LiveCD Linux distros, unplug any hard-drives and network connections, and then have a look.

I think though I would recommend getting an old laptop out of the cupboard, plugging it into that and then afterwards hitting it with a large hammer.

Best approach - Don't be curious! :)

4
  • 1
    hah. I was going to suggest the scrap pile system option. Though you should be a little more explicit what you want to hit with a hammer.
    – Journeyman Geek
    Commented May 5, 2017 at 11:14
  • 2
    @Journeyman Geek After looking at the contents I would hit EVERYTHING with a hammer. The laptop, the USB stick (twice) and maybe even the desk :) Commented May 5, 2017 at 11:34
  • @Villemoes Was this any use to you? Commented May 6, 2017 at 8:21
  • Yes, I learned there are things like eye wear protection glasses. After I learned how to use a hammer. 😄
    – Markus
    Commented Aug 10, 2023 at 15:34
2

If I really, really wanted to do this, I'd simply buy the cheapest Raspberry Pi clone I could and plug it into that. If it zaps the computer I have not lost much. The OS is unlikely to be infected, and even if it is, so what?

3
  • 1
    Couldn't you just buy a new, known-good flash drive? :-)
    – fixer1234
    Commented May 6, 2017 at 22:32
  • @fixer1234 OP wants to know if this is an attack or not, he isn't interested in using the drive. The only way to find out anything is via inspection.
    – Baldrickk
    Commented Oct 26, 2017 at 15:59
  • @Baldrickk, yeah, the question was clarified after many of the answers and comments were posted.
    – fixer1234
    Commented Oct 26, 2017 at 16:19