18

Say you find a USB drive on the street and you want to be 100% sure it hasn't been tampered with, neither via software nor by modifying its hardware (adding or modifying components, etc.), so that there is zero risk of malware.

Is fully formatting it enough to be 100% certain no malware remains? If so, is fully formatting it with the standard slow process from within Disk Utility in Tails 3.2 enough to do so?

Assume the highest possible technical ability from the attacker. Not just reasonable or plausible scenarios.

  • 40
    If the scope of your question is to "assume the highest possible technical ability from the attacker" then the answer to your question is simple... how to be 100% certain: don't pick up a random USB drive on the street and insert it into your PC. Other than that there is no such thing as 100% certainty.
    – n8te
    Commented Oct 26, 2017 at 4:25
  • 6
    Throwing it into a fire should be 100% certain.
    – aroth
    Commented Oct 26, 2017 at 10:58
  • 2
    Do you want to 1) clean up the stick to safely use it afterwards, or 2) copy any data off from it safely without triggering any malware or hardware "traps" on it, or 3) just find out if there was indeed something suspicious on it or not? I think the answers to these are at least slightly different. The Q linked by @KamilMaciorowski seems to be about (3).
    – ilkkachu
    Commented Oct 26, 2017 at 11:14
  • 2
    @Mawg While I don't think this question is necessarily off topic for Super User, I do agree that it may be worth migrating it to Information Security.
    – Stevoisiak
    Commented Oct 26, 2017 at 13:11
  • 1
    What makes you so certain it is in fact a USB drive? It's a rectangular piece of plastic with a USB plug on it -- it could be literally anything that uses USB.
    – Tristan
    Commented Oct 26, 2017 at 14:32

4 Answers

30

There is no way to be 100% sure the USB is safe, and that it will not harbour malware even if wiped. (If I were that way inclined, and had the knowledge, a small chip with malware, not active, with a decent size stick with random crap - after X number of power cycles, switch chip).

You should be very wary of plugging any USB key of unknown origin into your system as USB killers are a thing, and will kill your USB port, and possibly system - to get round this you might be able to use a sacrificial USB hub.

Unfortunately most USB sticks are cheap and easy to open - someone with some skill could easily replace the insides of one with no externally visible indications.

  • 1
    elie.net/blog/security/… talks about an attack which makes the USB look like a keyboard - this attack would not be thwarted by wiping the disk as the nasty payload does not present as a disk.
    – davidgo
    Commented Oct 26, 2017 at 5:11
  • 3
    put the untrusted one in a blender and buy a new one from a trusted vendor, it's the only way to be sure. Commented Oct 26, 2017 at 9:39
  • 8
    @ratchetfreak Unless the drive is spiked with anthrax or something and the blending disperses it into your lungs :P 100% certainty is nonsense. If you find a flash disk with something illegal, it doesn't have to contain malware to cause you a great stream of troubles, for example; and formatting wouldn't really delete the data either.
    – Luaan
    Commented Oct 26, 2017 at 10:28
  • you don't need another chip, just reprogram the controller that's in the stick - bunniestudios.com/blog/?p=3554 Commented Oct 26, 2017 at 13:43
  • @davidgo You could see that it's an HID device (keyboard) instead of a MSC device (drive) pretty easily though
    – endolith
    Commented Oct 26, 2017 at 15:11
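Building on endolith's point, this added check (not code from the thread) reads a device's interface classes from the ID_USB_INTERFACES property that udev sets and flags anything a plain drive should not advertise; the interface strings in the comments and tests are constructed samples.

```python
# Classify a USB device by the interfaces it advertises, read from the string
# udev exposes as ID_USB_INTERFACES (":ccsspp:ccsspp:", class/subclass/protocol
# as hex bytes). `udevadm info` prints the property for a connected device.
USB_CLASS_HID = 0x03                  # keyboards, mice: can type into the host
USB_CLASS_MASS_STORAGE = 0x08
USB_CLASS_HUB = 0x09                  # one "stick" that is really several devices
NETWORK_CLASSES = {0x02, 0x0A, 0xE0}  # CDC control/data, wireless controller

def parse_interfaces(prop):
    """Parse ':ccsspp:...' into (class, subclass, protocol) tuples."""
    out = []
    for part in prop.strip(":").split(":"):
        if len(part) != 6:
            raise ValueError(f"malformed interface entry: {part!r}")
        out.append((int(part[0:2], 16), int(part[2:4], 16), int(part[4:6], 16)))
    return out

def assess(prop):
    """Return (verdict, reasons) for a device that is supposed to be a drive.

    Constructed sample: ":080650:" is a bulk-only mass-storage stick and is
    the only shape that comes back as "storage-only".
    """
    classes = {cls for cls, _, _ in parse_interfaces(prop)}
    reasons = []
    if USB_CLASS_HID in classes:
        reasons.append("exposes a HID interface: can inject keystrokes")
    if USB_CLASS_HUB in classes:
        reasons.append("contains a hub: may enumerate more devices later")
    if classes & NETWORK_CLASSES:
        reasons.append("exposes a network or modem interface")
    if USB_CLASS_MASS_STORAGE not in classes:
        reasons.append("no mass-storage interface: this is not a drive")
    return ("suspicious" if reasons else "storage-only"), reasons
```

It only sees what the device chooses to advertise at enumeration, which is why a hub interface is flagged as well: a composite device can bring up further functions after the first one looks harmless.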
9

You assume that it is tainted.

You cannot be betrayed if there never was any trust to be betrayed.

And you will not suffer harm if you assume that harm is what will happen and prepare to meet it.

Remove hard-drives, disconnect from the network, use a bootable drive

If you are hellbent on examining this USB drive and want to avoid malware, you can do so by taking a computer, removing all its hard-drives, unplugging it from all networks (including WiFi) and then boot it up using a bootable USB drive. Now you have a computer that cannot be tainted and that cannot spread the contents of the found USB drive.

By now you can mount the found USB drive and examine its contents. Even if it is tainted, the only thing the malware reaches is an "empty" computer with an OS that you do not care if it gets infected anyway.

Determine your level of paranoia

Do note that even this is not entirely "safe". Assume that this is The Perfect Malware™.

  • If you boot from a writable media (USB stick, writable CD/DVD), then this may become tainted too if it is writable and remains in the computer as you insert the tainted USB drive.

  • Practically all peripherals have some kind of firmware that can be updated. Malware can choose to nest there.

  • You could end up with a corrupted BIOS that compromises the hardware for good even after you have removed the tainted drive and powered down.

So unless you are prepared to throw away all the hardware afterwards, you need to determine how badly you want to examine this found USB stick and what price you are willing to pay to 1) stay safe and 2) take the consequences if things turn out bad.

Adjust your paranoia to reasonable levels according to what risks you are willing to take.

  • 3
    You'd be better off booting from a Live DVD rather than USB stick. Otherwise once you plug in the "suspect" USB you end up with two possibly tainted USB drives. Boot from a read-only media.
    – Mokubai
    Commented Oct 26, 2017 at 8:07
  • 3
    @Mokubai Surely there are live images that allow you to boot up and then remove the medium you booted from?
    – MichaelK
    Commented Oct 26, 2017 at 8:09
  • 12
    Disconnecting the network and all drives is not enough. There is a lot more permanent storage inside your computer, e.g. the EFI NVRAM, the EFI Flash EEPROM, microcontroller Flash EEPROM on your keyboard and your mouse, firmware Flash EEPROM on your graphics card, the CPU's microcode, and so on, and so forth. I don't think malware that patches the CPU microcode is publicly known (which, however, doesn't mean that it doesn't exist), but all the others have at least been demonstrated and some even actively used in attacks. It's not enough to disconnect all drives, you also need to basically … Commented Oct 26, 2017 at 8:27
  • 10
    … throw away the computer afterwards. Commented Oct 26, 2017 at 8:28
  • 1
    @MichaelKarnerfors there may be, but you didn't mention removing the USB you booted from. I agree with Jörg though, there are a lot of other non-volatile storage devices than what you boot from in the computer.
    – Mokubai
    Commented Oct 26, 2017 at 8:39
4

As far as a hardware hack, an absurdly advanced electrical specialist with a specific target could make a logic circuit that checks for you finishing running your cleaning software, then injects something into the host computer and the flash drive. They might even be able to make the drive look somewhat normal internally, to a casual observer. Just remember, theoretically nothing is secure. Security is all based on the effort people put in to hacking you, and the effort you put in to stopping them.

  • 1
    thought for you - security is based around layers of protection, and the time/cost/inconvenience to implement vs break those layers.
    – davidgo
    Commented Oct 26, 2017 at 4:56
  • 7
    You don't need to be an "absurdly advanced electrical specialist" to be able to do that.
    – glglgl
    Commented Oct 26, 2017 at 8:00
1

In security, the answer to any question which contains the phrase "100%" is always a big fat NO.

Simply formatting, overwriting, erasing, or whatever else you can come up with, is not enough. Why? Because in all of these cases, you always have to go through the stick in order to do that. But, if I am an evil USB stick, and you tell me to erase myself … why would I comply? I could simply pretend to be busy for a while and then tell you "I am done", without ever having actually done anything.

So, for example, the stick could simply ignore all write commands. Or, it could perform the write commands on a scratch flash chip, wait for you to verify that the write really did erase everything, then swap in the real flash chip. The USB stick could contain a USB hub and actually be two drives, one of which only gets inserted very briefly while you are erasing the other one (which takes a long time, and thus it stands to reason that you are going to leave your computer and grab a coffee or something like that, so that you have no chance to notice).

Also, the USB drive might not even be a USB drive at all. It could be a USB keyboard which extremely quickly types some commands into your computer. Most operating systems do not verify the identity of attached keyboards. (Yes, this attack does actually exist in the real world.)

Or, it could be a USB 3G modem … and boom, your computer is connected to an open unsecure network again.

It could possibly not even be a USB device. It might be a microphone or a camera, and simply use the USB port for power.

Or, it might not be trying to install malware on your computer, but simply aim to destroy it, e.g. by putting 200V on the data lines.

  • It could also be a USB drive and a camera/microphone/whatever - so that everything would appear to be working fine, no malware on the drive... while all your data is slowly being encrypted :P USB is flexible, and flexibility isn't always a good thing...
    – Luaan
    Commented Oct 26, 2017 at 10:37
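The answer's "pretend to be busy and say I am done" case can be checked, as far as it goes, with a write-then-verify pass. This is an added example, not code from the thread; LyingDevice and HonestDevice are constructed stand-ins for a stick so the logic runs offline, and the seed value is arbitrary.

```python
# Write a pattern that can be regenerated from a seed (so nothing has to be kept in
# memory), then read the whole device back and compare; a stick that acks writes
# but stores nothing fails at offset 0.
import hashlib
import os

def pattern(seed, index, length):
    """Deterministic pseudo-random bytes for chunk `index`, derived from `seed`."""
    blocks, ctr = [], 0
    while ctr * 32 < length:
        msg = seed + index.to_bytes(8, "big") + ctr.to_bytes(8, "big")
        blocks.append(hashlib.sha256(msg).digest())
        ctr += 1
    return b"".join(blocks)[:length]

def write_pass(dev, size, seed, chunk=1 << 20):
    dev.seek(0)
    for i, off in enumerate(range(0, size, chunk)):
        dev.write(pattern(seed, i, min(chunk, size - off)))
    dev.flush()
    if hasattr(dev, "fileno"):
        os.fsync(dev.fileno())  # push buffered data through to the device

def verify_pass(dev, size, seed, chunk=1 << 20):
    """Re-read every chunk; returns (ok, offset of first mismatch or None)."""
    dev.seek(0)
    for i, off in enumerate(range(0, size, chunk)):
        n = min(chunk, size - off)
        if dev.read(n) != pattern(seed, i, n):
            return False, off
    return True, None

class LyingDevice:
    """Constructed stand-in for a stick that reports success and discards writes."""
    def __init__(self, size):
        self.buf, self.pos = bytes(size), 0
    def seek(self, off, whence=0): self.pos = off
    def write(self, data):
        self.pos += len(data)  # ack the write, store nothing
        return len(data)
    def read(self, n):
        out = self.buf[self.pos:self.pos + n]
        self.pos += len(out)
        return out
    def flush(self): pass

class HonestDevice(LyingDevice):
    """Same interface, but actually keeps what was written."""
    def write(self, data):
        self.buf = self.buf[:self.pos] + data + self.buf[self.pos + len(data):]
        return super().write(data)
```

On a real block device, run the verify pass only after unplugging and re-inserting the stick, so the kernel's page cache cannot answer in the device's place; as the answer goes on to say, a stick that swaps in a second flash chip after verification still defeats this.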
