1

I have to use a USB stick that introduce itself as a HID device. I'm not sure if it does something fishy behind the scene or not, but I rather to think it's not safe and take the necessary steps to keep my system safe.

My plan was to use it in a live Linux distribution; However, as mentioned here: How to prevent BadUSB attacks on Linux desktop?

Malicious agent re-flashes a device's USB controller chip to do something nasty.

So it doesn't matter if I run it in a live Linux environment, it still is able of infecting the system.

The other option is to use it on a virtual machine, however to do that I have to connect the device to the host and then redirect it to the VM, it still can do whatever it does when I attach it to the system.

So, is there anyway to use it safely?

FooBar
  • 41
  • 4
  • "I have to use a USB stick that introduce itself as a HID device." - does that means you already plugged in to a computer ? Then it's a bit late to worry about the possible damage it could do. That being said, some composite USB devices may advertise several capabilities. As an example a smart phone can advertise itself as mass storage when plugged in to a computer. It can also advertise a CD-ROM with additional drivers from the manufacturer. Now if your stick announces it is also a keyboard or a network card there could be something fishy going on. – Kate Jun 27 '21 at 13:38
  • Yes, I've plugged it into a PC that I don't normally use. I don't really care about that. The stick is some sort of a token, I have to install a program which interacts with the USB, making us able to use some services. The PC I've plugged the key in is not capable of running that software; otherwise I would use that machine in the first place. – FooBar Jun 27 '21 at 14:10
  • An BadUSB device that acts as HID can send keyboard commands but has to so blind without knowing what OS you use. And there is no generic command to infect an system. If you want to make sure use a PC and boot a live Linux system and before disconnect all local drives and disconnect the PC from Internet. – Robert Jun 27 '21 at 20:22

2 Answers2

3

If it's a BadUSB and not the "fry the device" kind of USB device, it's safe to use a live distribution disconnected from the internet.

The hacked firmware have limited access to the computer, cannot detect the OS being used, and cannot infer anything about the computer status. So if you plug it on a computer with the screen locked, the "program" on the USB cannot detect the screen is locked, and usually will send keystrokes that cannot do anything because the screen is locked.

Some devices will create a network card and change routing and DNS information. If the computer you plug it isn't connected to the network, it cannot do anything.

So just start a live Linux distribution, unplug it from the network, lock the screen, and plug it. Wait for a few minutes to see if something is typed, and you can safely inspect it with fdisk or gparted, and see if anything is strange.

ThoriumBR
  • 51,983
  • 13
  • 131
  • 149
  • It is always good to have a separate device. An SBC like raspbery pi is a very good for this type of labs. It runs from the flash drive which you can easily erase. Keeping it of the local network is also a good idea. You can have some reverse tunnel opened to it for the logging to see what is going on. – nethero Jun 28 '21 at 08:02
-4

Are you sure its not in device manager - disk drives?

Installing a bootable Linux on the chip should overwrite everything on the chip. use diskpart on it if you want to see if there are any hidden partitions. Here is a sample of using diskpart before and after i plugged in a usb thumb drive. Hope it helps. just type "exit" to quit diskpart

C:\WINDOWS\system32>diskpart

Microsoft DiskPart version 10.0.19041.964

Copyright (C) Microsoft Corporation.
On computer: pcpcpc

DISKPART> ? - (for help)

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          931 GB      0 B
  Disk 1    Online         7452 GB      0 B        *
  Disk 2    Online         7452 GB      0 B        *
  Disk 3    Online         2794 GB  7168 KB
  Disk 4    Online         7452 GB      0 B        *
  Disk 5    Online         3726 GB      0 B        *
  
  
I plugged in my usb


DISKPART> rescan

Please wait while DiskPart scans your configuration...

DiskPart has finished scanning your configuration.

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          931 GB      0 B
  Disk 1    Online         7452 GB      0 B        *
  Disk 2    Online         7452 GB      0 B        *
  Disk 3    Online         2794 GB  7168 KB
  Disk 4    Online         7452 GB      0 B        *
  Disk 5    Online         3726 GB      0 B        *
  Disk 6    Online           29 GB      0 B


DISKPART> select disk 6

Disk 6 is now the selected disk.

DISKPART> list part

  Partition ###  Type              Size     Offset
  -------------  ----------------  -------  -------
  Partition 1    Primary             29 GB    16 KB
  
DISKPART> select part 1

Partition 1 is now the selected partition.


DISKPART> detail part

Partition 1
Type  : 0C
Hidden: No
Active: No
Offset in Bytes: 16384

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8     D   MULTIPORT    FAT32  Removable     29 GB  Healthy


you can do a 

DISKPART> list vol

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
  Volume 0     E                       DVD-ROM         0 B  No Media
  Volume 1     C   OS           NTFS   Partition    919 GB  Healthy    Boot
  Volume 2         RECOVERY     NTFS   Partition     11 GB  Healthy    Hidden
  Volume 3     Q   Q: Seagate   NTFS   Partition   7451 GB  Healthy
  Volume 4     Y   Y: Seagate   NTFS   Partition   7451 GB  Healthy
  Volume 5     S   3tb Seagate  NTFS   Partition   2794 GB  Healthy
  Volume 6     G   G: DattoCol  NTFS   Partition   7451 GB  Healthy
  Volume 7     F   F: 4tb Seag  NTFS   Partition   3725 GB  Healthy
* Volume 8     D   MULTIPORT    FAT32  Removable     29 GB  Healthy

DISKPART> detail vol

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
* Disk 6    Online           29 GB      0 B

Read-only              : No
Hidden                 : No
No Default Drive Letter: No
Shadow Copy            : No
Offline                : No
BitLocker Encrypted    : No
Installable            : Yes

Volume Capacity        :   29 GB
Volume Free Space      :   21 GB

DISKPART> det disk

SanDisk Ultra USB Device
Disk ID: 00000000
Type   : USB
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : UNAVAILABLE
Current Read-only State : No
Read-only  : No
Boot Disk  : No
Pagefile Disk  : No
Hibernation File Disk  : No
Crashdump Disk  : No
Clustered Disk  : No

  Volume ###  Ltr  Label        Fs     Type        Size     Status     Info
  ----------  ---  -----------  -----  ----------  -------  ---------  --------
* Volume 8     D   MULTIPORT    FAT32  Removable     29 GB  Healthy

DISKPART>exit
John
  • 3
  • 3
  • How does one install Linux "on the chip" to overwrite BadUSB? Partitions do not seem to be relevant. – schroeder Jun 28 '21 at 07:44
  • 1
    How would you write on it without connecting it to the system. – nethero Jun 28 '21 at 07:58
  • 1
    You cannot install anything on it. A BadUSB device have its firmware changed, so it will behave like a keyboard or a network card, and that is written on the firmware and formatting the storage does not change anything on the firmware. – ThoriumBR Jun 28 '21 at 11:51
  • The OP had already plugged in in and was wondering if there was something "fishy" on the chip. The commands would have allowed him to look and see if there were other bootable partitions and manipulate the chip. – John Jul 19 '21 at 17:41