28

Since, recently, it has been proven that transferring data through the usb port is fundamentally flawed, I'm wondering if there are 100% secure ways to transfer data without using the Internet.

Suppose Alan has a computer system that has been offline for all of it's life. Alan wants to import some data from Bob. Can Alan do this and remain disconnected from the outside world?

My thoughts were, either Alan has to have complete control over the data being transferred (i.e. Alan knows 100% what he is importing), or Alan must know exactly (and I mean it) how data is being handled by his computer system. That is because, Alan might already have malware installed on his computer system, and this malware might use pieces of data from the data being transferred that might provide the communication between Alan's computer system and the outside world without actually installing any malware in the process of the transfer.

Edit:

Instead of "Alan wants to import some data from Bob", I should have written that Alan and Bob want to communicate bidirectionally while neither of them would be connected to the Internet during their communication.

When I wrote "security", I meant securing that Alan does not leak any data other than the data he intends to send. So, even if the data gets modified when it gets to Bob, and as long as the bits of data that were modified are not copied from Alan's system, it would qualify as 100% secure, for this type of security. Also, Bob is a regular user of the Internet for life with the possibility of going offline for some period of time (i.e. during the data transfer between the two).

When I wrote "Alan has to have complete control over the data being transferred", I meant that Alan has to have a way of checking bit by bit the information that is in transit, and in some way understand it precisely.

Just to be more explicit, Bob can have malware on his computer as well.

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
  • Comments are not for extended discussion; this conversation has been [moved to chat](http://chat.stackexchange.com/rooms/33774/discussion-on-question-by-shooting-squirrel-is-there-a-secure-way-to-transfer-da). – Rory Alsop Jan 03 '16 at 14:10
  • 1
    To understand where is the **weakest point** of your targeted operation to secure, could you specify which **operating systems** are running Alan and Bob? ---- From a blind analysis, Internet here is not a serious component of your problem. ---- It might even be an XY problem. – dan Jan 05 '16 at 07:36

12 Answers12

26

It really depends upon the specific threats you may be facing, the direction of your data transfers, etc.

USB specific dangers

You mention the dangers of USB. The main one is indeed related to its firmware opening the possibility of a BadUSB type attack. When you need to transfer data in both directions, you may therefore prefer to use SD-Cards which are not sensitive to such threats (if you use an external USB SD-Card reader, it should be safe but dedicate it to a single computer, don't share it!).

I insist here that I'm mentioning SD-Cards as a viable solution against USB firmware attacks only. In such attacks, a USB flash drive firmware may be corrupted in order to simulate rogue devices (fake keyboard, network card, etc.), such attacks are not possible with SD-Cards. I think this is the reason why we see Edward Snowden relying on SD-Cards in Laura Poitras' Citizenfour film when exchanging files between his own computer and the reporter's ones.

SD-Cards are also equipped with a read-only switch. While such switches are very convenient to prevent accidental modification of the card's content, they cannot be relied upon to prevent malicious modifications since read-only access is not enforced by the card itself but delegated to the computer's operating system.

Enforce a one-way communication

You talk about a possible leak of information by some malware on Alan's computer storing data in some hidden channel. If your transfers are mostly in one direction only and this is your main threat, then I suggest you use read-only media like CDs or DVDs. I don't know if there are still CD/DVD readers on the market, it would be the best since it would physically remove all possibility for Alan's PC to store any data on them, but even without that it would be by far harder to store any data discretely on such disk.

With some digging, you may also find some other alternatives, for instance in the thread how to protect my USB stick from Viruses you will see a discussion pertaining to USB sticks containing a write blocking switch (which works in a more secure way than the SD-Card's equivalent), the use of write blockers which are equipment normally designed for forensic purposes, etc.

Long distance communication

Implemented as-is, the solutions provided above suppose that Alan and Bob are in direct contact, which may not always be true. However, data transfers outside of any computer networks remains possible even on long distance, mostly by using usual postal mails, aka snail mail.

This method may be wrongly perceived as insecure by some people, while when used correctly it can actually present a very high security level. Such method is used by the industry when it is required to move a very large amount of data securely. Amazon provides his Amazon snowball service for such operation, Wikipedia's page about sneakernet also lists some other real-life usage examples, including funny experiments inspired from an April Fool's day RFC using carrier pigeon to carry the storage medium.

In our current scenario, Alan and Bob will need to take a few precautions to ensure everything goes fine:

  • Alice and Bob will need to exchange their public keys. This may sound simple, but in the concrete world Alan and Bob may have no possibility to meet even once, may not know each other and may have no common trusted third party to vouch for each other's identity or provide escrow service. However, the whole security of this system relies on the fact that this operation must be done successfully. Fortunately, asymmetric encryption greatly helps, since the leak of these keys will have no deep impact, but it will be of no help against an impersonation or tampering occurring at this step.

  • The chosen data exchange medium may have some importance since each may present different characteristics:

    • Firmware based storage devices are the most frequent nowadays, ranging from the hard disks with higher data volume to micro SD cards which can be very easily concealed. One may prefer to buy it from some physical store to avoid any initial tampering, but as we will see later the device will in all case be not trustable anymore once the first shipment occurred.

    • Non-firmware based device present obviously no firmware related issue, but depending on the exact needs of Alan and Bob they may present other issues in particular pertaining to anonymity: burned disks and printed paper for instance may contain unique identifiers allowing to link them to their author (such identifier does not allow the author location though, but once his equipment has been seized they can be used to prove that this equipment produced them).

  • Of course the data will need to be properly encrypted and signed before being stored on the medium. I would tend to prefer an encrypted file which can be more easily manipulated than an using directly an encrypted partition on the medium.

  • I strongly suggest for the data to be properly backed up before being sent. While such transfer is secure in the way that a potential opponent will not be able to access or tamper with the data even if he manages to intercept it, the data may still get lost or disappear (it can be the result of either a voluntary or involuntary action: it happens that parcels get lost or seized without any intervention from Big Brother, Murphy is very good at that too!).

  • Methods to obfuscate the actual sender and recipient (from PO boxes to more advanced stuff), when combined with concealment of the storage device, can help to avoid interception.

  • At least on the recipient side, I strongly advise to not connect the received storage device directly to the main computer, but instead:

    1. Connect the received media to a specially hardened minimal system (aka a sheep dip, the host itself may have no hard-disk and boot from a LiveCD) where you will be able to quickly inspect media content and the encrypted file (do not decrypt it on this host!),

    2. You may possibly want to copy the encrypted file to a more trusted support (here one case where using an encrypted file instead of an encrypted partition can be useful). Moving the encrypted file to another support may be especially useful if using a firmware base storage device since, once it went through the postal service, you cannot guaranty the firmware integrity anymore (while the encrypted data is signed, there is no signature you can check for the rest of the storage device).

    3. Then you can connect this most trusted support on your main air gaped computer where you will be able to safely decrypt it, making this step the end of the story :).

WhiteWinterWolf
  • 19,142
  • 4
  • 59
  • 107
  • 15
    Newegg shows several internal CD/DVD ROM only drives for <$20. They're niche devices, but there is some demand from customers in secure systems for whom the read only status is a feature. Depending on how paranoid you are; you might worry about if they're actually RW devices that just had the write part disabled in firmware. – Dan Is Fiddling By Firelight Jan 01 '16 at 21:06
  • 3
    @underscore_d Dan's statement was that *read only* optical disk drives is a niche product. For most people, the merging of a reader and a writer a single product is a feature, not a bug. It is when you go looking for one that lacks the write feature that you are looking for a niche product. – user Jan 01 '16 at 22:50
  • Ah, whoops... seems reading fails me this evening. :) Good points. To try to get myself on-topic: If the OD has been finalised, is there still a security risk? I guess an errant ODD might be able to somehow write to the disk, _somewhere_, against the spec, but I'm wondering how much use that would be to someone without a hacked-up reader on the other side. It's definitely a potential for data leaks, though. – underscore_d Jan 01 '16 at 23:00
  • Wait, what SD card reader _doesn't_ use USB? – Michael Hampton Jan 02 '16 at 17:55
  • @MichaelHampton: At least the bundled SD-Cards readers which can be found on laptops for instance don't (at least the ones I used have their SD-Card reader directly connected to the PCI bus, so there is no USB). Basically SD-Cards rely on the same technology than USB flash drives, the only difference being that they lack an USB connector, so personally I always was suspicious against USB SD-Cards readers adding these connectors, but I've never read any technical fact on the subject. [This deserves a separate question :)](http://security.stackexchange.com/q/109576/32746). – WhiteWinterWolf Jan 02 '16 at 18:52
  • 2
    Blu-ray read only units are much more common (as writer units are expensive) – user2813274 Jan 03 '16 at 03:30
  • 1
    Completely filling up a CD-R or DVD-R disk makes it essentially impossible to modify the contents of the disk with consumer-grade equipment. – JonathanReez Jan 03 '16 at 12:04
  • 1
    @MichaelHampton: Thank you for your comment. It indeed seems that the protocol change occurring at an USB SD-Card reader make it hard for a SD-Card to be able to tamper with the USB communication without first having to attack the SD-Card reader's firmware. I have therefore softened by advice since it seems that USB Card readers are safe, as long as they are dedicated to a single computer (otherwise they could themselves be target). – WhiteWinterWolf Jan 04 '16 at 10:51
  • @WhiteWinterWolf, they often do, just aren't pluggable without taking the case off (or at least that's what lusub tells me on my machine). – Chris H Jan 04 '16 at 13:08
  • Your "Long distance communication" part is pretty explanative about the perks, risks of and ways to make it safe... Perfect answer. – ave Jan 04 '16 at 20:08
17

It is not reasonable to ever assume data you receive (including your operating system, BTW) from an outside source can be made 100% secure.

The most secure way to transfer something and all-but-guarantee no side-effects (e.g. the OS mounting an external drive) is to type in all the data by hand while you be sure you understand it all. Even then you still have no guarantees.

Fundamentally, the only way to achieve perfect security is to never let your computer do anything with anything.

iAdjunct
  • 1,700
  • 11
  • 15
  • 2
    I'm not sure if you understand my questions, there are many levels of security, and it is widely known now that one form of communication, the one through the Internet, is fundamentally flawed from the point of view of security. What you say in your last statement, you never argue. Do you argue that there is no technology Alan could use so he could do what he wants to do? Why and how? Note, this is a hardware deep level question. – shooting-squirrel Jan 01 '16 at 19:56
  • 6
    @shooting-squirrel You specified in your criteria that the computer can have arbitrary and unknown malware pre-installed onto it. In that case, you must assume that (a) the computer can do anything it likes with it's inputs, and (b) it can do anything it likes with its outputs. As long as you leave it with at least 1 input and at least 1 output (which any computer must have by definition), then you cannot 100% secure it. The communication medium makes no difference (other than to the difficulty posed to the attacker), so your premise about the internet being flawed is wrong. – Jon Bentley Jan 01 '16 at 23:44
  • When I say that the Internet is flawed fundamentally, I meant that there is no guarantee of any type of security of a device connected to the Internet. I added some detail to the question, when I wrote security I meant securing that Alan does not leak any data other than the data he intends to send. So, even if the data gets modified when it gets to Bob, it would qualify as 100% secure, for this type of security. – shooting-squirrel Jan 02 '16 at 05:49
12

It is impossible to achieve what you are asking for. You've specified in your criteria that Alan's computer can be pre-infected with arbitrary and unknown malware. In other words, Alan's computer is free to do anything it likes, using any of the hardware under its control. You've also specified that you want a method which is "100%" secure, and you didn't specify what you mean by secure. Are you concerned with data destruction, theft, tampering, or all of the above? You didn't specify some level of security less than 100% as being an option, so my answer will only be in the context of 100% security.

You've attempted to make the system more secure by disconnecting it from the internet, and by banning USB drives. That will give you greater security against certain types of attacks that rely on those mediums in order to gain control of your machine. But you already have arbitrary malware so it is already too late to protect against that.

It's also too late to protect against data destruction. Your malware can decide to destroy all of Alan's data any time it likes.

So the remaining major source of concern that you want to protect is probably data leakage. It doesn't really matter how you get data in to Alan's computer. Internet, USB, carrier pigeon with manual data entry - Alan's system is completely compromised, so it has access to everything.

So that leave's data going out. Again, you cannot 100% prevent the computer from communicating with the outside world, without stopping it from functioning as a computer. It probably has some combination of: fans, electric circuits, mechanical drives, speakers, monitors, power supply. Some of those are compulsory, and all can emit controllable signals for your malware.

To address two of your specific points:

either Alan has to have complete control over the data being transfered(i.e. Alan knows 100% what he is importing)

This is a bit non specific. Do you mean that he 100% trusts the source? That he can see 100% of the data stream as it enters his computer? That he can 100% understand the meaning of every bit of that data stream?

You might be able to achieve the first two. The third is impossible. The malware could be using any kind of arbitrary encoding to hide it's communications.

or Alan must know exactly(and I mean it) how data is being handled by his computer system.

This is impossible, by the criteria you have set, due to the malware.

Jon Bentley
  • 2,011
  • 2
  • 15
  • 16
  • Referring to "combination of: fans, electric circuits, mechanical drives, speakers, monitors, power supply", in a real situation, how could these communicate with some other agent without Alan noticing? Why can't they understand the meaning of every bit of that data stream between the two? – shooting-squirrel Jan 02 '16 at 05:59
  • 4
    @shooting-squirrel : [fans](http://www.wired.com/2015/03/stealing-data-computers-using-heat/), [electric circuits](http://www.scientificamerican.com/podcast/episode/computer-snoopers-read-electromagnetic-emissions/), [speakers](http://www.scientificamerican.com/article/computers-can-be-hacked-using-high-frequency-sound/), generally: [TEMPEST](https://en.wikipedia.org/wiki/Tempest_%28codename%29). Once malware is also reading the incoming data stream, that data has an additional meaning that is specified by the malware writer, which semantics would not be supplied to the victims. – Eric Towers Jan 02 '16 at 09:32
  • Related: Alan has to be 100% secure. Have you vetted the person who you're giving the data to? – Cort Ammon Jan 02 '16 at 20:06
7

Since the question doesn't specify what sort of computer system Alan has, I will assume for the purposes of this answer that it's not a typical desktop PC, but instead some form of embedded/project computer system.

So, Bob burns the data onto a ROM chip and sends it to Alan via "sneakernet". Alan plugs the ROM chip into his computer. Since it's a ROM, nothing on Alan's computer, not even the malware, can modify it.

To prevent the suspected malware from transmitting the data to someone else, disconnect all output devices from Alan's computer. No Ethernet, no WiFi, no serial or USB. Don't even connect a monitor, as the malware could flash the screen as a form of binary code to someone else. If there are any LEDs on the computer board, snip them just in case. And disconnect any loudspeakers as well, so the malware can't whistle to anything nearby.

Of course, the down-side of that is that you no longer have any way to tell what Alan's computer is doing, rendering it completely useless. But totally secure.

Simon B
  • 904
  • 5
  • 7
  • 5
    Since we're paranoid enough to remove the monitor, have you thought about malware that makes the CPU work in a certain way to produce EMI and thus exfiltrate data that way? Or just representing 0s and 1s by heating up/cooling down the CPU? So better remove the CPU as well ;) – André Borie Jan 01 '16 at 23:38
  • Faraday cage :) – Tom Zych Jan 02 '16 at 00:26
3

In your scenario of Alan retrieving data from Bob's computer safely, we need to consider a lot about security in general. The short answer is that for the most part, you'll be fine. Chances are high that you will not transfer malicious code (that would still function) if you are performing the data transfer with a simple USB thumb-drive(Sometimes called the sneakernet).

Long Answer: No, it is data and can always be compromised. If Alan imports data from Bob, and Bob's computer has seen the internet even for a second, there is a chance that malicious code could have been added to whatever data you are going to import (albeit the chances could range greatly from high to very small).

Most malware depends on internet connections and transferring data back and fourth but there are still viruses in the wild that, well, just want to destroy stuff. They do not care if your computer is connected to the internet or not.

Realistically, you're probably fine. Even if there is malware on the data being transported, a lot of the malicious code would cease to function on the separate machine. This is because, as stated above, a lot of malware contains some sort of dependability on a connection to the internet, and the code in the malware to get to Alan's machine would not be the same code that would work on yours. (Let me know if you want to know more on why this is, or read more on shellcode variations if that interests you at all).

In short, a simple USB stick transfer is probably fine, but remember that theoretically everything is hackable and nothing is 100% safe.

Chad Baxter
  • 632
  • 4
  • 8
Henry F
  • 616
  • 1
  • 6
  • 13
3

Connect the two computers using the serial port. Hopefully both will still have such port native instead of needing a usb-to-serial converter.

The interface is simple enough that the data sent and received can be inspected manually. Not just from one of the computers (if it's trustable) but also externally with an oscilloscope. While there it's a standard interface that won't require customizations to run.

They may want to insert a couple of current limiters (so the malicious hardware from one machine can't damage the other one) and/or a rectifier (to avoid a potential covert channel with a slightly different voltage), as well as normal steps like ensuring the security of the cable itself.

For extra paranoid security, you shouldn't place both computers in the same room, in order to avoid data being exfiltrated by a magnetic field or a microphone recording the other sound (eg. disk movements), as has been used to communicate air-gapped computers (they don't have wifi hardware, right?).

In a similar question, Thomas Pornin suggested the use of the sound card (speaker → microphone) for unidirectional communication between machines. I think the serial port is preferable for Alan and Bob, but you may find this alternative interesting, too.

Ángel
  • 18,188
  • 3
  • 26
  • 63
1

You want to be 100% certainty you don't leak data from a computer that you control physically, but not operationally -- i.e. you can pick it up, disconnect the power and in all ways control the hardware, but the software is totally under someone elses control.

You can't be 100% certain because the person writing the software may have thought of a way to transmit the information that you may not know about.

In order to evaluate how much less than 100% certainty you should settle for, you need to determine (a) how desirable is the information you have, and (b) how close your your hypothetical attacker can get to their computer or the medium you are using to transmit the data and finally (c) how important is it to transmit the data vs not leak the data?

Data transmission is basically nothing more than making an observeable change. If you can control the environment enough to ensure that they can't directly observe their computer, the thing to do is to transmit the data from their computer to your computer and then on to it's final destination, while ensuring that your computer doesn't become their computer. If they can directly observe either their computer or the transmitted data from their computer, you probably won't be able to prevent them from leaking data.

jmoreno
  • 496
  • 2
  • 9
1

Physical artifacts to transfer data

You seem want to use some medium that by definition can contain only data, and no executable code or unverifiable hardware. This asks for simple physical artifacts - for example, paper. This sill be obviously less convenient than digital data transfer but still possible.

For small amounts of data you may use simple text - print, scan, OCR; possibly with some checksums to prevent errors. This is auditable - you can see what exactly is transferred.

For larger amounts of data you may use something like http://ollydbg.de/Paperbak/ which claims to reliably encode 500 kB per A4 sheet of paper.

Do note that even in this scenario side channels still exist and can transfer extra data if both computers are compromised by advanced enough malware. For example, the printed data can contain very very light yellow dots that will be readable when scanned; there are systems that will use that to encode print metadata (serial number, time, etc) in every printout; the information is hidden from the user but reliably machine readable.

Peteris
  • 8,389
  • 1
  • 27
  • 35
  • sill → will on line 2? – dan Jan 05 '16 at 07:23
  • 1
    A printer isn't such a verifiable piece of hardware. Some of them do have an internal disk, an USB port and a Wi-Fi interface. ---- In a recent past, organised leak of information was conducted through printers. – dan Jan 05 '16 at 07:46
0

@WhiteWinterWolf already has posted a good method of transferring the data, but here's another one just for fun: Using an Ethernet cable to form a direct connection (intranet, NOT internet) from Alan to Bob.

If this is the only network interface on both computers, it prevents malware on either computer from contacting any external server. Alan can SSH onto Bob's computer (which only has port 22 open) using public-key authentication as a non-root user who has read-only privileges to a specific folder and is chroot'ed there.

Alan can then copy over the file (which should be an encrypted container). He can then decrypt the container using a pre-arranged password and pre-arranged TOTP with something like a YubiKey. If Alan wanted to avoid any USB device (even a trusted one), he could use a counter based OTP instead. This prevents an attacker from being able to decrypt files exchanged in the future, even if the attacker was recording your keystrokes.

Pros:

  • Faster than physical media after initial setup (you can just add files to the directory).
  • No USB devices required (unless you use something like a YubiKey).
  • Not vulnerable to physical interception of media.

Cons:

  • Difficult to setup.
  • Requires pre-arranged keys.
  • Not practical--what if Alan and Bob were even a mile apart?
  • Not reliable--what if somebody cut the wire?
  • Obvious--if you see a cable directly connecting Alan and Bob, you could easily guess that they are transferring information.

There is no foolproof method to transfer data completely securely--the best you can do is to make it as hard as possible to obtain the information or hope that the attacker isn't someone like the NSA.

WillS
  • 769
  • 6
  • 7
0

A quick solution may be the ARM chip with decription software, let's say an AES256. Alan's PC will communicate with the CHIP, not the offline data transfer media like SD card. Alan and Bob must exchange a passphrase and the phrase itself ot a hash out of it will be a pre-shared encryption key. The key exchange must be in-person/in-real-life, not online. Then both sides can TECHNICALLY be sure, that any transfer-related issue will not be able to happen in this data exchange case. In case of requirement for security increase - use more AES(Rinjdael algorythm, actually) rounds to increase the cipher strength.

Alexey Vesnin
  • 1,565
  • 1
  • 8
  • 11
-1

Ah look, a good old classic infosec debate over how to transfer data securely. And not only "As securely as can logically be achieved" but "100% securely."

I'll keep my answer short. Nothing is 100% secure 100% of the time, and therefore not only is there not any way to transfer it offline 100% securely, there is no way to transfer it online 100% securely either.

Rebut this if you must, but thus far there has been nothing to convince me that it could be possible, nor do I believe it ever will be.

With that being said, it has for many years been proposed that information can be transferred in a secure manner, by using OTP, or One Time Pad.

You might postulate an airgap?
http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf - inaudible audio
http://arxiv.org/abs/1503.07919 - thermal
also on that same site, see article number 1411.0237 - example like stuxnet

Those links show a few ways around an airgap, but the bottom line is, it's all about how much you can confuse your attacker, how much resources do your attackers have, and how paranoid are you. The bottom line is that "secure" is nothing more than a point of view. What's "secure" to one person, is not secure to another, and that is due to paranoia.

If anyone can prove beyond rebuttal that I am wrong I long for this answer also, but alas, I already know, one does not exist.

Tim
  • 101
  • 1
-2

You could transfer over a VPN using NonPublic IP Addresses and setting the server to only listen on the private IP. It make things by far more difficult.

  • "outside the internet" "without using the internet" – underscore_d Jan 01 '16 at 22:15
  • @underscore_d Internet or Networks Entirely? You could transfer over mail and external hard drives. Optionally you could make your own Wide Area Network and send a long private cable from building A to building B and send that way. (Considering you have the funds) – Nathaniel Suchy Jan 01 '16 at 22:38
  • 1
    Important Data, via Postal Service? You'll have even worse issues. – ave Jan 02 '16 at 00:51
  • The last post made me laugh. I agree with it, but I just pictured the ones who work at the postal office opening the package with gloves on. – shooting-squirrel Jan 02 '16 at 04:49
  • @shooting-squirrel Haha, I gave you an alternate method. But obviously your going to have a problem with any answer anyone gives so please... Just use a secure VPN (preferably run on servers you control) and transfer that way. The risk is little to none... – Nathaniel Suchy Jan 02 '16 at 04:52
  • @ardaozkal: Actually postal mail is a perfectly valid solution when the sender and recipient are located in remote places. A more funky but still working solution is using carrier pigeons, but I take this more as a joke referring to [April fool's day RFC 2549](https://en.wikipedia.org/wiki/IP_over_Avian_Carriers). You can find more information on [Wikipedia's page about sneakernet](https://en.wikipedia.org/wiki/Sneakernet). – WhiteWinterWolf Jan 04 '16 at 14:11
  • @WhiteWinterWolf Haha, Thanks for recognizing I have multiple answers with value. – Nathaniel Suchy Jan 04 '16 at 14:21
  • @WhiteWinterWolf yeah, I read that before, but if it is known by a third party, it is more dangerous than intranet, as the pigeon/postal services are in public locations. – ave Jan 04 '16 at 15:43
  • @ardaozkal and Nathaniel Suchy: I've updated my answer to deal with long distance communication and postal mail, feel free to comment :) ! – WhiteWinterWolf Jan 04 '16 at 19:42