
Current Situation:

I'm currently employed at a hospital, and with the rising danger of ransomware etc. spread by USB drives we decided to block all USB ports (around 600 clients, Windows only) via Symantec Endpoint Protection. This blocking can determine whether a device is a HID device (we use smart-card keyboards, fingerprint mice and voice recorders which rely on USB in crucial areas where these devices need to work; input devices like normal mice and keyboards are mostly PS/2) or a storage device. If it's anything other than a HID device, the port gets locked. Also, you can grant USB privileges to certain users/computers where they are absolutely necessary (admin PCs, technician PCs, etc.).

Current Problem:

It's common practice that users (doctors, managing employees) come in with their private USB sticks to import data, like medical studies, presentations, pictures, etc., and want them imported into the system (simply saying no is not an option, unfortunately), which is obviously a pretty huge security risk.

Current Solution:

There is a specific computer in a completely separated network where users put in their drives and they get scanned by SEP; if its check comes out OK, an admin puts the drive in his PC (!) and copies the files to the network share the user needs. Obviously this is also not very secure: not only are we relying solely on SEP for protection, but this method is also prone to BadUSB attacks etc.

What I wanted to do

To securely integrate these foreign USB sticks I thought of a combination of different approaches:

Step 1: The user has to physically go to a first-level-support employee who uses a Raspberry Pi (locked in a box with high-security locks; only IT managing positions have access to the keys) running CIRCLean (https://github.com/CIRCL/Circlean), an open-source "USB sanitizer" made by the Luxembourg government, with the USB ports placed on the outside of the box. This Raspberry Pi distro should strip all files of "dangerous" things like macros in Word/Excel files, or convert PDF files to HTML (stripping possibly embedded JavaScript), and copy these "sanitized" files to another USB drive now considered "probably safe".

After this step the user can take back his drive, and the further working steps get done by the first-level supporter. This first step should get rid of more "unsophisticated" attacks, like BadUSB, macro viruses and so on.

Step 2 (AirGap1)

The first-level supporter takes the "probably safe" USB stick to a machine running Qubes OS (https://www.qubes-os.org), which is configured so that the USB controller is in a separate VM. This machine would then automatically check the USB drive with various different antivirus applications. This should allow us to check for more sophisticated attacks like well-programmed rootkits. After the automated script has run the various AV checks, the first-level supporter takes the now "known" to be safe USB stick to a third machine.

Step 3 (AirGap2)

This machine is a regular Windows PC in the hospital's network; SEP is installed and performs another security check on the drive before it gets mounted. Afterwards the employee just drags the files to the destination the user wanted them in and is finished.

Why I'm here

Unfortunately CIRCLean sounds like a neat tool, but I could not find a version that runs properly (I'm not alone with that; I cannot post more than 2 links, but just look at the issues on Git).

So after all this background story, we're coming to my question:

How does one ensure foreign USB drives are secure? Is my approach any good, and if so, how would you "switch out" the non-working CIRCLean part?

architekt

1 Answer


I would suggest going for the Raspberry route. But instead of requiring administrators to perform the action, this could be constructed as a self-service station instead, of course locked with highly secure locks and such too.

As the Raspberry Pi is not x86, it cannot run malware destined for Windows, Linux or Mac PCs at all. It can run malicious scripts, but that's another thing and can be blocked.

Configure the Raspberry Pi to have a touchscreen, so the user can select the files he wants, and then make sure to block all keyboard access.

Now to the trick that will make this completely safe:

1: First, you restrict the interface to only show files of specific permitted file formats. For example (jpg, png, gif, tiff, svg, bmp), (doc, pptp, etc.).

2: For pictures, you can use GD to convert from all known image formats to PNG (even PNG->PNG). This will strip off any malicious data that can be contained in these files, as only the raw picture data is copied over, not any metadata. (Note that you need to convert the picture to a plain GD object first.)

3: For Office files, you use a macro stripper to strip off any macro data, and then use a document converter to convert from DOC->DOC, PPTP->PPTP etc. You don't need to use CIRCLean; there are other macro strippers that can be used.

The reason you should use a converter to convert to the same format as the source format is that such a conversion will still require that the file contains valid data for that format, so for example renaming, let's say, virus.exe to virus.doc will render an empty output file in this case.

This will completely cleanse the files. And these are also immune to "BadUSB" attacks as long as you configure the Raspberry Pi to not accept keyboard input. Mouse input will be mapped to the touchscreen, which has a very limited interface to select files.

To prevent any malicious USB from leaking secret data, it's advisable to only allow copying in one direction, from USB to home dir, NOT the other way around.

So here comes the complete idea:

The user walks up to a self-service USB terminal (scattered around the hospital) and inserts his USB. On the touchscreen, the user selects the files he wants. He can only see files of permitted file types. After that, the selected files are cleansed and then copied to his "home folder". The login could be done with a smart card.

sebastian nielsen
  • Thank you very much for your detailed answer. I now convert images with the convert function of the ImageMagick package to strip all possible malicious data. Also, PDF files get rendered to PNGs in a temp folder and then put together again as a PDF. Unfortunately I could not find a reliable macro stripper for handling Office files; do you have any suggestions for that? – architekt Aug 26 '16 at 10:46
  • Note that ImageMagick itself has vulnerabilities. That's why I suggested GD, which does not have any currently known vulns. For macro strippers, check the headless LibreOffice tools; there you might find something useful. – sebastian nielsen Aug 26 '16 at 22:32
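The PNG->PNG re-encode from step 2 of the answer (the stand-in for the question's CIRCLean step), written out as an added example that is not the answer's code and does not use GD: a minimal pure-stdlib Python re-encoder that decodes a PNG's raw scanlines and writes them into a fresh IHDR+IDAT+IEND file, so metadata chunks disappear and a renamed executable, a corrupted chunk, or pixel data that does not match the header is refused. It assumes non-interlaced, non-palette PNGs and a constructed 2x2 sample image; GD or Pillow would do the same job for other formats.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 4: 2, 6: 4}  # grey, RGB, grey+alpha, RGBA; palette images are refused

def encode_chunk(ctype, body):  # one PNG chunk: length, type, body, CRC
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def iter_chunks(data):  # yields (type, body); truncation or a bad CRC raises ValueError
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data) or zlib.crc32(data[pos + 4:end - 4]) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError("truncated chunk or bad CRC")
        yield ctype, data[pos + 8:end - 4]
        pos = end

def _reencode(data):
    ihdr, idat = b"", b""
    for ctype, body in iter_chunks(data):
        if ctype == b"IHDR":
            ihdr = body
        elif ctype == b"IDAT":
            idat += body
    width, height, depth, colour, comp, filt, interlace = struct.unpack(">IIBBBBB", ihdr)  # struct.error if absent
    if not width or not height or colour not in CHANNELS or depth not in (8, 16) or comp or filt or interlace:
        raise ValueError("unsupported PNG layout")
    rowbytes = 1 + width * CHANNELS[colour] * depth // 8  # filter byte + samples
    raw = zlib.decompressobj().decompress(idat, rowbytes * height + 1)  # bounded read: no decompression bombs
    if len(raw) != rowbytes * height or any(raw[r * rowbytes] > 4 for r in range(height)):
        raise ValueError("pixel data does not match IHDR")
    return PNG_SIG + encode_chunk(b"IHDR", ihdr) + encode_chunk(b"IDAT", zlib.compress(raw, 9)) + encode_chunk(b"IEND", b"")

def sanitize_png(data):
    """PNG->PNG step from the answer: raw scanlines re-encoded into a fresh IHDR+IDAT+IEND file, every
    other chunk (tEXt, eXIf, iCCP, ...) dropped. None means refuse: not a decodable image at all."""
    try:
        return _reencode(data)
    except (ValueError, struct.error, zlib.error):
        return None

def build_sample_png():  # constructed 2x2 RGB image carrying a tEXt chunk, standing in for a user's file
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)
    rows = b"\x00" + bytes([255, 0, 0, 0, 255, 0]) + b"\x00" + bytes([0, 0, 255, 255, 255, 255])
    return (PNG_SIG + encode_chunk(b"IHDR", ihdr) + encode_chunk(b"tEXt", b"Comment\x00metadata payload")
            + encode_chunk(b"IDAT", zlib.compress(rows)) + encode_chunk(b"IEND", b""))
```

On a kiosk the allowlist check on the extension comes first; this function is the second gate, and anything it returns None for is simply not copied to the user's home folder.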