I have a laptop operating a vehicle with attached camera. Video is exported using removable media. Ports available are USB and Ethernet (also video and audio I suppose). The laptop is not infected (presumably). Transfer speed must be enough for streamed video (H.264).

I've been looking into different removable media solutions, trying to find a solution that does not compromise the laptop even if the removable media has been compromised software wise when plugged into the untrusted system importing the data.

What are my options?

Drastic (expensive) measures allowed. (Until this is solved it's pretty much the burn-after-use rule.)

Andreas
  • 135
  • 5
  • 2
    Just to make sure I understand correctly, you have a laptop that remotely controls a vehicle, which has a camera. And you wish to export that video feed to an external drive, e.g. a USB stick. And you worry that you might insert that USB stick somewhere else, have it infected, and when you plug it back in your laptop, it infects your laptop? –  Aug 26 '19 at 10:13
  • @MechMK1 Correct. – Andreas Aug 26 '19 at 10:40
  • 3
    So, you don't want safe removable media, you want your laptop to be safe from the removable media you use. That's an important distinction. – schroeder Aug 26 '19 at 12:10
  • 1
    @schroeder Ah, I see what you mean. Yes, it is the laptop that needs to be protected, not the media itself. Though if the media cannot be compromised, neither can the laptop. If the media is connected through Ethernet I think there are ways to set up safe one-way file transfer without running any of its code. Hence the wide title; I didn't want to restrict the question to my own very limited understanding. If you think I made a bad call I'll give it some more thought for the future. – Andreas Aug 26 '19 at 12:28
  • Which version of Windows (guessing from the tag) is used by the laptop? How is it handled? Could a user do something stupid, like double-clicking a .exe file that was on the removable media, or does he only have a limited interface? – Ángel Aug 26 '19 at 22:22
  • 2
    @Ángel Windows 10. Vehicle operator is only to use the removable media through our application, so no .exe clicks or anything such. The application allows viewing past recordings. We may assume the operator does what the manual says. – Andreas Aug 27 '19 at 07:10
  • 1
    How does the video get from the vehicle's camera to your laptop? When you speak about "exporting" the video, is that exporting being done from the laptop to send the data from your laptop to some other computer, or are you referring to exporting it from the device to get it to your laptop and *also* to the other untrusted computer? – Moshe Katz Aug 28 '19 at 19:44
  • @MosheKatz Export is from laptop to untrusted computer. Device to laptop is already covered. – Andreas Aug 30 '19 at 06:20

4 Answers

4

It sounds like you need simple Write-Once-Read-Many-times (WORM) media. The most common media type that fits this description would be DVDs. If you trust that the DVD-R discs are actually blank (which will be the case if you get them from any reputable source), then you can write the video to disc, eject the disc, and never have to worry about it again. DVD-R discs are cheap enough that you never need to worry about reusing them (and for anyone who is worried about the environment, there are many craft projects that can be done to recycle old discs). For that matter, you could even use a Blu-Ray drive to get even more storage per disc, though recordable Blu-Ray discs are more expensive.

If you don't have an integrated optical drive, USB-connected optical drives are very cheap these days, and quite reliable.

All you need to do to make sure you stay safe is to make sure that you only put in blank discs and that once a disc has left your possession you never put it back in the system.

Of course, there are some downsides to this approach. First, you might end up using an awful lot of discs, depending on how much you need to export. Second, disc burning is slower than the transfer to flash-based media as is copying the files off the disc, though direct playback speed on other devices shouldn't be a problem - after all, that is what DVDs were created for. Finally, many modern computers don't have optical drives anymore.

That said, if you want to ensure that you don't get infected by malware from flash media, this sounds to me to be the easiest way to do that.

One other important note is that if you don't completely fill the disc, many programs will let another user add additional content afterwards, unless you explicitly "Finalize" the disc. Even so, I think that this is outside your threat model, as it will only be an issue for someone who is deliberately writing the malware onto the disc. This is because, unlike a USB flash drive, writing to optical media cannot be done just by writing to a filesystem; it takes actually telling the burning software to write to the disc.

Moshe Katz
  • 1,351
  • 1
  • 11
  • 17
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/98001/discussion-between-moshe-katz-and-schroeder). – Moshe Katz Aug 28 '19 at 19:45
  • A previous employer used optical disk to transfer between environments. All this time I suspected it was because they had an enormous stash of disks hidden somewhere. Guess I owe the sec department an apology. – Andreas Aug 30 '19 at 06:17
  • DVDs are pretty small (4GB) by current standards, but as long as you can live within this limitation it's a good approach. It does not meet the OP's stated need of streaming video speed (on write), but perhaps that was not a real need. – user10216038 Aug 30 '19 at 18:58
  • @user10216038 there used to be handheld video cameras that wrote directly to DVD, so I'd have to say you're wrong about the speed not being fast enough. Also, a double layer DVD can hold over 9GB and Blu-Ray is an option too. – Moshe Katz Sep 02 '19 at 18:20
3

I'll go with a bit of an unorthodox suggestion. Don't connect storage media directly to the laptop at all. Treat the laptop as completely untrustworthy, and potentially disposable.

Quite simply: pretty much every modern, general-purpose, digital data interconnect can be used to make your life miserable if the device at the other end is untrustworthy. You'd probably have to go back to good old-fashioned serial or parallel ports to get something reasonably trustworthy, and those were slow: a few hundred kilobits per second, tops.

Instead, store the data elsewhere, pushing the data over a network, wirelessly if necessary, and set up the storage target system to only accept incoming data and to be what controls how it is stored.

I don't know what kind of network connectivity you have on that laptop, but even 100 Mbit/s is more than plenty for high-end video. A gigabit Ethernet connection will pretty much saturate a rotational hard disk drive with sequential I/O. Under good conditions and especially over short distances, you can get several hundred megabits per second over a standard 802.11 wireless network connection (802.11n and 802.11ac) if you optimize for throughput. Especially if money isn't a big issue (which sounds like it's the case in your situation), I wouldn't be surprised if you can get good throughput over cellular as well.

Now, on the other end of that link, set up a system that only stores the data. This could in principle be something as simple as a SSH/SFTP server that only allows writing data to a new file (or directory) each time; that wouldn't be terribly complicated to set up.

If you want to, store the video locally as a buffer, and transmit as conditions allow.

This is basically the same situation as when you're trying to safely back up a system where a hacker might gain access. Instead of coming up with elaborate solutions to prevent the hacker from jumping from one system to the other, simply set everything up so that the hacker can't get more access to the data on one system than he already has by being on the other. (In the case of system backups, this would typically be done by having the backup storage host pull the data from the backed-up host rather than having the backed-up host know how to write data on the backup storage host. Your situation is similar, but basically just the other way around.) It's also pretty much how aircraft flight recorders are designed: accepting data from a variety of sensors and storing it, but not allowing the data to be tampered with.

user
  • 7,700
  • 2
  • 30
  • 54
  • SSH/SFTP over Ethernet was on my mind too; good that someone else backs it up. Now I dare investigate the details further, knowing it's probably not a waste of time. – Andreas Aug 27 '19 at 06:18
  • Just exporting the data over the network (securely) was my first thought too, though depending on the exact data organization, rsync or rclone might be a better option (especially if you expect to go long periods without network connections). – Austin Hemmelgarn Aug 27 '19 at 19:18
  • @AustinHemmelgarn *"rsync or rclone"* Over SSH. (After all, this is the *Information Security* SE.) – user Aug 28 '19 at 07:21
  • @aCVn True, `rsync` should indeed be used over SSH in this case. `rclone` is a bit of an odd case though: it _can_ work over SSH, but it's mostly used for accessing cloud storage APIs (for example, the AWS S3 API) from the command line, so it typically operates over HTTPS in common usage. – Austin Hemmelgarn Aug 28 '19 at 11:57
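The storage-host side of the answer above, as an added example that is not code from the answer or its author: a sweeper that takes each completed upload out of a drop directory (assumed to be fed by a chrooted SFTP or rsync-over-SSH account) and files it under a name that is never reused in an archive the upload account cannot reach, so the laptop gets no way to alter what has already been stored. The paths and the settle time are assumptions.

```python
"""Receive-only ingest sweeper for a network drop directory.

Assumptions (added example, not code from the answer): the laptop pushes
video files into DROP, e.g. through a chrooted SFTP account; this script
runs on the storage host as a separate user and moves each completed upload
into ARCHIVE, a directory the upload account cannot reach. Archive names are
never reused and files become read-only, so nothing the laptop sends later
can alter what was already stored. DROP and ARCHIVE share one filesystem.
"""
import os
import stat
import time


def is_stable(path: str, settle_seconds: float) -> bool:
    """An upload counts as complete once its mtime is older than settle_seconds."""
    mtime = os.stat(path, follow_symlinks=False).st_mtime
    return time.time() - mtime >= settle_seconds


def archive_name(archive: str, src: str, now: float) -> str:
    """Collision-free destination: <unix-ms>-<basename>, plus a counter if taken."""
    base = f"{int(now * 1000)}-{os.path.basename(src)}"
    candidate, n = os.path.join(archive, base), 0
    while os.path.lexists(candidate):
        n += 1
        candidate = os.path.join(archive, f"{base}.{n}")
    return candidate


def sweep(drop: str, archive: str, settle_seconds: float = 5.0) -> list:
    """Move every completed regular file from drop into archive; return new paths.

    Only plain regular files with a single link are taken. Symlinks, device
    nodes, directories and hard-linked files are left where they are for an
    operator to look at, so the sweeper never follows them anywhere unexpected.
    """
    moved = []
    for entry in os.scandir(drop):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
            continue
        if not is_stable(entry.path, settle_seconds):
            continue  # still being written (or not yet settled); try next sweep
        dest = archive_name(archive, entry.path, time.time())
        # link() fails with EEXIST instead of overwriting, so the archive name
        # is claimed atomically; only then is the drop-side name removed.
        os.link(entry.path, dest)
        os.unlink(entry.path)
        os.chmod(dest, 0o444)  # read-only for the storage side's own tooling
        moved.append(dest)
    return moved
```

Run one pass per timer tick (cron or a systemd timer) as the archive owner; the settle time only guards against taking a file mid-write, the real control is that the upload account cannot name anything outside the drop directory.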
0

Cheap but efficient solution: I would simply use a regular USB flash drive and create a custom autoplay action to force media formatting when it is plugged in, so that there's no risk of having bad stuff run on your laptop.

This post will give you some hints to do that.

binarym
  • 754
  • 4
  • 8
  • Does autoplay run before potential software based malware on the drive? – Andreas Aug 26 '19 at 12:32
  • I guess that autoplay is responsible for launching autorun and the like... but I'm not very familiar with the Windows world so you'd better double check ;-) Nevertheless, what I saw on [this wikipedia page](https://en.wikipedia.org/wiki/AutoRun) makes me think it works that way. – binarym Aug 26 '19 at 12:45
  • Dire read on [BadUSB](https://security.stackexchange.com/questions/176207) :-( Battle seems lost unless I can restrict it into its anticipated behavior (Mass Storage). If acting like a keyboard or mouse it can easily DoS vehicle controls… though only for as long as it's plugged in so that might not be a problem... ugh, security sucks – Andreas Aug 26 '19 at 13:13
  • Looks like [you may disable USB HID](https://github.com/jasonbeitler/www/wiki/Deny-USB-HID-Windows) on Windows. This solves the BadUSB threat. – binarym Aug 26 '19 at 13:19
  • Looks very promising! Good find! – Andreas Aug 26 '19 at 13:23
0

If you simply want to make sure your removable media is not compromised by plugging it into another potentially compromised computer, there is a simple approach.

Use a hardware write-blocker with your media when plugging it into other computers.

Other computers can read the data but cannot write the media.

Depending upon model and details, these run about $150.

This assumes that you are using an established and trusted media in the first place. Given that, the write-blocker will ensure your trusted media stays that way.

If you don't want to deal with enforcing write blocker use, you can stage it through a second machine with the write blocker, then distribution is always from the second machine. That way whatever nasties affect the second machine never transfer to your primary laptop.

user10216038
  • 7,933
  • 2
  • 16
  • 20