I found a USB drive while riding the subway and I want to read it to see if I can return it back to it's owner. If I can't find any info on the stick, I'll use it for my own means. Assuming I have a perfect sandbox and I reformat the USB drive, how large is the possibility that my system gets compromised from using this USB drive? I'll leave this question's scope open to the possibility of both software and hardware (hidden memory?) methods of attack.

schroeder
Seanny123

  • At a minimum, you risk destroying the hardware you plug the USB stick into (all electronics between the connector and the nearest fuse). – Ben Voigt Sep 08 '14 at 19:29
  • possible duplicate (same concept) of http://security.stackexchange.com/questions/64404/mac-osx-what-is-the-safest-way-to-access-an-unknown-usb-storage/64408#64408 – Matthew Peters Sep 08 '14 at 20:07
  • How do you know it's even a USB drive? Maybe it's just a [cleverly-disguised programmable keyboard](http://hakshop.myshopify.com/products/usb-rubber-ducky-deluxe). – Stephen Touset Sep 08 '14 at 20:16
  • @MatthewPeters No, there's a big difference. An SD card is storage and won't do anything bad if you just insert it into a reader and read from it. A USB peripheral could be anything, even if its form factor is that of a USB drive. – Gilles 'SO- stop being evil' Sep 09 '14 at 09:45

3 Answers

It is possible for USB drives to have firmware-embedded malware, see this BadUSB article which shows the research. There would be no way to get rid of firmware-embedded malware, formatting would have no effect on it at all. However, it's pretty new, and therefore very, very unlikely that you would run into it. It's probably something someone dropped by accident, although found devices can have deliberately installed malware on them for the unsuspecting. These can be targeted on individuals (drop it by a CFO's car door) or companies (strew them around a coffee shop or company car park) or at random (drop them on the floor of the downtown bound 2 train).

Assuming your perfect sandbox you could examine the content and reformat it with almost certain safety. That perfect sandbox doesn't really exist though, so it would make sense to boot a virtual system from read-only and save nothing from the session.

GdD
In terms of using the USB stick long term I agree with @GdD's answer; if you are truly paranoid you cannot trust this stick. But unless you are a high value target it is unlikely that you will have stumbled across BadUSB.

In terms of reading securely I would:

  1. Download one of the minimal or security-focused LiveCD Linux distributions.
  2. Burn to CD/DVD (not USB stick).
  3. Unplug any hard drives (depending on your paranoia vs. effort level you could just ensure these are not mounted).
  4. Boot into the live Linux.
  5. Plug in your untrusted USB and read what you like.
  6. Optional: format the untrusted USB and hope it does not have a firmware virus.

David Waters
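A defender-side check that fits between steps 4 and 5 of the procedure above, added here as an example and not part of the original answer: before mounting an unknown stick from the live system, confirm that every interface it enumerates is USB Mass Storage (bInterfaceClass 08) and nothing else (a device that also presents a HID interface, class 03, is the "disguised keyboard" case from the comments), then mount it read-only with noexec, nodev and nosuid. The sysfs device path and the block device name in the usage comment are assumptions; adjust them to your machine.

```sh
#!/bin/sh
# Added example: inspect the interface classes a USB device exposes via a
# sysfs-style layout (<devdir>/<interface>/bInterfaceClass) before mounting it.

# Return 0 if every interface under $1 is Mass Storage (class 08), 1 otherwise.
# Any non-storage interface found is reported on stderr.
usb_only_mass_storage() {
    dir="$1"
    found=0
    bad=0
    for f in "$dir"/*/bInterfaceClass; do
        [ -f "$f" ] || continue        # no match: glob stays literal, skip it
        found=1
        cls=$(cat "$f")
        if [ "$cls" != "08" ]; then
            echo "non-storage interface: $f (class $cls)" >&2
            bad=1
        fi
    done
    # A device with no interfaces at all is not accepted either.
    [ "$found" -eq 1 ] && [ "$bad" -eq 0 ]
}

# Mount options for reading an untrusted stick: read-only, no device nodes,
# no setuid binaries, no executables.
untrusted_mount_opts() {
    echo "ro,noexec,nodev,nosuid"
}

# Usage on a real live system (paths are assumptions, adjust to your device):
#   if usb_only_mass_storage /sys/bus/usb/devices/1-1; then
#       mount -o "$(untrusted_mount_opts)" /dev/sdb1 /mnt/untrusted
#   fi
```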
In this answer, I've described how to only allow mass storage devices for a certain time. You should also use a sandbox. If you want, you can use a writeblocker, but to find the device's owner, that's not necessary.

user10008

  • This is an ok answer, but it would be nice if you specify what a writeblocker is - you probably mean a USB condom or something? – Dog eat cat world Sep 08 '14 at 20:27
  • It's more like wearing gloves at a crime scene: you don't want to destroy traces – user10008 Sep 08 '14 at 20:30
  • I would say it's closer to wearing a condom during sex, you don't want to catch a disease – Dog eat cat world Sep 18 '14 at 19:20
  • You can catch stuff even with a writeblocker. – user10008 Sep 18 '14 at 19:24
  • @Dogeatcatworld a writeblocker is a device that blocks writes. Read requests are sent through. If there is malware on the device, it's read out, too. I don't know whether writeblockers protect from badbios, but they wouldn't protect from malware like conficker. – user10008 Sep 20 '14 at 00:35