Hardware USB Thumbdrive Formatter

[Huntsman]

Hi, had abit of a brainfart the other day and thought of an idea. What if there's a device which formats whatever USB storage device that's connected to it? The application would be for security purposes. When you get a thumbdrive, you can't be sure what's on it (or if it turns out to be a USB Killer) and thus certainly not be feeling to great about plugging it into your PC.

 

The idea is that whenever you get a thumbdrive (new or from a friend), stick it into this device first, make sure it is really clean before usage. I can think of tons of use case such as in office environment where an outside contractor hands you a thumbdrive to copy something to them. Instead of directly plugging it into your company laptop which opens up the motherload of security risk, you stick it into this device and nuke the hell outta it. Only then you plug it into your company laptop to copy the data to him.

 

It could have some other features too like able to stick 2 thumbdrives in and serves as a safe "file transfer controller" or some sort.

 

What dya guys think? Too dumb an idea or we are on to something here?

[themctipers]

are you really this paranoid.. well i should be, considering ive received a virus that autoran when i plugged in my usb (i dont have usb autorun enabled, or dvd autorun)

--

spare pc? raspberry pi? linux machine?

[Huntsman]

1 minute ago, themctipers said:

are you really this paranoid.. well i should be, considering ive received a virus that autoran when i plugged in my usb (i dont have usb autorun enabled, or dvd autorun)

--

spare pc? raspberry pi? linux machine?

Not really paranoid, although I should. Like you said, I've got screwed over by numerous viruses that spread by USB sticks over the years too. Those antivirus can't cover them all anyway and there's this mean little fucker called the USB Killer out there which gives me trust issues.

 

Think it should be portable and fast to deploy. Nobody wants to wait 3 minutes for a Rpi to power up just for a format or file transfer..

[Huntsman]

duplicate.

[Guest]

Go to a local internet cafe and plug it in maybe?

[themctipers]

Just now, Huntsman said:

Not really paranoid, although I should. Like you said, I've got screwed over by numerous viruses that spread by USB sticks over the years too. Those antivirus can't cover them all anyway and there's this mean little fucker called the USB Killer out there which gives me trust issues.

 

Think it should be portable and fast to deploy. Nobody wants to wait 3 minutes for a Rpi to power up just for a format or file transfer..

oh, mine installed a bunch of nasty shit. im glad that i was smart enough to quickly disconnect the power (psu switch, don't risk it "fucking shit up" by using windows shutdown) and disconnected all of my drives

---

it takes only a few seconds. i would. next time i ever get a usb back from a teacher, im using the rpi transfer method.

[Huntsman]

4 minutes ago, dexxterlab97 said:

Go to a local internet cafe and plug it in maybe?

Lol you'll add to the cafe's collection of existing viruses and then contract some more..

[Huntsman]

7 minutes ago, themctipers said:

oh, mine installed a bunch of nasty shit. im glad that i was smart enough to quickly disconnect the power (psu switch, don't risk it "fucking shit up" by using windows shutdown) and disconnected all of my drives

---

it takes only a few seconds. i would. next time i ever get a usb back from a teacher, im using the rpi transfer method.

I'm thinking something microcontroller based... Fast to power on, limited features to screw up and nothing to attack or bypass.

[Hackentosher]

Just now, Huntsman said:

I'm thinking something microcontroller based... Fast to power on, limited features to screw up and nothing to attack or bypass.

Why don't you write a script on a raspberry pi ? Those have all the necessary hardware built in and could totally handle it. 

[TheCi]

You could probably figure something out with a  microcontroller to choice and a USB controller that simply starts writing 0's the moment you plug a USB in the device. Although I'd have to review on how exactly USB drives handle R/W acces and the speed at which it could happen.

[Huntsman]

14 minutes ago, Hackentosher said:

Why don't you write a script on a raspberry pi ? Those have all the necessary hardware built in and could totally handle it. 

Thinking of getting a RPi zero to do this but there's the issue with display and buttons. Oh well, I'll think of something.

1 minute ago, TheCi said:

You could probably figure something out with a  microcontroller to choice and a USB controller that simply starts writing 0's the moment you plug a USB in the device. Although I'd have to review on how exactly USB drives handle R/W acces and the speed at which it could happen.

I'm thinking microcontrollers too but I'm not so sure because whenever you plug in a thumbdrive into a PC, it first installs driver. Not sure how a micro would handle that part. Definitely need more literature research.

[Unimportant]

1 hour ago, Huntsman said:

I'm thinking microcontrollers too but I'm not so sure because whenever you plug in a thumbdrive into a PC, it first installs driver. Not sure how a micro would handle that part. Definitely need more literature research.

USB mass storage is standardized. I have a development board with a AVR32 micro controller and it has a demo program that mounts any USB stick to play music from it. You could probably get away with even lower end devices as long as they have master USB support. Since a USB stick is flash, and flash is erased in blocks, there'll probably won't even be much of a performance penalty for using USB1.1 which many low end devices are limited to.

[Hackentosher]

Is it possible to run boot N nuke on an rpi? 

[Huntsman]

21 hours ago, Unimportant said:

USB mass storage is standardized. I have a development board with a AVR32 micro controller and it has a demo program that mounts any USB stick to play music from it. You could probably get away with even lower end devices as long as they have master USB support. Since a USB stick is flash, and flash is erased in blocks, there'll probably won't even be much of a performance penalty for using USB1.1 which many low end devices are limited to.

Hmm.. might read up on this..

17 hours ago, Hackentosher said:

Is it possible to run boot N nuke on an rpi? 

Not that I know of..

[lone]

In reality, nuking a flash drive will do nothing. In the case of attacks using a similar method to BadUSB, for example, the payload is stored in the firmware of the device and your hardware device can't (and shouldn't ever try to) touch that, and erasing the flash chip on the drive will have no effect. But there are a plethora of other attacks one may employ. The safest way to protect yourself is to never plug anything into your computer that you don't already trust. Buy a Rubber Ducky and see for yourself.

[Scheer]

If all you want is to format it, you could get a $10 elcheapo Android phone and a OTG adapter and just use that phone for wiping drives.

[AshleyAshes]

Any such device would have to be capable of reading and writing to that storage.  So wouldn't any such device be itself vulnerable, targeted for infection, and be compromised?  Possibly even spreading infections onto any drive that goes onto it.

 

I mean, if there have been cases of Chinese digital picture frames which write payloads to any USB storage inserted into them, why couldn't some 'USB Format Machine' also be infested and loaded with a payload to distribute?

[Unimportant]

1 hour ago, AshleyAshes said:

Any such device would have to be capable of reading and writing to that storage.  So wouldn't any such device be itself vulnerable, targeted for infection, and be compromised?  Possibly even spreading infections onto any drive that goes onto it.

 

I mean, if there have been cases of Chinese digital picture frames which write payloads to any USB storage inserted into them, why couldn't some 'USB Format Machine' also be infested and loaded with a payload to distribute?

When using a simple micro-controller such as a PIC or AVR the chance of that is zero.

First of all, many of these micro-controllers can't write to their own program memory, programming is done with a external programmer device. So any virus or "payload" is physically incapable of nesting itself in the device's firmware. Micro-controllers that can write their own flash for boot-loader purposes can have their flash write-protected with the same end result.

 

And, of course, even if it were possible, any such malware would have to be programmed to specifically target the micro-controller architecture in question. No malware writer is going to waste time targeting a platform with such a small user-base. (unless the device would end up being popular and mass produced).