Wield a USB sanitiser
Use your Raspberry Pi to filter out harmful data from USB sticks.
If you’re reading this article, then you should congratulate yourself on taking one of the most important steps to protect yourself from viruses and malware. As a Linux user, your system can’t be seriously impaired by harmful programs designed for other operating systems such as Microsoft Windows. Linux developers are generally security conscious and when vulnerabilities are discovered, updates are issued extremely quickly. This may help explain why there’s never been a widespread infection of Linux systems.
Yet before you start to feel too smug, remember that although you may use Linux at home, your employer will most likely expect you to use a more mainstream OS for your work computer.
Linux also isn’t immune from evil HIDs (human interface devices) such as the USB Rubber Ducky, which we covered a few issues ago in LXF226. These devices can be made to resemble a USB stick, but when inserted into a computer they act like a keyboard, typing keystrokes that run malicious code. The only requirement is for an attacker to persuade you, or someone with access to your device, to insert the evil HID into a vulnerable USB port. A 2011 study by Sophos also found that two-thirds (that’s 66% to you lot – Ed) of a set of 50 USB keys bought at a major transit authority’s Lost Property auction were infected with malware.
Enter the CIRCLean
In 2014, security expert Maya Bonkowski started working with investigative journalists and hackers on a project to sanitise USB sticks of malware, turning information into clean, readable data. The version of the project we’ll focus on in this guide is named CIRCLean, and is maintained by the government-sponsored Computer Incident Response Center Luxembourg (CIRCL).
Maya originally envisioned the project to be primarily for activists and journalists who may need to exchange documents with contacts via USB stick.
CIRCLean is available as an image that can be written to your Raspberry Pi’s SD card. Once this has been done, sanitising USB sticks is a breeze. The Pi is powered off and the ‘UNSAFE’ USB stick is connected to the top-left USB port. You must then insert a ‘SAFE’ USB stick of your own in the port below. The Pi is then powered on and CIRCLean begins the process of copying data from the ‘UNSAFE’ USB stick to the ‘SAFE’ one. This is done according to very specific criteria.
Plain text, audio and video files are simply copied directly across to your ‘SAFE’ USB stick. XML files are converted to plain text and then copied across, too.
Image and archive files, for example .JPGs and .ZIPs, are copied after CIRCLean verifies they aren’t “compression bombs”. For this reason CIRCLean will only extract up to two levels of archives. Because archives are unpacked, the overall ‘SAFE’ data can end up larger than that on the ‘UNSAFE’ USB stick, so you may wish to use a ‘SAFE’ USB stick with a larger capacity.
Microsoft Office files are parsed with oletools, a handy set of Python tools for finding malware inside Office documents; a file is marked as ‘dangerous’ if parsing fails.
Files deemed potentially unsafe, such as executables or PDFs that contain malicious code, are flagged by renaming them DANGEROUS_<filename>_DANGEROUS.
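To make the copying rules above concrete, here is a cut-down triage script written for this article as an added example; it is not CIRCLean’s own code, and its type tables, its bomb thresholds (an assumed 100:1 expansion ratio and 64 MiB cap) and its handling of XML (keeping only the character data) are assumptions. It keeps the article’s two-level archive limit and its DANGEROUS_<filename>_DANGEROUS renaming, reads archive sizes from the zip directory before inflating anything, and builds its own constructed sample ‘stick’ in a temporary directory so it runs offline:

```python
import io
import shutil
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Hypothetical policy tables; CIRCLean's real type handling is far more complete.
COPY_AS_IS = {".txt", ".mp3", ".wav", ".mp4", ".mkv"}
ARCHIVE = {".zip"}
MAX_ARCHIVE_DEPTH = 2              # from the article: at most two levels of archives
MAX_EXPANSION_RATIO = 100          # assumed bomb threshold: declared size / compressed size
MAX_TOTAL_UNCOMPRESSED = 64 << 20  # assumed cap on the declared uncompressed total (64 MiB)


def dangerous_name(name):
    """Renaming convention from the article: DANGEROUS_<filename>_DANGEROUS."""
    return f"DANGEROUS_{name}_DANGEROUS"


def archive_is_bomb(src, compressed_size, depth=1):
    """True if a zip (path or file object) looks like a compression bomb or nests
    deeper than MAX_ARCHIVE_DEPTH. Sizes come from the central directory, so nothing
    is inflated until the declared totals have passed the checks."""
    try:
        with zipfile.ZipFile(src) as zf:
            infos = zf.infolist()
            declared = sum(i.file_size for i in infos)
            if declared > MAX_TOTAL_UNCOMPRESSED:
                return True
            if declared / max(compressed_size, 1) > MAX_EXPANSION_RATIO:
                return True
            for info in infos:
                if Path(info.filename).suffix.lower() in ARCHIVE:
                    if depth >= MAX_ARCHIVE_DEPTH:
                        return True  # assumption: nesting past the limit counts as dangerous
                    inner = io.BytesIO(zf.read(info))  # bounded by the size checks above
                    if archive_is_bomb(inner, info.compress_size, depth + 1):
                        return True
    except zipfile.BadZipFile:
        return True  # an archive we cannot parse is not one we want to copy as-is
    return False


def xml_to_text(src, dst):
    """Assumed conversion: keep only the character data and write it as .txt.
    For truly untrusted XML the defusedxml package is the usual stdlib replacement."""
    dst.write_text("".join(ET.parse(src).getroot().itertext()), encoding="utf-8")


def sanitise(unsafe_dir, safe_dir):
    """Walk unsafe_dir and write a sanitised copy into safe_dir.
    Returns {relative source path: action} for a report."""
    unsafe_dir, safe_dir = Path(unsafe_dir), Path(safe_dir)
    actions = {}
    for src in sorted(p for p in unsafe_dir.rglob("*") if p.is_file()):
        rel = src.relative_to(unsafe_dir)
        out_dir = safe_dir / rel.parent
        out_dir.mkdir(parents=True, exist_ok=True)
        ext = src.suffix.lower()
        action = "dangerous"
        if ext in COPY_AS_IS:
            shutil.copy2(src, out_dir / src.name)
            action = "copied"
        elif ext == ".xml":
            try:
                xml_to_text(src, out_dir / (src.stem + ".txt"))
                action = "converted"
            except ET.ParseError:
                pass
        elif ext in ARCHIVE and not archive_is_bomb(src, src.stat().st_size):
            shutil.copy2(src, out_dir / src.name)
            action = "copied"
        if action == "dangerous":
            # Executables, bombs, broken XML and unknown types keep their bytes but get
            # the DANGEROUS_ wrapper so nothing opens them with a careless double-click.
            shutil.copy2(src, out_dir / dangerous_name(src.name))
        actions[rel.as_posix()] = action
    return actions


def build_demo(unsafe_dir):
    """Populate unsafe_dir with constructed sample files (no real malware involved)."""
    d = Path(unsafe_dir)
    (d / "notes.txt").write_text("meeting notes\n")
    (d / "talk.mp3").write_bytes(b"\xff\xfb" + b"\x00" * 64)  # fake MP3 frame
    (d / "report.xml").write_text("<doc><p>hello</p><p>world</p></doc>")
    (d / "setup.exe").write_bytes(b"MZ" + b"\x00" * 32)       # fake PE stub
    with zipfile.ZipFile(d / "fine.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("a.txt", "small payload")
    with zipfile.ZipFile(d / "bomb.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\x00" * (1 << 20))  # 1 MiB inflating from ~1 KiB
    inner, middle = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("a.txt", "x")
    with zipfile.ZipFile(middle, "w") as zf:
        zf.writestr("inner.zip", inner.getvalue())
    with zipfile.ZipFile(d / "two_levels.zip", "w") as zf:    # allowed
        zf.writestr("inner.zip", inner.getvalue())
    with zipfile.ZipFile(d / "three_levels.zip", "w") as zf:  # one level too deep
        zf.writestr("middle.zip", middle.getvalue())


def run_demo():
    """Build the sample stick, sanitise it, return (actions, names written to SAFE)."""
    with tempfile.TemporaryDirectory() as unsafe, tempfile.TemporaryDirectory() as safe:
        build_demo(unsafe)
        actions = sanitise(unsafe, safe)
        written = sorted(p.name for p in Path(safe).rglob("*") if p.is_file())
    return actions, written


if __name__ == "__main__":
    for path, action in run_demo()[0].items():
        print(f"{action:10} {path}")
```

Run it as-is and it prints one line per file: the text, audio and well-behaved archives are copied, the XML comes out as report.txt, and the executable, the bomb and the three-level archive arrive on the ‘SAFE’ side wrapped in the DANGEROUS_ name. The important design point is the ordering inside archive_is_bomb: declared sizes are compared against the limits before any entry is read, so a bomb is rejected without ever being inflated.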
CIRCLean can be run headless. To find out whether the copy process is complete, either connect the Pi to a speaker or headphones and wait for the music to stop, or simply wait for the green LED to stop flashing. Power off the Pi and insert your ‘SAFE’ USB stick into your own computer.
The USB sanitiser is designed to protect you from a specific kind of attack, whereby malware is delivered during an exchange of data via USB stick.
In order to reduce your attack surface as much as possible, make sure that you have a dedicated Pi for this project and don’t connect it to the internet via an Ethernet cable at any time. If you need to update the software, do this by removing the microSD card and then following steps one and two in the walkthrough below.
If an adversary gains physical access to the sanitiser without your knowledge, they could modify the source code on the card. Either keep the Pi with you at all times or at the very least remove the microSD card and keep it on your person when not in use.
The security of the sanitiser also rests on the USB sticks being connected in the right positions, whereby the ‘UNSAFE’ USB stick is in the upper USB slot. (Think ‘UUU’ – Unsafe Upper USB). If you connect them in the wrong order, format the respective USB sticks and start again.
Currently CIRCLean only supports reading and writing to USB sticks formatted to FAT32 and NTFS. These are the most common formats, so this shouldn’t pose any issues. However, for extra security you should seriously consider running Qubes OS on your own machine. The OS compartmentalises your digital life into various ‘qubes’ (virtual machines), including a dedicated one for reading USB sticks. This makes it extremely difficult for malware to infect your entire system.
CIRCL has supplied this handy infographic on how to use CIRCLean. Remember to connect the UNSAFE USB stick first.