Wield a USB sanitiser

Use your Raspberry Pi to filter out harmful data from USB sticks.


If you’re reading this article, then you should congratulate yourself on taking one of the most important steps to protect yourself from viruses and malware. As a Linux user, your system can’t be seriously impaired by harmful programs designed for other operating systems such as Microsoft Windows. Linux developers are generally security conscious and when vulnerabilities are discovered, updates are issued extremely quickly. This may help explain why there’s never been a widespread infection of Linux systems.

Yet before you start to feel too smug, remember that although you may use Linux at home, your employer will most likely expect you to use a more mainstream OS for your work computer.

Linux also isn’t immune from evil HIDs (human interface devices) such as the USB Rubber Ducky, which we covered a few issues ago in LXF226. These devices can be made to resemble a USB stick, but when inserted into a computer act like a keyboard, running malicious code. The only requirement is for an attacker to persuade you or someone with access to your device to insert the evil HID into a vulnerable USB port. A 2011 study by Sophos also found that two-thirds (that’s 66% to you lot – Ed) of a set of 50 USB keys bought at a major transit authority’s Lost Property auction were infected with malware.

Enter the CIRCLean

In 2014, security expert Maya Bonkowski started working with investigative journalists and hackers on a project to sanitise USB sticks of malware, turning information into clean, readable data. The version of the project we’ll focus on in this guide is named CIRCLean, and is maintained by the government-sponsored Computer Incident Response Center Luxembourg (CIRCL).

Maya originally envisioned the project to be primarily for activists and journalists who may need to exchange documents with contacts via USB stick.

CIRCLean is available as an image that can be written to your Raspberry Pi’s SD card. Once this has been done, sanitising USB sticks is a breeze. The Pi is powered off and the ‘UNSAFE’ USB stick is connected to the top-left USB port. You must then insert a ‘SAFE’ USB stick of your own in the port below. The Pi is then powered on and CIRCLean begins the process of copying data from the ‘UNSAFE’ USB stick to the ‘SAFE’ one. This is done according to very specific criteria.

Plain text, audio and video files are simply copied across directly to your ‘SAFE’ USB stick. XML files are converted to plain text and then copied across, too.

Image and archive files, for example .JPGs and .ZIPs, are copied after CIRCLean verifies they aren’t “compression bombs”. For this reason CIRCLean will only extract up to two levels of archives. This can result in the overall ‘SAFE’ data being larger than that on the ‘UNSAFE’ USB stick, so you may wish to use a ‘SAFE’ USB stick with a larger capacity.

Microsoft Office files are parsed with oletools, a handy set of Python applications used to find malware inside Office documents. A document is marked as ‘dangerous’ if parsing fails.

Files deemed potentially unsafe, such as executables or PDFs that contain malicious code, are marked as such by renaming them DANGEROUS_<filename>_DANGEROUS.
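The handling rules above, assembled into a small policy-based sanitiser. This is an added example written for this article, not CIRCLean’s own code (CIRCLean inspects file contents rather than just extensions, and uses oletools for Office files). It assumes: types are recognised by extension only; an Office file is accepted when it is an intact OOXML zip, which stands in for the oletools parse; archives nested deeper than two levels, unknown types, failed Office parses and anything that trips the compression-bomb checks are all marked DANGEROUS; images are copied without a decompression check. The sample ‘UNSAFE’ tree is constructed inline.

```python
"""Policy-based file sanitiser modelled on the article's description of CIRCLean.
Added example, not CIRCLean's code; the limits and the extension lists are this
example's own choices, and office_parses() stands in for the oletools parse."""
import shutil
import tempfile
import xml.etree.ElementTree as ET
import zipfile
from pathlib import Path
from typing import List, Optional

MAX_ARCHIVE_DEPTH = 2                   # article: at most two levels of archives
MAX_EXTRACTED_BYTES = 50 * 1024 * 1024  # byte budget per archive (assumed limit)
MAX_RATIO = 100                         # declared uncompressed/compressed above this: bomb
COPY_AS_IS = {".txt", ".csv", ".mp3", ".wav", ".ogg", ".mp4", ".mkv", ".jpg", ".png"}
OFFICE = {".docx", ".xlsx", ".pptx"}
ALWAYS_DANGEROUS = {".exe", ".dll", ".scr", ".bat", ".ps1", ".js", ".vbs", ".pdf"}

def dangerous_name(name: str) -> str:
    return f"DANGEROUS_{name}_DANGEROUS"

def mark_dangerous(src: Path, dst_dir: Path) -> Path:
    """Copy the file across under the warning name the article describes."""
    target = dst_dir / dangerous_name(src.name)
    shutil.copyfile(src, target)
    return target

def xml_to_text(src: Path, dst_dir: Path) -> Path:
    """Keep only the character data of an XML file; unparsable XML is marked DANGEROUS."""
    try:
        root = ET.parse(src).getroot()
    except ET.ParseError:
        return mark_dangerous(src, dst_dir)
    target = dst_dir / (src.stem + ".txt")
    target.write_text("".join(root.itertext()), encoding="utf-8")
    return target

def office_parses(src: Path) -> bool:
    """Stand-in check (not oletools): the file must be an intact OOXML container."""
    if not zipfile.is_zipfile(src):
        return False
    with zipfile.ZipFile(src) as zf:
        return "[Content_Types].xml" in zf.namelist() and zf.testzip() is None

def extract_budgeted(src: Path, work: Path) -> Optional[Path]:
    """Extract a zip into `work`, refusing path traversal and stopping as soon as
    the declared ratio or the bytes actually produced mark it as a bomb."""
    total = 0
    with zipfile.ZipFile(src) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = (work / info.filename).resolve()
            if not target.is_relative_to(work.resolve()):  # zip-slip guard
                return None
            if info.compress_size and info.file_size / info.compress_size > MAX_RATIO:
                return None
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as fin, open(target, "wb") as fout:
                while chunk := fin.read(64 * 1024):        # headers can lie: count real bytes
                    total += len(chunk)
                    if total > MAX_EXTRACTED_BYTES:
                        return None
                    fout.write(chunk)
    return work

def sanitise_file(src: Path, dst_dir: Path, depth: int = 0) -> List[Path]:
    ext = src.suffix.lower()
    if ext in ALWAYS_DANGEROUS:
        return [mark_dangerous(src, dst_dir)]
    if ext in COPY_AS_IS or (ext in OFFICE and office_parses(src)):
        target = dst_dir / src.name
        shutil.copyfile(src, target)
        return [target]
    if ext == ".xml":
        return [xml_to_text(src, dst_dir)]
    if ext == ".zip" and depth < MAX_ARCHIVE_DEPTH:
        with tempfile.TemporaryDirectory() as tmp:
            try:
                work = extract_budgeted(src, Path(tmp))
            except zipfile.BadZipFile:
                work = None
            if work is None:
                return [mark_dangerous(src, dst_dir)]
            out = dst_dir / src.stem
            out.mkdir(exist_ok=True)
            return sanitise_tree(work, out, depth + 1)
    return [mark_dangerous(src, dst_dir)]  # failed Office parse, too-deep archive, unknown type

def sanitise_tree(src_dir: Path, dst_dir: Path, depth: int = 0) -> List[Path]:
    """Walk the UNSAFE tree and write the cleaned copy under dst_dir."""
    produced: List[Path] = []
    for path in sorted(src_dir.rglob("*")):
        if path.is_file():
            out_dir = dst_dir / path.relative_to(src_dir).parent
            out_dir.mkdir(parents=True, exist_ok=True)
            produced.extend(sanitise_file(path, out_dir, depth))
    return produced

def build_sample(unsafe: Path) -> None:
    """Constructed contents for a sample 'UNSAFE' stick."""
    (unsafe / "notes.txt").write_text("meeting at 10\n")
    (unsafe / "tool.exe").write_bytes(b"MZ\x90\x00")
    (unsafe / "report.pdf").write_bytes(b"%PDF-1.4\n")
    (unsafe / "data.xml").write_text("<root><a>hello </a><b>world</b></root>")
    (unsafe / "broken.docx").write_bytes(b"not an office container")
    with zipfile.ZipFile(unsafe / "photos.zip", "w") as zf:
        zf.writestr("readme.txt", "inside the archive\n")
    with zipfile.ZipFile(unsafe / "bomb.zip", "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("zeros.bin", b"\0" * (4 * 1024 * 1024))  # deflates at roughly 1000:1

def demo() -> List[str]:
    """Sanitise the constructed sample and return the names written to 'SAFE'."""
    with tempfile.TemporaryDirectory() as tmp:
        unsafe, safe = Path(tmp, "UNSAFE"), Path(tmp, "SAFE")
        unsafe.mkdir()
        safe.mkdir()
        build_sample(unsafe)
        return sorted(p.relative_to(safe).as_posix() for p in sanitise_tree(unsafe, safe))
```

Two design points matter for a real deployment: the byte budget in extract_budgeted is enforced on the bytes actually decompressed, because an archive’s declared sizes cannot be trusted on their own, and the XML step should use defusedxml rather than the standard library parser so that entity-expansion bombs are refused as well.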

CIRCLean can be run headlessly. To find out if the copy process is complete, either connect the Pi to a speaker or headphones and wait for the music to stop, or simply wait for the green diode to stop flashing. Power off the Pi and insert your ‘SAFE’ USB stick into your own computer.

Cleaned out

The USB sanitiser is designed to protect you from a specific kind of attack, whereby malware is delivered during an exchange of data via USB stick.

In order to reduce your attack surface as much as possible, make sure that you have a dedicated Pi for this project and don’t connect it to the internet via an Ethernet cable at any time. If you need to update the software, do this by removing the microSD card and then following steps one and two in the walkthrough below.

If an adversary gains physical access to the sanitiser without your knowledge, they could modify the source code on the card. Either keep the Pi with you at all times or at the very least remove the microSD card and keep it on your person when not in use.

The security of the sanitiser also rests on the USB sticks being connected in the right positions, whereby the ‘UNSAFE’ USB stick is in the upper USB slot. (Think ‘UUU’ – Unsafe Upper USB). If you connect them in the wrong order, format the respective USB sticks and start again.

Currently CIRCLean only supports reading and writing to USB sticks formatted to FAT32 and NTFS. These are the most common formats, so this shouldn’t pose any issues. However, for extra security you should seriously consider running Qubes OS on your own machine. The OS compartmentalises your digital life into various ‘qubes’ (virtual machines), including a dedicated one for reading USB sticks. This makes it extremely difficult for malware to infect your entire system.

CIRCL has supplied this handy infographic on how to use CIRCLean. Remember to connect the UNSAFE USB stick first.
