USB drive hacking


[wesley mcgrew] has been playing around with Sandisk’s U3 Smart USB Drives technology. U3 is designed to make implementation of portable applications easier. The USB drive appears as a CDROM drive and can autorun applications. Wesley has a guide for how to patch in your own CD ISO. This ties in pretty well with the dangers of USB drives that we’ve covered before (one, two) and Schneier has a recent post on USB security issues as well.

[UPDATE: [matt] pointed out a recent Security Catalyst podcast with Abe Usher on podslurping]

48 thoughts on “USB drive hacking”

  1. interesting article – goes to show why I have autorun turned off on everything…

    off topic – but what usb drive that you have is chrome? looks cool haha

  2. #4: if I understand what’s going on here correctly, the device acts like two devices, a USB CD and a USB storage device. It autoruns the files from the faux CD. So to answer your question: bus/battery-powered USB CD drive? Or is that not cheaper than a u3?

  3. i’m just curious as to how these u3 drives are different from standard flash drives, and whether a standard drive could be “turned into” a u3-capable one.

  4. #9: The only real difference to these U3 drives is basically what he stated in the article. They have a second method of talking to Windows which tells Windows that the device is not removable, thus enabling autorun. iPods actually use this non-removable flag as well, meaning that an iPod can do autorun in particular circumstances.

    Microsoft has a USB FAQ that makes it a bit more clear: http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

    Q: What must I do to trigger Autorun on my USB storage device?

    The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.

    The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.
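The Removable Media Bit rule quoted from the FAQ above, as an added example that is not part of the original post or its comments: a small audit helper that parses standard SCSI INQUIRY data and flags devices that would count as Autorun candidates (CD-ROM type, or disk type with RMB clear). It assumes the INQUIRY bytes have already been collected; the sample responses, vendor strings and function names are constructed for illustration.

```python
from dataclasses import dataclass

DIRECT_ACCESS = 0x00  # peripheral device type: disk-like block device
CD_DVD = 0x05         # peripheral device type: CD/DVD drive

@dataclass
class Inquiry:
    device_type: int
    removable: bool
    vendor: str
    product: str

def parse_inquiry(data: bytes) -> Inquiry:
    """Parse the fixed 36-byte header of standard SCSI INQUIRY data."""
    if len(data) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    return Inquiry(
        device_type=data[0] & 0x1F,      # byte 0, bits 4-0
        removable=bool(data[1] & 0x80),  # byte 1, bit 7 = RMB
        vendor=data[8:16].decode("ascii", "replace").strip(),
        product=data[16:32].decode("ascii", "replace").strip(),
    )

def autorun_eligible(inq: Inquiry) -> bool:
    """FAQ rule: Autorun applies only to CD-ROM drives and fixed disks."""
    if inq.device_type == CD_DVD:
        return True
    return inq.device_type == DIRECT_ACCESS and not inq.removable

def make_sample(device_type: int, rmb: bool, vendor: str, product: str) -> bytes:
    """Build constructed INQUIRY data (not captured from real hardware)."""
    head = bytes([device_type, 0x80 if rmb else 0x00, 0x02, 0x02, 31, 0, 0, 0])
    return head + vendor.ljust(8).encode() + product.ljust(16).encode() + b"1.00"

# Constructed samples; vendor and product strings are placeholders.
SAMPLES = {
    "plain flash drive": make_sample(DIRECT_ACCESS, True, "EXAMPLE", "Flash Disk"),
    "stick reporting fixed disk": make_sample(DIRECT_ACCESS, False, "EXAMPLE", "Fixed Stick"),
    "emulated CD-ROM unit": make_sample(CD_DVD, True, "EXAMPLE", "Virtual CD"),
}

def audit(samples: dict) -> list:
    """Return the names of devices whose INQUIRY data makes them Autorun candidates."""
    return sorted(n for n, raw in samples.items() if autorun_eligible(parse_inquiry(raw)))

if __name__ == "__main__":
    for name in audit(SAMPLES):
        print("review before allowing on managed hosts:", name)
```

A USB stick that turns up in this list is reporting itself as something other than ordinary removable storage, which is the property an endpoint policy should key on rather than the drive's brand.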

  5. I don’t want or need U3 compatibility.
    From what I’ve seen there isn’t that much U3 stuff that impresses me other than Firefox.

    What I would like to do is remove the U3 stuff entirely and recover the space for my own use.
    How can I do that?

  6. awesome comments guys, glad you’re enjoying the writeup.

    there is a u3 uninstaller floating around on the internet (and I could swear the u3 folks were hosting it too, but the url escapes me).

  7. #11,

    that’s really interesting. i wonder if there is firmware to hack on most usb keys that we can change that bit to zero?

  8. I wish someone just came up with a hack where you could just put the U3 stuff on a drive, or am I missing something? Is there actually some hardware that allows U3 features?

  9. I got to have the fun of playing with a co-worker’s u3 thumbdrive when they first came out. Seems that it has to install software on the computer they are used on, which is a big no-no at most places one would want to use one (Work, library, photo printing machine, etc). When it couldn’t install the software the drive refused to open. Needless to say it didn’t take a lot of talking to get her to take it back and get a standard thumbdrive as all she wanted to do was haul files tween work & home.

  10. I have an older Jump Drive Secure 128 MB. Part of its software allows partitioning with a secure and public partitions. It also allows specifying a program to auto run. This bypasses my auto run disable, and runs it anyways. Must be run out of the driver, Nice! :D

  11. #23: no need, check out http://portableapps.com/ . you don’t have to pay, plus most software repackaged there is open source, unlike most of the apps available through u3. if you want something to start your programs, look into pstart in the utilities section.

  12. Hmmm. Has anyone else tried this out? Some PCs state that they’ll need to reboot before installing the U3 drive… rendering the “slurp” considerably less effective…

  13. It’s all in the controller chip, guys.
    IF your drive has the right one, you can flash it… well you can flash them ALL if you can find the tool. My FSC MemBird shows itself as a FIXED disk.

  14. anyone know how to change the RMB bit to show the device as non-removable and therefore able to enable autorun???

  15. @ #29 (dude)
    Yes, I know how, if you go to the http://www.911cd.net forum and search
    you will find some VERY useful tips
    and links to tools that might let you do it,
    but it all depends on what controller chip your drive uses.

  16. Hello all, maybe you can help me out. I’m trying to autoplay a software on my usb key. I configure the autorun.inf to start automatically with the program, but not the damn window that ask you what to do (media player, no action, and blablabla). Is that possible? i don’t have a u3, it’s a basic usb key. I read a lot on that but, it doesn’t seem to work. Is there a solution? How can i partition my usb key like a cd?

    thanks, chris

  17. Dudes, U3 sucks balls.
    Installers are for babies, just do it yourself.
    I’ve got a 1GB USB with PStart installed and check out the programs I have on it:
    PowerPoint Viewer; Firefox Portable; Opera 9 USB; Gaim Portable; Miranda IM; VLC Media Player; Process Explorer; DTask Manager; Portable Wackget; 7-Zip; VisualBoyAdvance; Sudoku Portable; The GIMP; Thunderbird; TweakUI; Xpy; Network Stumbler; ClamWin Portable; RegCleaner; Nokia Wireless Presenter, and I just don’t have the whole OpenOffice Suite because of the space it uses.

    If you only use portable apps in PCs where you have Admin rights, you can also check out MojoPac, which allows you to carry ANY program on your pocket. ANY.
    Yes, It can handle stuff like M$Office, Counter-Strike Source (and Half-life 2, of course), Photoshop, etc, etc… whatever you may think of.
    It’s here: http://www.mojopac.com
    Bad thing I don’t know of any free or “freed” version.

  18. U3 programs are of NO INTEREST to most of the professionals. Interesting part is in construction of a USB drive that lets you AUTORUN (any application) without any prompt (upon insertion into a computer).
    I NEED “non-removable” usb drive to play with!!! :[

  19. Now it’s possible to hack launchpad. It has an option to erase whole partition when you forgot the password. I think it’s too simple, since with one click anyone that access sandisk pendrive can delete all protected data. Of course it would be necessary to block somehow launchpad uninstaller from sandisk site, that would do the same. Any ideas?

  20. I’ve got an idea. There is possibility to change file “version.dat” for a version that never existed ]-) This might cause uninstaller (from website) stop working. I saw a post that someone had an older version of launchpad and newer uninstaller from website. But I don’t know if the uninstaller on pendrive would stop working too. If so, it would be impossible to uninstall launchpad even if it was necessary. Only sandisk could do it.

  21. Is there any prog which can copy all the data secretly from usb key whenever it is inserted. Please tell me about this. I am searching for this badly and if you know please tell me.

    thanks…

  22. A few months ago I saw an article re: installing software that would automatically and transparently copy data from thumb drives inserted in a PC. Reverse thumb sucking, I believe is what the author called it, but I can’t find the article. All I get is links to articles about the movie, Thumbsucker.
    All my clients ask that I disable the USB ports for flash drive use, while a couple of others want to know what data employees are copying/stealing to their flash drives from the company network.

    Can anyone recommend a program that will accomplish this?

    Thanks!

  23. there is a software i developed that secretly copies the thumbdrives upon insertion, rar or 7zips them into 2mb chunks, and mails them to you.

  24. I’ve been playing with autoruns and flash drives since before U3 drives were even available. I still have some of the original UD-RW drives from Hagiwara lying around. (Test models, 1GB each with a resizable U3-like partition.) I’ve used them for years to show why physical security is just as important as network security.

    You can read more about my findings and creations here: http://www.GuidoZ.com/U3/


    Peace. ~G

  25. So, is there any way to crack a password or hack it if USB Drive (aka thumb drive) is password protected? I heard that it’s nearly impossible?
