USB Drive Hacking

flash drive

[wesley mcgrew] has been playing around with Sandisk’s U3 Smart USB Drives technology. U3 is designed to make implementation of portable applications easier. The USB drive appears as a  CDROM drive and can autorun applications. Wesley has a guide for how to patch in your own CD ISO. This ties in pretty well with the dangers of USB drives that we’ve covered before (one, two) and Schneier has a recent post on USB security issues as well.

[UPDATE: [matt] pointed out a recent Security Catalyst podcast with Abe Usher on podslurping]

52 thoughts on “USB Drive Hacking

  1. #4: if I understand what’s going on here correctly, the device acts like two devices, a USB CD and a USB storage device. It’s autoruns the files from the faux CD. So to answer your question: bus/battery-powered USB CD drive? Or is that not cheaper than a u3?

  2. #9: The only real difference to these U3 drives are basically what he stated in the article. They have a second method of talking to Windows which tells Windows that the device is not removable, thus enabling autorun. iPod’s actually use this non-removable flag as well, meaning that an iPod can do autorun in particular circumstances.

    Microsoft has a USB FAQ that makes it a bit more clear: http://www.microsoft.com/whdc/device/storage/usbfaq.mspx

    Q: What must I do to trigger Autorun on my USB storage device?

    The Autorun capabilities are restricted to CD-ROM drives and fixed disk drives. If you need to make a USB storage device perform Autorun, the device must not be marked as a removable media device and the device must contain an Autorun.inf file and a startup application.

    The removable media device setting is a flag contained within the SCSI Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 (indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero indicates that the device is not a removable media device. A RMB of one indicates that the device is a removable media device. Drivers obtain this information by using the StorageDeviceProperty request.

  3. I don’t want or need U3 compatability.
    From what I’ve seen there isn’t that much U3 stuff that impresses me other than Firefox.

    What I would like to do is remove the U3 stuff entirely and recover the space for my own use.
    How can I do that?

  4. I got to have the fun of playing with a co-worker’s u3 thumbdrive when they first came out. Seems that it has to install software on the computer they are used on, which is a big no-no at most place one would want to use one (Work, library, photo printing machine, etc). When it couldn’t install the software the drive refused to open. Needless to say it didn’t take a lot of talking to get her to take it back and get a standard thumbdrive as all she wanted to do was haul files tween work & home.

  5. I have an older Jump Drive Secure 128 MB. Part of its software allows partitioning with a secure and public partitions. It also allows specifying a program to auto run. This bypasses my auto run dissable, and runs it anyways. Must be ran out of the driver, Nice! :D

  6. Hmmm. Has anyone else tried this out? Some PCs state that they’ll need to reboot before installing the U3 drive… rendering the “slurp” considerably less effective…

  7. Its all in the controler-chip guys.
    IF your drive has the right one , you can flash it… well you can flah them ALL if you can find the tool.My FSC MemBird shows itself as a FIXED disk.

  8. Hello all, maybe you can help me out. I’m trying to autoplay a software on my usb key. I configure the autorun.inf to start automaticaly with the program, but not the damn window that ask you what to do (media player, no action, and blablabla). Is that possible? i don’t have a u3, it’s a basic usb key. I read alot on that but, it doesn’t seems to work. Is there a solution? How can i partition my usb key like a cd?

    thanks, chris

  9. Dudes, U3 sucks balls.
    Installers are for babys, just do it yourself.
    I’ve got a 1GB USB with PStart installed and check out the programs I have on it:
    Powerpoit Viewer; Firefox Portable;O pera 9 USB; Gaim Portable; Miranda IM; VLC Media Player; Process Explorer; DTask Manager; Portable Wackget; 7-Zip; VisualBoyAdvance; Sudoku Portable; The GIMP; Thunderbird; TweakUI; Xpy; Network Stumbler; ClamWin Portable; RegCleaner; Nokia Wireless Presenter, and I just don’t have the whole OpenOffice Suite because of the space it uses.

    If you only use portable apps in PCs where you have Admin rigths, you can also check out MojoPac, which allows you to carry ANY program on your pocket. ANY.
    Yes, It can handle stuff like M$Office, Counter-Strike Source (and Half-life 2, of course), Photoshop, etc, etc… whatever you may think of.
    It’s here: http://www.mojopac.com
    Bad thing I don’t know of any free or “freed” version.

  10. U3 programs are of NO INTERST to most of the profesionals. Interesting part is in construction of a USB drive that lets you AUTORUN (any application) without any prompt (upon insertion into a computer).
    I NEED “non-removable” usb drive to play with!!! :[

  11. Now it’s possible to hack launchpad. It has an option to erase whole partition when you forgot the password. I think it’s too simple , since with one click anyone that access sandisk pendrive can delete all protected data. Of course it would be necessary to block somehow launchpad unistaller from sandisk site, that would do the same. Any ideas?

  12. I’ve got an idea. There is possibility to change file “version.dat” for a version that never existed ]-) This might cause uninstaller (from website) stop working. I saw a post that someone had an older version of launchpad and newer uninstaller from website. But I don’t know if the uninstaller on pendrive would stop working too. If so, it would be impossible to uninstall launchpad even if it was neccesery. Only sandisk could do it.

  13. Is there any prog which can copy all the data secretly from usb key whenever it is inserted. Please tell me about this. I am searching for this badly and if you know please tell me.

    thanks…

  14. A few months ago I saw an article re: installing software that would automatically and transparently copy data from thumb drives inserted in a PC. Reverse thumb sucking, I believe is what the author called it, but I can’t find the article. All I get is links to articles about the movie, Thumbsucker.
    All my clients ask that I disable the USB ports for flash drive use, while a couple of others want to know what data employees are copying/stealing to their flash drives from the company network.

    Can anyone recommend a program that will accomplish this?

    Thanks!

  15. I’ve been playing with autoruns and flash drives since before U3 drives were even available. I still have some of the original UD-RW drives from Hagiwara lying around. (Test models, 1GB each with a resizable U3-like partition.) I’ve used them for years to show why physical security is just as important as network security.

    You can read more about my findings and creations here: http://www.GuidoZ.com/U3/


    Peace. ~G

    1. No, it’s not a “Trojan.” Just crappy antivirus programs that have now managed to get my website blacklisted by Firefox and Chrome. If I was some “script kiddie” why in the hell would I be using the same website, same handle, and same files (that I used daily without issue)? I answer questions, I help people, and I continue to release new things. Google my handle “uberguidoz _at_ gmail.com” and you’ll see plenty from me. No funny business. Just poor software and ignorant people.

  16. No, it’s not a “Trojan.” Just crappy antivirus programs that have now managed to get my website blacklisted by Firefox and Chrome. If I was some “script kiddie” why in the hell would I be using the same website, same handle, and same files (that I used daily without issue)? I answer questions, I help people, and I continue to release new things. Google my handle “uberguidoz _at_ gmail.com” and you’ll see plenty from me. No funny business. Just poor software and ignorant people.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.