All computers are vulnerable to attacks by viruses or black hats, but there are lots of steps that can be taken to reduce risk. At the extreme end of the spectrum is having an “air-gapped” computer that doesn’t connect to a network at all, but this isn’t a guarantee that it won’t get attacked. Even transferring files to the computer with a USB drive can be risky under certain circumstances, but thanks to some LED lights that [Robert Fisk] has on his drive, this attack vector can at least be monitored.
Using a USB drive with a single LED that illuminates during a read OR write operation is fairly common, but since it’s possible to transfer malware unknowingly via USB drives, one that has a separate LED specifically for writing operations will help alert a user to any write operations that might be trying to fly under the radar. A recent article by [Bruce Schneier] pointed out this flaw in USB drives, and [Robert] was up to the challenge. His build returns more control to the user by showing them when their drive is accessed and in what way, which can also be used to discover unique quirks of one’s chosen operating system.
[Robert] is pretty familiar with USB drives and their ups and downs as well. A few years ago he built a USB firewall that was able to decrease the likelihood of BadUSB-type attacks. Be careful going down the rabbit hole of device security, though, or you will start seeing potential attacks hidden almost everywhere.
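A software counterpart to the separate write LED, added here as an example and not part of the article or of [Robert Fisk]'s hardware: on Linux, the kernel keeps per-device read and write sector counters in sysfs, so a short poller can report exactly which kind of access the host made and how large it was. It assumes a Linux host and that the device name (for example `sdb`) is the USB drive in question.

```python
"""Poll /sys/block/<dev>/stat and report read vs. write activity on a USB drive.
Added example (assumes Linux sysfs); the sample snapshots below are constructed."""
import time
from pathlib import Path

# Field order in /sys/block/<dev>/stat (kernel Documentation/block/stat.rst):
# 0 reads completed, 1 reads merged, 2 sectors read, 3 ms reading,
# 4 writes completed, 5 writes merged, 6 sectors written, 7 ms writing, ...
READ_SECTORS, WRITE_SECTORS = 2, 6

def parse_stat(line):
    """Return (sectors_read, sectors_written) from one stat line (512-byte sectors)."""
    fields = line.split()
    if len(fields) < 11:
        raise ValueError("unexpected stat format: %r" % line)
    return int(fields[READ_SECTORS]), int(fields[WRITE_SECTORS])

def activity(before, after):
    """Diff two snapshots; label mimics the LEDs: idle, read, write or read+write."""
    r0, w0 = parse_stat(before)
    r1, w1 = parse_stat(after)
    dr, dw = r1 - r0, w1 - w0
    if dr < 0 or dw < 0:
        raise ValueError("counters went backwards (device re-enumerated?)")
    label = {(False, False): "idle", (True, False): "read",
             (False, True): "write", (True, True): "read+write"}[(dr > 0, dw > 0)]
    return dr, dw, label

def watch(dev, interval=0.5):
    """Print a line every time the host writes to the device, however briefly."""
    stat = Path("/sys/block") / dev / "stat"
    prev = stat.read_text()
    while True:
        time.sleep(interval)
        cur = stat.read_text()
        dr, dw, label = activity(prev, cur)
        if dw:  # writes are the interesting ones; a hardware LED may blink too briefly
            print("%s WRITE %d sectors (%d KiB) [%s]"
                  % (time.strftime("%H:%M:%S"), dw, dw // 2, label))
        prev = cur

# Constructed snapshots in the real file's format (values invented): between them
# the host read 512 sectors and wrote 8, the size of a small superblock/journal update.
SAMPLE_BEFORE = "1200 10 96000 3400 40 2 3200 900 0 5000 4300"
SAMPLE_AFTER = "1300 10 96512 3500 41 2 3208 905 0 5100 4405"

if __name__ == "__main__":
    print(activity(SAMPLE_BEFORE, SAMPLE_AFTER))
    # watch("sdb")  # on a real host, with read access to sysfs
```

Running `watch()` against a drive mounted read-only is also a cheap way to confirm that the mount itself wrote nothing, without a full bit-for-bit image compare.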
1) no one will pay attention
2) every os is constantly sniffing and writing to every disk on your system
jumpers to the rescue:
https://www.electroschematics.com/diy-usb-condom-circuit/
Because Linux is used in so many embedded systems where flash wear and sudden power loss are real issues, there are options for mounting most filesystems either completely read-only, or such that mount count, access time, etc. are not written; i.e. only actual file-API level writes will trigger block-level writes (so if you mount the disk read-write, but create no files or directories and perform no file writes, a bit-for-bit compare of the disk after the mount with one before the mount should show no differences).
Even that, however, is not going to save you from short single-block writes that light the LED for short enough times that you don’t notice… For that you’re still better mounting it truly read only.
It’s not a drive, it’s an armadillo USB firewall, readily available one google away. No hacks involved – but hackaday has lost the ability to check things before posting anyway :)
I don’t see that “Hackaday” means EVERY article contains a hack, rather, that you should expect at least one hack per day. :)
If you’re really paranoid, remember that LEDs can be used to stealthily exfiltrate data from an air-gapped system…
Only if the led is attached to the data line… strap it to the /OE line ;)
The best way to secure a Linux server is to make sure all unused ports, services and clear text programs are shut, there is an ip wrapper around needed passwords, all updates are in place with hardened firewalls and limited networks preferably a waterfall between the Linux box and the network, in a secured locked room with limited and logged personnel access and hardened authentication procedures.
The best way to secure a Windows server is to locate it in a secure locked room with limited and logged personnel access, ensure none of the Ethernet or SFP ports can be connected to an external network, make sure the power supplies do not have power cords and all storage drives are removed and located at a second, locked, secure location. Might also be a good idea to backup the drives in case there is a virus onboard.
Brilliant.
Could be a “hardware feature” of an av software that analyses the USB data signal instead of just feeding LEDs, maybe use machine learning to flag suspicious drive states compared to what the user is doing with user data from the OS?
Alarmingly little to be done if there’s an attack that hits something below the level of the OS (e.g. an external hub/dock/etc. if you are connecting through one, or potentially the internal root hub); but there’s no real reason beyond performance why you couldn’t inspect USB traffic in much the same way that you do network traffic. I’m pretty sure that Wireshark among others already supports sniffing USB on most platforms; though the collection of analysis tools is certainly less mature than for network malice.
You can also do a lot if you are prepared to go to the trouble of default-deny rather than default allow for USB devices. That won’t save you if the attacker knows your VID/PIDs of choice and only needs functions you are using USB for; but if you don’t use USB NICs, say, an attack that involves impersonating one can get shot down fairly readily.
Another way would be to make it a micro Samba or WebDAV server. When you attach it, it becomes a network drive. Generally things don’t autorun and you can see things with Wireshark.
>I’m pretty sure that Wireshark among others already supports sniffing USB
You remember correctly, my tomentose friend – https://desowin.org/usbpcap/
Much like tachometers and oil temp gauges on cars I love visual throughput indicators on computers. With the thinking that if they’re not there then I definitely won’t notice a potential problem.
I might be in the minority but I tend to see irregularities in a gauge (or gauge style widget) fairly quick.