How to safely investigate a USB stick found in the parking lot at work

Tags: security, usb-flash-drive

I work at an embedded software company. This morning I found a USB stick in the parking lot in front of the building. With all the stories of "dropped USB stick attacks" in mind, I'm obviously not going to just plug it into my laptop. OTOH, I'm curious to know whether this was actually an attempt to compromise our systems, or it's really just an innocent case of somebody accidentally losing a USB stick. How do I safely inspect the USB stick without risking exposure?

I'm worried not just about malware and crafted file system images; there's also stuff like power surge attacks:
'USB Killer 2.0' Shows That Most USB-Enabled Devices Are Vulnerable To Power Surge Attacks.

EDIT: Many of the answers seem to assume I want to keep the drive and use it afterwards. I have no interest in that at all, I know USB sticks are cheap, and that it wouldn't be mine to keep anyway. I only want to know whether this was indeed a semi-targeted attack, partly out of curiosity whether this actually happens in real life and not just in security papers, but also so that I could warn my coworkers.

I want to know how I would figure out whether the stick contains malware. And that's not just a matter of looking at the drive contents and seeing a suspicious autorun.inf or a carefully crafted corrupt file system – I very much also want a way to inspect the firmware. I sort-of expected that there were tools for extracting that and comparing to known-good or known-bad binaries.

Best Answer

TENS

A good security distribution for testing suspicious USB flash drives that you found in the parking lot is Trusted End Node Security (TENS), previously called Lightweight Portable Security (LPS), a Linux security distribution that runs entirely from RAM when it is booted from a bootable USB flash drive. TENS Public turns an untrusted system (such as a home computer) into a trusted network client. No trace of work activity (or malware) can be written to the local computer hard drive.

In addition to the security feature TENS has another useful purpose. Because it runs entirely from RAM, TENS can boot on almost any hardware. This makes it useful for testing the USB port of a computer that is unable to boot most other live bootable USB ISO images.

USBGuard

If you are using Linux, the USBGuard software framework helps to protect your computer against rogue USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes. To enforce the user-defined policy, it uses the USB device authorization feature implemented in the Linux kernel since 2007.

By default, USBGuard blocks all newly connected devices and devices connected before daemon startup are left as is.

A quick way to start using USBGuard to protect your system from USB attacks is to first generate a policy for your system. Then, start the usbguard-daemon with the command sudo systemctl start usbguard.service. You can use the usbguard command-line interface command and its generate-policy subcommand (usbguard generate-policy) to generate an initial policy for your system instead of writing one from scratch. The tool generates an allow policy for all devices currently connected to your system at the moment of execution.[1]

Features

  • Rule language for writing USB device authorization policies

    The target of a rule specifies whether the device will be authorized for use or not. Three types of target are recognized:

    • allow - authorize the device
    • block - deauthorize the device
    • reject - remove the device from the system
  • Daemon component with an IPC interface for dynamic interaction and policy enforcement

  • Command line and GUI interface to interact with a running USBGuard instance
  • C++ API for interacting with the daemon component implemented in a shared library

[1] Revised from: Built-in protection against USB security attacks with USBGuard
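To make concrete how a generated allow-list and the daemon's default block target interact, here is a small model of USBGuard's first-match rule evaluation. This is an added example, not USBGuard's own code: the sample rules, the device records and the treatment of the `with-interface { ... }` set form as the `equals` operator are assumptions made for illustration.

```python
import shlex

# Constructed sample policy in USBGuard rule syntax, shaped like the output of
# `usbguard generate-policy` for the devices present when it ran (not a real host).
SAMPLE_RULES = """
allow id 1d6b:0002 serial "0000:00:14.0" name "xHCI Host Controller"
allow id 046d:c31c serial "" name "USB Keyboard" with-interface { 03:01:01 03:00:00 }
"""

def parse_rule(line):
    """Parse one rule into (target, attributes). Simplified model: `key value`
    pairs plus the `key { a b }` set form, which is treated here as USBGuard's
    `equals` set operator (an assumption of this example)."""
    tokens = shlex.split(line)
    target, attrs, i = tokens[0], {}, 1
    while i < len(tokens):
        key = tokens[i]
        if tokens[i + 1] == "{":
            end = tokens.index("}", i + 2)
            attrs[key] = frozenset(tokens[i + 2:end])
            i = end + 1
        else:
            attrs[key] = tokens[i + 1]
            i += 2
    return target, attrs

def load_policy(text):
    lines = (l.strip() for l in text.splitlines())
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]

def _matches(want, have):
    if isinstance(want, frozenset):
        return frozenset(have or []) == want
    return have == want

def evaluate(policy, device, implicit_target="block"):
    """First matching rule wins; a device matching no rule gets the implicit
    target, which is `block` in the default usbguard-daemon.conf."""
    for target, attrs in policy:
        if all(_matches(want, device.get(key)) for key, want in attrs.items()):
            return target
    return implicit_target

POLICY = load_policy(SAMPLE_RULES)
# Constructed device records, as the daemon would see them at insertion time.
KEYBOARD = {"id": "046d:c31c", "serial": "", "name": "USB Keyboard", "with-interface": ["03:01:01", "03:00:00"]}
# A drive found in the parking lot: no rule mentions it, so it gets the implicit target.
FOUND_STICK = {"id": "0781:5567", "serial": "4C530001", "name": "Cruzer Blade", "with-interface": ["08:06:50"]}
# Same id and name as the keyboard but with an extra mass-storage interface: the set differs, so no allow rule matches.
COMPOSITE = {"id": "046d:c31c", "serial": "", "name": "USB Keyboard", "with-interface": ["03:01:01", "03:00:00", "08:06:50"]}
```

The point to take away is that a generated policy pins each allowed device to its full attribute set, so an unknown drive, or a device imitating a known one, falls through to the default block unless the implicit target has been changed.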

Installation

USBGuard is installed by default in RHEL 7.

To install USBGuard in Ubuntu 17.04 and later, open the terminal and type:

sudo apt install usbguard  

To install USBGuard in Fedora 25 and later, open the terminal and type:

sudo dnf install usbguard   

To install USBGuard in CentOS 7 and later, open the terminal and type:

sudo yum install usbguard  

Compiling USBGuard from source requires the installation of several other packages as dependencies.
