Can consumer devices with a pen drive port inject computer viruses?

  • #1
Swamp Thing
I just bought one of these things...



described as a "Portable Rechargeable Mini Voice Amplifier for Teachers with Wired Microphone Headset and Waistband". (Not pasting the link here, but a search for the description should bring up similar generic items on Amazon). It's a box that comes with a Mic, allowing you to record and/or amplify your voice, and it can also work as a regular Bluetooth & MP3 player.

And, it has a USB port where you can connect a USB drive for recording, playing and transferring audio files.

But having just plugged in the drive, it occurred to me that this device does complex enough stuff that it might be running some kind of Lite OS that could be capable enough to be a vector for malware etc., including perhaps cross-platform baddies. So how likely is that, how much should one worry about this kind of vector?

I will be transferring files from the USB drive to a Raspberry Pi which I use for various experiments and for general web browsing, including reading Physics Forums, watching YouTube etc. It would be a pretty big nuisance if something bad were to happen to the Raspberry Pi's current OS installation and contents.
 
  • #3
jedishrfu said:
Any USB port is susceptible to the keyboard attack.

How would it play out in this case with the device from Amazon?

Let's assume for a moment that my USB storage (SanDisk branded) is genuine and free from bad stuff before I plug it into the audio box that I have just bought.

So now, the box's bad firmware would set up the USB storage to emulate a keyboard after it is plugged into my computer?
 
  • #4
Some stuff on Amazon comes from small vendors in China, as an example. Suppose it got infected there, or was designed to only infect certain types of devices or copy a malware package onto your SanDisk stick; then you could wind up with a virus infection.

I think in your case, this is highly unlikely though. You could and should make a backup of your Pi boot drive for this kind of scenario.
 
  • Informative
Likes Swamp Thing
  • #5
As mentioned, yes it is possible. And I would be less concerned if the product came from a major manufacturer than some place in China or North Korea that I never heard of.

One could, I suppose, test it by taking two identical USB drives, plug one in, and see if they are still identical. There is software for these kinds of comparisons, some of which is a little sketchy as well. (I went down this rabbit hole investigating a bad USB drive: the reported capacity was less than the actual capacity - once you filled it up to 25%, it stopped working)
 
  • Like
Likes jedishrfu
  • #6
Vanadium 50 said:
One could, I suppose test it by taking two identical USB drives, plug one in, and see if they are still identical.

If I was a malware designer and a member of this forum, then at this moment I would be like ...
"Note to self: Don't write to the drive until something else is stored in it."
 
  • #7
I said "identical". Not "empty".

Can this be a source of malware? Yes. Is it? Hard to tell, but there are red flags one can look for. Are there tests that can identify a malware-spewer? Yes. Are they accurate 100% of the time? No.

If you want an ironclad answer, you aren't going to get it. If you want a very good answer, the unit needs to go into a lab. If you are willing to accept "probably OK", buy from well-known brands and avoid sketchy brands or distribution channels.
 
  • #8
Vanadium 50 said:
As mentioned, yes it is possible. And I would be less concerned if the product came from a major manufacturer than some place in China or North Korea that I never heard of.

One could, I suppose, test it by taking two identical USB drives, plug one in, and see if they are still identical. There is software for these kinds of comparisons, some of which is a little sketchy as well. (I went down this rabbit hole investigating a bad USB drive: the reported capacity was less than the actual capacity - once you filled it up to 25%, it stopped working)

There was an external drive scam that my son ran into at college some years ago where he got a terabyte drive in an enclosure that could only hold 64GB because it was actually a USB stick inside the enclosure not a drive.
 
  • Like
Likes Vanadium 50
  • #9
Root kits can hide files and directories easily by intercepting OS calls and only returning those files not in its protected list.
 
  • #10
jedishrfu said:
because it was actually a USB stick inside the enclosure not a drive.
I'm not even slightly surprised.

jedishrfu said:
Root kits can hide files and directories easily
Yes they can. See my "not 100%" comment.

There exist programs that read USB block-by-block and not file-by-file. That's helpful. You can also use a USB port on a non-Windows/non-x86 machine: say an ARM running Linux. Neither is perfect.

If the requirement is zero chance of infection, do what the US government does: fill the USB ports with glue. If that is too extreme, you need to decide what level of risk to accept.
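
Added example (not part of any post in the thread): the two-identical-drives comparison from #5, done block by block as #10 suggests, on raw images or device nodes rather than through the file listing. The function names, block size and sample data are constructed for illustration.

```python
import os
import tempfile

BLOCK = 4096  # comparison granularity in bytes (assumed; any size works)


def diff_blocks(path_a, path_b, block=BLOCK):
    """Compare two raw images or devices block by block.

    Returns (ranges, size_a, size_b); ranges is a list of inclusive
    (first_block, last_block) tuples where the contents differ.
    """
    ranges, index, size_a, size_b = [], 0, 0, 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            a, b = fa.read(block), fb.read(block)
            if not a and not b:
                break
            size_a += len(a)
            size_b += len(b)
            if a != b:
                # Extend the previous range if this block is adjacent to it.
                if ranges and ranges[-1][1] == index - 1:
                    ranges[-1] = (ranges[-1][0], index)
                else:
                    ranges.append((index, index))
            index += 1
    return ranges, size_a, size_b


def demo():
    """Constructed sample: two 64 KiB 'drives', one altered after use."""
    base = bytearray(bytes(range(256)) * 256)      # 16 blocks of 4096 bytes
    used = bytearray(base)
    used[3 * BLOCK + 10] ^= 0xFF                   # one byte changed in block 3
    used[9 * BLOCK:11 * BLOCK] = b"\x00" * (2 * BLOCK)  # blocks 9-10 rewritten
    with tempfile.TemporaryDirectory() as d:
        ref, test = os.path.join(d, "ref.img"), os.path.join(d, "used.img")
        with open(ref, "wb") as f:
            f.write(base)
        with open(test, "wb") as f:
            f.write(used)
        return diff_blocks(ref, test)


if __name__ == "__main__":
    print(demo())
```

On a real pair of drives, pass the two device nodes (read access required) with both drives unmounted, so that mounting does not itself change the contents.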
 
  • #11
With respect to the USB keyboard hack, they said the hacker would salt a parking lot with these devices. An employee might see it and bring it to work to look for identifying info in the USB stick files only to actually infect their own computer and then the work network.

We were routinely reminded never to plug in USB devices we didn't know.

At one company where I once worked, we discovered a network machine had the NIMDA virus, and every time we attempted an install via the network, we got the virus, too. Eventually, we had to install via media to avoid network contamination.
 
  • #12
Vanadium 50 said:
If you are willing to accept "probably OK", buy from well-known brands and avoid sketchy brands or distribution channels.

The product in my original post is, of course, not a well known brand and it could well be sketchy.

As a matter of theoretical interest, how much extra safety would you say the following strategy might offer:
  • I have an oldish phone that I haven't been using.
  • I would delete all apps that it allows me to delete, in general bring it to a pristine condition.
  • Connect the USB drive to it via an OTG cable.
  • Copy the files to the device storage then unplug the OTG.
  • Connect the phone to my Raspberry Pi and use strictly only Media Transfer Protocol (MTP) to transfer the files to the Pi.
My impression is that MTP is pretty much sandboxed compared to conventional file transfer via USB (where the phone looks like a full-fledged storage device).

Another option might be to create a Google account just for this purpose and upload to Google Drive from the phone.
 
  • #13
If I tell you "this is probably OK" and it is not, you will be sad. Since I don't know, I shouldn't guess.
 
  • #14
I'm going to stick my neck out here and say that providing you only plug in USB memory sticks from a known origin (i.e. you have purchased them yourself) you are worrying about nothing.

The attack vector mentioned in #2 is not a malicious file on an ordinary device, it is a malicious device - a computer that masquerades itself electronically as a keyboard and physically as a memory stick.

As long as you are not stupid enough to execute any program stored on a genuine USB storage device (either manually or by confirming any "do you want to run autorun" OS prompt or by copying it locally and then executing it), it cannot harm you.

Note that by plugging something that is not a memory stick (e.g. a phone) in you are actually creating a risk that does not otherwise exist (e.g. the phone may be root-kitted with keyboard emulation malware).

Don't do this.
 
  • Like
Likes davenn and Swamp Thing
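
Added example (not part of any post in the thread): a check for the case #14 describes, something that looks like a memory stick but enumerates as a keyboard. On Linux each USB interface reports its class in sysfs as `bInterfaceClass` (`08` is mass storage, `03` is HID); the function names and the sample tree below are constructed for illustration.

```python
import os
import tempfile

MASS_STORAGE = "08"  # USB interface class code for mass storage (HID is "03")


def interface_classes(sysfs_root="/sys/bus/usb/devices"):
    """Map each USB device (e.g. '1-2') to the set of its interface classes."""
    classes = {}
    for entry in sorted(os.listdir(sysfs_root)):
        if ":" not in entry:
            continue  # device node such as '1-2' or 'usb1', not an interface
        try:
            with open(os.path.join(sysfs_root, entry, "bInterfaceClass")) as f:
                code = f.read().strip().lower()
        except OSError:
            continue  # interface vanished or attribute unreadable
        classes.setdefault(entry.split(":")[0], set()).add(code)
    return classes


def not_plain_storage(classes, devices):
    """Of the devices believed to be memory sticks, return those that
    enumerate anything other than mass-storage interfaces.
    A device that is not found at all is also returned (unverified)."""
    return [d for d in devices if classes.get(d, set()) != {MASS_STORAGE}]


def demo():
    """Constructed sysfs-like tree: one plain stick, one stick that also
    presents a HID (keyboard-class) interface, and a root hub."""
    sample = {"1-0:1.0": "09", "1-1:1.0": "08", "1-2:1.0": "08", "1-2:1.1": "03"}
    with tempfile.TemporaryDirectory() as root:
        for d in ("usb1", "1-1", "1-2"):
            os.mkdir(os.path.join(root, d))
        for iface, code in sample.items():
            os.mkdir(os.path.join(root, iface))
            with open(os.path.join(root, iface, "bInterfaceClass"), "w") as f:
                f.write(code + "\n")
        classes = interface_classes(root)
    return classes, not_plain_storage(classes, ["1-1", "1-2"])


if __name__ == "__main__":
    print(demo())
```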
  • #15
pbuk said:
I'm going to stick my neck out here and say that providing you only plug in USB memory sticks from a known origin (i.e. you have purchased them yourself) you are worrying about nothing.

The attack vector mentioned in #2 is not a malicious file on an ordinary device, it is a malicious device - a computer that masquerades itself electronically as a keyboard and physically as a memory stick.

As long as you are not stupid enough to execute any program stored on a genuine USB storage device (either manually or by confirming any "do you want to run autorun" OS prompt or by copying it locally and then executing it), it cannot harm you.

Note that by plugging something that is not a memory stick (e.g. a phone) in you are actually creating a risk that does not otherwise exist (e.g. the phone may be root-kitted with keyboard emulation malware).

Don't do this.

Couldn't have said it better myself, good words of wisdom
 
  • Like
Likes Swamp Thing
