This seems a bit misleading to me. From README.md:
This project aims to be useful when you get/find a USB key
that you can't trust, and you want to look at its contents
without taking the risk of plugging it into your computer
directly.
Its method of operation is given as:
The content of the untrusted key will be copied or/and
converted to the second (blank) key following these rules
(based on the mime type as determined by libmagic)
This process does not make the key trustworthy. From the BadUSB intro:
Once reprogrammed, benign devices can turn malicious in
many ways, including:
1. A device can emulate a keyboard and issue commands on
behalf of the logged-in user [...]
2. A modified thumb drive or external hard disk
can [...] boot a small virus, which infects the
computer’s operating system prior to boot.
Assuming that the first USB stick can infect the second USB stick, CIRClean will not protect you against these attacks.
They can mitigate against badUSB by only whitelisting the generic USB mass storage class driver. No keyboard, no mouse, etc... I am not confident they do this though.
However, that could be bypassed if the USB key acted like a USB hub with a keyboard attached.
If you do get a keyboard working, it looks like you can just log in with raspberry / raspberry and then full privileged access since sudo from the raspberry user, and /dev/kmem from root is enabled. That would allow arbitrary content to be copied on to the user supplied USB, and depending on the device, possibly firmware reprogramming.
> They can mitigate against badUSB by only whitelisting
I'd say just don't run a graphical environment or, if you do, lock it. With a normal password, good luck to the USB thumb drive that pretends to be a keyboard.
As for booting, well, don't have it in there at boot time.
As for malware in the files itself -- I don't think that's the point of this project. It says "if you don't trust the transport medium (i.e. USB)", it's not about the contents.
But it's the assumption that is in itself inaccurate.
Case #1 is about a modified firmware of the USB controller in the USB stick, case #2 assumes that a boot is initiated from the USB stick.
What the Circlean thingy does is more similar to an antivirus, it examines the contents (files) on the USB stick filesystem and only copies to the second stick those files of known type, according to the given rules.
Whether this is effective against everything is another thing, of course.
Only "plain" files are directly copied, other supported ones are analyzed and converted, some more detiled info is here:
No, I think the assumption is entirely correct. If you can't trust a USB stick's contents then you probably can't trust its controller itself.
But your OS doesn't have to say "Oh, you are a keyboard? Here, open a terminal and type arbitrary commands." It can say "Sorry, I only talk to USB mass storage class devices."
Not necessarily, it should be possible to do this correctly, although I doubt this specific device does so. The device itself needs to be hardened against USB attacks, otherwise it would be pointless, of course. Then it copies the contents of the malicious USB stick into a buffer storage, analyses the buffer and cleans up the documents on it, and then it unmounts the first device, mounts the second device and copies the contents of the buffer to it.
If it also allows for write-protection, then it might be interesting for forensic work. (AFAIK, USB write protectors cost a few hundred bucks, and maybe this device is the cost range.)
The crucial question is, of course, how well the device is hardened against targeted attacks. Just using some seemingly secure Linux won't suffice.
Keep in mind that it is completely feasible for the µC to activate malicious payloads only after the n-th usage. Kind of like a PS3 exploit worked, albeit not on the descriptor layer, but the MSC layer.
> In the worst case, only the CIRCLean would be compromised, but not the computer reading the target (trusted) USB key/stick.
If the CIRClean device is compromised, I don't see how the trusted USB stick, which is connected to the now compromised CIRClean, can be guaranteed to not be infected.
Isn't there also a physical switch on the SD card to mark it as write-protected? I'm sure that could be bypassed, but it would make it more difficult to hide the contamination.
I can buy a USB stick with 32 gigs of memory for a couple of Euros and fill it in minutes. My friends can read the stick in minutes, without having to install software.
Readit News
However, that could be bypassed if the USB key acted like a USB hub with a keyboard attached.
If you do get a keyboard working, it looks like you can just log in with raspberry / raspberry and then full privileged access since sudo from the raspberry user, and /dev/kmem from root is enabled. That would allow arbitrary content to be copied on to the user supplied USB, and depending on the device, possibly firmware reprogramming.
I'd say just don't run a graphical environment or, if you do, lock it. With a normal password, good luck to the USB thumb drive that pretends to be a keyboard.
As for booting, well, don't have it in there at boot time.
As for malware in the files itself -- I don't think that's the point of this project. It says "if you don't trust the transport medium (i.e. USB)", it's not about the contents.
Only "plain" files are directly copied, other supported ones are analyzed and converted, some more detiled info is here:
https://github.com/CIRCL/Circlean/blob/master/README.md
The thing is not really "new":
https://news.ycombinator.com/item?id=8216853
But your OS doesn't have to say "Oh, you are a keyboard? Here, open a terminal and type arbitrary commands." It can say "Sorry, I only talk to USB mass storage class devices."
This is also how I would characterize it.
> Whether this is effective against everything is another thing, of course.
The homepage states:
which (at least to me) seems to imply complete effectiveness, which is what irks me.If it also allows for write-protection, then it might be interesting for forensic work. (AFAIK, USB write protectors cost a few hundred bucks, and maybe this device is the cost range.)
The crucial question is, of course, how well the device is hardened against targeted attacks. Just using some seemingly secure Linux won't suffice.
If the CIRClean device is compromised, I don't see how the trusted USB stick, which is connected to the now compromised CIRClean, can be guaranteed to not be infected.
That seems quite risky tho, once the device is infected, that would be like washing all your dishes with the toilet sponge.
What is the goal of having to reboot at each cycle?
But in practice, I'm pretty sure that with the right privileges you could just write to the SD card...
This may be splitting hairs, but a Raspberry Pi is a computer. From https://www.raspberrypi.org/
> The Raspberry Pi is a tiny and affordable computer that you can use to learn programming through fun, practical projects.
The actual project page - https://github.com/CIRCL/Circlean
If I found a USB stick, I would just bin it.
You can dump a bunch of films and tv shows on a USB stick and use that with a cheap laptop for travelling.
Bad UX but I guess it works,
I would have preferred an LED, on the Raspberry Pi GPIO ports to indicate ready, processing and finished.
Deleted Comment