How can I browse an untrusted USB flash drive safely?
There are many options to open it, but with safety in mind it will take more time:
- Open it through a live CD version of Linux. If the USB flash drive is infected, it would only infect the OS on the live CD.
- Boot the OS in a virtual machine and test the USB flash drive there [Note: you can set the guest OS to detect USB first, which would disable host USB detection].
- If you are using a Windows machine: disable `autorun.inf` on the local computer.
- If you are on a Mac, mount the USB as read-only.
- You can disable autorun on a Mac by following these steps:

You need to remove the auto-launch job with the `launchctl` command.

For example, in my case I had already installed a modem manufactured by ZTE. So I searched the launchd listings using the `launchctl list` command and grepped for those modem strings.

```
launchctl list | grep -i zte
```

Showing:

```
5681 - cn.com.zte.usbswapper.plist
```

If you do not find your app, then output all the jobs to a file. This awk command tries to handle the case where you have spaces in your launchd job name.

```
launchctl list 2>/dev/null | awk '
{ x="\""substr($0, match($0, $3), 100)"\""; print x; system("launchctl list " x) }
' > launchList.txt
```

Open launchList.txt. The name of the launchd job will be shown in "..." above the {} block where you hopefully find a "Mobile Partner" or "AutoOpen" string.

Perhaps inspect the item to be more confident before removal. Surround it with "" if there are spaces in the job name.

```
launchctl list "cn.com.zte.usbswapper.plist"
```

Then just remove it. This is the command that stops the auto load. Be very sure you are removing the correct agent or daemon.

```
launchctl remove "cn.com.zte.usbswapper.plist"
```

Add it again if you want, using the full path of the PLIST file.

```
launchctl load /Library/LaunchAgents/cn.com.zte.usbswapper.plist
```
Scan your computer and all USB flash drives regularly.

Note for BadUSB:
When you plug a USB device into a computer, the device tells the computer what sort of thing it is, so the computer can select the appropriate driver. For example, a thumb drive declares itself as a "USB Mass Storage" device, while a keyboard is a "Human Interface Device".
BadUSB is a technique for re-writing the firmware of a plugged-in USB device from the computer. For example, it could make a thumb drive identify itself as a mouse and cause the pointer to jump around at random. Or it could make the thumb drive identify itself as a USB hub with a connected keyboard and mass storage which, when plugged in, types a sequence of keystrokes that causes a program on the thumb drive to be run.

If you are using Linux and wish to protect against BadUSB:

BadUSB attacks are based on the fact that computers allow and enable HID devices on all USB ports. Faked network adapters are no real danger. My answer tries to describe how to use udev to temporarily disable the addition of new HID devices.

For preparation, create a file `/etc/udev/rules.d/10-usbblock.rules` with the content:

```
#ACTION=="add", ATTR{bInterfaceClass}=="03", RUN+="/bin/sh -c 'echo 0 >/sys$DEVPATH/../authorized'"
```
If you want to block other classes too, then look up the class number, copy the line, and change the class.

Now you can block all new HID devices using the command:

```
sed -i 's/#//' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules
```

and unblock with:

```
sed -i 's/^/#/' /etc/udev/rules.d/10-usbblock.rules; udevadm control --reload-rules
```
Before you shut down, always unblock, as the setting is persistent, and your "good" HID devices would be rejected on reboot.
I don't know whether you can edit the temporary rules directory, but if changes there affect the behaviour, you should edit that instead, as then you don't need to unblock before shutdown.
BadUSB credits/source: Security DMZ