Safe to connect to external drive?

Respectfully, @Adnan is dead wrong in some key assumptions that it is relatively safe to open an unknown external drive.

As I answered here, it is not safe to connect any infected drive without proper safeguards in place.

In fact, the only way to be 99.99% (nothing in security is certain) sure it's malware-free is to actually do a forensic examination on it. At a bare minimum you should only attach an unknown external device using a proper VM. Ideally, you would take a forensic image of the drive and then examine it in the VM.

Note that you can do this 'safely' but only if precautions are followed.

Here is a simple article that outlines a few real-world examples.

Bear in mind that it is not just limited to autoplay features. There are sooooo many ways to hide things digitally and then execute them (leveraging OS/driver/buffer exploits for example).

Update: you may want to keep your ears peeled for more information on this as it's presented at Black Hat soon.
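The "take a forensic image, then examine it in the VM" step from the answer above, as an added example that is not part of the original post. It assumes a Linux analysis VM with `dd` and `sha256sum`; the function names and the device path in the closing comment are hypothetical.

```shell
#!/bin/sh
# Added example: copy an untrusted drive to an image file and verify the copy.
# Assumptions: Linux guest with GNU dd and sha256sum; run inside the analysis VM.

# Hash a file or block device, printing only the hex digest.
digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire_image SRC DST
# Raw-copies SRC to DST without mounting it, then compares digests.
# Prints the digest and returns 0 on a verified copy, non-zero otherwise.
acquire_image() {
    src=$1
    dst=$2
    if [ ! -r "$src" ]; then
        echo "cannot read $src" >&2
        return 2
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 3
    fi

    # Block-level copy: no filesystem on the drive is parsed by this step.
    # dd stops on a read error, so a damaged drive aborts instead of
    # silently producing a partial image.
    dd if="$src" of="$dst" bs=1M 2>/dev/null || return 4

    src_hash=$(digest "$src")
    img_hash=$(digest "$dst")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: image is not a faithful copy" >&2
        return 5
    fi

    # Keep the digest beside the image and mark both read-only.
    printf '%s  %s\n' "$img_hash" "$(basename "$dst")" > "$dst.sha256"
    chmod 0444 "$dst" "$dst.sha256"
    echo "$img_hash"
}

# Typical use (device name is an assumption; confirm it with lsblk first):
#   acquire_image /dev/sdb unknown-drive.img
```

After acquisition, detach the physical drive and do all further examination on the image file; `sha256sum -c unknown-drive.img.sha256` confirms later that the image has not changed.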


I believe all Mac OS 10+ versions disabled the auto run feature so even if there were a virus on it, if you are simply copying files it would never start unless you intentionally ran the program.

I would say you are very safe in attaching and copying the files with no ill effects. If it were Windows I would say there is a lot of worry.

If you are that worried, you can download Kaspersky's bootable USB antivirus and plug the drive in on reboot and scan it with that.

http://www.precisesecurity.com/tools-resources/free-antivirus/virus-scan-kaspersky-usb


If you connect the disk, don't open it, and just send the files to it, then there's almost no risk at all. If your system is originally clean, malware cannot magically move itself from the USB disk to your system. Plus, Mac OS X doesn't have an autorun capability for USB drives. It never has.

The only theoretical risk I can think of is if the attacker had found a vulnerability in the way Mac handles the drive's names and was able to exploit it and execute some code.

Personally, I wouldn't worry about it. Just make sure you copy without opening it.

Note 1: When I say "don't open it", I don't mean that there's a magical way to get you infected if you open the disk, there isn't. It's just that if you open it, it's more likely that you'll click on something in it.

Note 2: Please don't run an Anti-Virus scan on a disk that is not yours unless you're asked to. Anti-Viruses tend to be stupid; they delete pen testing tools all the time.