I am looking for a fast USB drive which has a physical write-protect enable switch on it. I would also want a BadUSB-resistant USB controller. I want this for 2 reasons:

  • So I can diagnose issues on machines where the problem may or may not be malware. This way, I can plug it into several machines without risking spreading malware.

  • So I can carry around a TailsOS drive wherever I go, and use it on public computers and friend’s computers without risk of infection.

So far, I have only found one company making these things, Kanguru. There are almost no reviews of their products by reputable sources, at least not for their write-protecting drives.

Their BadUSB firmware detection module is NIST certified, which is great (given that you trust proprietary cryptography modules at all), but no certs for the main storage write protection. Also Kanguru products are very overpriced.

And no I am not using SD cards, their write protect implementation is software-based and they are too slow for me.

I am specifically looking at the Kanguru FlashTrust . My questions are:

  • Has anyone used Kanguru products and how was your experience?

  • Are there other companies that make decent quality drives with hardware write-protect switches? (Ideally ones that have FOSS firmware and are third-party tested, but I will take anything).

  • Are there any companies that make USB writeblockers which are small enough to fit in a wallet and <$50? (Example of one that is too big). That way I can use a standard, cheaper USB drive.

Oh how I wish Nitrokey made these!

  • jet@hackertalks.com
    link
    fedilink
    English
    arrow-up
    5
    ·
    edit-2
    3 months ago

    You might want to expand your search to include forensic USB devices, that’s a arena where people absolutely want read only data acquisition, and that might help find what you want.

    “Forensic bridges”

    There is complexity to read only modes. Depending on the underlying technology the read-only switch could be implemented in software, or the host needs to honor it by protocol, but not physically. That’s pretty common for SD cards, if the host computer wants to write to them it can

    Some of the better USB sticks, the Read only button, actually prevents the write enable signal from physically reaching the storage, that would be best in class. But you need the schematic to actually verify that. So you don’t know if it’s actually just implemented in software

    For the forensic bridges, they actually speak the USB protocol, because it’s just a serial bus, and they simply don’t relay any commands they believe are related to writes. That relies on them enumerating every possible serial command, and that both the talker and the listener both have the same understandings for the same commands… It’s pretty good, but there is room for error

    Most encrypted USB devices, the ones with the keypads on them, have a read only mode. If you trust their software: https://www.kingston.com/en/usb-flash-drives/ironkey-kp200-encrypted-usb-flash-drive

    Honestly, your cheapest option is to get cheap USB drives, image them. Put some red gaffers tape on them, whenever you break the tape to plug them into a device they’re now tainted, and you as a human must reimage the drives again before you put them into another computer.

    https://github.com/o7-machinehum/ovrdrive Here’s a fully open source flash drive, if you look at the schematic you can see you just want to be able to disable the right enable pin. This drive is designed with some fancy controller in front of the USB controller so you could actually disable it in software if you wanted… https://www.crowdsupply.com/interrupt-labs/ovrdrive-usb/updates/a-look-at-our-firmware-and-how-to-modify-it

    • anon2963@infosec.pubOP
      link
      fedilink
      English
      arrow-up
      2
      ·
      3 months ago

      Thanks for the wonderful info. I think I will go with the iStorage datAshur PRO+C because it has the best speeds out of all of them. It is slightly more involved to activate read-only mode than a simple switch, but it should be negligible compared to the time to boot the system and other overhead.

      There is no way for me to verify how the write-protect works with this drive, but that is true for all of them, so I have to trust one. However, this company seems very competent. And importantly there are many 3rd party reviews of this and similar iStorage products. Also the firmware is supposedly signed so it should be immune to badUSB. But you do make the point that there is no way to be sure.

      I plan to use root on LUKS anyway (I want persistent storage), so I can keep / encrypted and checksum my /boot every boot to search for anomalies. Once LUKS is decrypted, theoretically malware could get embedded in there, but I feel like it would be unlikely for malware to infect one partition and not the other.

      I wonder if there is a way to setup a “honeypot” partition which holds no useful data but exhibits traits that are appealing for malwares to embed themselves in. It would be checksummed regularly while the system was running and alert me if anything changed.

      That open source flash drive looks awesome, and I will keep my eye on it, maybe I would consider it if my threat model was tougher.