USB Write Blocker : Makes any USB drive Write protected.

Question

+warwagon    11,366

Something that has boggled my mind for a while now. In the beginning write protected USB drives were pretty commonplace (so I've been told). But as the progression of Malware has increased, the number of write protected USB drives has decreased.

To be honest, most people don't even care if they stick their USB drive into an infested computer. Even though autorun, for the most part, has been disabled on Windows systems (so malware shouldn't technically get activated when sticking the stick into a clean machine), I would still never stick a USB flash drive that wasn't write protected into someone else's machine. If I did, I would (and have in the past) format the stick from a BartPE environment on another machine before sticking it back into my own.

I was looking online and came across this neat little product. It's called the USB Write blocker. 1 end plugs into the computer and you plug your usb hard drive or USB memory stick into the other end.


This device obviously isn't for everyone. But for those who do repairs where write protection is a serious concern, this might be for you. What I like about this idea is that you would use it whenever you plug a USB drive into someone's computer. This way you KNOW it's write protected. The problem I had with USB memory sticks that had write protection switches is I always had to check the switch to make sure it was activated, which means it would be possible to forget.

The only thing I wish it did was not to spoof the writes (showing it copied when it didn't) but just throw up a write protection error. For this reason I could never temporarily use it on a USB SATA dock, because if it was behind the computer and if I forgot it was there, and I went to back up someone's files, it would show they got backed up but in the end they would not be. But to be used in combination with a USB repair thumb drive or now a USB repair hard drive, it would work great.

It's $160 on Amazon, I think I might get one. Lemme know what you think.

Karl L.    275

Your script works for /bin/bash. By changing a few things that are bashisms (Bash specific), your script would be more portable. I'll post something when I get to a terminal at home.

What's wrong with bashisms? They exist to make shell scripting more convenient. I never intended this script for use outside of a modern GNU/Linux environment, but, honestly, OS X ships with BASH by default and it is easily installable on FreeBSD.

If it's in public domain it doesn't need one. Otherwise what gives? Can I modify and redistribute your code? If so in what terms?

Although I normally license BSD, since I did not give this script a license, you may use it in the public domain. I would appreciate some credit if you make a derivative, however.

TAZMINATOR    12,416

You have a way with words. I think you should write books.

I don't write books... I prefer to fix computers for anybody. I like to fix computers instead of write books. Thanks for your concern.

tiagosilva29    892

What's wrong with bashisms? They exist to make shell scripting more convenient.

They only work for the Bash shell. Why exactly do you think there's a standard for shell and utilities?

ozgeek    157

That device you've shown there has the same flaw as cheap IDE or SATA drive write blockers: it only catches the most common write codes, so yeah, for the majority of the time you won't be able to write to it.

From doing forensics before, if you're worried about malware, you've just wasted your money.

I suspected this. Even though it claims to block writes to the drive, it mightn't do a good job at it. Even with the write-blocker, computers might be able to overcome the blocker and infect your USB sticks. You never know. To be really sure that nothing can be written, use a medium that actually only has "1 write and that's it", like a CD-R.

I bought too much computer crap like this to know that you actually don't need these. They become dust-collectors after a few uses.

+warwagon    11,366

I bought too much computer crap like this to know that you actually don't need these. They become dust-collectors after a few uses.

Hmm... Darn, so much for that then. Well, maybe I'll find some use for it. On the plus side, it's deductible :D

+goretsky    877

Hello,

It will be interesting to read your review on the device when it arrives. Do you think you could test it with a variety of file system formats and capacities of rewriteable media?

Regards,

Aryeh Goretsky

n_K    1,925

The filesystem doesn't make a difference, it detects generic codes to write data to the device which can be overcome by sending spoof codes and whatnot in between valid codes.

Simon-    490

$160 is too much, for that price I could get 32 USB sticks prepared for potentially malware-infested systems and after 32 uses go and re-wipe and re-copy the software.

Or get a U3 device with a virtual CD drive and use a utility to write an ISO file to the USB drive, which is read only.

virtorio    2,534

I tried finding some USB sticks with the write protect switch to use for installing our software on people's (often virus filled) laptops in our training sessions. Optical discs are no good as the data it uses can be up to 20 GB. I found only one and it cost a fortune, so in the end we just went with SD cards (which do have write protect switches on them) with a USB card reader.

This thing would be interesting if it were, say, $140 cheaper.

nkaHnt    3

Most SD cards have write protection.

So a USB SD card reader + SD card with write protection for me.

+warwagon    11,366

Does anyone know of some software I can use to test the device which does unusual writes?

+goretsky    877

Hello,

I would think of starting with a variety of internal commands and applications (DISKPART, FORMAT, DISKMGMT, Windows Explorer, the various Office applications, file archiving utilities, file management programs, etc.) just to see if any common programs behave differently. I'd also be interested to see if things like FAT12, FAT16, FAT32, NTFS, ExFAT make a difference. USB-wise, lots of USB flash drives (including older, smaller capacity ones, if possible), optical drives and even a floppy diskette drive, if you have one.

I know, it's a lot of work, but, it's an interesting subject!

Regards,

Aryeh Goretsky

Does anyone know of some software I can use to test the device which does unusual writes?
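
One way to score the tests suggested above, as an added example that is not part of the original thread: hash the medium before and after each write attempt made through the blocker. Because the device is described as spoofing writes (reporting success while discarding the data), the command's exit status is ignored and only the re-read content counts. `media_hash` and `check_unchanged` are names made up for this example, and `/dev/sdX` is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread). TARGET is a block device such as
# /dev/sdX (placeholder) or an image file.

# Print the SHA-256 of everything readable from the target.
media_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" 2>/dev/null | cut -d' ' -f1
    else
        shasum -a 256 "$1" 2>/dev/null | cut -d' ' -f1
    fi
}

# check_unchanged TARGET COMMAND [ARGS...]
# Returns 0 if TARGET hashes the same before and after COMMAND,
# 1 if its content changed, 2 if it could not be read.
check_unchanged() {
    target=$1
    shift
    before=$(media_hash "$target")
    [ -n "$before" ] || return 2
    # The write attempt under test. Its exit status is ignored on purpose:
    # a blocker that spoofs writes reports success for data it discarded.
    "$@" >/dev/null 2>&1 || true
    sync
    # Drop the host's cached blocks so the second hash is read from the
    # medium (needs root; physically re-plugging the drive is more thorough).
    if [ -b "$target" ]; then
        blockdev --flushbufs "$target" 2>/dev/null || true
    fi
    after=$(media_hash "$target")
    [ -n "$after" ] || return 2
    if [ "$before" = "$after" ]; then
        echo "UNCHANGED $before"
        return 0
    fi
    echo "MODIFIED $before -> $after"
    return 1
}
```

Run it once per tool and file system under test, for example `check_unchanged /dev/sdX cp report.doc /mnt/usb/`, and treat any `MODIFIED` result as a blocker failure.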

n_K    1,925

Does anyone know of some software I can use to test the device which does unusual writes?

Nope, you'd have to make your own or find malware that does it, normal everyday software isn't made to send spoof commands to bypass write protection blocks.

Karl L.    275

Nope, you'd have to make your own or find malware that does it, normal everyday software isn't made to send spoof commands to bypass write protection blocks.

I'm very curious as to what that would look like. Could you provide a code snippet that does what you are talking about? I did a quick Google search and couldn't find anything of the sort.

+warwagon    11,366

I'm very curious as to what that would look like. Could you provide a code snippet that does what you are talking about? I did a quick Google search and couldn't find anything of the sort.

ya me too

n_K    1,925

As said I'm no longer at the university so don't have any of the stuff and it's not likely to be just randomly around on the net. Look up spec sheets on USB specs and whatnot for things like 'null' data that the device ignores and if you've got the time and skill, put them into programs and try them.

+warwagon    11,366

http://www.neowin.ne...-security-patch

and people wonder why I don't plug USB drives into my system which are not write protected (physical switch, and by write protected I mean write protected while inserted into a customer's machine) and that I don't have control over. In this case it's modified USB descriptors, which I don't think malware can alter; this has been in Windows for quite some time. What else don't we know about?

+goretsky    877

Hello,

From my reading of the article, it appears this vulnerability occurs at the time a USB flash drive is enumerated, e.g., identified by the system. I do not think protecting against writes to USB flash drives would, in this case, have any effect, since the operation occurs when the drive is read from and not written to. What this attack actually reminds me of are similar exploits which were (or are) used against FireWire.

Your point about trusting external media is quite valid, and users with earlier versions of Microsoft Windows should verify AutoRun is turned off and fully patched. While that certainly won't stop all attacks, it will, at least, improve security.

Regards,

Aryeh Goretsky

http://www.neowin.ne...-security-patch

and people wonder why I don't plug USB drives into my system which are not write protected (physical switch, and by write protected I mean write protected while inserted into a customer's machine) and that I don't have control over. In this case it's modified USB descriptors, which I don't think malware can alter; this has been in Windows for quite some time. What else don't we know about?

The_Decryptor    1,105

It's a bit of a call back, but this caught my eye.

lolwut... optical drives? it hurts my brain just thinking about it.

slow burn time... no/slow rewrite... not to mention that many machines now have no optical drives.

That's basically a point, with a CD-R you can't change the disk contents, i.e. malware can never attack it. Get a USB optical drive (I got one for like $20 months back to replace the dead drive in my Mac Mini) and a burnt CD with rescue tools/a live Linux install and work on just about anything (Y)

+warwagon    11,366

Hello,

From my reading of the article, it appears this vulnerability occurs at the time a USB flash drive is enumerated, e.g., identified by the system. I do not think protecting against writes to USB flash drives would, in this case, have any effect, since the operation occurs when the drive is read from and not written to. What this attack actually reminds me of are similar exploits which were (or are) used against FireWire.

Your point about trusting external media is quite valid, and users with earlier versions of Microsoft Windows should verify AutoRun is turned off and fully patched. While that certainly won't stop all attacks, it will, at least, improve security.

Regards,

Aryeh Goretsky

I know the vulnerability does not care if the USB device is write protected or not. By write protection I meant it would stop the USB device from getting infected on the customer's machine in the first place... if that was possible.

The_Decryptor    1,105

Other way around, the USB device isn't what's being attacked, it's what's doing the attacking, they adjusted what information the chipset sends to the host to exploit a flaw in how it parsed that information.

Ace    82

How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.

Better still, buy an ISOStick or Zalman's ZM-VE300 HDD enclosure. Both have write protect switches.

+warwagon    11,366

Better still, buy an ISOStick or Zalman's ZM-VE300 HDD enclosure. Both have write protect switches.

OMG Thank you for letting me know about the ISOstick. It looks AMAZING! Ordered one!

Other way around, the USB device isn't what's being attacked, it's what's doing the attacking, they adjusted what information the chipset sends to the host to exploit a flaw in how it parsed that information.

Correct. I didn't say it was. What I meant was, if it was at all possible for a virus to modify the chip's firmware to make a stick which would attack, then a write protection might be useful on it to stop it from being modified.

+goretsky    877

Hello,

Kanguru is one of the few USB flash drive manufacturers that still makes models with a hardware write-protect switch.

Of course, you could also use an SDHC Card (which has a hardware write-protection switch) in a card reader, but from looking at this Wikipedia article, it's not clear to me how permanent setting the switch is on an SDHC Card, as it appears there may be a way to bypass it. The article is a little ambiguous about the details, though.

There are also several programs one can run which place a "garbled" entry for an AUTORUN.INF file on a USB flash drive. While I do not know for certain how effective this is in the real world, as anything which is done in software can be undone in software, it should prove effective against at least some worms which spread via USB drive in that fashion. Both BitDefender and Panda Security have free programs which perform this operation.

Regards,

Aryeh Goretsky

+warwagon    11,366

My isostick video

Or if you just want to watch it here
