USB Write Blocker: Makes any USB drive write protected.


+warwagon

Warwagon, you are paranoid and wasted your money on that crap.

You have a way with words. I think you should write books.

  • Like 3
Karl L.

Your script works for /bin/bash. By changing a few things that are bashisms (Bash specific), your script would be more portable. I'll post something when I get to a terminal at home.

What's wrong with bashisms? They exist to make shell scripting more convenient. I never intended this script for use outside of a modern GNU/Linux environment, but, honestly, OS X ships with BASH by default and it is easily installable on FreeBSD.

If it's in public domain it doesn't need one. Otherwise what gives? Can I modify and redistribute your code? If so in what terms?

Although I normally license BSD, since I did not give this script a license, you may use it in the public domain. I would appreciate some credit if you make a derivative, however.

TAZMINATOR

You have a way with words. I think you should write books.

I don't write books... I prefer to fix computers for anybody. I like to fix computers instead of writing books. Thanks for your concern.

tiagosilva29
What's wrong with bashisms? They exist to make shell scripting more convenient.
They only work for the Bash shell. Why exactly do you think there's a standard for shell and utilities?
ozgeek

That device you've shown there has the same flaw as cheap IDE or SATA drive write blockers, it only catches the most common write codes, so yeah, for the majority of the time you won't be able to write to it.

From doing forensics before, if you're worried about malware, you've just wasted your money.

I suspected this. Even though it claims to block writes to the drive, it mightn't do a good job at it. Even with the write-blocker, computers might be able to overcome the blocker and infect your USB sticks. You never know. To be really sure that nothing can be written, use media that actually only has "1 write and that's it", like a CD-R.

I bought too much computer crap like this to know that you actually don't need these. They become dust-collectors after a few uses.

+warwagon

I bought too much computer crap like this to know that you actually don't need these. They become dust-collectors after a few uses.

Hmm... Darn, so much for that then. Well maybe I'll find some use for it. On the plus side, it's deductible :D

goretsky

Hello,

It will be interesting to read your review on the device when it arrives. Do you think you could test it with a variety of file system formats and capacities of rewriteable media?

Regards,

Aryeh Goretsky

n_K

The filesystem doesn't make a difference, it detects generic codes to write data to the device which can be overcome by sending spoof codes and whatnot in between valid codes.

Simon-

$160 is too much, for that price I could get 32 USB sticks prepared for potentially malware-infested systems and after 32 uses go and re-wipe and re-copy the software.

Or get a U3 device with a virtual CD drive and use a utility to write an ISO file to the USB drive which is read only

+virtorio

I tried finding some USB sticks with the write protect switch to use for installing our software on people's (often virus filled) laptops in our training sessions. Optical discs are no good as the data it uses can be up to 20 GB. I found only one and it cost a fortune, so in the end we just went with SD cards (which do have write protect switches on them) with a USB card reader.

This thing would be interesting if it were, say, $140 cheaper.

nkaHnt

Most SD cards have write protection.

So a USB SD card reader + SD card with write protection for me

+warwagon

Does anyone know of some software I can use to test the device which does unusual writes?

goretsky

Hello,

I would think of starting with a variety of internal commands and applications (DISKPART, FORMAT, DISKMGMT, Windows Explorer, the various Office applications, file archiving utilities, file management programs, etc.) just to see if any common programs behave differently. I'd also be interested to see if things like FAT12, FAT16, FAT32, NTFS, ExFAT make a difference. USB-wise, lots of USB flash drives (including older, smaller capacity ones, if possible), optical drives and even a floppy diskette drive, if you have one.

I know, it's a lot of work, but, it's an interesting subject!

Regards,

Aryeh Goretsky

Does anyone know of some software I can use to test the device which does unusual writes?

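The test plan in the post above comes down to hashing the drive, attempting writes through the blocker, and hashing again. The following is an added example, not code from anyone in this thread, that does this and reports which byte ranges changed; the function names are hypothetical and a temporary file stands in for the drive.

```python
import hashlib
import os
import tempfile

CHUNK = 4096  # hash granularity in bytes; something like 1 MiB suits a real drive


def snapshot(path, chunk_size=CHUNK):
    """Read the whole device/image; return (overall SHA-256 hex, per-chunk digests)."""
    overall = hashlib.sha256()
    chunks = []
    with open(path, "rb") as dev:
        while True:
            block = dev.read(chunk_size)
            if not block:
                break
            overall.update(block)
            chunks.append(hashlib.sha256(block).digest())
    return overall.hexdigest(), chunks


def changed_ranges(before, after, chunk_size=CHUNK):
    """Byte ranges (start, end) whose chunk digests differ; adjacent chunks are merged."""
    ranges = []
    for i in range(max(len(before), len(after))):
        old = before[i] if i < len(before) else None
        new = after[i] if i < len(after) else None
        if old == new:
            continue
        start, end = i * chunk_size, (i + 1) * chunk_size
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges


def verify_blocker(path, exercise, chunk_size=CHUNK):
    """Hash, run the write attempts, hash again. Returns (unchanged?, changed ranges).

    On real hardware, unplug and replug the drive before the second pass so the
    read comes from the media and not from writes still held in the OS cache.
    """
    hash_before, chunks_before = snapshot(path, chunk_size)
    exercise()
    hash_after, chunks_after = snapshot(path, chunk_size)
    return hash_before == hash_after, changed_ranges(chunks_before, chunks_after, chunk_size)


def demo():
    """Constructed stand-in: a 32 KiB zero-filled temp file plays the USB drive."""
    fd, path = tempfile.mkstemp()
    os.write(fd, bytes(8 * CHUNK))
    os.close(fd)

    def leaky():  # simulates a blocker that let two writes through
        with open(path, "r+b") as f:
            f.seek(2 * CHUNK + 10)
            f.write(b"X" * 16)
            f.seek(3 * CHUNK)
            f.write(b"Y" * 16)

    try:
        blocked = verify_blocker(path, lambda: None)
        leaked = verify_blocker(path, leaky)
    finally:
        os.remove(path)
    return blocked, leaked


if __name__ == "__main__":
    print(demo())
```

The changed ranges show where on the drive a write landed, which helps tell a file-system metadata update apart from a change to file contents.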
n_K

Does anyone know of some software I can use to test the device which does unusual writes?

Nope, you'd have to make your own or find malware that does it, normal everyday software isn't made to send spoof commands to bypass write protection blocks.

Karl L.

Nope, you'd have to make your own or find malware that does it, normal everyday software isn't made to send spoof commands to bypass write protection blocks.

I'm very curious as to what that would look like. Could you provide a code snippet that does what you are talking about? I did a quick Google search and couldn't find anything of the sort.

+warwagon

I'm very curious as to what that would look like. Could you provide a code snippet that does what you are talking about? I did a quick Google search and couldn't find anything of the sort.

ya me too

n_K

As said I'm no longer at the university so don't have any of the stuff and it's not likely to be just randomly around on the net. Look up spec sheets on USB specs and whatnot for things like 'null' data that the device ignores and if you've got the time and skill, put them into programs and try them.

  • 7 months later...
+warwagon

http://www.neowin.ne...-security-patch

and people wonder why I don't plug in USB drives into my system which are not write protected (Physical switch, and by write protected I mean write protected while inserted into a customer's machine) and that I don't have control over. In this case it's modified USB descriptors, which I don't think malware can alter, this has been in Windows for quite some time. What else don't we know about?

goretsky

Hello,

From my reading of the article, it appears this vulnerability occurs when a USB flash drive is enumerated, e.g., identified by the system. I do not think protecting against writes to USB flash drives would, in this case, have any effect, since the operation occurs when the drive is read from and not written to. What this attack actually reminds me of are similar exploits which were (or are) used against FireWire.

Your point about trusting external media is quite valid, and users with earlier versions of Microsoft Windows should verify AutoRun is turned off and fully patched. While that certainly won't stop all attacks, it will, at least, improve security.

Regards,

Aryeh Goretsky

http://www.neowin.ne...-security-patch

and people wonder why I don't plug in USB drives into my system which are not write protected (Physical switch, and by write protected I mean write protected while inserted into a customer's machine) and that I don't have control over. In this case it's modified USB descriptors, which I don't think malware can alter, this has been in Windows for quite some time. What else don't we know about?

  • Like 1
The_Decryptor

It's a bit of a call back, but this caught my eye.

lolwut... optical drives? it hurts my brain just thinking about it.

slow burn time... no/slow rewrite... not to mention that many machines now have no optical drives.

That's basically a point, with a CD-R you can't change the disk contents, i.e. malware can never attack it. Get a USB optical drive (I got one for like $20 months back to replace the dead drive in my Mac Mini) and a burnt CD with rescue tools/a live Linux install and work on just about anything (Y)

+warwagon

Hello,

From my reading of the article, it appears this vulnerability occurs when a USB flash drive is enumerated, e.g., identified by the system. I do not think protecting against writes to USB flash drives would, in this case, have any effect, since the operation occurs when the drive is read from and not written to. What this attack actually reminds me of are similar exploits which were (or are) used against FireWire.

Your point about trusting external media is quite valid, and users with earlier versions of Microsoft Windows should verify AutoRun is turned off and fully patched. While that certainly won't stop all attacks, it will, at least, improve security.

Regards,

Aryeh Goretsky

I know the vulnerability does not care if the USB device is write protected or not. By write protection I meant it would stop the USB device from getting infected on the customer's machine in the first place... if that was possible.

  • Like 1
The_Decryptor

Other way around, the USB device isn't what's being attacked, it's what's doing the attacking, they adjusted what information the chipset sends to the host to exploit a flaw in how it parsed that information.

Ace
How about a better idea and NOT use USB drives in infected machines. Burn a CD with whatever utilities that you need. ZERO chance of infection.

Better still, buy an ISOStick or Zalman's ZM-VE300 HDD enclosure. Both have write protect switches.

  • Like 2
+warwagon

Better still, buy an ISOStick or Zalman's ZM-VE300 HDD enclosure. Both have write protect switches.

OMG Thank you for letting me know about the ISOstick. It looks AMAZING! Ordered one!

Other way around, the USB device isn't what's being attacked, it's what's doing the attacking, they adjusted what information the chipset sends to the host to exploit a flaw in how it parsed that information.

Correct. I didn't say it was. What I meant was, if it was at all possible for a virus to modify the chip's firmware to make a stick which would attack, then write protection might be useful on it to stop it from being modified.

  • Like 1
goretsky

Hello,

Kanguru is one of the few USB flash drive manufacturers that still makes models with a hardware write-protect switch.

Of course, you could also use an SDHC Card (which has a hardware write-protection switch) in a card reader, but from looking at this Wikipedia article, it's not clear to me how permanent setting the switch is on an SDHC Card, as it appears there may be a way to bypass it. The article is a little ambiguous about the details, though.

There are also several programs one can run which place a "garbled" entry for an AUTORUN.INF file on a USB flash drive. While I do not know for certain how effective this is in the real world, as anything which is done in software can be undone in software, it should prove effective against at least some worms which spread via USB drive in that fashion. Both BitDefender and Panda Security have free programs which perform this operation.

Regards,

Aryeh Goretsky
