Topic: The safety of using USB sticks to transfer data from an offline machine
thewayshegoes (OP)
December 05, 2013, 01:18:41 PM
 #1

Being a little bit paranoid, I've been wondering lately if there is any real risk when transferring files via USB stick from an online machine, to a machine that will always be offline, and the other way around.  For instance, if I'm using the offline Electrum wallet, and I want to make an offline transaction.  At some point the USB stick is going from my offline computer to my online one.  And then at another point that same USB is likely going to be put in the offline machine again.  Is there any way for some kind of virus/malware/spyware to get on that USB stick and get transferred to the offline machine, and then in turn get transferred back to the online machine?  Basically, my worry is that even though my netbook will always stay offline, is there any way for any data from it to be leaked via a USB stick, once that stick is put in an online computer?  Maybe I'm being a little too paranoid, but I'm not that much of a techie, and was hoping to hear from those that are on this issue.
keystroke
December 05, 2013, 01:27:56 PM
 #2

Stuxnet used a Windows USB stick 0day to propagate. So it is not unheard of.

Maybe a written CD is easier if it is fully written and has no more space to write? Or a USB stick with a read-only switch?

"The difference between a castle and a prison is only a question of who holds the keys."
elbandi
December 05, 2013, 01:52:01 PM
 #3

use linux. every time destroy the filesystem on the stick, and recreate in a trusted/clean system.
kjj
December 05, 2013, 02:20:33 PM
 #4

> Stuxnet used a Windows USB stick 0day to propagate. So it is not unheard of.
>
> Maybe a written CD is easier if it is fully written and has no more space to write? Or a USB stick with a read-only switch?

Write protect switches are advisory.  Many many years ago, some models of enterprise SCSI drives had write jumpers that physically disconnected power to the write/erase head.  Everything else should be taken to mean "please don't write on me".

Much safer is to use something like QR or a barcode, either on paper, or on a screen.  If using QR, care should be taken that you don't ever read them with clever software.  I use a scanner that simulates keystrokes.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
Automatic
December 05, 2013, 02:22:34 PM
 #5

> use linux. every time destroy the filesystem on the stick, and recreate in a trusted/clean system.

Don't get me wrong, I agree a Linux based operating system would be a lot more secure, but, after all, it is a computer and could still be exploited.

Please ask for a signed message from my on-site Bitcoin address (Check my profile) before doing any offsite trades with me.
elbandi
December 05, 2013, 03:00:17 PM
 #6

> > use linux. every time destroy the filesystem on the stick, and recreate in a trusted/clean system.
>
> Don't get me wrong, I agree a Linux based operating system would be a lot more secure, but, after all, it is a computer and could still be exploited.

yes, only a destroyed computer can't be exploited :D

but some linux don't automount and autorun apps when a stick is inserted. you only get a sdX and it's easy to wipe everything from it.
keystroke
December 05, 2013, 03:37:56 PM
 #7

> > Stuxnet used a Windows USB stick 0day to propagate. So it is not unheard of.
> >
> > Maybe a written CD is easier if it is fully written and has no more space to write? Or a USB stick with a read-only switch?
>
> Write protect switches are advisory.  Many many years ago, some models of enterprise SCSI drives had write jumpers that physically disconnected power to the write/erase head.  Everything else should be taken to mean "please don't write on me".
>
> Much safer is to use something like QR or a barcode, either on paper, or on a screen.  If using QR, care should be taken that you don't ever read them with clever software.  I use a scanner that simulates keystrokes.

What software do you use to produce the QR code and what scanner do you use?

"The difference between a castle and a prison is only a question of who holds the keys."
justusranvier
December 05, 2013, 06:36:48 PM
 #8

In what way does a write-protected USB stick prevent malware from spreading between the online and offline machines?
kjj
December 05, 2013, 06:39:07 PM
 #9

> > > Stuxnet used a Windows USB stick 0day to propagate. So it is not unheard of.
> > >
> > > Maybe a written CD is easier if it is fully written and has no more space to write? Or a USB stick with a read-only switch?
> >
> > Write protect switches are advisory.  Many many years ago, some models of enterprise SCSI drives had write jumpers that physically disconnected power to the write/erase head.  Everything else should be taken to mean "please don't write on me".
> >
> > Much safer is to use something like QR or a barcode, either on paper, or on a screen.  If using QR, care should be taken that you don't ever read them with clever software.  I use a scanner that simulates keystrokes.
>
> What software do you use to produce the QR code and what scanner do you use?

The QRs themselves are made by PHP QR Code.  They are being generated by my offline key generator, a project that hasn't been released yet.

I use a Wasp WDI4500 barcode/QR reader, but I've also tested them with the Android QR app also.  I also put barcodes on the pages, which I test with the wasp, and with a cheapass $10 chinese barcode reader.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
thewayshegoes (OP)
December 05, 2013, 06:40:37 PM
 #10

> In what way does a write-protected USB stick prevent malware from spreading between the online and offline machines?

The way I understand it is that you turn off the write protection when you put the USB in the offline computer (assuming you have an offline computer that has never touched the internet), so you can copy the signed transaction (using offline Electrum or Armory).  Then you turn on the write protection when you put the USB in the online computer to complete the transaction, so no data can be written on the USB drive while it's in the online computer, it can only read data.  This could protect against something malicious being written on your USB stick while it's in the online machine.
justusranvier
December 05, 2013, 06:50:25 PM
 #11

> > In what way does a write-protected USB stick prevent malware from spreading between the online and offline machines?
>
> The way I understand it is that you turn off the write protection when you put the USB in the offline computer (assuming you have an offline computer that has never touched the internet), so you can copy the signed transaction (using offline Electrum or Armory).  Then you turn on the write protection when you put the USB in the online computer to complete the transaction, so no data can be written on the USB drive while it's in the online computer, it can only read data.  This could protect against something malicious being written on your USB stick while it's in the online machine.

And how do you get the unsigned transaction from the online machine to the offline machine in the first place?
justusranvier
December 05, 2013, 08:35:57 PM
 #12

> I'm not an expert, but I'm pretty sure the only time you have to write anything is when the USB is in the offline computer.  I'm talking about using Electrum or Armory offline, I'm not sure about other methods.  You create the transaction offline and write the file it gives you to the USB.  Then turn on write protection and put the USB in the online computer to finish the transaction.  Pretty sure you don't have to write anything to the USB while it's in the online computer.  Correct me if I'm wrong about this.

Nope.

An offline computer by definition does not have access to the blockchain, therefore can not create a transaction.

Transactions need to be constructed online, then moved to the offline computer for signing, then moved back to the online computer for broadcast.
TiagoTiago
December 05, 2013, 08:41:50 PM
 #13

You could use QR codes and SSTV to transfer the data back and forth thru audio... ¬.¬

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX :)

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
justusranvier
December 05, 2013, 08:51:44 PM
 #14

The danger is that since nobody in the hardware industry gives a shit about security, it's conceivable for malware on your online machine to infect a USB stick at the firmware level, with malware that infects your offline machine's motherboard (also at the firmware level) as soon as you plug it in. All of this would happen at such a low level that your OS can't do anything about it.

Manually typing in the unsigned transaction is probably safe, but is the most tedious thing imaginable.

Printing it out and then loading via OCR is probably safe too, as long as the OCR app is thoroughly vetted for bugs and vulnerabilities.

Transferring the data via an audio cable might be ok, but since audio has never been security-sensitive before nobody has spent a lot of time auditing that subsystem for exploitable vulnerabilities so we don't really know how safe it is.

tl;dr: PC security is virtually non-existent right now, and not likely to improve any time soon.
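
An added example, not written by any poster in this thread: the point made in posts #4 and #14, that whatever reads the transferred data on the offline machine has to be simple enough to trust, shown as a reader that accepts only short checksummed hex lines. The line format and the names `encode_lines` and `decode_lines` are assumptions made up for this example; they are not what Electrum or Armory use.

```python
import hashlib
import re

# Assumed transfer format (not Electrum's or Armory's): lowercase hex in
# lines of up to 32 characters, each followed by a 4-hex-digit check value.
GROUP = 32
MAX_PAYLOAD_BYTES = 100_000  # assumed cap, generous for a single transaction
LINE_RE = re.compile(r"[0-9a-f]{2,32} [0-9a-f]{4}")


def _check(index: int, chunk: str) -> str:
    """Check value bound to the line's position as well as its content."""
    return hashlib.sha256(f"{index}:{chunk}".encode("ascii")).hexdigest()[:4]


def encode_lines(payload: bytes) -> list[str]:
    """Online side: render raw bytes as short lines for print, QR or typing."""
    hexed = payload.hex()
    chunks = [hexed[i:i + GROUP] for i in range(0, len(hexed), GROUP)]
    lines = [f"{c} {_check(i, c)}" for i, c in enumerate(chunks)]
    lines.append("end " + hashlib.sha256(payload).hexdigest()[:16])
    return lines


def decode_lines(lines: list[str]) -> bytes:
    """Offline side: accept only the exact expected shape, else raise."""
    if not lines or len(lines) > MAX_PAYLOAD_BYTES * 2 // GROUP + 2:
        raise ValueError("unexpected number of lines")
    *body, trailer = lines
    hexed = []
    for i, line in enumerate(body):
        if not LINE_RE.fullmatch(line):  # no whitespace tricks, no uppercase
            raise ValueError(f"line {i + 1}: unexpected characters or length")
        chunk, check = line.split(" ")
        if len(chunk) % 2 or (len(chunk) < GROUP and i != len(body) - 1):
            raise ValueError(f"line {i + 1}: bad chunk length")
        if check != _check(i, chunk):
            raise ValueError(f"line {i + 1}: check mismatch (typo or reorder)")
        hexed.append(chunk)
    payload = bytes.fromhex("".join(hexed))
    if trailer != "end " + hashlib.sha256(payload).hexdigest()[:16]:
        raise ValueError("trailer mismatch: payload incomplete or altered")
    return payload


if __name__ == "__main__":
    sample = bytes(range(50))  # constructed stand-in for an unsigned transaction
    for text_line in encode_lines(sample):
        print(text_line)
```

The check values catch typing and scanning errors only; they do not authenticate the sender, so the transaction details still have to be reviewed on the offline machine before signing.
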
TiagoTiago
December 05, 2013, 09:26:11 PM
 #15

You think a virus would manage to infect a machine thru the microphone without even knowing the brand, much less the model, of the sound card of the target machine?

(I don't always get new reply notifications, pls send a pm when you think it has happened)

Wanna gimme some BTC/BCH for any or no reason? 1FmvtS66LFh6ycrXDwKRQTexGJw4UWiqDX :)

The more you believe in Bitcoin, and the more you show you do to other people, the faster the real value will soar!

Do you like mmmBananas?!
behindtext
December 05, 2013, 10:09:22 PM
 #16

> The danger is that since nobody in the hardware industry gives a shit about security, it's conceivable for malware on your online machine to infect a USB stick at the firmware level, with malware that infects your offline machine's motherboard (also at the firmware level) as soon as you plug it in. All of this would happen at such a low level that your OS can't do anything about it.

ding ding ding! justus wins the prize.

i know some people who are familiar with firmware and the best idea i've had so far is to use serial ports and then disconnect them when done. serial ports that run up to 115200 baud often have no (afaik) firmware that has an externally accessible attack surface.

Carlton Banks
December 05, 2013, 10:21:10 PM
 #17

> Manually typing in the unsigned transaction is probably safe, but is the most tedious thing imaginable.

Which in practice means using a printer on your online machine, and a scanner on your offline machine. And strictly that configuration. Imagine getting home one day to find your housemate/spouse hooking up the scanner to the online machine: "You said don't use the old computer, so I just needed to scan a letter, and..."

Clearly, using a single multi-function scanner/printer to connect to print online and then scan offline is out....

Vires in numeris
justusranvier
December 05, 2013, 10:27:07 PM
 #18

> i know some people who are familiar with firmware and the best idea i've had so far is to use serial ports and then disconnect them when done. serial ports that run up to 115200 baud often have no (afaik) firmware that has an externally accessible attack surface.

Maybe I shouldn't have thrown away all my old motherboards that still had ISA slots so that I could build an offline machine with a non-soft modem.
justusranvier
December 05, 2013, 11:20:44 PM
 #19

> Anyone know if the upcoming Trezor will fix this problem?

IF there are no hardware vulnerabilities which an attacker can exploit, it will fix the problem.
behindtext
December 06, 2013, 01:41:30 AM
 #20

> > i know some people who are familiar with firmware and the best idea i've had so far is to use serial ports and then disconnect them when done. serial ports that run up to 115200 baud often have no (afaik) firmware that has an externally accessible attack surface.
>
> Maybe I shouldn't have thrown away all my old motherboards that still had ISA slots so that I could build an offline machine with a non-soft modem.

i am to understand that most modern motherboards and SoCs that have integrated serial ports are 'safe' in that they have no conventional firmware. once you start using pci cards with multiple serial ports, it is not as certain that they do not have firmware.

there are a number of recent boards out there with 2 serial ports that are cheap and run amd64.
