Offline wallet - USB key alternatives - security concerns

[milkshoe]

Hi!

I am concerned about USB key security and not sure if I am ultra paranoid.

Is there any known auto run malware available (For Windows I think yes but linux !? I heard about a nautilus thumbnail exploit)? If yes this malware could infect your USB stick & offline computer that you use to transfer unsigned & signed transactions.

What are the best options to get around this potential security risk? I am aware of the following "solutions":

Hack transactions manually into my computer(s)
Pros:
- Very secure

Contra:
-Very time consuming

QR Code movies
Pros:
- Very secure

Contra:
- Webcam needed
- Not supported yet

Armorys upcoming audio transfer feature
Pros:
- Very secure

Contra:
- Not supported yet / in development

Burn CDs
1 new CD for the unsigned tx, 1 for the signed tx;
Not sure if this is really a security improvement?

What do you think?

Thanks

[DobZombie]

As far as I know if you have 'auto run' turned off on your PC then nothing can run if inserted.

[Ente]

..good question..
Imagining a custom malware which only attacks linux and Armory, and your online computer is infected, I am not sure how secure we are.
The attacker needs to find an exploit for the offline computer. If he has an exploit to run his code, he can use it via USB, audio, QR, or whatever other clever way you use to move the unsigned data to the offline computer.

So, as I guess, it's just playing "which way is less likely to have a bug or exploit, audio, QR, USB?".

As long as the transferred data can't be verified by the user by eye or ear, we can't be sure there's no malicious data in it, and have to blindly rely on the offline computer having no security hole?

What do you people think?

Ente

[xe99]

couldn't you just use a go between (middleman) pc?  so for example you create transaction on online pc, unplug that usb stick (usb #1), plug it into pc/device #2 (middleman pc), cut and paste the transaction onto a second usb key(usb#2 that never is used except between offline pc and middleman pc), unplug usb #2, plug into offline pc, sign transaction, plug back into middleman pc, cut and paste signed transaction to Middleman pc/device, unplug usb #2, plug in usb #1 (this usb only ever touches online pc and middleman pc), cut and paste signed transaction onto usb, plug into online pc and transmit.

hope that wasn't too confusing. i'm no security expert and have no idea if this is even feasible or would add any extra layer of security. it does add another third device and makes the whole process longer but if its only something thats done infrequently (to access a cold storage wallet), and it would work, might be an option.

[Ente]

couldn't you just use a go between (middleman) pc?  so for example you create transaction on online pc, unplug that usb stick (usb #1), plug it into pc/device #2 (middleman pc), cut and paste the transaction onto a second usb key(usb#2 that never is used except between offline pc and middleman pc), unplug usb #2, plug into offline pc, sign transaction, plug back into middleman pc, cut and paste signed transaction to Middleman pc/device, unplug usb #2, plug in usb #1 (this usb only ever touches online pc and middleman pc), cut and paste signed transaction onto usb, plug into online pc and transmit.

hope that wasn't too confusing. i'm no security expert and have no idea if this is even feasible or would add any extra layer of security. it does add another third device and makes the whole process longer but if its only something thats done infrequently (to access a cold storage wallet), and it would work, might be an option.

That's absolutely possible! It will add another layer of security.
However, when assuming that an attacker can infect the offline computer via USB, we have to assume he can do the same with the middleman-computer.
So this is no 100% bulletproof setup. But you can make it pretty secure: For example, use some exotic, hardened OS for it. Some BSD or other Unix derivate may be a good choice. Or a non-default USB implementation. At least a different OS or USB implementation than on the offline computer. We should have many choices, as all the middleman has to be able to do is check (and copy) stuff on USB sticks.

When doing all this, to have a very secure middleman, why not simply applying all this to the offline computer and skip the middleman?

The only reasonable way to have high and verificable security revolves, in my opinion, around the files you transfer via USB. The "unsigned" and "signed" transaction, going from online to offline, and from offline to online. If we could read the files directly, as human-readable text, we may have a chance to notice attacks early enough (via middleman?).
Having small files with a hard size limit would help too. I believe this isn't possible, as the unsigned transaction must contain all relevant data of all input transactions, and this can, in some cases, be a *lot* of data. In the 100kb size league easily, which is impossible to read through as a user, and no problem for an attacker to hide a one kb malware in.

Guys, I need some theoretical IT specialist to help out on this! This, surely, is an old and well-known question, hopefully with some answers out there as well?

Ente

[gglon]

https://code.google.com/p/ghost-usb-honeypot/

Ghost USB honeypot

Ghost is a honeypot for malware that spreads via USB storage devices. It detects infections with such malware without the need of any further information. If you would like to see a video introduction to the project, have a look at this Youtube video.

The honeypot was first developed for a bachelor thesis at Bonn University in Germany. Now development is continued by the same developer within the Honeynet Project.

Ghost was recently selected for Rapid7's Magnificent7 program (see the press release). Our goal for the next year is to extend the honeypot to a USB protection system, i.e. a system that protects networked computer environments from the threat of USB malware.

[Ente]

https://code.google.com/p/ghost-usb-honeypot/

Ghost USB honeypot

Ghost is a honeypot for malware that spreads via USB storage devices. It detects infections with such malware without the need of any further information. If you would like to see a video introduction to the project, have a look at this Youtube video.

The honeypot was first developed for a bachelor thesis at Bonn University in Germany. Now development is continued by the same developer within the Honeynet Project.

Ghost was recently selected for Rapid7's Magnificent7 program (see the press release). Our goal for the next year is to extend the honeypot to a USB protection system, i.e. a system that protects networked computer environments from the threat of USB malware.

Interesting approach, I like!
Now, where's the source and linux version? :-)

Thank you for the link!

Ente

[TimS]

For an idea of why USB might not be secure, even if you disable AutoRun:
http://superuser.com/a/709302/252526 (TLDR: it looks like a USB flash drive, but tells the computer it's a keyboard, and it stores and runs arbitrary commands upon insertion)

Some USB drives could also, just by reprogramming firmware, appear to the computer as a CD drive, which may have different auto-run rules (and boot priority, if you happen to reboot with it in). http://www.allarghiamoci.it/usbcdrom/index.php?lang=en

Using a CD is a safer approach, for the above reasons (although at first glance, I'll admit that it looks utterly unnecessary). A CD is just data, no firmware or chips, so it can't (AFAIK) pretend to be anything else. You could even use a single CD-RW over and over without compromising security: just make sure that the offline computer says you're signing the transaction you think you are (visual inspection of address and amount), and you should be good.

Realistically, unless you're storing millions in bitcoins, you're probably being overly paranoid by worrying about using a USB key. But if it's not too much trouble to use a more secure thing, it may well be worth it!

[Ente]

For an idea of why USB might not be secure, even if you disable AutoRun:
http://superuser.com/a/709302/252526 (TLDR: it looks like a USB flash drive, but tells the computer it's a keyboard, and it stores and runs arbitrary commands upon insertion)

Some USB drives could also, just by reprogramming firmware, appear to the computer as a CD drive, which may have different auto-run rules (and boot priority, if you happen to reboot with it in). http://www.allarghiamoci.it/usbcdrom/index.php?lang=en

Using a CD is a safer approach, for the above reasons (although at first glance, I'll admit that it looks utterly unnecessary). A CD is just data, no firmware or chips, so it can't (AFAIK) pretend to be anything else. You could even use a single CD-RW over and over without compromising security: just make sure that the offline computer says you're signing the transaction you think you are (visual inspection of address and amount), and you should be good.

Realistically, unless you're storing millions in bitcoins, you're probably being overly paranoid by worrying about using a USB key. But if it's not too much trouble to use a more secure thing, it may well be worth it!

So, what would be more secure, an "airgapped" usb-stick, which would be the only thing ever touching both the offline and online computer, or a direct connection via serial cable? How about a network connection, but the only service reachable on the (formerly) "offline" computer is a locked-down ssh daemon? The "offline" computer obviously wouldn't be airgapped nor offline, but the attack vector might be much smaller than with usb?

Ente

[picobit]

So, what would be more secure, an "airgapped" usb-stick, which would be the only thing ever touching both the offline and online computer, or a direct connection via serial cable? How about a network connection, but the only service reachable on the (formerly) "offline" computer is a locked-down ssh daemon? The "offline" computer obviously wouldn't be airgapped nor offline, but the attack vector might be much smaller than with usb?

Ente

The serial line is probably as safe as it gets.  The direct network connection would make me worry, it seems far far more risky than a USB.  In particular if you only use your own USB stick that is never used for anything else, and a different OS on the online and offline computer.  Theoretically, someone could write a USB virus to infect just the particular setup you are using, but if they go that specifically after you the "rubber hose attack" seems far easier to pull off.

Any network connection will be vulnerable if there is a bug in the TCP stack or in the libraries the locked-down ssh demon uses (OpenSSL?)

Edit: spelling

[Ente]

So, what would be more secure, an "airgapped" usb-stick, which would be the only thing ever touching both the offline and online computer, or a direct connection via serial cable? How about a network connection, but the only service reachable on the (formerly) "offline" computer is a locked-down ssh daemon? The "offline" computer obviously wouldn't be airgapped nor offline, but the attack vector might be much smaller than with usb?

Ente

The serial line is probably as safe as it gets.  The direct network connection would make me worry, it seems far far more risky than a USB.  In particular if you only use your own USB stick that is never used for anything else, and a different OS on the online and offline computer.  Theoretically, someone could write a USB virus to infect just the particular setup you are using, but if they go that specifically after you the "rubber hose attack" seems far easier to pull off.

Any network connection will be vulnerable if there is a bug in the TCP stack or in the libraries the locked-down ssh demon uses (OpenSSL?)

Edit: spelling

These are precisely my thoughts as well.
Still, for my gut, a cable going to the "offline" device feels less secure than swapping a USB key back and forth.
My head tells me the serial cable would be the way to go.
Eventually I'll play around with all that on a raspi.

Ente

[LeMiner]

I was thinking, how about a read only SD card?

////////////////////////////////////////////////////////////////////////

Online computer -> Create Transaction -> Load to SD card

Put SD card on read only

Offline computer -> Enter SD card -> Load transaction to harddrive

-Remove read only SD card

-Enter different SD card than the one used before to the offline PC

Offline PC -> Sign offline transaction on the new SD card (the one that came from the old read only sd card)

Take out SD card, put it on read only again

Insert it in the online pc, broadcast.
--------------------------------------------------

This would eliminate the risk of malware being able to write directly to the potentially infected storage device. What do you think?

[Ente]

I was thinking, how about a read only SD card?

////////////////////////////////////////////////////////////////////////

Online computer -> Create Transaction -> Load to SD card

Put SD card on read only

Offline computer -> Enter SD card -> Load transaction to harddrive

-Remove read only SD card

-Enter different SD card than the one used before to the offline PC

Offline PC -> Sign offline transaction on the new SD card (the one that came from the old read only sd card)

Take out SD card, put it on read only again

Insert it in the online pc, broadcast.
--------------------------------------------------

This would eliminate the risk of malware being able to write directly to the potentially infected storage device. What do you think?

Great idea!
Except the detail, that the switch is only a flag, and the software on your computer decides to interpret that flag as "read only". Or not.
Newer USB sticks with such a switch are the same, if you can find them.
I believe the older ones with a switch really worked as one would expect: the switch changes something in the usb stick controller to make it impossible for the host computer to write something. I am not 100% certain though.

Ente

[LeMiner]

I was thinking, how about a read only SD card?

////////////////////////////////////////////////////////////////////////

Online computer -> Create Transaction -> Load to SD card

Put SD card on read only

Offline computer -> Enter SD card -> Load transaction to harddrive

-Remove read only SD card

-Enter different SD card than the one used before to the offline PC

Offline PC -> Sign offline transaction on the new SD card (the one that came from the old read only sd card)

Take out SD card, put it on read only again

Insert it in the online pc, broadcast.
--------------------------------------------------

This would eliminate the risk of malware being able to write directly to the potentially infected storage device. What do you think?

Great idea!
Except the detail, that the switch is only a flag, and the software on your computer decides to interpret that flag as "read only". Or not.
Newer USB sticks with such a switch are the same, if you can find them.
I believe the older ones with a switch really worked as one would expect: the switch changes something in the usb stick controller to make it impossible for the host computer to write something. I am not 100% certain though.

Ente

A mechanical sliding tablet on the side of the card (refer to the Part 1 Standard Size SD Card Mechanical Addendum) will be used by the user to indicate that a given card is write protected or not. If the sliding tablet is positioned in such a way that the window is open it means that the card is write protected. If the window is close the card is not write-protected. A proper, matched, switch on the socket side will indicate to the host that the card is write-protected or not. It is the responsibility of the host to protect the card. The position of the write protect switch is unknown to the internal circuitry of the card.

Sadly it appears you are right! Now the question is, is there a solution where the hardware write protect actually does work and doesn't need host protection?

http://en.wikipedia.org/wiki/Write_protection

On the bottom of this wiki article:

Write blocking, a subset of write protection, is a technique used in computer forensics in order to maintain the integrity of data storage devices. By preventing all write operations to the device, e.g. a hard drive, it can be ensured that the device remains unaltered by data recovery methods.

Hardware write blocking was invented by Mark Menz and Steve Bress (US patent 6,813,682 and EU patent EP1,342,145)

Both hardware and software write-blocking methods are used; however, software blocking is generally not as reliable.[1]

Perhaps?

edit: Some further googling reveals these interesting reads;

http://security.stackexchange.com/questions/4248/how-reliable-is-a-write-protection-switch-on-a-usb-flash-drive

and

http://www.fencepost.net/2010/03/usb-flash-drives-with-hardware-write-protection/
-------

Apparently true hardware write protection does exist for USB sticks. In which case, I change my example to a USB stick with with true hardware write protection instead of a SD card

edit2: Link to USB sticks: http://www.amazon.com/s?ie=UTF8&redirect=true&ref_=sr_nr_n_0&keywords=imation%20clip&bbn=541966&qid=1268453984&rnid=541966&rh=n%3A172282%2Ck%3Aimation%20clip%2Cn%3A%21493964%2Cn%3A541966%2Cn%3A1292110011

[picobit]

Online computer -> Create Transaction -> Load to SD card

Virus transferred from online computer to SD card 1

Put SD card on read only

Offline computer -> Enter SD card -> Load transaction to harddrive

Virus transferred to offline computer

-Remove read only SD card

-Enter different SD card than the one used before to the offline PC

Offline PC -> Sign offline transaction on the new SD card (the one that came from the old read only sd card)

Virus transferred to SD card 2, now with the private keys.

Take out SD card, put it on read only again

Insert it in the online pc, broadcast.

Virus transfers all funds to evil hacker.

--------------------------------------------------

This would eliminate the risk of malware being able to write directly to the potentially infected storage device. What do you think?

I think this scenario of infected SD cards / USB sticks and custombuilt malware is so unlikely that one should not worry about it.  But I cannot see that read-protecting the cards help at all (even if read-protecting was actually read-protecting and not just a software hint).

[Ente]

Online computer -> Create Transaction -> Load to SD card

Virus transferred from online computer to SD card 1

Put SD card on read only

Offline computer -> Enter SD card -> Load transaction to harddrive

Virus transferred to offline computer

-Remove read only SD card

-Enter different SD card than the one used before to the offline PC

Offline PC -> Sign offline transaction on the new SD card (the one that came from the old read only sd card)

Virus transferred to SD card 2, now with the private keys.

Take out SD card, put it on read only again

Insert it in the online pc, broadcast.

Virus transfers all funds to evil hacker.

--------------------------------------------------

This would eliminate the risk of malware being able to write directly to the potentially infected storage device. What do you think?

I think this scenario of infected SD cards / USB sticks and custombuilt malware is so unlikely that one should not worry about it.  But I cannot see that read-protecting the cards help at all (even if read-protecting was actually read-protecting and not just a software hint).

I agree, read-protection won't help much, as you still need one writable channel from online to offline, and one from offline to online. No matter how you turn that.

The question, of course, is to find a channel with the least risk to execute any code. USB is a bad choice for that, with some auto-run functions enabled on some systems, and obscure drivers in all systems for dozens of usb devices, where each one could have a hole.
An SD card could be a better choice, as you only expose an SD card slot with its driver, and not a whole usb.

But even with qr or audio or morse code, we have to make sure the driver is watertight, and the operation system only ever uses that single driver.

Ente

[flipperfish]

I think the most secure approaches seem to be QR and audio. Both formats deliver noisy (quantized & time sampled) analog data (=sound waves or images) up to the user space program, which does the decoding. The corresponding kernel space driver only is exposed to the analog data. I assume, that it is impossible for a malware to exploit a driver bug from its own representation as analog data. So one key aspect of the additional security of QR and audio comes from the fact, that the malware can only begin its attack from user space. Another security improvement of QR and audio is, that the malware has no other way, than to hide in the raw analog data. In contrast USB drives as well as SD cards have their own internal controller besides the actual data flash chips. This controller could theoretically also be hijacked by the malware and used to attack the offline pc.