Razick (OP)
Legendary
Offline
Activity: 1330
Merit: 1003
|
|
August 06, 2014, 02:39:30 AM Last edit: August 06, 2014, 04:46:54 AM by Razick |
|
I can't seem to find the article, but it was recently reported that USB flash drives are unsafe because they can hide malicious software in an unusable portion of the drive used by the storage system. Therefore, for the purposes of Bitcoin security, it's important to consider any usb drive exposed to an untrusted computer to be infected.
Does this affect SD cards or only USB flash drives?
EDIT: I am referring to malware stored in the FIRMWARE such that formatting the drive does not delete it. EDIT: If so can you suggest a good option for moving transactions between online and offline wallets without using paper?
|
ACCOUNT RECOVERED 4/27/2020. Account was previously hacked sometime in 2017. Posts between 12/31/2016 and 4/27/2020 are NOT LEGITIMATE.
|
|
|
CanaryInTheMine
Donator
Legendary
Offline
Activity: 2352
Merit: 1060
between a rock and a block!
|
|
August 06, 2014, 02:50:12 AM |
|
I can't seem to find the article, but it was recently reported that USB flash drives are unsafe because they can hide malicious software in an unusable portion of the drive used by the storage system. Therefore, for the purposes of Bitcoin security, it's important to consider any usb drive exposed to an untrusted computer to be infected.
Does this affect SD cards or only USB flash drives?
SD cards too.
|
|
|
|
Razick (OP)
Legendary
Offline
Activity: 1330
Merit: 1003
|
|
August 06, 2014, 02:52:31 AM |
|
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
|
ACCOUNT RECOVERED 4/27/2020. Account was previously hacked sometime in 2017. Posts between 12/31/2016 and 4/27/2020 are NOT LEGITIMATE.
|
|
|
waldox
|
|
August 06, 2014, 03:01:58 AM |
|
im sure this exposes windows pcs to malicious usb keys does it effect macos or linux (ie ubuntu)?
|
|
|
|
|
franky1
Legendary
Offline
Activity: 4396
Merit: 4760
|
|
August 06, 2014, 03:08:12 AM |
|
USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them.
if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago??? the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing
|
I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER. Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
|
|
|
gadman2
Legendary
Offline
Activity: 978
Merit: 1001
|
|
August 06, 2014, 03:39:16 AM |
|
Someone get the floppies.
|
|
|
|
BIGbangTheory
Member
Offline
Activity: 83
Merit: 10
|
|
August 06, 2014, 03:43:09 AM |
|
USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them.
if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago??? the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing The vulnerabilities have always been there, it is just that there has been little reason in the past to worry about them because there would be little reason to exploit the vulnerabilities.
|
|
|
|
Pente
|
|
August 06, 2014, 03:58:19 AM |
|
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
- You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
- You might try using these: http://www.amazon.com/64MB-Pen-Drive-Flash-Memory/dp/B0014CA7VU
Customer reviews say that they will only hold data for about a week, then they need to be reformatted. Any malware would lose random bits and quit working. They are old enough that the firmware is certainly okay and not subject to the firmware exploit. - Buy a microcontroller, dig up some ancient wire-wrap tools and build your own USB device. Add a button that clears everything.
- Link a serial cable (RS-232, DF9 connector) between the two computers. Configure your isolated computer for send only. This is such a low tech solution, that I wouldn't worry about malware. For extra paranoia, you could even cut the receive line and configure for asynchronous communication making it physically impossible to send data back to your safe/isolated computer
- Go to the local ewaste recycling center and find an old floppy disk drive. Most motherboards still have the connector for this legacy item. Set your file explorer to see hidden & system files. This method still allows stuff to get through, but it would be totally visible and obvious. You could also use ZIP drives.
- Burn to a write-once CD drive. Transport data, throw it away (or destroy).
- Convert the private key to audio cassette tape by reading it out loud. Now you can use one of those cassette drive to USB converters to put the audio file on a USB device. The USB never needs to touch your isolated computer.
- I am sure the community can add some more ideas
|
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
August 06, 2014, 04:14:12 AM Last edit: August 06, 2014, 07:01:19 AM by phillipsjk |
|
Similar attacks have been demonstrated with SD card and hard disk firmware as well. However, USB is scary in that the device can masquerade as any other USB device: such as a keyboard that roots your machine with shell commands. If it was not for the CPRM with device revocation, I would say SD cards are the perfect floppy replacement. If security is important, I suggest CD-Rs. Note: most CD drives operate above the maximum storage temperature of the disk (about 35°C) You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised. sometimes they have malware from the factory. Edit: I was talking about the drive firmware as well.
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
|
Razick (OP)
Legendary
Offline
Activity: 1330
Merit: 1003
|
|
August 06, 2014, 04:45:27 AM Last edit: April 30, 2020, 12:51:51 PM by mprep |
|
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
- You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
- You might try using these: http://www.amazon.com/64MB-Pen-Drive-Flash-Memory/dp/B0014CA7VU
Customer reviews say that they will only hold data for about a week, then they need to be reformatted. Any malware would lose random bits and quit working. They are old enough that the firmware is certainly okay and not subject to the firmware exploit. - Buy a microcontroller, dig up some ancient wire-wrap tools and build your own USB device. Add a button that clears everything.
- Link a serial cable (RS-232, DF9 connector) between the two computers. Configure your isolated computer for send only. This is such a low tech solution, that I wouldn't worry about malware. For extra paranoia, you could even cut the receive line and configure for asynchronous communication making it physically impossible to send data back to your safe/isolated computer
- Go to the local ewaste recycling center and find an old floppy disk drive. Most motherboards still have the connector for this legacy item. Set your file explorer to see hidden & system files. This method still allows stuff to get through, but it would be totally visible and obvious. You could also use ZIP drives.
- Burn to a write-once CD drive. Transport data, throw it away (or destroy).
- Convert the private key to audio cassette tape by reading it out loud. Now you can use one of those cassette drive to USB converters to put the audio file on a USB device. The USB never needs to touch your isolated computer.
- I am sure the community can add some more ideas
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi?
I was wrong about the iPad, but I really hope I am right about Google Glass not catching on...
USB flash drive and SD cards are both storage devices and I think they are prone to malicious malware and viruses so we better be careful of what files we are storing on them.
if you are now worried about USB devices this week.. then you need to realise that its been around for 6 years. so why suddenly think that you now this week are at any more risk compared to yesterday, last week, last year, 5 years ago??? the truth is that unless your on a government watch list for a particular reason. then your more likely worrying over nothing I've always used online wallets, but I am planning to move to an offline, Rasperry Pi based, wallet.
|
ACCOUNT RECOVERED 4/27/2020. Account was previously hacked sometime in 2017. Posts between 12/31/2016 and 4/27/2020 are NOT LEGITIMATE.
|
|
|
Pente
|
|
August 06, 2014, 05:00:07 AM |
|
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
- You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
- You might try using these: http://www.amazon.com/64MB-Pen-Drive-Flash-Memory/dp/B0014CA7VU
Customer reviews say that they will only hold data for about a week, then they need to be reformatted. Any malware would lose random bits and quit working. They are old enough that the firmware is certainly okay and not subject to the firmware exploit. - Buy a microcontroller, dig up some ancient wire-wrap tools and build your own USB device. Add a button that clears everything.
- Link a serial cable (RS-232, DF9 connector) between the two computers. Configure your isolated computer for send only. This is such a low tech solution, that I wouldn't worry about malware. For extra paranoia, you could even cut the receive line and configure for asynchronous communication making it physically impossible to send data back to your safe/isolated computer
- Go to the local ewaste recycling center and find an old floppy disk drive. Most motherboards still have the connector for this legacy item. Set your file explorer to see hidden & system files. This method still allows stuff to get through, but it would be totally visible and obvious. You could also use ZIP drives.
- Burn to a write-once CD drive. Transport data, throw it away (or destroy).
- Convert the private key to audio cassette tape by reading it out loud. Now you can use one of those cassette drive to USB converters to put the audio file on a USB device. The USB never needs to touch your isolated computer.
- I am sure the community can add some more ideas
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi? I would just program the Raspberry Pi to clear all contents after each use. Setting up the USB to act as a serial receive only device would require reprogramming the USB interface hardware which would be way to much work.
|
|
|
|
Razick (OP)
Legendary
Offline
Activity: 1330
Merit: 1003
|
|
August 06, 2014, 05:21:23 AM |
|
Can you suggest a good option for moving transactions between online and offline wallets without using paper?
- You could go on ebay and buy a lot of old flash drives (128 mb) that are still packaged. Throw each one away after being compromised.
- You might try using these: http://www.amazon.com/64MB-Pen-Drive-Flash-Memory/dp/B0014CA7VU
Customer reviews say that they will only hold data for about a week, then they need to be reformatted. Any malware would lose random bits and quit working. They are old enough that the firmware is certainly okay and not subject to the firmware exploit. - Buy a microcontroller, dig up some ancient wire-wrap tools and build your own USB device. Add a button that clears everything.
- Link a serial cable (RS-232, DF9 connector) between the two computers. Configure your isolated computer for send only. This is such a low tech solution, that I wouldn't worry about malware. For extra paranoia, you could even cut the receive line and configure for asynchronous communication making it physically impossible to send data back to your safe/isolated computer
- Go to the local ewaste recycling center and find an old floppy disk drive. Most motherboards still have the connector for this legacy item. Set your file explorer to see hidden & system files. This method still allows stuff to get through, but it would be totally visible and obvious. You could also use ZIP drives.
- Burn to a write-once CD drive. Transport data, throw it away (or destroy).
- Convert the private key to audio cassette tape by reading it out loud. Now you can use one of those cassette drive to USB converters to put the audio file on a USB device. The USB never needs to touch your isolated computer.
- I am sure the community can add some more ideas
Lol at the second option. Those must be some sucky USB keys! I like your idea about a send only cable, is this possible with a USB cord and a Rasperry Pi? I would just program the Raspberry Pi to clear all contents after each use. Setting up the USB to act as a serial receive only device would require reprogramming the USB interface hardware which would be way to much work. The problem with that is that I am using the Rasperry Pi as my wallet. Clearing it each time would pretty much defeat the purpose. Unless you mean clearing the SD card, but that wouldn't work if malware is hiding in the firmware.
|
ACCOUNT RECOVERED 4/27/2020. Account was previously hacked sometime in 2017. Posts between 12/31/2016 and 4/27/2020 are NOT LEGITIMATE.
|
|
|
phillipsjk
Legendary
Offline
Activity: 1008
Merit: 1001
Let the chips fall where they may.
|
|
August 06, 2014, 07:08:26 AM |
|
I would not worry too much about it. As long as you don't keep using your USB key in strange computers, you should be relatively safe. Any attack that gets your off-line keys would likely have to be targeted at your specific set-up anyway.
Is there a problem with using paper? I have both a paper and electronic copy of all of my (Bitcoin) keys.
|
James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE 0A2F B3DE 81FF 7B9D 5160
|
|
|
Razick (OP)
Legendary
Offline
Activity: 1330
Merit: 1003
|
|
August 06, 2014, 01:32:49 PM |
|
I would not worry too much about it. As long as you don't keep using your USB key in strange computers, you should be relatively safe. Any attack that gets your off-line keys would likely have to be targeted at your specific set-up anyway.
Is there a problem with using paper? I have both a paper and electronic copy of all of my (Bitcoin) keys.
I plan to use paper backups, but I want an easier way to move transactions. Printing out a paper wallet every time I want to move Bitcoins to my online wallet sounds like a hassle, especially since my computer can't scan a QR code easily.
|
ACCOUNT RECOVERED 4/27/2020. Account was previously hacked sometime in 2017. Posts between 12/31/2016 and 4/27/2020 are NOT LEGITIMATE.
|
|
|
TimS
|
|
August 06, 2014, 01:57:13 PM |
|
Are SD Cards Subject to Vulnerability Similar to USB?
SD cards have firmware, so theoretically, yes. EDIT: If so can you suggest a good option for moving transactions between online and offline wallets without using paper?
- CD-RW - the disc itself is just data. As long as you don't have AutoRun enabled and don't execute anything manually, it will be a purely data transfer, which is totally safe.
- Audio modem-style communication, e.g. http://www.reddit.com/r/Bitcoin/comments/2ceklk/audio_modem_python_library_for_airgapped/ - the only thing that goes over the audio cable or speakers/mic is the data; as long as the software is legit (and you can inspect the source code to ensure this), it will transfer the data securely.
|
|
|
|
Jamie_Boulder
|
|
August 06, 2014, 01:58:22 PM |
|
The vulnerability is within the firmware which SD cards also have so yes.
|
|
|
|
Razick (OP)
Legendary
Offline
Activity: 1330
Merit: 1003
|
|
August 06, 2014, 07:02:12 PM |
|
Thanks everyone, I think you've answered my question and given me some ideas. I like the airgap idea... I wonder how hard it would be to write my own airgap audio transmission program to send transactions between computers. It could easily be put in send-only mode so that the transaction could be sent, but nothing returned to the offline computer.
|
ACCOUNT RECOVERED 4/27/2020. Account was previously hacked sometime in 2017. Posts between 12/31/2016 and 4/27/2020 are NOT LEGITIMATE.
|
|
|
|
|