Looking at a thumbdrive safely

Personally, I’d be comfortable trying it on an old computer running Linux that I don’t care about, playing the music files, and then optionally copying those files to something else to then put on my computer. I’d know exactly what files I put on it, and I would eliminate the “fake flash drive” exploit, which is the one I care most about.

Ideally I’d burn an audio CD, as that would mostly eliminate any malware risk. But that risk is already pretty low using Linux and paying attention to what files I copy over.

If I didn’t have a Linux computer, I’d feel pretty comfortable trying it in a vehicle that has USB support. Or plugging it into an iPhone with an adapter. It wouldn’t be impossible for there to be an exploit that would affect those, but it’s quite unlikely.

The main thing I wouldn’t do is plug it into a Windows computer.

If you want to add a layer of protection, play the music on that old computer running Linux that you can wipe if you need to, and record the music using something that listens to music (like an old fashioned tape player, or a modern audio recorder) and then use THAT to put the music on your real computer, phone, etc.

I wouldn’t be too worried about the music files themselves. There have been some broken media libraries on Windows, Android, and I’m sure others that allow specially crafted media files to do stuff, but a modern and patched system should be safe against anything except some media file zero day.

If the files are valid media files and pass a virus scanner, then they’re almost certainly safe to copy and play however you want.

Even if there actually is a virus on the USB drive, as long as you don’t run it, it won’t do anything. (Sometimes computers run things without your permission, so that’s something to worry about.) Definitely don’t run some kind of installer to help you copy the files to your media library, or an included program to convert them to mp3 from their special format.

As said by many others, the truly dangerous concern is that instead of a flash drive you have a USB rubber ducky or USB killer which will deliver a payload (or high voltage) to your computer through a much more sophisticated attack than tricking you to run "reggae songs definitely not a virus.exe".

And it’s your last sentence that completely invalidates the rest of your contentions.

The mere act of physically sticking the USB device into your computer’s slot is enough to start a chain reaction that you have zero reason to believe is safe, and many, many reasons to believe might be fatal to your computer or your identity. The idea that you have to actively (albeit mistakenly) execute malware by an overt action or click is soooo 2000’s.

By the time you’ve “scanned” the obvious content files, all the damage may have long since been done.

That’s not fair, when their post ends with:

My apologies for being unclear. I meant “Your (echoreply’s) last sentence within the snip just quoted.”

My meaning being that his comment that things running unbidden are dangerous is surely correct. And almost unpreventable. And that since you / he / we can’t prevent that, we can’t safely do the things earlier in the snip that he suggests, namely scan the purported music files to somehow ascertain they aren’t malware in disguise.

But you can scan them on a computer that isn’t on-line, isn’t connected to any other computers, and that you can rebuild from scratch if you need to. (And ideally isn’t a Windows computer, and probably not running iOS, either.)

I’m curious if there’s any safe way to move the mp3 files to a more valuable device. I’m pretty sure that if you can play the mp3 files on the trash machine you can safely record the sound and put that on anything, but transferring the files is potentially a lot more convenient.

This has been a very interesting thread. I hesitated first posting it, afraid that I was being overly cautious!

Yes, my point was if through careful planning, bravado, or naivete you’ve acquired access to the files, copying and using the files probably isn’t a threat.

I think if you’ve gotten to where you can play the files, then you can just copy them. No need to do anything more tricky. Now, how exactly you copy them off your locked down computer might be more complex. The safest way is probably going to be on some sort of dumb media like a writable CD, because the controller in a USB flash drive or SD card can be reprogrammed… Another option would be a limited network connection. Of course, if by now you’ve adequately proven the USB drive is exactly what it claims to be, then just copying the files a normal way is probably fine.

No guarantees this setup would prevent total pwnership, but is probably safe enough for playing reggae music:

Use one of the cheap Raspberry Pi boards, and install a stripped down Linux. Run a hardened kernel that doesn’t even have USBHID or USB serial drivers available, so no USB keyboards or mice. Also, nothing is listening on any local terminals, or will start listening if a serial port appears. The only access is a fixed ethernet connection and SSH. No network drivers other than the one required. Static address, so no dhcp or other auto configuration of a new network adapter that appears. Firewall rules to only listen for requests from a single other host. Anything more to protect from a rubber duck? If there are direct hardware exploits against the Pi, then move to a different host system, maybe something based on MIPS instead of ARM, or with a BSD instead of Linux…

Use an opto-isolated USB hub to protect against a USB killer.

Connect the drive. If it appears to be what it says—the only USB device that shows up is a flash drive from the company on the label—then proceed. If anything appears fishy, such as the USB ID of a keyboard appearing, stop. Check the files to see if they are what is claimed—valid mp3 or m4a files with normal metadata. If so, then retrieve them over SSH and finally get to listen to your new music!
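The two checks in the post above (stop if anything other than a plain storage device enumerates; then confirm the files really are mp3/m4a before copying them), and the earlier point that files which "are valid media files" are the ones worth keeping, as an added example that is not part of the thread. It reads USB interface classes from sysfs the way Linux lays them out (`/sys/bus/usb/devices/<bus>-<port>:<config>.<iface>/bInterfaceClass`) and classifies files by their first bytes rather than their names, so a PE or ELF binary called something.mp3 is rejected. The sysfs tree and the files in `run_demo()` are a constructed fixture standing in for a real stick; on the sacrificial box you would call `usb_interface_classes()` with its default path and `triage_files()` on the mount point.

```python
"""Triage a suspect USB stick on a sacrificial Linux box (added example).

Two checks from the thread, done by content rather than by label:
  1. enumerate USB interfaces from sysfs and stop if anything other than a
     mass-storage interface (or the hub it hangs off) is present, e.g. the
     HID keyboard a Rubber Ducky style device presents itself as;
  2. classify each file on the mounted stick by its first bytes, so a PE or
     ELF executable named like a song is rejected whatever its name says.
Assumed sysfs layout (the real one on Linux):
  /sys/bus/usb/devices/<bus>-<port>:<config>.<iface>/bInterfaceClass
"""
import os
import struct
import tempfile

# USB-IF interface class codes, as sysfs prints them (two hex digits)
USB_CLASS_HID = "03"
USB_CLASS_MASS_STORAGE = "08"
USB_CLASS_HUB = "09"
ALLOWED_CLASSES = {USB_CLASS_MASS_STORAGE, USB_CLASS_HUB}


def usb_interface_classes(sysfs_root="/sys/bus/usb/devices"):
    """Map every USB interface directory name to its bInterfaceClass value."""
    classes = {}
    for name in sorted(os.listdir(sysfs_root)):
        cls_file = os.path.join(sysfs_root, name, "bInterfaceClass")
        if os.path.isfile(cls_file):        # only interface dirs carry this attribute
            with open(cls_file) as fh:
                classes[name] = fh.read().strip().lower()
    return classes


def suspicious_interfaces(classes, allowed=ALLOWED_CLASSES):
    """Return the interfaces a plain flash drive has no business presenting."""
    return {name: cls for name, cls in classes.items() if cls not in allowed}


def classify_file(path):
    """Return 'mp3', 'm4a' or 'reject' from the file header, never from its name."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if len(head) < 16:
        return "reject"
    if head[:2] == b"MZ" or head[:4] == b"\x7fELF":
        return "reject"                      # Windows PE or ELF executable
    if head[:3] == b"ID3" and all(b < 0x80 for b in head[6:10]):
        return "mp3"                         # ID3v2 tag with a sync-safe size field
    if head[0] == 0xFF and head[1] & 0xE0 == 0xE0:
        version = (head[1] >> 3) & 0x3       # 01 is reserved
        layer = (head[1] >> 1) & 0x3         # 00 is reserved
        bitrate = head[2] >> 4               # 1111 is invalid, 0000 is "free format"
        srate = (head[2] >> 2) & 0x3         # 11 is reserved
        if version != 1 and layer != 0 and bitrate not in (0, 15) and srate != 3:
            return "mp3"                     # plausible bare MPEG audio frame header
        return "reject"
    if head[4:8] == b"ftyp":
        box_size = struct.unpack(">I", head[:4])[0]
        if box_size >= 16 and head[8:12] in (b"M4A ", b"M4B ", b"mp42", b"isom"):
            return "m4a"                     # ISO base media file with an audio brand
    return "reject"


def triage_files(mount_dir):
    """Classify every file under the mounted stick, keyed by relative path."""
    results = {}
    for root, _dirs, files in os.walk(mount_dir):
        for fname in files:
            full = os.path.join(root, fname)
            results[os.path.relpath(full, mount_dir)] = classify_file(full)
    return results


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def run_demo():
    """Constructed fixture: a fake sysfs tree and a fake mounted stick."""
    with tempfile.TemporaryDirectory() as tmp:
        sysfs = os.path.join(tmp, "sys")
        _write(os.path.join(sysfs, "1-0:1.0", "bInterfaceClass"), b"09\n")  # root hub
        _write(os.path.join(sysfs, "1-1:1.0", "bInterfaceClass"), b"08\n")  # the flash drive
        _write(os.path.join(sysfs, "1-2:1.0", "bInterfaceClass"), b"03\n")  # a keyboard: stop here
        media = os.path.join(tmp, "mnt")
        _write(os.path.join(media, "good.mp3"), b"ID3\x03\x00\x00\x00\x00\x02\x00" + b"\x00" * 22)
        _write(os.path.join(media, "raw.mp3"), b"\xff\xfb\x90\x00" + b"\x00" * 28)
        _write(os.path.join(media, "song.m4a"), struct.pack(">I", 32) + b"ftypM4A " + b"\x00" * 20)
        _write(os.path.join(media, "reggae songs definitely not a virus.exe"), b"MZ\x90\x00" + b"\x00" * 28)
        _write(os.path.join(media, "notes.txt"), b"just some text, nothing to see here")
        return suspicious_interfaces(usb_interface_classes(sysfs)), triage_files(media)


if __name__ == "__main__":
    bad_ifaces, verdicts = run_demo()
    print("STOP, non-storage interface present:" if bad_ifaces else "only storage interfaces", bad_ifaces)
    for name, verdict in sorted(verdicts.items()):
        print(f"{verdict:7} {name}")
```

The interface check is deliberately an allow-list: anything that is not mass storage or a hub (a HID keyboard, a CDC serial port, a vendor-specific class) is reason to stop, not to investigate further on that machine. The header check only says a file is plausibly audio, not that it is free of a decoder exploit, which is why the thread still has you play it on the sacrificial box first.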

You probably were being overly cautious. But the cost of the “probably” actually being “not” can be very very high.

ETA: I started to write a reply to @puzzlegal three posts up, but @echoreply pretty well nailed it in the spot my post was aiming at.

One thing I’d add to @echoreply’s excellent thinking: Once your suspect stick has been inserted in your offline sacrificial computer, the trustworthiness of that computer is very low until it’s been rebooted. And even then is not back up to full trustworthiness until it’s had the OS reinstalled.

A virt that’s configured with two HDs, one readonly for the OS and apps plus another that’s r/w for data is about the best sacrificial you can get. Use the virt’s utilities on the RO disk to copy the purported MP3s to the virt’s RW disk. Then reboot and scan the purported MP3s again with tools from the RO disk. Then transfer the files to writeable CD as @echoreply says.

That might not defeat the NSA, but it’ll defeat damn near anyone else.

Netboot the sacrificial computer. Then its operating system exists only in its own memory. Turn it off, and it is blank once again. Of course, make sure that it doesn’t have programmable BIOS, EPROM, or other persistent storage that is writable.

I think the biggest thing that you will learn if you find the drive is suspicious is that somebody is targeting you (or your class, such as employee of a secure facility). These things are too expensive for a genuinely random attack. If you are targeted, then it is time to lock down absolutely everything else in your life.

This is a great setup for a spy thriller. After leaving the show the musician is passing out USB drives. The spy (or her civilian date), plugs it into the car to keep the music going, and now the car is driving itself around the city, after locking the doors and what not, “you have ten seconds to tell me the name of the mole, or I drive you off the bridge!”

Excellent points all. To which I’ll add …

If you do netboot your sacrificial, make darn sure to sever the network connection before you plug in the suspect USB device!

Using the techniques I was thinking of, you’re never really examining the stick for malware. You’re essentially creating a situation where any malware you inadvertently trigger will fail to create a persistent foothold. And then you reboot and re-air gap so any ephemeral foothold is negated before moving on to the next step which could conceivably jump the gaps you’ve inserted. So you may never know or care whether you did or didn’t trigger anything. Behave as if you did, and keep sweeping up ahead and behind of yourself.

Distributing basic ransomware via the internet is so cheap that going to the trouble to distribute it by USB feels like the floppy viruses of the 1980s.

So yeah, if you are doing forensics on a suspect USB and you find it’s highly “radioactive”, or it just drives your sacrificial into wacky mode then who you are or what you do is probably being targeted explicitly. Time to go Red Alert on your whole life. And report this to your overseers.

Spoken like a true Tesla owner. :grin:

What about using a chrome book as the device to read the usb stick?

At one time I had a laptop just for things like this. It had no hard drive or wifi and booted to a virtual OS, usually a Linux live cd. The only way to save anything was to write it to an external drive. Once you shut down your OS session everything else was gone for good.

Nobody has mentioned going to the public library and sticking the thumb drive in one of their public computers. Is that a dick move?

This is really a great application for a Raspberry Pi. They’re cheap enough to be basically disposable, there is no networking unless you want it, and they run a stripped down version of Linux that you can re-flash easily if you lose any trust in it. It’s also just not a high priority target for malware creators, so it’s unlikely to be exploited in the first place.

I wouldn’t do it. You won’t be able to take those computers offline, and they’ll likely be running Windows, which is what most exploits use. And they’ll likely be more interconnected and cause more problems than just plugging it into your own computer.

@echoreply: Netbooting to me seems a bit more complicated than you need. It’d be easier to get a Linux install disk. Those will usually run from RAM, and will even let you pull out the drive before you use it.

I agree that the MP3s are probably fine. I just threw in burning an audio CD as an extra precaution, without having the issue of quality loss by trying to rerecord.

The risk I was eliminating was the risk that there is some malware that infects the Linux computer and installs itself on whatever disks you plug into it. An audio CD won’t have a data portion, and thus can’t be infected in that manner.

But I would consider that quite unlikely.

There are lots of things a malefactor can do with a USB device. But most of them are expensive enough that they’re not going to do it to random schmucks at a concert. Unless you work in an extreme-security field, it’s almost certainly just a USB drive. It’s a risk, but then, everything in life is a risk. You were probably in greater danger from a drunk driver crashing into you as you left the show.

Personally, I’d just plug it into an old computer I don’t care much about, and take a look.

Why would a car’s driving systems be connected to the onboard entertainment system?

If the entertainment system shows any kind of driving information–fuel consumption, range, etc.–then it has access to telemetry sources like the wheel rotation sensors or the engine control unit. And that means the systems are connected.

The different networks are firewalled, but they aren’t airgapped. Which means hacking is possible, at least in principle.

They shouldn’t be, but it does feel like the sort of thing a stupid designer would do. The entertainment system already includes the GPS connection, so adding the ability for the car to follow that GPS seems like something they might do.