Malicious software transferable via USB

Is anyone aware of software or viruses transmittable through USB as run by Windows? I don’t want to transfer data to my Libre machine from my Windows devices if there’s a risk I’m transferring things that might render aspects of privacy or security moot. I know software or viruses like this exist. Other general questions include:

Are there ways of checking a USB for such contents? and;

If this is something to be concerned about, are there ways of transferring data securely through other means, or are there USBs that offer securities in this respect? Is this a function of the Librem Key, being able to securely transfer data between devices without concern for unbeknownst “tag-along” software?

Forget about Windows. Search for “badusb” (either in this forum or on the internet generally or both).

There is probably no perfect mitigation for “badusb” but a good start would be:

  • ensure that the USB device is in a trusted state initially
  • only insert the USB device into computers that are well-maintained
  • never lose custody of the USB device

Transferring via the (local) network avoids the problems of “badusb”.

Putting aside the means of transfer, the content itself must be safe. Your best mitigation for that may be to

  • keep your software up-to-date
  • don’t accept content at all from sources that are not both authenticated and trusted
  • never treat content as ‘executable’, as far as is possible.
2 Likes
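As an added example that is not part of the posts above: on a Linux machine, one partial check relevant to “badusb” is to look at which interface classes each attached USB device declares, since a stick that announces itself as both mass storage and a keyboard-type (HID) device deserves a second look. The sketch below reads the standard sysfs attributes `bInterfaceClass`, `idVendor` and `idProduct`; the function names and the sample tree are constructed for illustration.

```python
import tempfile
from pathlib import Path

HID, MASS_STORAGE = "03", "08"   # USB base class codes as shown in sysfs

def _attr(path):
    """Read one sysfs attribute; missing or unreadable attributes become ''."""
    try:
        return path.read_text().strip().lower()
    except OSError:
        return ""

def audit_usb(sysfs_root="/sys/bus/usb/devices"):
    """Group interface classes per device; flag storage devices that also claim HID."""
    root, devices = Path(sysfs_root), {}
    for entry in sorted(root.iterdir()):
        if ":" not in entry.name:          # interface dirs look like "1-2:1.0"
            continue
        cls = _attr(entry / "bInterfaceClass")
        if cls:
            devices.setdefault(entry.name.split(":")[0], set()).add(cls)
    report = []
    for name, classes in sorted(devices.items()):
        dev = root / name
        report.append({
            "device": name,
            "id": f"{_attr(dev / 'idVendor')}:{_attr(dev / 'idProduct')}",
            "classes": sorted(classes),
            "storage_plus_hid": {HID, MASS_STORAGE} <= classes,
        })
    return report

def build_sample_tree(base):
    """Constructed sample data (not real devices): a plain stick and one that also claims HID."""
    sample = {
        "1-1": ("aaaa", "0001", {"1-1:1.0": "08"}),
        "1-2": ("bbbb", "0002", {"1-2:1.0": "08", "1-2:1.1": "03"}),
    }
    for dev, (vid, pid, ifaces) in sample.items():
        (base / dev).mkdir(parents=True)
        (base / dev / "idVendor").write_text(vid + "\n")
        (base / dev / "idProduct").write_text(pid + "\n")
        for iface, cls in ifaces.items():
            (base / iface).mkdir()
            (base / iface / "bInterfaceClass").write_text(cls + "\n")
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_usb(build_sample_tree(Path(tmp))):
            print(row)
```

Calling `audit_usb()` with no argument reads the live `/sys/bus/usb/devices` tree. The result only reflects what a device declares at the moment it is read, so a clean report does not prove the firmware is trustworthy, and some legitimate composite devices also combine these classes.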

Please do not use a pen drive for continuously transferring GBs of data, because the more GBs you write to a pen drive, the more you reduce its life, especially if it overheats. It depends on its capacity and quality; I killed some pen drives from different manufacturers backing up, although I use some of them for recording videos every day without issues. I’ll never want to reduce the lifetime of a Librem Key; moreover, it is slow (USB 2.0) and its purposes are different.
Please copy by Samba over the network, or boot the Windows machine from a live USB GNU/Linux OS and copy to an external HDD.

If you are really concerned about the USB attacks, you can use Qubes OS. Works flawlessly on Librem laptops. USB devices in Qubes are isolated in a separate virtual machine. In my setup, the USB VM is automatically reset every time it is rebooted.

1 Like

Some Windows Security software greatly mitigates USB malware.

I think the answer I would have wanted is: how in Purism does one put the USB controllers and firmware into the state that originally came with PureOS?

Is there malware scanning for Linux that works with Pure?

The most likely way to get a malware problem, and I bet the OP knew this, is from drive-by malware installed while using a browser, which Pure has some means to prevent.

Perhaps someone can write a checklist of how to use Boxes and Pure, with a second list of “Never do this”, such as downloading a special video player from a skin site.

100%.
also

2 Likes

Many rooted phones have viruses. The phone owner gives the virus its permissions on purpose. Actually, it is the virus that gives the phone owner root access and, in many cases, keeps the root access for itself, for its own purposes.

For most of us, the only way we can get root access to our Android or iPhone is to do business with unknown parties who give you something semi-illegal (technically legal for use on your own phone) for free and ask you to trust them. Generally speaking, mainstream businesses won’t help you to root your phone (give you complete Admin control). They don’t want to be responsible either criminally or civilly. So you download an executable from a relatively anonymous website and follow the instructions that come with that executable. Generally, the instructions include disabling all of the antivirus programs on your phone and PC, enabling un-trusted sources to install programs onto your phone, and plugging the phone into your PC (via USB) and executing an exploit against the phone from your PC. The result is that you gain root access to your phone, along with anything else the provider of the exploit wants to do to your phone.

The exchange is much like meeting a stranger in a dark alley and exchanging goods. He gives you something that has some legally questionable validity. You give him your bank account login name and password. He promises to only take out the agreed-upon amount from your bank account.

People do this. It is nice to have a rooted phone. But at what price? Once that exploit has been run, you’re on your own. The phone warranty is voided. The person who wrote the exploit has used root access to your phone to do what they intended to do. As long as you don’t figure out what they’ve done, you continue using your phone. It can wake up every night and go do the exploit writer’s bidding and you may never find out until the FBI knocks on your door.

If you’re lucky the exploit writer is just a geek who is honest and just wants the kudos that come with circumventing a lock-out built by Samsung or Apple. Either way, you have to trust a complete stranger. Unless you wrote the exploit yourself, you’ll never know if your phone is clean after that. Whatever the root user says, is the ultimate law of the phone.

The price of buying a Librem 5? 🙂

For a more whole picture of the challenge (not just W-related or software content that can be scanned with a malware/virus scanner), see a good “taxonomy” of USB-related threats. Even on top of any good system, the user should still know their USB devices and practice good “device hygiene” (as stated by @Kieran already). Looking at the article gives an idea of “why” and of the varying threats.

2 Likes