CIRCLean – USB key sanitizer (circl.lu)
82 points by adulau on March 14, 2017 | 33 comments


This seems a bit misleading to me. From README.md:

  This project aims to be useful when you get/find a USB key
  that you can't trust, and you want to look at its contents
  without taking the risk of plugging it into your computer
  directly.

Its method of operation is given as:

  The content of the untrusted key will be copied or/and
  converted to the second (blank) key following these rules
  (based on the mime type as determined by libmagic)

This process does not make the key trustworthy. From the BadUSB intro:

  Once reprogrammed, benign devices can turn malicious in
  many ways, including:

    1. A device can emulate a keyboard and issue commands on
       behalf of the logged-in user [...]

    2. A modified thumb drive or external hard disk
       can [...] boot a small virus, which infects the
       computer’s operating system prior to boot.

Assuming that the first USB stick can infect the second USB stick, CIRCLean will not protect you against these attacks.


They can mitigate against badUSB by only whitelisting the generic USB mass storage class driver. No keyboard, no mouse, etc... I am not confident they do this though.


Looks like they don't, but they turn off usbhid on that particular port: https://github.com/CIRCL/Circlean/blob/master/circlean_fs/ro...

However, that could be bypassed if the USB key acted like a USB hub with a keyboard attached.

If you do get a keyboard working, it looks like you can just log in with raspberry / raspberry and then full privileged access since sudo from the raspberry user, and /dev/kmem from root is enabled. That would allow arbitrary content to be copied on to the user supplied USB, and depending on the device, possibly firmware reprogramming.


Huh, at least it seems that they care about this attack vector. Blacklisting seems to be the wrong approach.


> They can mitigate against badUSB by only whitelisting

I'd say just don't run a graphical environment or, if you do, lock it. With a normal password, good luck to the USB thumb drive that pretends to be a keyboard.

As for booting, well, don't have it in there at boot time.

As for malware in the files itself -- I don't think that's the point of this project. It says "if you don't trust the transport medium (i.e. USB)", it's not about the contents.


But it's the assumption that is in itself inaccurate. Case #1 is about a modified firmware of the USB controller in the USB stick, case #2 assumes that a boot is initiated from the USB stick. What the Circlean thingy does is more similar to an antivirus, it examines the contents (files) on the USB stick filesystem and only copies to the second stick those files of known type, according to the given rules. Whether this is effective against everything is another thing, of course.

Only "plain" files are directly copied, other supported ones are analyzed and converted, some more detailed info is here:

https://github.com/CIRCL/Circlean/blob/master/README.md

The thing is not really "new":

https://news.ycombinator.com/item?id=8216853


No, I think the assumption is entirely correct. If you can't trust a USB stick's contents then you probably can't trust its controller itself.

But your OS doesn't have to say "Oh, you are a keyboard? Here, open a terminal and type arbitrary commands." It can say "Sorry, I only talk to USB mass storage class devices."
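
The allowlist idea from this part of the thread, as an added example that is not part of the discussion or of CIRCLean's code: a device is accepted only if every interface it exposes is USB mass storage (class 0x08), so a stick with an extra HID interface and a hub (the bypass raised above) are both rejected. It reads the Linux sysfs attribute files `bDeviceClass` and `bInterfaceClass`; the function names and the sample device trees are constructed for illustration, and only the decision is shown, not its enforcement.

```python
import os
import tempfile

MASS_STORAGE = 0x08  # USB base class code: mass storage
PER_INTERFACE = 0x00  # bDeviceClass 0: class is declared per interface

def _read_hex(path):
    with open(path) as fh:
        return int(fh.read().strip(), 16)

def evaluate_device(dev_dir):
    """Allowlist decision for one device directory in sysfs layout.

    Interface subdirectories are named "<device>:<config>.<interface>".
    """
    reasons = []
    dev_class = _read_hex(os.path.join(dev_dir, "bDeviceClass"))
    if dev_class not in (PER_INTERFACE, MASS_STORAGE):
        reasons.append(f"device class {dev_class:#04x} not allowed")
    name = os.path.basename(dev_dir)
    ifaces = sorted(e for e in os.listdir(dev_dir) if e.startswith(name + ":"))
    if not ifaces:
        reasons.append("no interfaces exposed")
    for iface in ifaces:
        cls = _read_hex(os.path.join(dev_dir, iface, "bInterfaceClass"))
        if cls != MASS_STORAGE:  # every interface must be storage, not just one
            reasons.append(f"interface {iface} class {cls:#04x} not allowed")
    return (not reasons, reasons)

def build_sample(root, name, dev_class, iface_classes):
    """Write a constructed sysfs-like device directory (sample data)."""
    dev = os.path.join(root, name)
    for i, cls in enumerate(iface_classes):
        idir = os.path.join(dev, f"{name}:1.{i}")
        os.makedirs(idir)
        with open(os.path.join(idir, "bInterfaceClass"), "w") as fh:
            fh.write(f"{cls:02x}\n")
    with open(os.path.join(dev, "bDeviceClass"), "w") as fh:
        fh.write(f"{dev_class:02x}\n")
    return dev

def demo():
    with tempfile.TemporaryDirectory() as root:
        samples = {  # constructed devices; 0x03 is HID, 0x09 is hub
            "plain stick": build_sample(root, "1-1", 0x00, [0x08]),
            "stick + keyboard": build_sample(root, "1-2", 0x00, [0x08, 0x03]),
            "hub": build_sample(root, "1-3", 0x09, [0x09]),
        }
        return {label: evaluate_device(d) for label, d in samples.items()}

if __name__ == "__main__":
    print(demo())
```
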


Yes, this is how I believe the RPi works, we are by now too used to the "automagic" features of the common OS's (and BIOSes/UEFI's), I presume that the same effect could be obtained by using an old DOS machine with (say) the Panasonic driver, or something like that.


What about the pre-boot phase, before the OS is loaded?


1. You can avoid inserting anything before the OS boots up.

2. You can disable booting from USB in the BIOS. However I think you can't disable keyboards there, so a badUSB device can potentially enter the bios, enable USB booting then infect the machine by booting into the virus. Disabling USB booting and setting a strong BIOS password can be safe, I would still prefer the first option though.


Circlean seems to run on RPi - that won't boot off USB by default. In fact, you have to jump through extra hoops to get a similar effect, such as "bootloader runs from SD card, then explicitly switches to USB". So unless the makers of this have deliberately implemented this vulnerability, it's not there.


Agreed, but in this specific case, CIRCLean depends on the keys being inserted before boot (see steps 2 - 4).


Oh, you are right, this can be bad. But I doubt that CIRCLean does any of the badUSB mitigations. They could fix all of these including the instructions. But that they copy unrecognised binaries ("Octet-stream" in their readme) without marking them dangerous is the most worrisome for me [1]. It seems to be useful only for office documents.

[1] https://github.com/CIRCL/Circlean


> They could fix all of these including the instructions.

Where "They" could be anyone's pull request.


> What the Circlean thingy does is more similar to an antivirus

This is also how I would characterize it.

> Whether this is effective against everything is another thing, of course.

The homepage states:

  In the worst case, only the CIRCLean would be compromised,
  but not the computer reading the target (trusted) USB
  key/stick.

which (at least to me) seems to imply complete effectiveness, which is what irks me.


Not necessarily, it should be possible to do this correctly, although I doubt this specific device does so. The device itself needs to be hardened against USB attacks, otherwise it would be pointless, of course. Then it copies the contents of the malicious USB stick into a buffer storage, analyses the buffer and cleans up the documents on it, and then it unmounts the first device, mounts the second device and copies the contents of the buffer to it.

If it also allows for write-protection, then it might be interesting for forensic work. (AFAIK, USB write protectors cost a few hundred bucks, and maybe this device is in the cost range.)

The crucial question is, of course, how well the device is hardened against targeted attacks. Just using some seemingly secure Linux won't suffice.


Keep in mind that it is completely feasible for the µC to activate malicious payloads only after the n-th usage. Kind of like a PS3 exploit worked, albeit not on the descriptor layer, but the MSC layer.


> In the worst case, only the CIRCLean would be compromised, but not the computer reading the target (trusted) USB key/stick.

If the CIRCLean device is compromised, I don't see how the trusted USB stick, which is connected to the now compromised CIRCLean, can be guaranteed to not be infected.


How about sharing the output via WiFi / Bluetooth?

That seems quite risky tho, once the device is infected, that would be like washing all your dishes with the toilet sponge.

What is the goal of having to reboot at each cycle?


To guarantee, in theory, that there isn't any contamination between two different flash drives.

But in practice, I'm pretty sure that with the right privileges you could just write to the SD card...


Isn't there also a physical switch on the SD card to mark it as write-protected? I'm sure that could be bypassed, but it would make it more difficult to hide the contamination.


The physical switch is entirely software implemented.


Also for Raspberry Pis the connection pin the switch relies on is un-wired.


> The code runs on a Raspberry Pi (a small hardware device), which also means it is not required to plug the original USB key into a computer.

This may be splitting hairs, but a Raspberry Pi is a computer. From https://www.raspberrypi.org/

> The Raspberry Pi is a tiny and affordable computer that you can use to learn programming through fun, practical projects.

The actual project page - https://github.com/CIRCL/Circlean


Not all USB keys can be sanitized, e.g. USB Killer.


Though it's probably cheaper/better to destroy a CIRCLean than to destroy something else


One can carefully short its terminals first then pry open the enclosure. Too many capacitors is a no-no.


What even is the use case for USB sticks these days? Compared to just putting the files in Dropbox.

If I found a USB stick, I would just bin it.


I can buy a USB stick with 32 gigs of memory for a couple of Euros and fill it in minutes. My friends can read the stick in minutes, without having to install software.


Owning your data and not letting any third parties access it.


Not everyone has decent Internet connectivity.

You can dump a bunch of films and tv shows on a USB stick and use that with a cheap laptop for travelling.


> plug a headset and listen to the music that is played during the conversion. When the music stops, the conversion is finished.

Bad UX but I guess it works.

I would have preferred an LED on the Raspberry Pi GPIO ports to indicate ready, processing and finished.


> If you have a Raspberry Pi with a diode, wait until the blinking stops



