Temporary safety storage/communication solution

Thread Starter

ketchup123

Joined Feb 15, 2018
4
Gents, ladies,

This is my use case:
- I have two desktop devices, one is compromised - device 1 (infected by malware, for example) and another one totally safe, device 2. Device 2 is not connected to the Internet or any network.
- I need to build a safe communication system/protocol based on USB between device 1 and 2 which can minimize the risks of infection of device 2
- device 1 needs to send+read certain types of files to device 2 (.json files, timestamped) and device 2 needs to read files sent by device 1, and also send files to device 1

My proposal:
- A USB 2.0 cable with, in the middle, a temporary storage sd-card + a controller to manage the I/O + a way to manage a 'stack': when device 1 is using the sd-card (let's say, writing on it), device 2 cannot write on the sd-card but writes in a temporary 'stack', then writes on the sd-card when it's free.
- each device is able to read from the sd-card
- ideally, the middle controller is able to check the nature of the files and be sure files are of a certain type
See attached.

My question is:
Is this process manageable and how can I build it from a hardware perspective?
I need the device that will be positioned in the middle of the cable to be the smallest possible, can anyone advise on the minimal requirements I'll need for hardware?
Thanks in advance
 


wayneh

Joined Sep 9, 2010
17,153
I'm not seeing the logic of this strategy. Instead of setting up some difficult, in-line system, why not focus on disinfecting device 1? For any strategy to work, you're going to need a way to scan and disinfect files on device 1 anyway, so why not do it in bulk at the source (device 1)?

There are ways to network over USB. It's been a long time but I remember doing it once. It was kind of dicey but it did work. What you're describing would be like a USB network with a network storage device, your micro SD card. Actually it might be like two networks each sharing the same network drive as the only connection between the two isolated USB networks. Hmmm....
 

Thread Starter

ketchup123

Joined Feb 15, 2018
4
Thanks for your replies :)
Awesome.

@wayneh: I don't want a software solution, I'm just supposing device 1 can be compromised because it is connected to the network... and I'm trying to find a way to transfer certain types of files or data to another device without risking being infected.

@nsaspook: USG seems to be what I'm looking for. Kind of a hardware firewall. Do you think I can build that based on USB-C?

Thanks guys
 

Reloadron

Joined Jan 15, 2015
5,997
> I don't want a software solution, I'm just supposing device 1 can be compromised because it is connected to the network... and I'm trying to find a way to transfer certain types of files or data to another device without risking being infected.

Wouldn't it all be a software solution?

Rather than USB I would just get a switch and connect the computers via an Ethernet connection. If you feel that you have any infected files, scan them before moving them. Years ago you would need a crossover cable but newer operating systems do not require that and, as a matter of fact, for only two computers you don't even need a switch.

Ron
 

wayneh

Joined Sep 9, 2010
17,153
> I don't want a software solution, ... I'm trying to find a way to transfer certain types of files or data to another device without risking being infected.

That's impossible. If the file moves, the infection can go with it. You need software to prevent that. Nothing you do to filter by file-type changes that.

You could set things up on both devices, with nothing extra in between, that would only allow access to certain directories and file types in those directories. But again, an infection could easily hide within the files you move.

One other thing that comes to mind is to disable the OS of device 1 and access its drive directly from device 2. This is easy on a Mac (target disk mode) but I'm guessing you're not using Macs? I'm thinking maybe there is a solution to enable that on a peecee? Anyway, this would at least prevent the infected machine from running code, since it's not running.
 

Thread Starter

ketchup123

Joined Feb 15, 2018
4
@wayneh
You are right about the fact that:
If my files get corrupted on device A, they'll be corrupted on device B... but that doesn't mean it's a door to hack B. A corrupted file is not necessarily a hacking entry point if I'm controlling the operations I'm doing on the file and if I'm able to 'isolate' it on device B (save it to a totally separate hard disk which doesn't interfere with my OS).
What I need, to be precise, is to have a 'middle' hardware firewall that controls, at least, the nature of the files: json files, containing some information in a specific format.
Anything else would be rejected with an error.
A direct connection between A and B through USB exposes B to common attacks.
Device B reads the json files, but the files themselves cannot have any action on the OS.
On device B, there will be some software control, of course, but I want the hardware/connection part to be as safe as possible.

@Reloadron
Thanks for your reply. I'm afraid a direct connection, even through Ethernet, can corrupt B.

To explain my need, maybe it'll be more clear:
- Device A contains sensitive encrypted banking information, but the device is potentially exposed to the Internet (malware, attacks, viruses, ...) so it is vulnerable.
- Device B, which is totally offline hardware, has the encryption key and is the only one able to decrypt the information given by device A.
I want to avoid any exposure of the encryption key, and any data leak when the data is decrypted.
That means theoretically:
- I need to avoid any direct connection between A and B
- I need to be sure anything happening on B stays on B and there's no way to corrupt the system through the connection that will be made.
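
Added example (not part of the thread and not any poster's code): the file-nature check ketchup123 describes for the link between A and B, sketched in Python as a strict allowlist validator that runs before anything else touches a received file. The filename pattern, size cap and two-field schema (`timestamp`, base64 `payload`) are assumptions; the thread only says the files are timestamped .json with a specific format.

```python
import base64
import json
import re
from datetime import datetime

# All three constants are assumptions for illustration, not from the thread.
MAX_BYTES = 64 * 1024                                  # size cap per file
NAME_RE = re.compile(r"[0-9]{8}T[0-9]{6}Z\.json")      # e.g. 20180215T101500Z.json
ALLOWED_KEYS = {"timestamp", "payload"}                # exact key set expected


class Rejected(Exception):
    """Raised with the reason a received file was refused."""


def _no_duplicates(pairs):
    # Duplicate keys make different parsers disagree on the value; refuse them.
    keys = [k for k, _ in pairs]
    if len(keys) != len(set(keys)):
        raise Rejected("duplicate key")
    return dict(pairs)


def _no_constants(name):
    # NaN / Infinity are not valid JSON even though Python accepts them.
    raise Rejected("non-standard constant " + name)


def validate_transfer(filename: str, raw: bytes) -> dict:
    """Return the parsed message, or raise Rejected. Only parses; runs nothing."""
    if not NAME_RE.fullmatch(filename):
        raise Rejected("bad filename")
    if len(raw) > MAX_BYTES:
        raise Rejected("too large")
    try:
        msg = json.loads(raw.decode("utf-8"), object_pairs_hook=_no_duplicates,
                         parse_constant=_no_constants)
    except (ValueError, RecursionError) as exc:
        raise Rejected("not valid JSON: " + type(exc).__name__)
    if not isinstance(msg, dict) or set(msg) != ALLOWED_KEYS:
        raise Rejected("unexpected structure")
    if not all(isinstance(msg[k], str) for k in ALLOWED_KEYS):
        raise Rejected("fields must be strings")
    try:
        datetime.strptime(msg["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        base64.b64decode(msg["payload"], validate=True)
    except ValueError:
        raise Rejected("bad timestamp or payload encoding")
    return msg
```

A file that passes is only known to be well-formed; the JSON parser itself is still the code on the receiving side that handles untrusted bytes.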
 

nsaspook

Joined Aug 27, 2009
8,521
Just use a Linux box for the safe machine and OS. You can NFS remote network boot the compromised system to Linux via Ethernet using a separate NIC card on the host Linux machine to have full access to all storage space on the remote computer.
 

Thread Starter

ketchup123

Joined Feb 15, 2018
4
@nsaspook
Yep, sounds like what I'll do.
Device 2 will be a kind of Raspberry (without Ethernet cable) with a screen/keyboard.
Under Linux, the OS itself is on a separate sd-card.
The exchange file 'stack' will be on a separate sd-card, accessible from the OS to read deposited files, and from device 1 through USB.

Do you guys have any idea how I can read/write on the sd-card from both devices at the same time? (Or manage a stack when the sd-card is in use.)
 