USB Dead Drops

Dead Drop

The first time that I heard about Dead Drops, I was intrigued by the idea behind them: offline public file sharing using USB thumb drives that were built into buildings. But then I realized how bad this idea is from a security standpoint. Autorun scripts, viruses with images in them, etc. could very easily be planted on these thumb drives and then installed on an unsuspecting machine. The FAQ page at deaddrops.com suggests using a virtual machine to read the drive, but even then it is not always easy to tell whether the USB port is passed directly to the virtual machine or the data first gets sent to the host OS. If the latter, this is not any more secure than no virtual machine. Another option is to use a machine that is dedicated to connecting to Dead Drops. This works as long as it stays dedicated to Dead Drops. Even then though, if the Dead Drop isn’t actually a real Dead Drop and is actually connected to 110v wall power (for example), good luck trying to fix your computer.
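As an added example (not part of the original post), here is a read-only triage pass for the planted autorun entries and disguised executables mentioned above. It assumes the drive is already mounted read-only on a dedicated machine; the extension lists, function names and the sample tree are constructed for illustration.

```python
import os
import tempfile

# Illustrative, not exhaustive: types Windows runs on double-click, and common decoy types.
RISKY_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".lnk", ".vbs", ".js"}
DECOY_EXT = {".jpg", ".png", ".pdf", ".doc", ".txt"}

def parse_autorun(text):
    """Return (key, value) pairs from autorun.inf that name a command to launch."""
    hits = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command")):
            hits.append((key, value))
    return hits

def triage(root):
    """Walk the mount point reading names and autorun.inf only; nothing is executed."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            stem, ext = os.path.splitext(name.lower())
            if name.lower() == "autorun.inf":
                with open(path, "r", errors="replace") as fh:
                    for key, value in parse_autorun(fh.read()):
                        findings.append((rel, f"autorun {key} -> {value}"))
            elif ext in RISKY_EXT:
                decoy = os.path.splitext(stem)[1] in DECOY_EXT
                findings.append((rel, "double extension" if decoy else "executable type"))
    return findings

def demo():
    """Build a constructed sample tree (not taken from a real drop) and triage it."""
    samples = {"autorun.inf": "[autorun]\nicon=drive.ico\nOPEN=setup.exe /s\nshell\\browse\\command=setup.exe\n",
               "setup.exe": "", "holiday.jpg.scr": "", "readme.txt": "hello"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return triage(root)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

A clean result only means none of these name-based patterns matched; it says nothing about the contents of the files themselves.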

See also:

http://www.instructables.com/id/USB-Dead-Drops/
http://deaddrops.com/
http://deaddrops.com/dead-drops/faq/
[EDIT: After I posted this I was checking xkcd and the current one is relevant: http://www.xkcd.com/956/]

Image above credited to Aram Bartholl (Creative Commons By-NC-ND).


One thought on “USB Dead Drops”

  1. I thought the picture was a joke at first. Then I went to the website (deaddrops.com) and watched the video to find out no, it is not a joke. Some of the comments at http://hardware.slashdot.org/story/10/10/30/2035243/USB-Dead-Drops were pretty funny about this. It might sound like a neat idea and it is. But like you said, it is an awful idea as far as security is concerned. Also, I’m wondering about the legality of carving out holes in walls in public places (vandalism much?). Check out http://www.dailytech.com/USB+Drive+Malware+Exploit+Windows+7+Flaw+in+Apparent+Espionage+Effort/article19065.htm to read about a Windows 7 exploit that takes advantage of Autoplay by installing malicious drivers with fake digital signatures. Someone could put malware like that on the drives and ruin everyone’s day.
