On 3/29/19, npdflr <npdflr@zoho.com> wrote:
I am giving a scenario: (Devices: PC Hard Disk having important files for offline use, USB Device for data transfer and Mobile Device which has internet connection)
1. I have a hard disk that is offline (Linux OS). 2. I use a mobile device for internet, gather some data and transfer that to a usb device (via OTG). 3. I have to mount the usb device to the hard disk since I need the gathered data. 4. Give read and write permission to the usb. 5. I copy the gathered data from usb to the hard disk. Use/process the data as per needs. 6. I write some data back to the usb if needed. 7. Connect usb to the mobile device if needed.
Data from mobile --> usb --> Hard disk Data from Hard disk --> usb --> Mobile
How do I make sure that only the hard disk can read and write to the usb device and prevent the usb to read/write any hard disk data so that the files on the hard disk are always safe?
Search "BasUSB", "HDDHack", etc. Excepting the direct hardware to hardware hacks that bypass the OS entirely, such as read write address space via hardware interfaces (firewire, pci-usb, etc), the latest memory and cache exploits etc, perhaps put or left in the HW by spies since there are no... #OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #OpenAudits , etc to help improve and defeat that... Today's kernels still don't provide any sort of storage block device command firmware update opcode filtering that could help prevent implantation of firmware exploits. Many OS still allow unpriviledged users raw access to portable devices. Then filesystem hierarchy access control schemes, and install and boot infrastructures, are also cumbersome or impossible to protect from user, root, or physical level access. To the extent CD-R, DVD-R, and tape "specifications" are just blocks with no firmware being plugged across the gap, and if no "media updates firmware" capabilities, those, or even serial and parallel port transfers, could be more secure than USB. But since it's not open, you never really know. People need to start doing those #Open* things above before they can start to have even the slightest bit of trust in systems.