How unsafe is a USB flash drive vs DVD for OS (Tails linux)?



  • Compared to a DVD live Tails Linux, how unsafe is using the USB version?

    I'm trying to help a friend who for years has been mired in the laborious iterative process of remastering their own DVDs of Knoppix in the name of security.

    The use case:

    • Tails Linux
    • Only used in own laptop with no other users
    • No HD, but does have RAM, Intel CPU, GPU, etc.
    • Supply chain assumed safe for now
    • Laptop considered unsafe as soon as it connects to the internet
    • Only online banking and email
    • No use of Tails Persistent Storage

    Research:

    • Bad/Evil USB articles
    • HW-switch locked USB flash, MBR can still be accessible user comments
    • Tails Persistent Storage risks page
    • Tails known limitations page
    • Searching security.stackexchange

    Conclusion so far:

    • USB is definitely unsafe (if I had to say 'safe' or 'unsafe')

    However, I don't know what level of effort would be required to compromise it in this use case. Are we a few years away from such scale and automation or is it already here? State-actor only? Would it be equally bad to have a DVD drive in the computer where the firmware could be compromised? Is this level of scrutiny ridiculous or not out of the question of mass automated infection or surveillance technology?



  • However, I don't know what level of effort would be required to compromise it in this use case.

    In order to modify either the USB device firmware or the operating system image stored on the USB device, an attacker would need to not only compromise your Tails installation, but also escalate privileges to root. If an attacker has root and is able to use that to compromise the kernel, they can do pretty much anything. In that case, having a read-only DVD won't save you, since the attacker could modify your BIOS. In other words, against an attacker who has root on your system and wants to persist malicious code, neither DVD nor USB flash drive will protect you.

    If the attacker is physical, then a read-only DVD may be marginally more secure, since a USB stick could be modified without changing its physical appearance, whereas modifying the code on a read-only DVD is effectively impossible and the attacker would have to replace it with a new, pre-modified DVD with whatever code they wanted on it. But are you really comparing each and every scratch on the disc to ensure that it's legitimate and not a replacement?

    Are we a few years away from such scale and automation or is it already here? State-actor only?

    No one automates such high-skill attacks since it would give away their capabilities very quickly. This would only be done by a sophisticated adversary (yes, including state actors) on specific targets. It's unlikely that you would be targeted personally. If you are, then the attacker will very likely not care about modifying the Tails image, but would instead either do what they want and leave, or pivot to another device (such as a router or mobile phone) which is harder to analyze.

    Is this level of scrutiny ridiculous or not out of the question of mass automated infection or surveillance technology?

    It's pretty much out of the question. Mass automated infection is done as quickly as possible and with minimal stealth. It uses exploits to install something like ransomware or to attempt to steal credentials with monetary value. A state actor is not going to throw their code around willy-nilly.

    But let me answer the question you never asked: Am I safe? Unfortunately, you aren't able to begin determining if you are safe until you formulate your threat model. You need to know who is after you, what resources they have and are willing to spend on you (yes, the NSA could get into your system. No, they haven't assigned a whole team to go after you), what they want from you, and what the result would be if they got what they want. Until you do that and perform adequate risk analysis to ensure that you're worrying about the right threats, you'll have no idea if you're safe or not. But asking yourself "what am I really trying to protect, and from whom?" will go a long way.



Suggested Topics

  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2
  • 2