We have an auto update for our software that is installed via USB key (with the auto run). If I wanted to ensure that only authorized USB Keys were used, what's the best way?

Our installer is already signed, and it won't run otherwise. But I'm more wanting to inspect the USB Key for a signed installer, and if it's not there, just ignore, or even "Eject" the USB device.

And I should be able to tell the difference (in code) between a USB storage device, and say a camera, or keyboard.

I'm only wanting to disable non-authorized storage devices.

Thank you for your ideas.

+4  A: 

Non-authorized storage devices? This depends on how secure you want it to be. For the most secure level, it would consist of:

  • special firmware written to the flash drive to get extra "meta info" (read: expensive custom manufacturing of flash drives)
  • special Windows driver to read that meta info from the flash drive
  • your program talking to that device driver to confirm it's authorized.

Or to the least secure level you have these options:

  • using a hidden file and a special key (possibly hashed time of last filesystem modification or something?) (dd breakable)
  • dropping below the filesystem level and recreating your own very simple filesystem (more security through obscurity though, and dd could break that)

Also, for the "most secure" option, you really need a more secure way of running the program than auto-run and a device driver (which could be half-baked to make anything appear authorized). Why do you want it to only update from an authorized flash drive anyway?

Earlz
I'm just trying to make sure the avg Joe can't stick a USB key in, and get an autorun window. In a perfect world, I could attach to a Windows event of "New USB Device Found" whatever that is ... inspect the device, if it's storage look for a known signed piece of software and run it. If that software isn't found - just ignore the device.
ScottCate
Yea, I'd go with that and/or @pkaeding's answer then. I wasn't sure on how secure you needed it to be.
Earlz
+2  A: 

You might be able to read the USB drive's serial number (assuming you get USB drives that have serial numbers; not all do). Then your application could call home to get the latest list of authorized serial numbers, and check to see if there is a match.

pkaeding
That's a good "secure to most people" approach +1. (can always be faked with a microcontroller or custom device driver though)
Earlz
A: 

Earlz's response is good, though I don't think you'd need custom manufacturing of flash drives... you would just need flash drives with some sort of unique firmware encrypted identifier. Perhaps something in the Kingston Data Traveler Line might do the trick. (I've never actually used one of these encrypted USB sticks, so I'm a bit foggy on the actual implementation details).

Dan
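
An added example (not code from any poster in this thread) combining pkaeding's serial-number allowlist with the signed-installer check ScottCate describes: it lists only volumes backed by a USB disk, then accepts a volume when its serial is allowlisted and the installer carries a valid Authenticode signature from the expected certificate. The allowlist entry, the thumbprint placeholder and the file name `update.exe` are assumptions.

```powershell
# Added example. The three values below are assumptions, not from the thread.
$AllowedSerials    = @('CONSTRUCTED-SERIAL-0001')           # constructed sample
$TrustedThumbprint = '<YOUR-CODE-SIGNING-CERT-THUMBPRINT>'  # placeholder
$InstallerName     = 'update.exe'                           # hypothetical name

function Get-UsbStorageVolume {
    # Only disks on the USB bus are enumerated. Keyboards (HID) and cameras
    # that enumerate as imaging/MTP devices are not Win32_DiskDrive
    # instances, so they never reach the checks below.
    Get-CimInstance Win32_DiskDrive -Filter "InterfaceType='USB'" | ForEach-Object {
        $disk = $_
        $disk | Get-CimAssociatedInstance -ResultClassName Win32_DiskPartition |
            Get-CimAssociatedInstance -ResultClassName Win32_LogicalDisk |
            ForEach-Object {
                [pscustomobject]@{
                    Drive  = $_.DeviceID                     # e.g. 'E:'
                    Serial = "$($disk.SerialNumber)".Trim()  # empty if none reported
                }
            }
    }
}

function Test-AuthorizedUpdateKey {
    param([Parameter(Mandatory)] $Volume)

    # 1. Serial allowlist: drives with no serial or an unknown one are rejected.
    if ($AllowedSerials -notcontains $Volume.Serial) { return $false }

    # 2. The installer must exist at the root of the volume.
    $path = Join-Path "$($Volume.Drive)\" $InstallerName
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { return $false }

    # 3. The signature must be valid AND made by the expected certificate;
    #    "Valid" alone would accept any trusted publisher's signature.
    $sig = Get-AuthenticodeSignature -LiteralPath $path
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Thumbprint -eq $TrustedThumbprint)
}

foreach ($vol in Get-UsbStorageVolume) {
    if (Test-AuthorizedUpdateKey -Volume $vol) {
        Write-Output "$($vol.Drive) authorized: serial and signature match"
    } else {
        Write-Output "$($vol.Drive) ignored"
    }
}
```

As Earlz's comment points out, the serial can be faked, so here it only narrows which drives are inspected; the pinned signature check is what decides whether a key is accepted.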