Since I have to deal with infected computers and hard drives, ssd’s and usb sticks I came a long way to determine what the best hardware write protected setup would be. Upfront: Most manufacturers don’t care about a simple hardware write protection. Whether in the case of data storage nor firmware protection. Most manufacturers simply don’t care about a mechanical write protect switch that offers proper hardware write protection.
At least there are some options available to buy and choose from. Plus there are some workarounds and DIY solutions to securely transfer files from an infected pc to another one without risking to spread the infection any further. There are ways to protect yourself form Bad USB attacks and keep safe on the firmware side of USB sticks, hard drives and Solid State Disk Drives as well.
There also are options to create a non writable boot medium. If you want to boot from a hardware write protected drive you have several options like S-ATA Adapters with hardware write protection and commercial grade SSDs (DOM) with hardware write protection. This way you could boot a live linux that doesn’t allow any alteration of the system files and folders.
Table of Contents
- USB flash storage (USB sticks) with write protect feature
- Professional Hardware tools (Forensic)
- Cheap DIY real hardware write proctection for sd cards
- USB to S-ATA Write Blocker / Serial Adapter
- mSATA-Write Blocker to USB Adapter
- Retail SSD (Solid state discs) with real hardware write protection / switch
- CF to SATA/PATA Adapters
General USB Vulnerability: Bad USB
While the firmware of many USB devices should be secure by design, it often isn’t. You should always check if the built in microcontroller is vulnerable to bad usb attacks. However this by itself doesn’t tell anything about proper implementation of a hw write protection for the flash memory storage.
Vulnerability check for:
Non confirmed devices
- ICY BOX IB-256WP External Enclosure with Write Protection Switch for 1x 2.5″ HDD/SSD, USB 3.0
- ICY BOX M.2 NVMe Mac Pro Design Case for M.2 SSD USB 3.1 Gen2 (10Gbps) Passive Cooling System Write Protection
USB Sticks with a hardware write protection
Regarding the security level we have to split the USB Flash Storage devices into 3 groups. Group 1 has no hardware write protection at all. Group 2 has a hardware enabled write protection for the storage space that is accessible by the OS but still has a unsecured firmware that can be tampered. Group 3 has a hw write protection and a secured firmware (Option 1: Crypto signed Firmware which may get flashed from within an OS & Option 2: a read only firmware & Option 3: a flashable Firmware that requires external SPI programming)
USB Sticks with write protection (No special efforts for secure firmware)
- Docooler Netac U335S
- Trekstore USB-Stick CS 3.0
- Trekstore USB-Stick CS 2.0
USB Flash storage with write protection and tamper proof firmware (cryptosigned)
- Kanguru Flash Trust USB-Stick
- Kanguru FlashBlu30 USB
- Kanguru SS3
- Nitrokey Storage
- Nitrokey Pro
- Nitrokey Start
- Nitrokey HSM
- Nitrokey FIDO2
External SSD Drives with hardware write protect
The Kanguru UltraLock USB 3.0 SSD comes in different capacities 240GB, 480GB, 1 Terabyte and 2 Terabyte.
SD cards with write protection
The problem with most of the micro sd cards, while offering a write protection or read only switch, they still rely on a simple flag that is set by switching to the protected state. However this flag may or may not be recognized by the micro sd card reader you use. Even if it is recognized by the card reader, the reader itself only reports the state of the flag to the operating system. After that the OS has to decide if it will comply with the “standard routine” or simply ignore it. Even if the OS does comply with the read only state, a malicious piece of software may still perform write actions to the card’s storage space by using exploits. Therefor a virus, trojan, rootkit or anyone with remote or physical access to the computer to which the card is connected, may perform write commands and alter the contents of the sd card.
Conclusion: mostly all Micro SD Cards may be altered regardless of the state of the write protection switch.
Proper implementation: Hardware sided write protection (card internal)
There are some micro sd cards which offer a card internal write protection. The card itself then doesn’t allow writing to the flash storage by filtering out any write commands. The write protection is within the card’s responsibility.
However, these cards rarely seem to exist in the wild. While there might be devices available somewhere, most of the time these aren’t made available to the public a.k.a. average joe.
These cards with an internal hardware based write protection are available to military and governments or businesses that aquire them directly from OEM’s (Original Equipment Manufacturer).
Workarounds – DIY write protection for Micro SD Cards:
If you don’t mind the hassle and really want a secure and write protected micro sd card, you can rely on a “man in the middle” device that filters out any write commands to the card’s storage. Unfortunately (or excitingly) you have to assemble these kind of devices yourself. The effort to do so isn’t that big.
Option 1: The SD Locker (Price range 7-10 $ US)
You just have to be able to solder simple stuff and get your hands on these parts:
- ATmega328p microcontroller (2-5 $ US)
- 3.3 VDC boost regulator (4-5 $ US)
- SD card socket (less than 2 $ a piece)
- A simple and cheap Perfboard (DOT PCB even less than 2$)
Even if you can’t solder yet I advise you to just get a cheap solder iron and some solder wire. Soldering isn’t hard to learn and it makes so much fun to be able to manufacter electronic devices yourself. There are so many opportunities within the maker space. Get yourself a go and enter the hacker space – you really should start to learn how to solder in 10 minutes.
Beside the soldering process (which really is simple to achieve) you have to follow the information from https://www.seanet.com/~karllunt/sdlocker.html to assemble your device.
Option 2 – Sdlocker-Tiny (Price range 7-10 $ US)
For this enhanced version you need the following parts:
- Attiny85 (less than 3 $)
- Texas Instruments LM3940 + 2 capacitors (less than 2$)
- SD card socket with grnd (less than 2$ a piece)
- A simple and cheap Perfboard (DOT PCB even less than 2$)
More information and downloads: https://github.com/Nephiel/sdlocker-tiny
Professional Write Blocker / Read Only Adapter (Forensic tools)
Forensic Bridges are mainly used in the professional field. They offer tamper proof connections to connected drives and storage options and secure file transfers from infected drives to another computer / storage solution.
- Tableau Forensic SATA/IDE Bridge TK35U SiForce
- Wiebetech Forensic ComboDock, model FCDv5.5 / HDD (switchable Read/Write access)
- Wiebetech Forensic UltraDock, model FUDv5.5 (Read only)
- Wiebetech USB 3.1 WriteBlocker / Read only USB Adapter
- Coolgear USB 3.0 SATA / IDE Adapter with Write-Protection (discontinued)
The Wiebetech Forensic UltraDock is a read only device and offers a write protection based on it’s hardware design. The Firmware of the connected drives might not be manipulated as well. However the Forensic UltraDock’s firmware itself maybe altered without an external programmer since the device offers firmware updates by using the application Wiebetech offers for download.
Drives connected over PATA/IDE allow transfer speeds up to 133 MB/s. By using SATA standards, 6Gbps are the maximum. The homepage states only up to 3Gbps for I/O SATA but the product specifications say 6Gbps.
It seems to be one of the few safe and bootable forensic write blockers. As long as the computer is able to boot from one of the various ways you are able to connect the Wiebetech Ultradock to, the boot process should not be interrupted. Mainboards capable of booting from USB Media (3.0 up to 5 Gbps) should do well in the booting process. eSATA (up to 6Gbps) and Firewire (800 Mbit) are also available forms of connecting the Wiebetech Forensic Ultradock with a PC or MAC running Windows XP, Vista, Windows 7, 8, 10, 11, Windows Server 2003 or later as well as Mac OS X 10.4.x or higher (USB 3 requires 10.8 or later) and Linux distributions.
The Ultradock from Wiebetech comes with an AC adapter & power cord USB 3.0 cable, 1x eSATA cable, 1x SATA drive cable, 1x IDE drive cable, a Molex MiniFit to legacy power cable adapter, a metal drive plate (for optional use) plus a packet of screws, bumpers and also a full 3 year warranty.
Adapter Bundles are available for 2.5in & 1.8in IDE, ZIF, mini PCIe, mSATA and MBA2010 connectors. Also a m2 Adapter is available as well. It works as described with SATA 512n and 512e type drives but is incompatible with 4Kn type drives.
It complies with EMI Standard: FCC Part 15 Class A, CEEMC Standard: EN55022 and EN55024RCM.
The UltraDock is a bit pricey for the casual user. But for people who have to deal with infected drives on a regular base, nerds and hardware enthusiasts this is one of the premium options to choose from if you want secure file transfers from unsafe media to another computer.
The Coolgear Adapter with the ability to write-protect data,the USB 3.0 Sata / IDE Adaptermakesa perfecttool for any tech bench and forensics workshop. Supporting the latest USB 3.0 design with speeds of up to 5Gbps, the USBG-127ASDsupports SATA 3G drives with speeds up to 3Gbpsand ATA100 IDE drives with speeds up to 1Gbps, Write-Protect mode automatically reports the drive as un-writable to any computer it is plugged into.
Most “write protected” adapters simply allow the operating system to think it is writing data, when in fact it is silently ignoring write commands. This leaves an uneasy feeling where you aren’t sure if the data was actually written or not until you verify. With the USBG-127ASD USB 3.0 SATA / IDE Adapter, there is no uncertainty when in write-protect mode, the operating system cannot write data to a connected drive and will present you an error if you attempt to do so.
Quote from Coolgear’s website:
https://www.coolgear.com/product/usb-3-0-sataide-adapter-with-write-protection
S-ATA to USB Adapter / Write Blockers (write protect)
The Sharkoon device sets a write protect flag. However the firmware should be safe since the HDD’s are connected through USB protocol as a spokesperson of the company said. The Firmware of Disk Drives should only be writable through the native SATA or IDE port. At least no tool is known to them that realizes firmware updates over a USB connection. However, a tool that does so might exist in the wild told us Mr. Klein from Sharkoon Technologies. The device uses the Innostor Modell IS611 chipset. If anyone has more information about how this chip realizes the write protection, please share your knowledge in the comments below.
The Delock Converter allows to connect any SATA device like SSD, HDD, DVD, CD-ROM by using the USB 3.0 standard while the built in hardware write protect function prevents the writing of data to the connected SATA drive. The manufacturer yet has to confirm that tampering with the connected drives firmware will also be impossible as well as if the firmware of the Delock Converter is safe by design / not flashable.
mSATA to USB 3.0 Adapter with Write Blocker (write protect)
Delock Converter USB 3.0 > mSATA 2,5″ (Item No. 62468)
SATA-DOM and mSATA SSDs with hardware write protection
S-ATA DOM with hardware write protection
- Delock SATA 6 Gb/s DOM Module 32 GB MLC SATA Pin 8
- Innodisk SATADOM-MV 3ME4 (8GB, 16GB, 32GB, 64GB, 128GB, 256GB)
- Apacer SDM5A 7P/90D MP2 (optional write protect by hardware switch)
- MagicRAM SATA III DOM (optional support write protect with PCBA only)
CF Card (Compact Flash Cards) with hardware write protect
Resources:
https://vkldata.com