How to make sure that USB storage firmware is not compromised

Thanks for opening this new thread.

  1. Make sure that the USB storage you get your hands on is not malicious initially.
    You can be certain of this if you’ll use some open hardware and open source firmware USB storage for which you can build and flash the firmware yourself.

Exactly. Any “trust” in a proprietary thing is forceful and is not actual trust but should rather be called compulsion.

Maybe such devices are already available but otherwise it’ll be cumbersome to make and use but possible.

Nitro/Librem Keys storages are such devices, the only FOSS/H ones I am aware of.

Or you can protect yourself from a targeted attack and buy the consumer USB storage at some random store by yourself without using delivery. With this you can be almost certain that the USB storage couldn’t be used for a targeted attack on you but you’ll have to live with the probability of this USB storage containing some mass-targeted malware in its firmware.

Exactly. The latter is not impossible.

  2. Make sure that this USB storage firmware can’t be infected while using it.
    Always keep USB storage to yourself so other people can’t get a hold of it.

That excludes swimming and similar activities.

Use a separate USB controller that will be used only to connect this USB storage, and no other USB device will be connected to it.

Only if a second controller exists.

Maybe I’m not getting the question right.

You are.

If that’s the case then can you state some examples of a threat or more details to your question?

See:

A malicious USB storage device can contain a hidden partition, visible only to its own firmware, where malware can reside forever. We also have USBKill as a technical possibility.

Now you understand my concern in regards to booting from USB or having any USB devices connected at boot time. The inevitability of USB keyboards and mice (although undesired) actually seems more acceptable, as the firmware of those devices is far simpler and for economic reasons it seems less likely that an attacker would target those devices. BTW, I have seen a FOSS USB keyboard… it cost about $300.