The takeaway for me is that you can program a Raspberry Pi Zero to be a USB device (not just host). I wonder if it can do both at the same time...
I sometimes think about building a "USB Condom". There already exist devices that only pass through the power lines, if you want to charge a phone from a dubious plug. However, I would go a step further and try to support data. For example, I would emulate a USB pen drive (with a FAT32 file system), and then mirror the contents of an attached drive. If the attached drive is malicious, it cannot easily attack the host.
You wish to build your own USB condom because you want to be absolutely, 100% sure it's built without any kind of backdoor and you don't trust anyone else to do this for you?
I wish to build - or I wish someone would build - a USB condom that passes through USB stick drives, by reading files on one side, and emulating a filesystem on the other.
It's not because I want to be 100% there is no backdoor. Rather I want a minimum of safety when I have to access a USB stick given to me by a stranger.
(Speaking of building your own, simple power-only USB condoms - like you linked to - are actually pretty easy to make. They have been used to teach (SMD) soldering at CCC events, hackerspaces and the like.)
Hm, this sounds like a software-based solution right? But if you have software only letting certain data pass, couldn't the same software just be run by the main device instead of an intermediate one?
Two reasons speak for a separate hardware for that purpose:
1: conventional computers have no mechanism to indicate what you expect from a USB device, and you can't ask for confirmation that the user wanted to plug in a keyboard, because the user might need that keyboard to confirm hits intention
2: the USB software stack can be attacked at many layers, including firmware, generic OS code and the OS-chosen driver. That software stack varies depending on OS, motherboard, BIOS version, installed drivers etc. A hardware device can provide protection invariant from those factors
I don't know from the top of my head about USB, but for FireWire there was a hack that allowed a malicious device to access all memory (read-write). Basically, a new device is placed on the DMA bus (for speed reasons) with no authentication and can do whatever it wants. There is a proof of concept that unlocks OS X, Windows, and a popular Linux desktop.
There was a USB bug where you could infect some USB controllers with mal-firmware that would spread like a worm! I believe the NSA was actively using this, but I might be mixing things up.
With a condom, a malicious device would have to take over two pieces of hardware, not just one. This is one advantage of a hardware solution.
The other advantage is, if there is an exploit in the USB filter software, the malware lands in my condom (hihi). It would likely have to be adapted to work on it and to move to my PC (the condom is ARM, has no network besides USB, can have a read-only file system, ...).
I sometimes think about building a "USB Condom". There already exist devices that only pass through the power lines, if you want to charge a phone from a dubious plug. However, I would go a step further and try to support data. For example, I would emulate a USB pen drive (with a FAT32 file system), and then mirror the contents of an attached drive. If the attached drive is malicious, it cannot easily attack the host.