Friday, June 9, 2017

USB-To-Serial Data Diode and Secure File Transfer Method For Windows PCs

This was a fun project.  Computer security is a big hobby of mine.  There's a thing called a "data diode", which enforces one-way communication from an isolated, secured node to an unsecured node (you can have multiple secured nodes if you want).  I had been wanting to build one of these for a long time but never knew how!  Whichever device you use to transmit needs to be as secure as you can possibly make it: no malware, and no side-stepping the data diode via Wi-Fi, Bluetooth, audio, optical, or other RF channels.  From the unsecured node you connect to a network like the internet and transfer the file to another recipient, and they push the file one way to a receiving computer.  The purpose of doing this is keeping malware off the machines which you transfer files to and from.  The other main purpose is doing the encryption and zipping of a file on a machine that is not networked, since a networked machine could be keylogging the plaintext material.  If there's a keylogger on your offline PC, it would have to smuggle that information out inside the encrypted and zipped file, which is feasible but would probably be noticeable.  It becomes much harder when you just take away the network aspect (internet); it requires some fancy end-run attacks.

The design I was testing is this one: imgur.com/a/5Cv19.  I'll link some of the pictures in this blog post too.

Very simple, nice design.  I won't repeat much of what's there.  The optocoupler used was an Avago HCPL-7723; this is the most important part, enforcing isolation of the TX and RX pins to deal with the potential for pin-remapping on USB-serial converters (highly unlikely, but probably possible).  If you can do this with discrete parts and not an IC, it would be easier to verify and to catch potential hardware backdoors in the optocoupler.  There is a design here for such a thing: (link Uni of Iowa paper on data diodes).  The other part is an FTDI232 USB-serial converter board.  You can get those really cheap, like $6 for 2.  The optocoupler seemed unnecessarily expensive... $22.  I just used that one since that was what the original design called for; any optocoupler would work I believe.  I would like a cheaper optocoupler.

My contribution here, though, is file transfer, since that's what's actually useful.  The guy who made this design (whom I'm leaving nameless for now) only did some basic experiments (for time reasons I think): he sent some characters over the data diode and checked with an oscilloscope to verify it worked.  I was pretty confident some terminal programs would work to send full files over it.  Thankfully one terminal program did work: Realterm.  The problem for me is I want to know exactly how the file is being sent, and it's not very clear in the Realterm docs, and I couldn't get access to the code just yet.

So first off you need to install the FTDI virtual COM port drivers if you don't already have some installed (you usually don't need this on Linux, as these drivers are included in the kernel, but I haven't tried Realterm via Wine on Linux).  Then you need to install Realterm on each device.  Next you'll need to build the data diode.  For now, I just soldered wires directly to the optocoupler pins, as well as soldering the 47nF capacitor directly to the pins (the capacitor acts as a low-pass filter; it's a necessary component according to the datasheet).  You connect the +5V and GND pins from each USB-serial converter to its own side of the optocoupler (the TX converter powers the LED side, the RX converter powers the detector side; keep the two supplies and grounds separate so the optocoupler's isolation barrier is the only thing bridging the two computers), and *ONLY* the TX pin on the TX side and the RX pin on the RX side.  This is very important: in essence you have 2 things enforcing the isolation of transmitting one way.  First, by not even connecting an RX pin back to TX; then the unidirectional data path is enforced by the optocoupler, which has an LED on one side and a photodiode on the other.

Transducers are bidirectional, however.  A simple experiment to try is to take an LED, attach a digital multimeter to it, and shine a flashlight on the LED; you will see some voltage.  Depending on the strength of the flashlight it may get up to 1.3 or even 2V, which may be enough to do something.  It may still be possible (though highly, highly unlikely) to inject enough power via RF or optical channels to turn the photodiode into a transmitter and have the LED receive that, but I think it would take a ridiculously high level.  I'm not sure; that's an experiment to try sometime.

Be careful that you do not connect anything to pins 3 or 7 on the optocoupler, or it will not work.  I can tell you that for sure.

I used the male-to-female jumper wires that you typically get with an Arduino kit; however you wire it up is up to you, but I do want to make a simple PCB for this.  Once you have your data diode made, connect each side to your TX computer and RX computer; you'll need some mini-USB to USB-A cables for this as well, of course.  Create a made-up test file; for this example I'll transmit the text file I'm writing now and take pictures for the blog post.

Once the file is created, open up Realterm (installing Realterm should be very easy so I'm skipping over that).

TX side:
1) Click on the "Port" tab.  Keep the baud rate at the default of 57600 (I've tried 115200 and it still worked).
2) Find which COM port your USB virtual COM port is on; it can be a different number on each machine.  For me it's #3.  Leave all the other settings alone, they're fine.
3) Once you have your port set up, click on the "Change" button with the green check mark.

RX side:
1) Same thing: on the "Port" tab set the baud rate to 57600 and select the COM port your converter is on (for me it's #11).
2) Go to the "Echo Port" tab, use the same settings for baud rate and port, tick the "Echo On" and "Monitor" check boxes, then hit the "Change" button with the green check mark.  For some reason the "Capture File" feature wasn't working for me, so you don't even need to mess with that.

Now go back to the TX side, go to the "Send" tab, and look at the "Dump File to Port" text at the bottom.  Click on the box with 3 dots and browse to the file you've saved on your PC.  Once found, hit "Send File" and you should see text start showing up on the RX side terminal.

It's really not too bad once you've done it a couple times.

What you then need to do is copy/paste that text into another file and save it on the RX side.  This is the one thing that really irks me about this setup: I wanted the "Capture File" feature to work but it wasn't.  But in all honesty, if you're doing this level of setup for your secure file transfer, this manual step won't be that bad.  Now you have a file from an offline secured PC on a less secure networked PC, and the networked PC could not send any malware to the offline machine during the file transfer, so you're set.

Another use case is to type out a message you want to keep secret from everyone but the recipient on your offline PC.  Next you base64 that file (it's easy on Linux), then encrypt that file with GPG or OpenSSL, then base64 the result again so it's a nice ASCII text string.  Save that to a text file and send it over the diode.  Then you can send that file as an email attachment; exchange public keys and encrypt the key to the file with the recipient's public key, so whoever you're talking to can decrypt it.  That's a nice secure method of sending something you want to keep secret to someone.
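One thing the Realterm procedure above leaves entirely to the operator is checking that what showed up on the RX screen is actually the file that was sent.  The diode gives the RX side no back channel, so nothing in the link itself will notice a dropped or garbled line, and copy/pasting out of the terminal is one more place for errors to creep in.  The Python below is an added example (not code from the original post, from the diode's designer, or from Realterm) of wrapping a file, such as the base64'd and encrypted blob from the previous paragraph, into pure ASCII lines that each carry a sequence number and a CRC32, with a SHA-256 over the whole file at the end.  The TX side writes the output to a text file and dumps it through Realterm; the RX side pastes the captured text into the decoder, which either rebuilds the file or names the exact line numbers that are missing or corrupt so just those can be re-sent.  The frame layout, the function names and the sample payload are my own choices for illustration, not anything the original post specifies.

```python
"""Framing a file as checkable ASCII lines for one-way serial transfer.

Added example: not part of the original post.  The frame layout
(BEGIN/END lines, sequence numbers, CRC32 per line, SHA-256 trailer)
is an illustrative choice, not a standard.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import zlib

LINE_BYTES = 48   # 48 raw bytes -> 64 base64 characters per line


def encode_for_diode(name: str, data: bytes, line_bytes: int = LINE_BYTES) -> str:
    """Return 7-bit ASCII text suitable for Realterm's "Dump File to Port".

    Layout:  BEGIN <name> <length>
             <seq> <base64 chunk> <crc32 over seq+chunk>
             END <sha256 of the whole file>
    Each line is independently checkable, so a dropped or garbled line is
    reported by its sequence number instead of silently corrupting the file.
    """
    if not name or any(c.isspace() for c in name):
        raise ValueError("name must be non-empty and contain no whitespace")
    out = [f"BEGIN {name} {len(data)}"]
    for seq, off in enumerate(range(0, len(data), line_bytes)):
        chunk = data[off:off + line_bytes]
        b64 = base64.b64encode(chunk).decode("ascii")
        # seq is covered by the CRC too, so two lines swapped in transit also fail
        crc = zlib.crc32(seq.to_bytes(4, "big") + chunk)
        out.append(f"{seq:06d} {b64} {crc:08x}")
    out.append(f"END {hashlib.sha256(data).hexdigest()}")
    return "\r\n".join(out) + "\r\n"


def decode_from_diode(text: str) -> tuple[str, bytes]:
    """Rebuild (name, data) from text captured on the RX side.

    Tolerates blank lines, LF-only line endings (copy/paste from the terminal)
    and junk before the BEGIN line.  Raises ValueError naming the first problem
    found (bad CRC on line N, missing line numbers, length or SHA-256 mismatch);
    that message is what the operator reads back to the TX side out of band,
    because the diode itself has no return path.
    """
    name = None
    expected_len = 0
    final_hash = None
    chunks: dict[int, bytes] = {}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if name is None:
            if parts[0] == "BEGIN" and len(parts) == 3 and parts[2].isdigit():
                name, expected_len = parts[1], int(parts[2])
            continue                                   # junk before the header
        if parts[0] == "END" and len(parts) == 2:
            final_hash = parts[1]
            break                                      # ignore anything after the trailer
        if len(parts) != 3:
            raise ValueError(f"malformed line: {raw.strip()!r}")
        seq_s, b64, crc_s = parts
        try:
            seq, crc = int(seq_s), int(crc_s, 16)
            if not 0 <= seq <= 0xFFFFFFFF:
                raise ValueError("sequence number out of range")
            chunk = base64.b64decode(b64, validate=True)
        except (ValueError, binascii.Error) as exc:
            raise ValueError(f"undecodable line {seq_s}: {exc}") from exc
        if zlib.crc32(seq.to_bytes(4, "big") + chunk) != crc:
            raise ValueError(f"CRC mismatch on line {seq}")
        if seq in chunks:
            raise ValueError(f"duplicate line {seq}")
        chunks[seq] = chunk
    if name is None:
        raise ValueError("no BEGIN header found")
    if final_hash is None:
        raise ValueError("no END trailer found; transfer incomplete")
    total = max(chunks) + 1 if chunks else 0
    missing = [i for i in range(total) if i not in chunks]
    if missing:
        raise ValueError(f"missing lines: {missing}")
    data = b"".join(chunks[i] for i in range(total))
    if len(data) != expected_len:
        raise ValueError(f"length mismatch: got {len(data)}, header says {expected_len}")
    if hashlib.sha256(data).hexdigest() != final_hash:
        raise ValueError("SHA-256 mismatch")
    return name, data


def verify_capture(text: str) -> tuple[bool, str]:
    """Convenience wrapper: (True, name) on success, (False, reason) on failure."""
    try:
        name, _ = decode_from_diode(text)
        return True, name
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    payload = b"secret notes\n" * 20          # constructed sample file, 260 bytes
    wire = encode_for_diode("notes.txt", payload)
    print(wire)                               # this is what the TX side dumps to the port
    print(verify_capture(wire))               # (True, 'notes.txt')
```

On the TX side, write the output of `encode_for_diode` to a text file and send that with "Dump File to Port"; on the RX side, paste whatever appeared in the terminal into a file and hand it to `decode_from_diode`.  Because the CRC covers the sequence number as well as the bytes, a line that arrives out of order or twice is caught along with a line that is merely garbled, and the SHA-256 trailer catches anything a 32-bit CRC might miss.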

Wishlist:  I want the following features...
1) Linux support with a terminal program; I may try Realterm on Wine.
2) No drivers to install.
3) Sending directories/folders of material instead of just the contents of one file, with a drag-and-drop GUI application.
4) A PCB made up so you just need to solder the components to the board, plus a nice case.

*Update*
I'm making a serial data diode with SD cards using the Arduino platform again (this will be my last Arduino project for a little bit); I will put it on the blog when I get something worth posting.  Stay tuned if this topic interests you.
