Secure Removable Media Without Breaking How People Actually Work
A NIST-Aligned USB Security Solution Built on Raspberry Pi

The Problem Nobody Likes to Admit
When a USB device plugs directly into a workstation, control is gone instantly.
It is not just about infected files anymore.
Some of the most dangerous USB threats today:
Pretend to be keyboards
Type commands faster than a human can react
Never store a file
Never trigger antivirus
A cable can do it.
A “keyboard” can do it.
A device that looks like storage can do it.
Once that device touches a Windows system directly, the damage can already be done.
And users cannot tell the difference. That is not a training failure. That is physics.
Why “Just Disable USB” Fails in the Real World
On paper, disabling USB ports sounds decisive.
In reality, it pushes the problem underground.
When USB is blocked completely:
Files get emailed to personal accounts
Shadow cloud storage appears
One “exception computer” becomes the riskiest machine in the building
IT spends time approving workarounds instead of managing risk
The work does not stop. It just becomes invisible.
Security that forces people to sneak around it is not security.
The Idea That Finally Clicked
Instead of trusting endpoints to handle removable media safely, this design removes removable media from endpoints entirely.
USB devices never touch workstations.
Not storage.
Not keyboards.
Not composite devices.
There is one safe lane in. One safe lane out.
And that lane is isolated.
The Raspberry Pi Media Gateway
The solution is built on dedicated Raspberry Pi stations, intentionally designed to do one thing only: safely handle removable media.
Each Pi acts as a media airlock.
USB drives and SD cards are connected to the Pi, not the workstation
Files are transferred through a controlled process
Executables are blocked
Nothing runs
Nothing types
Everything is logged
The system runs in a read-only state
All configuration files are checked for modification using SHA hashes
Simple accountability through SSH keys
The workstation never sees the device. It only receives approved files.
That single architectural decision eliminates entire classes of attack.
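As an added example, not the author's code or anything from a shipped gateway, the following Python sketch shows the airlock's transfer step: it copies only non-executable files off mounted media into an outbox, strips the executable bit, writes one JSON audit line per file, and checks configuration files against a SHA-256 manifest. The block-list, paths and sample files are constructed assumptions.

```python
import hashlib, json, os, shutil, tempfile, time
from pathlib import Path

# Extensions and magic-byte prefixes treated as executable content (constructed list).
BLOCKED_EXT = {".exe", ".dll", ".msi", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr", ".sh"}
BLOCKED_MAGIC = (b"MZ", b"\x7fELF", b"#!")

def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def is_allowed(path: Path) -> bool:
    """Block by extension and by magic bytes, so a renamed binary is still caught."""
    if path.suffix.lower() in BLOCKED_EXT:
        return False
    with open(path, "rb") as f:
        return not f.read(4).startswith(BLOCKED_MAGIC)

def transfer(media_root: Path, outbox: Path, user: str, log_path: Path) -> dict:
    """Copy allowed files from the mounted media into the outbox; log every decision."""
    result = {"copied": [], "blocked": []}
    with open(log_path, "a") as log:
        for src in sorted(p for p in media_root.rglob("*") if p.is_file()):
            rel = src.relative_to(media_root)
            action = "copied" if is_allowed(src) else "blocked"
            if action == "copied":
                dst = outbox / rel
                dst.parent.mkdir(parents=True, exist_ok=True)
                shutil.copyfile(src, dst)  # contents only: no mode bits carried over
                os.chmod(dst, 0o644)       # never hand the workstation an executable bit
            result[action].append(str(rel))
            log.write(json.dumps({"ts": time.time(), "user": user, "file": str(rel),
                                  "sha256": sha256_file(src), "action": action}) + "\n")
    return result

def verify_configs(manifest: dict) -> list:
    # Return config files whose SHA-256 no longer matches the recorded manifest.
    return [p for p, d in manifest.items() if not Path(p).is_file() or sha256_file(Path(p)) != d]

def demo() -> dict:
    base = Path(tempfile.mkdtemp())
    media, outbox, log = base / "media", base / "outbox", base / "transfer.log"
    media.mkdir()
    (media / "notes.txt").write_text("quarterly numbers\n")  # constructed sample media
    (media / "report.pdf").write_bytes(b"MZ\x90\x00" + b"\x00" * 16)  # PE file renamed .pdf
    (media / "tool.exe").write_bytes(b"MZ\x90\x00")
    result = transfer(media, outbox, "alice", log)
    cfg = base / "gateway.conf"
    cfg.write_text("mode=readonly\n")
    manifest = {str(cfg): sha256_file(cfg)}
    cfg.write_text("mode=readwrite\n")  # simulate tampering with a config file
    result["tampered"] = verify_configs(manifest)
    return result
```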
How This Stops the Attacks People Do Not See Coming
Keyboard Injection and Malicious Cables
Devices that impersonate keyboards rely on being trusted. If a workstation never accepts USB devices, there is nothing to trust. That is Zero Trust in practice.
No keystrokes. No commands. No silent compromise.
Composite USB Devices
Devices that pretend to be multiple things at once are neutralized. The Pi handles storage only and ignores unexpected behavior.
Human Error Under Pressure
There is no chance to double-click the wrong thing. Files move. They do not execute.
Security is enforced by design, not by hoping someone remembers a rule at the worst possible moment.
What This Replaces
This approach replaces:
The “scan it on a Windows PC first” computer
The dusty air-gapped laptop nobody patches
An IT department that "gets around to it"
Endless USB exceptions in endpoint policies
Training that asks users to identify invisible threats
Expensive kiosk solutions that are overkill for many environments
It replaces all of that with one predictable, boring workflow.
Boring is good.
Aligned With NIST, Designed for Humans
The architecture aligns with guidance from the National Institute of Standards and Technology (NIST), particularly around controlled media use, least functionality, audit logging, and system integrity.
But alignment was not the goal. Effectiveness was.
This is what NIST guidance looks like when it is translated into something people can actually live with.
Accountability Without Drama
Every interaction with a Pi station is logged:
Who used it
When media was connected
What files moved
Logs are retained and monitored independently, creating a clean audit trail without slowing anyone down.
When questions come up later, answers exist.
Why People Accept This So Quickly
Because it feels fair.
Users are not blamed
Workflows are clear
Security makes sense
Nobody has to ask for special permission
SIMPLE, FAST, EASY, BORING
People stop fighting the controls because the controls finally respect reality.
The Outcome
USB-based hardware attacks eliminated by design
Malware delivery paths removed, not monitored
Workstations stay locked down
The organization still functions
This is not about fear.
It is about clarity.
Once people see how these attacks actually work, they stop asking “why do we need this” and start asking “where is the station.”
That is the moment security starts working.