When I want to read a "dangerous" USB stick, I launch my "test VM" in VMware and mount it there. AutoRun is disabled on both the host and the guest OS. Never had any issues in 25 years of Windows computing.
How can mounting a USB stick on an AutoRun-disabled VM affect your host's BIOS? Honest question, I want to know.
Well, I must admit that I don't know all the possible attack vectors. But as one potentially eye-opening matter, your example of AutoRun indicates you are assuming that the device identifies only as a storage class device, and that said storage device contains only a filesystem that is known to Windows.

Don't lose track of the fact that USB is an acronym for Universal Serial Bus. That device could contain any number of USB endpoints, each implementing a different device class. What if one of the endpoints identifies as a Human Interface Device, for example a keyboard, and injects a number of commands to the system? From the user's perspective, invisibly. Or even deeper, a bridge device, giving it access to the underlying I2C bus - maybe even the SMB?
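The point made in the post above is that a host learns what a USB device is only from the descriptors the device itself reports, and a single device may report several interfaces of different classes. The following is an added example, not code from anyone in this thread: it parses a USB configuration descriptor the way the host stack does, lists every interface's class, and flags any interface that is not the mass-storage class you expect from a "USB stick". The two descriptor blobs are constructed inline for the example (they are not captured from a real device); the class and descriptor-type codes are the standard USB-IF values.

```python
import struct

# USB-IF base class codes used below.
CLASS_HID = 0x03           # Human Interface Device: keyboards, mice
CLASS_MASS_STORAGE = 0x08  # what a "USB stick" is expected to be
CLASS_HUB = 0x09
CLASS_VENDOR = 0xFF        # vendor-specific: bridges and other oddities often live here

CLASS_NAMES = {
    0x02: "CDC (serial/network)",
    CLASS_HID: "HID (keyboard/mouse)",
    CLASS_MASS_STORAGE: "Mass Storage",
    CLASS_HUB: "Hub",
    0x0E: "Video",
    CLASS_VENDOR: "Vendor-specific",
}

# Descriptor type codes (USB 2.0 spec table 9-5; 0x21 from the HID class spec).
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_HID = 0x21


def parse_interfaces(config_desc: bytes):
    """Walk one configuration descriptor and return every interface as
    (bInterfaceNumber, bAlternateSetting, bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol).

    A configuration descriptor is a chain of records that each begin with
    bLength and bDescriptorType, so class-specific records (e.g. HID) can be
    skipped by length without understanding their contents."""
    if len(config_desc) < 9 or config_desc[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    (total_len,) = struct.unpack_from("<H", config_desc, 2)
    if total_len != len(config_desc):
        raise ValueError(f"wTotalLength {total_len} != buffer length {len(config_desc)}")
    ifaces = []
    off = 0
    while off < total_len:
        if off + 2 > total_len:
            raise ValueError("truncated descriptor header")
        blen, dtype = config_desc[off], config_desc[off + 1]
        if blen < 2 or off + blen > total_len:
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and blen >= 9:
            num, alt, _n_ep, cls, sub, proto = config_desc[off + 2 : off + 8]
            ifaces.append((num, alt, cls, sub, proto))
        off += blen
    return ifaces


def audit_device(config_desc: bytes, expected_classes=frozenset({CLASS_MASS_STORAGE})):
    """Return one finding string per interface whose class is not in
    expected_classes. An empty list means the device claims only what you expected."""
    findings = []
    for num, alt, cls, sub, proto in parse_interfaces(config_desc):
        if cls not in expected_classes:
            name = CLASS_NAMES.get(cls, f"class 0x{cls:02x}")
            findings.append(f"interface {num} alt {alt}: {name} "
                            f"(subclass 0x{sub:02x}, protocol 0x{proto:02x})")
    return findings


# --- constructed sample descriptors (built here for the example, not captured) ---

def _config(*records: bytes) -> bytes:
    """Prepend a configuration header; wTotalLength and bNumInterfaces are computed."""
    body = b"".join(records)
    n_ifaces = sum(1 for r in records if r[1] == DT_INTERFACE)
    # bLength, type, wTotalLength, bNumInterfaces, bConfigurationValue, iConfiguration,
    # bmAttributes (bit 7 reserved/set), bMaxPower (100 mA in 2 mA units)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), n_ifaces, 1, 0, 0x80, 50) + body

def _interface(num, cls, sub, proto, n_ep):
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)

def _endpoint(addr, attrs, max_pkt, interval):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, max_pkt, interval)

# An honest stick: one Mass Storage interface (SCSI transparent, bulk-only) with two bulk endpoints.
PLAIN_STORAGE = _config(
    _interface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2),
    _endpoint(0x01, 0x02, 512, 0),   # bulk OUT
    _endpoint(0x81, 0x02, 512, 0),   # bulk IN
)

# The same storage interface plus a second interface that enumerates as a
# boot-protocol keyboard: the composite device the post warns about.
STORAGE_PLUS_KEYBOARD = _config(
    _interface(0, CLASS_MASS_STORAGE, 0x06, 0x50, 2),
    _endpoint(0x01, 0x02, 512, 0),
    _endpoint(0x81, 0x02, 512, 0),
    _interface(1, CLASS_HID, 0x01, 0x01, 1),                     # HID, boot subclass, keyboard protocol
    struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63),  # HID descriptor, 63-byte report descriptor
    _endpoint(0x82, 0x03, 8, 10),                                # interrupt IN carrying 8-byte key reports
)

if __name__ == "__main__":
    for label, desc in (("plain stick", PLAIN_STORAGE), ("stick + keyboard", STORAGE_PLUS_KEYBOARD)):
        print(f"{label}: {len(desc)} bytes, {len(parse_interfaces(desc))} interface(s)")
        for finding in audit_device(desc):
            print("  UNEXPECTED:", finding)
```

On Linux the same per-interface class bytes are exposed under /sys/bus/usb/devices/*/bInterfaceClass and in `lsusb -v`, and allowlisting tools such as USBGuard make exactly this kind of decision before the kernel binds a driver. Two caveats: the audit only tells you what the device claims at enumeration, and a device is free to drop off the bus and re-enumerate later with different descriptors, so it is a useful gate rather than a guarantee.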
What you're saying makes sense, I did assume that we were talking about a storage class device. I admit I wasn't aware of the "BadUSB" exploit. Will look it up, thanks for this. I guess I was lucky enough to not receive a "BadUSB" device (or maybe I did, and am not aware of it?).
As others have pointed out, the best option is a separate, clean PC, with everything sanitized after use by restoring from known, clean images.
@jojo69, @xyzzy099, @vapourminer, also thanks -- merited.