Consumer electronics and embedded devices often allow the installation of applications and firmware upgrades from user-provided mass-storage devices. To protect the integrity of these devices and the associated electronic markets, the software packages are protected by cryptographic signatures. The software installation code assumes that files on attached mass-storage devices cannot change while the storage device is connected. The software installation is therefore not bound to the file integrity check, thus laying the foundations for a time-of-check-to-time-of-use (TOCTTOU) attack. This work presents a TOCTTOU attack via externally attached mass-storage devices. The attack is based on emulating a mass-storage device to observe and alter file access from the consumer device. The TOCTTOU attack is executed by providing different file content to the check and installation code of the target device, respectively. The presented attack effectively bypasses the file content inspection, resulting in the execution of rogue code on the device.