So apparently anyone can reprogram USB stick firmware

Reported today: The firmware of USB sticks can be reprogrammed just by plugging them into an infected system. When the sticks are then plugged into the next system, they might stealthily act as keyboards or network cards, doing basically whatever the hell the malware writer wants.

There’s no technical solution. Karsten Nohl, one of the researchers who will present proof-of-concept software next week, says the only option is to treat USB sticks like “hypodermic needles”: once they’ve been in a potentially unsafe system you must throw them away. Wheee.

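A defender-side illustration of the report's point (a stick that comes back enumerating as a keyboard or a network card), added here as an example and not part of the original post or of the researchers' proof-of-concept: a small Python audit that compares the USB interface classes a device presents now against what the same device (by vendor ID, product ID and serial) presented last time, and separately flags any "storage" device that also claims to be an input or network device. The interface class codes are the standard USB-IF values; every device record, VID/PID value and serial below is constructed for the example, and a real deployment would read them from the host's USB enumeration instead.

```python
"""Audit USB enumeration data for devices whose advertised role has changed
or is wider than a flash drive should need. Added example; all records are
constructed, and the VID/PID/serial values are placeholders, not real devices."""

from dataclasses import dataclass

# Standard bInterfaceClass codes from the USB-IF class code list.
CDC_CONTROL = 0x02   # control interface of USB Ethernet / modem devices
HID = 0x03           # keyboards, mice
MASS_STORAGE = 0x08  # flash drives, card readers
CDC_DATA = 0x0A      # data interface of USB Ethernet devices
WIRELESS = 0xE0      # wireless controllers (e.g. RNDIS-style adapters)

INPUT_CLASSES = {HID}
NETWORK_CLASSES = {CDC_CONTROL, CDC_DATA, WIRELESS}


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    classes: frozenset  # bInterfaceClass values the device enumerates with

    @property
    def key(self):
        # Identity a host can see without trusting the device's firmware.
        return (self.vid, self.pid, self.serial)


def composite_findings(dev):
    """Findings that need no history: a device that stores files and also
    types keystrokes or routes packets is exactly the shape the report describes."""
    out = []
    if MASS_STORAGE in dev.classes and dev.classes & INPUT_CLASSES:
        out.append("storage device also enumerates as an input device")
    if MASS_STORAGE in dev.classes and dev.classes & NETWORK_CLASSES:
        out.append("storage device also enumerates as a network interface")
    return out


def audit(seen_now, baseline):
    """Compare the current enumeration with a baseline dict keyed by (vid, pid, serial).

    Returns (findings, new_baseline). A device whose interface classes differ
    from its last sighting is flagged even if its new shape (say, keyboard-only)
    would look innocent on its own; a never-before-seen device that claims
    input or network capability is flagged under a known-devices-only policy."""
    findings = {}
    new_baseline = dict(baseline)
    for dev in seen_now:
        notes = composite_findings(dev)
        prev = baseline.get(dev.key)
        if prev is None:
            if dev.classes & (INPUT_CLASSES | NETWORK_CLASSES):
                notes.append("new device claims input/network capability")
        elif prev != dev.classes:
            notes.append(f"interface classes changed: {sorted(prev)} -> {sorted(dev.classes)}")
        if notes:
            findings[dev.key] = notes
        new_baseline[dev.key] = dev.classes
    return findings, new_baseline


# Constructed records: the same stick and keyboard seen on two different days.
DAY1 = [
    UsbDevice(0x1234, 0x0001, "STICK-0001", frozenset({MASS_STORAGE})),
    UsbDevice(0x1234, 0x0002, "KBD-0001", frozenset({HID})),
]
# Day 2 (constructed): the stick now also presents a HID interface.
DAY2 = [
    UsbDevice(0x1234, 0x0001, "STICK-0001", frozenset({MASS_STORAGE, HID})),
    UsbDevice(0x1234, 0x0002, "KBD-0001", frozenset({HID})),
]

if __name__ == "__main__":
    _, baseline = audit(DAY1, {})
    findings, _ = audit(DAY2, baseline)
    for key, notes in findings.items():
        print(f"{key[0]:04x}:{key[1]:04x} {key[2]}: " + "; ".join(notes))
```

The baseline comparison is the part that matters for this class of problem: a reflashed stick may drop its storage interface entirely and show up as nothing but a keyboard, which no per-device rule would catch, but a (vid, pid, serial) tuple that used to be storage and is now HID stands out immediately.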
Jesus, what a horrible design approach. It’s as if the designers somehow emerged from some pre-personal-computer cryocapsule having been frozen in the 60s, not even having read Shockwave Rider back in the 70s, and had no idea that someone would ever want to do something bad with a computer. I admit I’ve never bothered to learn anything about USB formats and protocols, but I would have fondly supposed that memory sticks wouldn’t actually have programmable firmware, but just some primitive identifier code saying “I am a storage device dumbass” and everything else hardwired. But no, evidently someone thought it would be a good idea for a memory stick to spontaneously start emulating a keyboard in mid-career.

Can’t companies just start making USB sticks with non-upgradable firmware? Most people never bother to actually update their sticks and probably wouldn’t even notice.

Other USB peripherals would still be at risk, but those aren’t usually shared between computers.

Yeah, you’d think that would be a simple solution. Like Miramon I’m stunned that anyone would make USB sticks with reprogrammable firmware in the first place.

Our company took the nuclear option - no USB sticks. We can’t even use our USB ports to charge devices.

I’d have thought they’d be fairly simple devices too, but upon reflection, you’d probably want them to do at least a minimal amount of things like wear leveling and bad block detection, even if not nearly as robustly as an SSD. That the firmware remains writable after manufacturing is probably just them being cheap so they don’t have to put in a fuse or such to disable the write path once the initial firmware is loaded.

Yeah, I do wonder if this is true of all USB devices. I also wonder how easy it is. Are there readily available apps that allow you to flash firmware on USB devices? Do they work for all USB devices, or is this a pretty damn specialised attack vector?

The articles do not seem to make much mention of the process.

The proof-of-concept software will be shown next week; at this point we should also see which devices are susceptible to the attack.

I’ve heard of companies literally glue-gunning USB slots over all new computers.

Anyway, I have a few with a hardware read-write switch on them. I don’t know if that applies to the firmware too, but it seems like this would be something easy to address (with all new USB sticks!).

The DoD banned USB flash drives in 2008. Still can use USB ports though…we’ll see for how much longer now.

Question: What makes you think the ‘bad’ firmware isn’t already in the USB device when you buy it?

USB would still be widely used for stuff like keyboards and mice and such, right? You can’t even really substitute a wireless solution easily, because most of them have the receiver plug into USB. Built-in Bluetooth is possible, but if you’re paranoid enough about banning any and all USB devices, you gotta be paranoid about transmitting anything over the air without heavy duty encryption, which Bluetooth is not.

So, back to serial and PS2 ports, right?

Blah I hope not. I’m not comfortable commenting further on what we can and cannot use in the office. Suffice to say most of you would hate it. I do have a pair of 24" monitors on my desktop, so it’s not a complete dungeon.

Plugged in to the same computer? :)

Yes, that strikes me as a legitimate concern today. Put sleeper code in, activate it remotely with a seemingly harmless request…

You betcha ;-)

The Register has indicated it’s some specific brands of USB sticks.

It’s already well known that you can have specific malicious USB devices made up which spoof their ID (indeed, USB keyloggers do it for instance).

Fugitive - Actually, most USB devices do have a firmware no-write bit set.

There’s a similar issue in SD cards, where I don’t believe you CAN block writing firmware. On the other hand, you can use them safely via an adaptor which does SD to SATA, since that won’t pass firmware control commands. (On the gripping hand, you know those SD cards in phones? And that internal storage in phones uses very similar, if not identical, chips?)