Reported today: The firmware of USB sticks can be reprogrammed just by plugging them into an infected system. When the sticks are then plugged into the next system, they might stealthily act as keyboards or network cards, doing basically whatever the hell the malware writer wants.
There’s no technical solution. Karsten Nohl, one of the researchers who will present proof-of-concept software next week, says the only option is to treat USB sticks like “hypodermic needles”: once they’ve been in a potentially unsafe system you must throw them away. Wheee.
Jesus, what a horrible design approach. It’s as if the designers somehow emerged from some pre-personal-computer cryocapsule having been frozen in the 60s, not even having read Shockwave Rider back in the 70s, and had no idea that someone would ever want to do something bad with a computer. I admit I’ve never bothered to learn anything about USB formats and protocols, but I would have fondly supposed that memory sticks wouldn’t actually have programmable firmware, but just some primitive identifier code saying “I am a storage device, dumbass” and everything else hardwired. But no, evidently someone thought it would be a good idea for a memory stick to spontaneously start emulating a keyboard in mid-career.
I’d have thought they’d be fairly simple devices too, but upon reflection, you’d probably want them to do at least a minimal amount of things like wear leveling and bad block detection, even if not nearly as robustly as an SSD. That the firmware remains writable after manufacturing is probably just them being cheap so they don’t have to put in a fuse or such to disable the write path once the initial firmware is loaded.
Yeah, I do wonder if this is true of all USB devices. I also wonder how easy it is. Are there readily available apps that allow you to flash firmware on USB devices? Do they work for all USB devices, or is this a pretty damn specialised attack vector?
The articles do not seem to make much mention of the process.
USB would still be widely used for stuff like keyboards and mice and such, right? You can’t even really substitute a wireless solution easily, because most of them have the receiver plug into USB. Built-in Bluetooth is possible, but if you’re paranoid enough about banning any and all USB devices, you gotta be paranoid about transmitting anything over the air without heavy duty encryption, which Bluetooth is not.
Blah, I hope not. I’m not comfortable commenting further on what we can and cannot use in the office. Suffice to say most of you would hate it. I do have a pair of 24" monitors on my desktop, so it’s not a complete dungeon.
The Register has indicated it’s some specific brands of USB sticks.
It’s already well known that you can have specific malicious USB devices made up which spoof their ID (indeed, USB keyloggers do it for instance).
Fugitive - Actually, most USB devices do have a firmware no-write bit set.
There’s a similar issue in SD cards, where I don’t believe you CAN block writing firmware. On the other hand, you can use them safely via an adaptor which does SD to SATA, since that won’t pass firmware control commands. (On the gripping hand, you know those SD cards in phones? And that internal storage in phones uses very similar, if not identical, chips?)