ALERT: Serious Security Flaw in USB Drives - Comments Page 1

Maybe what is needed is a Flash Drive Anti-Virus scanner. When you plug in a Flash Drive the AV scanner monitors the USB Flash Drive for suspicious activity and then unistalls/disables the defective flash drive before it has a chance to infect the host PC?

This would be a decent solution. If the Malware is embedded into the firmware on the Flash drive how did it happen? At the factory?

I must say that I have never encountered this problem that I know of, and I scan my system regularly.

WOW!!!

Every Time one thinks that one is ahead of the game in Cyber Security and shoring up one's defenses here comes yet another hurdle to overcome!

It makes one SO tired that one wants to go and lie down with the shades drawn - - and never leave home!

SAD, Indeed!

i

Yikes! That is one scary proposition. I suspect though that it is possible for USB drvice makers to work with anti virus companys to create a way to detect compromised USB devices using standard AV software.

Hmmm. There is something fishy with this.

Either firmware cannot be patched - in which case you can't overwrite it with malware, or it can be patched - in which case you could "repair" any device that was already infected. You can't have one without the other.

The drivers on the operating systems can be written to check for valid firmware - adding validity should be as easy as adding an certificate.

But, in the meantime - before solutions are written - that is when this scenario is dangerous.

Discarding and replacing most of my USB thumb drives would not be an issue. But there will be sometimes that I will want to move data from computer A to computer B when file sharing (e.g., dropbox) is not an option. Will the anti-virus/anti-malware scans on computer A detect malware before it can be put on the USB device? I.e., would the AV software on computer A detect the BADUSB malware (mentioned in the story) while it is on computer A, delete it, and therefore prevent infection of the USB?

As a measure to cure USB devices that have been promiscuous, would it be possible to make a version of BadUSB that rewrites the firmware with "clean" code ?

One of the ways public computers (libraries, schools, Kinko's --- after that incident where a keylogger had been installed on one of their computers) are protected is that nothing can be saved on them. If you want to work on that computer and save your work, you put it on your own USB drive. The solution, I guess, would be to have a pocketful of low capacity, ie cheap, drives that you could discard after every use. Yikes.

Bob - I don't understand the caution about plugging into a non-trusted computer. If the firmware on my USB can be rewritten (with virus) by the attacking system isn't a "fix" to just rewrite the firmware to a trusted version anytime it's mounted? I didn't think it was that simple to rewrite the firmware. I've worked in software for years and every time we had to write (flash) firmware it took a special test stand. Please explain.

So what do you do with all the data that is stored on your flash drive. Will copying the data to a new flash drive bring over any malware with it?

Now that is just plain scary. Thanks for the news. I do practice safe USBing but that's not to say it would never happen to me. Forewarned now.

Ooops, if a public computer doesn't allow you to save anything, then it is also protected from being infected, duh. So your pocketful of USB drives would only be necessary if you use friends' computers OR work/school computers that do allow you to save to their hard drive.

Many thanks. A most interesting and informative post

So, if my hard drive fails and I restore it from my backup drive I may reinfect myself. Right?

Would a cloud backup be safer?

EDITOR'S NOTE: Right. And Yes. :-)

Seems like one answer is to have the firmware in read-only memory. How often does the firmware in a USB device get updated?

If a PC is infected with whatever would change the firmware in a USB device, then wouldn't that infection be visible to virus scans? And, if the PC can write to the firmware area, then shouldn't virus scanners be able to read it also?

ATTENTION!

The Big Bucks Bank at the corner of *** and ***, has a defective lock on the back door.

The safe is open, and will be unattended for an hour, (today,) between 9pm and 10pm, while the bank guard takes a break.

I am posting this information to the general public, to help protect your accounts, and make the bank a safer place...

Please inform everyone you know, about this egregious bank flaw!

That was a very interesting article about USB ports. I use them all the time. You would think that you could wipe them clean. Hopefully someone can figure out way to get rid of any virus, so you can continue using them. I find them very handy when traveling.

I have had several USB devices that are over 16gb capacity, and not one of them has lasted more than a week. All of these devices were manufactured in China, and I chalked it up to bad manufacturing. After reading your article, I'm not so sure anymore. Each of these devices showed failure to read or transmit data from machine to machine, and as soon as I ran a new virus scan with VIPRE on them, they lost their functionality. They have to be formatted with exfat to accept the larger capacity, but when you fill them up over 32 gb, they fail when you try to retrieve the data. I'm suspicious now that they may have had the malware you wrote about, and when I reformatted them with the long format (not the quick formatting), the programming for the malware was destroyed, but also rendering the device useless because it no longer had its firmware that controls the USB drive’s basic input/output functions.

Hopefully, anti-virus programs will soon have a way of comparing the firmware code of common USB devices to what was shipped with the device. Also, they might be able to look for code that doesn't seem to belong in the firmware.

Of course it won't sit well with consumers but in effect, what they wrote is true. We take painstaking care to lock our homes and cars, phones and computers because we believe in taking care of our stuff and keeping it safe. Why should using USB devices be any different? I always think before using any strange computer or connection.

Bob - it gets worse! "If you have a flash drive that's been connected to unknown or public computers, you might want to discard it." Before I discard it, I'd want to erase it, and that means plugging it into a computer somewhere. A conundrum if I ever saw one! I guess it could be smashed with a hammer...