ALERT: Serious Security Flaw in USB Drives - Comments Page 2

If the anti malware can't access the firmware, how do the virus's access it and change it over the USB connection?

EDITOR'S NOTE: I don't understand all the techie stuff that happens at the operating system level when a USB device is inserted, but Really Smart People tell me they don't see any way for the OS to detect if there's malicious code coming from the USB device at that point.

I wonder if using an SD card would be safe since it doesn't use a USB connection.

EDITOR'S NOTE: Good point. SD cards do not have this vulnerability, and will make a good alternative for some users.

Is this danger universal, or only windows?
If it is so, maybe one can connect the u-drive to a Linux computer to check the alien...

If the problem is in the firmware, then it would have to be installed in the chip manufacturing process at the factory, right? Or does "firmware" mean something to you that it doesn't mean to me.

This reads like a tempest in a teapot. Presumably, this "firmware" is stored in read-only memory, which means that a virus can only be planted at the factory. No manufacturer could afford the loss of business that would occur if even one of its drivers were found to have infected firmware, so I am quite certain that precautions are already in place. The only way to exploit this alleged vulnerability would be to set up one's own production line to make counterfeit USBs bearing fake, trusted brands. That requires an investment far beyond the means of a typical criminal hacker.

EDITOR'S NOTE: Unfortunately, not true. Firmware is not read-only, and can be modified.

Next viral app: USB condoms!

This is a bad problem. Question is whether this threat is for windows machines or all other OS'es also. If it is OS independent then we might as well stop using USBs and disconnect. Every need cannot be fulfilled by networking computers and one cannot get on a network always.

Pat, it may have been a long time since you worked on firmware. I don't need any special equipment to update the firmware of my router, for example; I download a firmware update app and it updates the firmware.

Jim, to patch bad software one must first determine what good software looks like. Every USB device has its own firmware written by its maker; even different models and capacities of USB drives from the same maker may have slightly but significantly different firmware. That's a lot of different firmware parcels to reverse-engineer, for a third-party antivirus developer.

The USB device makers simply must digitally sign their firmware so that it can be tested by third-party software and verified as "good." That they shirk this duty and just say, "consumer beware" is willful, knowing, reckless endangerment. Somebody's begging for a class action lawsuit.

But now that the cat's out of the bag, I expect to see "secure firmware" highlighted as a selling point on USB device packaging in the near future.

I don't know if I'll believe that label, but we have white hat hackers to test such claims.

The exploit was discovered and made public *now* ... by *one* group of researchers... that's no oroof it hasn't been discovered by others before... who exploited it instead of publishing it. And if we didn't know to look here before now, we wouldn't have known if it was *already* being used/exploited... damn the potential disruption here is really, really ugly...

Bob, are you indicating that, on the one hand, if a USB drive, that is infected with a virus or malware is connected to my computer, and my security software cannot scan/detect it; does that mean that the virus/malware is functional, only within the USB drive connected, and if I simply discard the suspect USB drive, this particular problem is ‘solved?’ In other words, is discarding a potentially infected USB drive the equivalent of purging the infection? Of course, I’m assuming the infection was not injected, and missed by my security software. Thank you.

EDITOR'S NOTE: No, unplugging or discarding the USB drive will not solve the problem, as I understand it.

Thanks Bob for bringing this to the attention of the hacking community. They now have something new to work on.

EDITOR'S NOTE: As much as I'd like to take credit, I can't. You can thank the researchers who originally published their findings, and yesterday presented this to the global BlackHat 2014 conference.

What about USBs sticks that have hardware encryption built in. Are they immune from this issue ?

EDITOR'S NOTE: No, the encryption is only protecting the files on the disk, not the firmware.

Is it still OK to use CD and DVDs? If a computer has a trojan that has been quarantined, can the trojan jump to a USB drive that is later attached to the computer?

EDITOR'S NOTE: This problem does not affect CDs, DVDs or SD cards. If a virus is quarantined, it can't go anywhere.

What about USB card readers? They too use the USB port...

To alter firmware you have to burn it to the chip (EPROM what ever). Most burning programs have a warning notification before the burn begins, but they don't have to. We need an app where before ANY program executes, it examines the code and places a burn warning, if present. Just plugging a USB drive in would start the app. The same could be installed on a phone - kind of a little "prophilatic" app.

The real question (at least for USB drives) is why do they even have updateable firmware? Why not just plain, old ROM? Has ANY manufacturer of thumb drives, since Ogg carved the first one out of an antelope's thighbone, EVER issued a legitimate firmware upgrade for it? Certainly, if it had happened much, we'd already all have seen it happen and become aware that USB controller firmware is upgradeable and potentially hackable.

OTOH, other devices (cameras, external hard drives and the like) can and do need upgrading and making them less vulnerable (never mind invulnerable) is going to be a worse, perhaps intractable problem.

@ Tom Janzen
I wonder if using an SD card would be safe since it doesn't use a USB connection.

EDITOR'S NOTE: Good point. SD cards do not have this vulnerability, and will make a good alternative for some users.

The other reason to use SD cards at photo kiosks, for instance, is that handy little Write Lock slide switch.

Thanks Bob ... I have been considering using some USB Flash Drives, to help some of my family out, when they have PC issues. I will now ... Completely, delete that whole idea!!!

This is reminiscent of the old days, when everybody was using Floppy Disks, to transport information back and forth, for their business and all of the virus infections, that occurred, during that time!!! I know, the old Floppy Disks, did not have firmware, but, they were such an easy source, to promote the passing of the viruses, that got on the disks, to other PCs.

The USB Flash Drives and Sticks are a whole different ball game, though!!! This is some serious stuff. I really do, have to wonder why China is doing this to the world, in general. I easily, could think, it is for world domination, and that is partly, the truth. The world is so Internet connected, that "He who holds the power ... Is the one in charge." I am thinking of all the hospitals, doctor's offices and many, many medically related business', who will be affected by this information. Medical Patient Confidentiality is definitely being threatened!!!

Again, I ponder ... Why must we have good advancement on technology ... To only, have it destroyed and compromised by governments, hackers and crackers???!!!

I am forced by my college to save my work on a flash drive & then work on it on my own computer at home. Is there any device that I can use as an intermediary for reading the files off my school-used flash drive and then safely copying them to my computer without also transferring any malware in the flash drive's firmware?

What about the external Hard Drive.It's like a giant usb stick. If a usb stck can be infected then dont see how the HDD that I back up my data to can be safe.

EDITOR'S NOTE: I think we have to go with the assumption that USB devices purchased new, or those that have not been connected to untrusted computers will be safe.