And it’s only a partial fix at that. Last week, a couple of hackers released the code for malware that exploits a serious security flaw found in every single USB device, in hopes someone will come up with a fix. They have now released a partial solution themselves, and it involves coating your USB stick in epoxy.
In case you haven’t been following the whole saga, Wired first reported a couple months ago that all USB devices have a fundamental security flaw in which the firmware, controls the device’s basic functions, can be altered in ways that are virtually undetectable.
The security researchers who found the flaw, Karsten Nohl and Jakob Lell, also wrote a piece of malware called BadUSB that exploits it. With BadUSB installed on a USB drive, a hacker can stick it into a USB port and “completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.” Last week, two other security researchers, Adam Caudill and Brandon Wilson, also reversed-engineered the flaw and posted the malware code on Github.
Caudill and Wilson now have now also released an incomplete fix. Their patch code, posted on Github, disables “boot mode”, a mode that allows firmware to be reprogrammed. But this patch only works the latest version of USB code, so devices with older versions are out of luck.
And then there’s the epoxy. The firmware on a USB can still be reprogrammed with “pin shorting” as long as hackers have physical access to the device. Wired explains it this way:
That method involves plugging the drive into a computer while placing a piece of conductive metal across two or three of the pins that connect the controller chip to the USB stick’s circuit board …That finicky method acts as a sort of “hard reset” that allows the firmware to be reprogrammed.
So if you coat the insides of a USB drive with epoxy, Caudill and Wilson, suggest, then it can’t be opened up for pin shorting.
Ultimately, these “fixes” are only stop-gap measures. The real heart of the problem is that firmware can be altered without any visible traces, which a security researcher tells Wired is technically possible to fix. Until then, it’s probably easier to be very, very wary of your USB devices — especially ones from strangers — than to subject them to a sticky craft project. [Wired]
Picture: You can more/Shutterstock