I'm not surprised manufacturers don't do it. It probably allows them to
do firmware updates although I doubt memory stick makers are likely to
produce new firmware. And don't think of it as only affecting flash
drives. It (quite literally) affects every kind of USB device in the world.
All possible USB devices have not been checked for the problem but a
single Chinese manufacturer produces most of the USB control chips.
They all conform to the standard and the standard explicitly allows the
device to change its identity or to have multiple identities. It also
says nothing about locking down the control memory or filling the unused
space.
I have no idea how you would check the vulnerability of the older
Memorex flash drives. But, if I were you, I would no longer stick any
kind of flash drive in (of all places) a university library computer.
Now that the technique and sample code have been published I would
surmise they will all be hacked within weeks if not already. You'd
better switch to CDs or DVDs. If you must use the flash drives I'd
dedicate a non-networked computer to reading those drives and rewriting
their contents to CD or DVD before allowing your other computers to read
it. Even then you'd better disable "Autorun" since the malware on the
memory stick could insert an executable file on your CD or DVD and
Windows could run it without your knowledge. But, of course, you
already have "Autorun" disabled on your machine... right?
Undetected, surreptitious installation of malware is one of the main
reasons to get off those XP and Win98/SE machines and on to Win7 or
later. Of course, if the infection vector is one of these infected USB
devices even Win7 or 8 or iOS or Linux or any other OS can have it's
boot sector hijacked before the OS is even running... ergo no software
defense is possible against such an attack.
Chuck Norcutt
On 10/6/2014 9:37 AM, Chris Trask wrote:
And now, having watched it, I agree with the conclusion of the
presenters: the only way to prevent this is to provide a hardware
fuse that is opened in manufacturing, before the device is shipped,
to prevent reprogramming. Of course, that simply shifts the burden
of security to the manufacturers...
I'm surprised that they don't do this already.
Is this problem true for ALL USB flash drives, or is it something
new? I only use the older USB 1.0 Memorex flash drives so I can go
between the WinXP laptop, the office Win98/SE machines, and the
continunally updated ASU library computers.
Chris
When the going gets weird, the weird turn pro - Hunter S. Thompson
--
_________________________________________________________________
Options: http://lists.thomasclausen.net/mailman/listinfo/olympus
Archives: http://lists.thomasclausen.net/mailman/private/olympus/
Themed Olympus Photo Exhibition: http://www.tope.nl/
|