Fixing the unfixable USB bug

Security experts have been haunted by the prospect of unpatchable, potent, fundamental bug in USB devices; the tension only heightened when sourcecode for an exploit went live last week.

Now there's a technique for partially mitigating some of the harm in some USB devices — cold comfort. And to be certain it works, you need to cover your USB devices with epoxy. But it's a start — and chances are that there were bad guys and spy agencies who were award of this and exploiting it in the wild long before its disclosure to the general public so we need to get started on fixing it in any event.

Rather than try to prevent any of those specific attacks, Caudill and Wilson's fix is meant to prevent firmware changes altogether. Their patch code, which they've released on Github, does this by disabling "boot mode" on a USB device, the state in which its firmware is meant to be reprogrammed. Without boot mode, Caudill says it would become far harder to pull off any BadUSB attack, and would virtually eliminate the threat of malware that spreads from USB stick to PC and vice versa. "By making that change, you can drastically change the risk associated with this," says Caudill. "It makes any type of self-replicating, worm-type malware very, very difficult to use."

Caudill and Wilson's firmware patch is far from universal: it only works for one version of USB code, the latest USB 3.0 firmware distributed by the Taiwanese firm Phison, the world's top manufacturer of USB controller chips. That's the same USB maker whose code Nohl reverse-engineered for his presentation in August, and that Caudill and Wilson targeted with the demonstration exploit code they released last month at the Derbycon hacker conference. They're working now to extend the fix to all Phison USB firmware.

That Unpatchable USB Malware Now Has a Patch … Sort Of [Andy Greenberg/Wired]