Unpatchable USB malware, 1.0

cranky

Skilled
Wonder why nobody picked on the biggest topic over the last few days?

Seriously hope this is the beginning of the end of the slow, buggy, virus-prone and unreliable USB interface.

It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.

http://www.wired.com/2014/10/code-published-for-unfixable-usb-attack/

Wait, there's worse....

Caudill says that by publishing their code, he and Wilson are hoping to start that security process. But even they hesitate to release every possible attack against USB devices. They’re working on another exploit that would invisibly inject malware into files as they are copied from a USB device to a computer. By hiding another USB-infecting function in that malware, Caudill says it would be possible to quickly spread the malicious code from any USB stick that’s connected to a PC and back to any new USB plugged into the infected computer. That two-way infection trick could potentially enable a USB-carried malware epidemic. Caudill considers that attack so dangerous that even he and Wilson are still debating whether to release it.

Moving firmware to ROM would help, but at a cost - every USB flash drive carries its firmware on the flash memory itself (which is one reason why corrupted cells result in the drive not being recognised at all), and this will also increase validation and QC time. You can expect any certified perma-firmware enabled device to cost more.

A LOT more.
 