BadUSB virus and Sandisk products

Here is a recent report of a new USB stick firmware threat:

http://www.theverge.com/2014/10/2/6896095/this-published-hack-could-be-the-beginning-of-the-end-for-usb

Unlike conventional malware that resides in the visible file system area, this new threat infects the normally invisible firmware/control code on the stick, making it immune to most standard anti-malware scans.  Even though it is very rare today, the cat is out of the bag.

What Sandisk products have firmware/control code that can be overwritten from a PC?

What steps can a consumer take to ensure the Sandisk products they own have not been infected?

Ideally the device cannot be reprogrammed at all, or can be rewritten with factory firmware.

:smileyvery-happy:  An October 2014 article can hardly be classified as “recent”.

So what are you really trying to sell tns1?

Yes, I misread the date of the article. The BadUSB exploit was “new” to me, and judging from the lack of any prior discussion on this forum, it is new to a lot of consumers. I have many Sandisk sticks from 256MB to 32GB, and they didn’t all come in a bubble pack straight from Sandisk. If they are going to be a vector for extremely hard to fix malware, I’d like to know.

Have the questions I posed ever been addressed:

What Sandisk products have firmware/control code that can be overwritten from a PC?

What steps can a consumer take to ensure the Sandisk products they own have not been infected?

https://github.com/brandonlw/Psychson/wiki/Known-Supported-Devices

No Sandisk devices are known to work with that particular exploit you linked, but probably many could be made to if people were interested in doing so.

I think if you are worried about security you should try to avoid anything but hardware bought directly from trusted manufacturers.

Is there ANY test a consumer can do to ensure that a Sandisk Cruzer is genuine and running factory firmware?

Call SanDisk Tech Support/Customer Service and give them the serial #. They can verify the authenticity.

@tns1 wrote:
Is there ANY test a consumer can do to ensure that a Sandisk Cruzer is genuine and running factory firmware?

No, and in fact it would be impossible to create such a test.  

I received a similar reply from Sandisk support. 

After a little bit of searching I see that isn’t entirely correct. One problem people have run into is buying USB drives that claim higher capacity than they really have. These are genuine drives that are running hacked firmware. There are several 3rd party utilities that test the capacity to spot these “counterfeits”. 

http://www.ebay.com/gds/All-About-Fake-Flash-Drives-2013-/10000000177553258/g.html

In this case the validation test is a test of behavior, which is less ideal than a direct verification of the code. It stands to reason that if someone can hack a drive to mis-report the capacity, they may also be able to get it to perform other malicious behavior that may not be so obvious.

While there are tradeoffs in design for security, the design choices made by the flash drive makers do not seem to be the best ones. No ability to validate the code or restore it to factory condition? That only makes sense if the code can never be overwritten in the first place. The code that provides the basic storage functionality shouldn’t need to be updated anyway. 

It is not that hard to design a system with one or all of these attributes and cost maybe 25c more: Code is write protected, code can be verified, and/or can be restored to factory condition regardless of what it is currently running. Lots of products exist that can do these things. Not totally hack-proof but less reliant on “security thru obscurity”.
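The capacity check described a few posts up is a test of behaviour: write something unpredictable to every block, read it all back, and see how much survives. The following is an added example in Python, not code from this thread or from SanDisk, with an in-memory device model standing in for the stick (the model, its block size and the way an upsized fake wraps writes onto its low blocks are all constructed here) so it runs offline:

```python
"""Behavioural capacity check: write a unique, unpredictable pattern to every
block, read everything back, and count how many blocks survive.  The device
is an in-memory model (constructed for this example) so it runs offline."""
import hashlib
import os

BLOCK = 512  # bytes per logical block in this model


class FlashModel:
    """Simulated USB stick.  `advertised` is the block count it reports to
    the host; `real` is how many blocks are actually backed by NAND.  Writes
    beyond `real` wrap onto the low blocks, which is how an upsized fake
    typically behaves (the controller silently aliases addresses)."""

    def __init__(self, advertised, real=None):
        self.advertised = advertised
        self.real = advertised if real is None else real
        self.nand = bytearray(self.real * BLOCK)

    def _phys(self, lba):
        if not 0 <= lba < self.advertised:
            raise ValueError("LBA out of range")
        return lba % self.real

    def write(self, lba, data):
        p = self._phys(lba)
        self.nand[p * BLOCK:(p + 1) * BLOCK] = data

    def read(self, lba):
        p = self._phys(lba)
        return bytes(self.nand[p * BLOCK:(p + 1) * BLOCK])


def pattern(nonce, lba):
    """Per-block content derived from a fresh nonce, so a device that echoes
    back whatever it guesses the host expects cannot pass."""
    h = hashlib.sha256(nonce + lba.to_bytes(8, "big")).digest()
    return (h * (BLOCK // len(h) + 1))[:BLOCK]


def capacity_test(dev, nonce=None):
    """Full write-then-verify pass.  Returns (genuine, surviving_blocks).
    Each physical block keeps only the last pattern written to it, so the
    number of blocks that read back correctly equals the real backing
    capacity, whatever the device advertises."""
    nonce = os.urandom(16) if nonce is None else nonce
    for lba in range(dev.advertised):
        dev.write(lba, pattern(nonce, lba))
    surviving = sum(1 for lba in range(dev.advertised)
                    if dev.read(lba) == pattern(nonce, lba))
    return surviving == dev.advertised, surviving


if __name__ == "__main__":
    for label, dev in (("honest 32-block stick", FlashModel(32)),
                       ("64-block label on 16 real blocks", FlashModel(64, 16))):
            ok, blocks = capacity_test(dev)
            print(f"{label}: genuine={ok}, real capacity ~{blocks * BLOCK} bytes")
```

Against a physical stick the same logic would target the raw device node, destroy everything on it, and take a while for a 32GB drive; and as the post says, it only proves the behaviour it exercises (address space), nothing about what else the controller firmware might do.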

@tns1 wrote:
It is not that hard to design a system with one or all of these attributes and cost maybe 25c more: Code is write protected, code can be verified, and/or can be restored to factory condition regardless of what it is currently running. Lots of products exist that can do these things. Not totally hack-proof but less reliant on “security thru obscurity”.

If you can think of a way to do that over USB, you should patent it and become very rich.  

USB is a networking protocol between two computers (host and device).  Trying to figure out if one of the devices is malicious is the same problem as trying to figure out if a computer on the internet has been hacked.  This is a very difficult problem to solve because all you can do is ask the computer if it’s been hacked, and of course, if it has been hacked it will simply lie.  Likewise you can ask it for a copy of the firmware it is running… but if it’s been hacked it will simply give you fake firmware.  Without taking apart the memory stick, there is no way to know if it is lying, and few people want to unsolder memory chips to figure that out.

I was specifically addressing simple flash storage devices and firmware security, not all the other USB widgets, ssds, mp3s, etc, but even most of those designs could offer better firmware security than we are seeing.

As a minimum, I should be able to take a pure flash storage device and plug it into a clean PC and run some program that will verify that flash device has factory firmware (or the OS could do this automatically). Another acceptable option is if the firmware can’t be changed at all since it sits in ROM or other HW write protect area. If I can’t have either of those I should at least be able to restore to factory firmware somehow. To design a device that has none of these options might be OK if this were still 1990, but today it is an inherently bad design. Do you really want to see a firmware version of Cryptolocker? As far as never letting a stick out of your possession, this severely limits the very purpose of the product, and some of the reports suggest that firmware hacking of SOME sticks only requires an infected PC. It need never leave your possession to be hacked!

Perhaps Sandisk offers some of these security features, but I don’t see any official statements about how these devices are designed to be secure, or how they fit in a world with increasingly sophisticated exploits. I’d love to find out that the only brand I have ever bought is more secure than those other brands, but I am disturbed by their silence on the matter. “Head in the sand security?”

How can you design a flash stick that has some of the security features I mentioned? Take a trip back to the 90’s and understand that most firmware sat in ROM, PROM, or UV-EPROM. To change it you needed to pull chips. Not convenient? How about EEPROM or FLASH with HW write-protect. It has all been done before by granddad. I’d gladly live with a tiny write-protect jumper hidden under the plastic shell, since I’d probably never need to use it. At the volumes we are talking about here, adding a custom ROM to a microcontroller costs pennies. All that really needs to go into that ROM is a boot-loader/monitor that can R/W/verify the rest of the firmware and maybe support a one-wire data stream. Nothing hides from a proper boot-loader, and since it runs first it has ultimate control. Malware can’t lie to you if it isn’t running. Only HW hacking can get around that. I am sure there are even better/smarter ideas, but we don’t seem to be getting any of that.
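The ROM boot-loader/monitor sketched in the post (immutable code that runs first, measures the rewritable firmware region, only hands over control if it matches a digest pinned in ROM, and can otherwise restore the factory image) modelled in Python as an added example. It is not SanDisk’s design or any real product’s: the firmware images, the pinned digest, the write-protect jumper and the host-side verify command are all constructed here, and the model assumes the ROM really is mask ROM and that the verify command is serviced by ROM code rather than by whatever firmware is in flash:

```python
"""Model of a ROM boot monitor with verified boot, write-protect jumper and
factory restore.  Images, digest and jumper are constructed for this example."""
import hashlib
import hmac

# Constructed factory firmware image and the digest burned into ROM with it.
FACTORY_IMAGE = b"EXAMPLE-FACTORY-FW-1.0:" + bytes(range(64))
ROM = {
    "factory_digest": hashlib.sha256(FACTORY_IMAGE).digest(),
    "factory_image": FACTORY_IMAGE,  # gold copy used by the restore command
}


class Stick:
    """Flash stick whose ROM runs before any firmware in flash.  Assumes the
    ROM cannot be rewritten; a swapped chip (raised later in the thread) is
    outside what this model can detect."""

    def __init__(self, firmware=FACTORY_IMAGE, jumper_protected=True):
        self.flash = bytearray(firmware)          # rewritable firmware region
        self.jumper_protected = jumper_protected  # hidden HW write-protect jumper
        self.state = "reset"

    # --- ROM code: runs first on every power-up ---------------------------
    def measure(self):
        return hashlib.sha256(bytes(self.flash)).digest()

    def rom_boot(self):
        """Verify-then-jump.  A modified image never runs, so it never gets
        the chance to answer the host's questions about itself."""
        if hmac.compare_digest(self.measure(), ROM["factory_digest"]):
            self.state = "running-factory-firmware"
            return True
        self.state = "monitor"  # halted in ROM; only ROM code talks to the host
        return False

    def restore_factory(self):
        """Monitor command: rewrite the firmware region from the ROM copy,
        then boot again.  Returns True if the restored image verifies."""
        self.flash[:] = ROM["factory_image"]
        return self.rom_boot()

    # --- Host-side (USB) operations ---------------------------------------
    def host_write_firmware(self, image):
        """Firmware update request from the host (e.g. an infected PC).
        Refused while the write-protect jumper is in place."""
        if self.jumper_protected:
            return False
        self.flash[:] = image
        return True

    def host_verify(self, published_digest):
        """The check a clean PC runs on plug-in: compare the ROM-produced
        measurement with the digest the vendor publishes for this model.
        Assumes this command is serviced by ROM code, not by flash firmware."""
        return hmac.compare_digest(self.measure(), published_digest)


def scenario(jumper_protected):
    """An infected PC tries to reflash the stick; the stick is then
    power-cycled.  Returns (write_accepted, booted_ok, ends_on_factory_fw)."""
    stick = Stick(jumper_protected=jumper_protected)
    hostile = b"EXAMPLE-HOSTILE-FW:" + bytes(64)   # constructed bad image
    accepted = stick.host_write_firmware(hostile)
    booted = stick.rom_boot()                     # ROM measures flash first
    on_factory = booted or stick.restore_factory()
    return accepted, booted, on_factory


if __name__ == "__main__":
    for jp in (True, False):
        print(f"jumper protected={jp}: (write accepted, booted, restored) =",
              scenario(jp))
```

With the jumper in place the hostile write is refused outright; with it removed the write lands, but the ROM refuses to run the image on the next power-up and the monitor can put the factory image back. What the model cannot do is tell you the ROM itself is genuine, which is the chip-swap objection made further down.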

@tns1 wrote:
As a minimum, I should be able to take a pure flash storage device and plug it into a clean PC and run some program that will verify that flash device has factory firmware (or the OS could do this automatically).

If you can think of a way to do this, you’ll become a very rich man.  Plenty of companies and governments would love to license that invention.  I’ve been hacking Sandisk hardware for 10 years and I’m not worried that this is going to happen anytime soon though :wink:

@tns1 wrote:
How can you design a flash stick that has some of the security features I mentioned? Take a trip back to the 90’s and understand that most firmware sat in ROM, PROM, or UV-EPROM. To change it you needed to pull chips.

This is the best you can do, and some drives do work this way with the firmware burned into the chip at the factory.  Unfortunately figuring out which do is very hard, and you still don’t know that any given unit really does have unwritable ROM without opening it, since chips could easily be swapped for a batch (maliciously or otherwise).  

@saratoga wrote:
@tns1 wrote:
As a minimum, I should be able to take a pure flash storage device and plug it into a clean PC and run some program that will verify that flash device has factory firmware (or the OS could do this automatically).

If you can think of a way to do this, you’ll become a very rich man.  Plenty of companies and governments would love to license that invention.  I’ve been hacking Sandisk hardware for 10 years and I’m not worried that this is going to happen anytime soon though :wink:

@tns1 wrote:
How can you design a flash stick that has some of the security features I mentioned? Take a trip back to the 90’s and understand that most firmware sat in ROM, PROM, or UV-EPROM. To change it you needed to pull chips.

This is the best you can do, and some drives do work this way with the firmware burned into the chip at the factory.  Unfortunately figuring out which do is very hard, and you still don’t know that any given unit really does have unwritable ROM without opening it, since chips could easily be swapped for a batch (maliciously or otherwise).
The way I see it these are two different classes of hacking. If someone has the resources to fabricate a clone of a flash drive but with different chips, built-in malware etc, that is an entirely different level of threat. I am more concerned with a firmware exploit of a genuine product. The manufacturers should first provide a way to prevent or detect that possibility since it has the potential to destroy trust in these products overnight.

When someone designs a security algorithm these days, it is validated by having an open review. I’d prefer that HW design and operation should be just as transparent. This might have avoided some of the embarrassments of the so called “secure storage devices” that were easily hacked. Publish the design and offer rewards for every flaw that is found. This is being done for some SW. Why not HW?

I think you’re right tns1.  You should find some other type of drive to use.  And when you find one that satisfies your security concerns please report back so we can follow your lead.

Thank you.