Half of USB Devices Have Unpatchable Security Flaws

Following up na article on Wirth Consulting, the security researchers that discovered the vulnerability have since tested the USB controller chips from eight of the major suppliers. Hacker Karsten Nohl presented at the recent PacSec security conference in Tokyo that he and his fellow researchers Jakob Lell and Sascha Krissler have analyzed every USB controller chip sold by the industry's most prominent vendors to see if they are vulnerable. The good news is that they found that the exploit can only affect about half of USB devices. The bad news is that it is nearly impossible to identify which devices are secure without physically disassembling every last device and identifying its USB chips:

"It’s not like you plug a thumbdrive into your computer and it tells you this is a Cypress chip, and this one is a Phison chip," says Nohl, citing two of the top USB chip manufacturers. "You really can't check other than by opening the device and doing the analysis yourself... The scarier story is that we can't give you a list of safe devices."

Nohl's continuing research is in response to critics who argued that his original BadUSB presentation was too narrowly focused on chip maker Phison. Subsequently, Nohl's team tested the vulnerability of USB controller chips sold by the industry's biggest vendors: Phison, Alcor, Renesas, ASmedia, Genesys Logic, FTDI, Cypress, and Microchip. Their methodology included checking the versions of each chip by analyzing their published specifications and plugging it into a PC and attempting to rewrite the chip's firmware. The test results were largely unpredictable, and each USB controller chip/device was rated as "vulnerable", "secure", or "inconclusive":

·  All of the USB storage controllers from Taiwanese firm Phison were vulnerable to reprogramming.
·  USB storage controllers from ASmedia were not.
·  USB controller chips from Taiwanese company Genesys that used the USB 2 standard were not vulnerable, but those that used USB 3 standard were.
·  Other USB devices, such as USB hubs, keyboards, webcams, and mice were even more unpredictable.

Nohl’s team also discovered that at least one company already protects against BadUSB attacks: USB device maker Imation employs its Ironkey technology that requires any new firmware updates to its USB flash-memory "thumbdrives" are signed with an "un-forgeable" cryptographic signature that prevents malicious reprogramming. On the other hand, security researcher Richard Harman subsequently found that the popular flash-memory vendor Kingston uses USB chips from up to a half-dozen different companies. Nevertheless, Nohl says that some of the USB controller chips that were found to be immune were protected "by accident" and were deliberately custom-designed ("defeatured") for unique applications for economical considerations that oh-by-the-way, also makes them immune to reprogramming. However, Nohl warns that "every chip that could be reprogrammable is reprogrammable," and vulnerable to BadUSB.

In summary, Nohl states that because of lack of transparency (openly identifying the source of the USB controller chips), and the unpredictable mix of secure and insecure USB controller chips, practically every device produced by the USB device industry is suspect.

Source: It’s Official: Half of USB Devices Have Unpatchable Security Flaws