Manual fixes to USB malware revealed… with a catch

Since the BadUSB malware was released to the public with hopes of forcing a fix, a solution has emerged from the researchers who posted the code, but the fix is definitely not without its problems.

It’s a two-part solution that will only assist with a limited number of USB sticks, and requires manual modification to be thorough.

Wired reports that the first part involves a patch released by the hackers that disables boot mode on some USB devices, thus making it tougher for attackers to exploit the vulnerability. The catch here is that it only works with the newest version of Taiwanese firm Phison’s USB 3.0 firmware, which covers only a limited number of drives.

But Wired adds that this fix alone isn’t a 100% foolproof way of blocking the exploit, even for supported devices: “With boot mode disabled, Caudill says an attacker can still alter a USB stick’s firmware if he or she has physical access to a thumb drive using a technique called ‘pin shortening’. That method involves plugging the drive into a computer while placing a piece of conductive metal across two or three of the pins that connect the controller chip to the USB stick’s circuit board”. They describe this as a ‘hard reset’ allowing firmware to be reprogrammed.

Slashgear explains that countering this is done via a fiddly fix that involves manually covering the pins of a USB drive in epoxy, stating that “for a thumb drive, this would mean popping open the plastic case and squirting a clear epoxy inside, which will prevent a hacker from manually compromising the drive.”

A Gorilla-brand epoxy is the recommended variety – with the thinking behind it being that anyone trying to remove epoxy would end up destroying the drive in the process.

The researchers are well aware that these fixes are too complex and fiddly for most users, and are merely a proof of concept. As Gizmodo states, “the real heart of the problem is that firmware can be altered without any visible traces”. Wired states that this is technically possible to fix, but that “a future fix could be years away”.

Author , ESET

  • David Cochran

    Much easier to just not let anyone have your thumbdrive. Seems like an enormous amount of effort, when drives are so cheap.

Copyright © 2016 ESET, All Rights Reserved.