Security researchers release patch for Bad USB hack - still many USB drives vulnerable

Researchers who recently demonstrated how the firmware of USB-sticks can be modified to attack computers released a patch today to protect specific USB-sticks against Bad USB attacks. During the DerbyCon conference, Adam Caudill and Brandon Wilson demonstrated several attacks based on an apparently innocent USB-stick. The source code of their so-called Bad USB hack was released on the open source hosting site GitHub.

For the Bad USB attack the researchers modified the microcontroller of a USB-stick so it could be used to attack computers. Using the modified microcontroller it was, for example, possible to make the PC believe a keyboard was attached, which then executed a set of commands on the attacked computer.

To prevent attackers from modifying the microcontroller of the USB-sticks, Caudill, one of the researchers, has developed a patch that disables the boot mode of the USB-sticks. That way it's no longer possible to modify the USB-stick firmware with, for example, the code of the Bad USB hack. The patch only works for USB 3.0 sticks that use the latest firmware of USB microcontroller developer Phison.

The researcher warns that attackers with physical access to the USB-stick can undo the patch. By short-circuiting two pins it's possible to update the firmware again. Caudill advises users who really want to be secure to cover the pins in epoxy resin so the pins are inaccessible and the firmware can't be updated anymore.
