USB vulnerability “fix” includes using epoxy

Brittany A. Roston - Oct 7, 2014, 9:33pm CDT
USB vulnerability “fix” includes using epoxy

The BadUSB vulnerability first detailed at Black Hat was just recently released to the public after a couple hackers reverse-engineered it and published on Github. That move was believed to be necessary for prodding manufacturers to come up with a solution, but it had the added effect of leaving USB users vulnerable. A patch will be difficult, it is believed, but until then a “fix” for the issue has been published that doesn’t so much solve the vulnerability as it does remove certain avenues for infiltration.

There are two parts to the “fix”, one that involves the messy manual operation of using epoxy to manually cover the pins on one’s USB drive. For a thumb drive, this would mean popping open the plastic case and squirting a clear epoxy inside, which will prevent a hacker from manually compromising the drive.

The hackers recommend Gorilla-brand epoxy for this task, according to Wired, but any “thick hard material” should do the trick. The idea is that not only will this prevent manual tampering, but would likely destroy the drive if someone tries to scrape away the epoxy.

In addition to using epoxy, the duo also released a patch that will disable boot mode on certain USB devices, making it harder for hackers to take advantage of the vulnerability. That patch is limited, however, to the newest version of the USB 3.0 firmware from Phison, and won’t work on any others. This remains only a minor solution for certain aspects of the vulnerability for a limited number of users, however, and no solid solution yet exists.


Must Read Bits & Bytes