21

How can I know in Linux (or otherwise), if the firmware of my USB flash drive can be rewritten using the USB port (when sticking it in an USB port)? Eg. for a cheap EMTEC 16GB.

I was thinking about using udevadm monitor, but do not have any clue on how a USB controller ID looks like (and whether it is printed by udevadm) and where to look further for details for that USB controller. I have read in How to prevent BadUSB attacks on linux desktop that it one of conditions behind the BadUsb attack.

V G
  • 353
  • 1
  • 3
  • 8
  • 1
    Even if the firmware was rewritable, there is no standard way for USB mass storage devices to advertise this. Usually it's done with a manufacturer-specific command. The only way to be sure would be to obtain a dump of the firmware already installed, disassemble it and see if there are any routines for updating its own firmware in its code. –  May 04 '15 at 14:06
  • @AndréDaniel Than another question: how would a virus try to rewrite the firmware of my USB flash drive? Is there at least a standard way to rewrite (not to check whether rewritable) the firmware? – V G May 05 '15 at 07:12
  • Malware could have a database of USB IDs and the associated firmware flash commands, or just throw them all at the USB device and hope one succeeds. –  May 05 '15 at 07:18
  • 1
    See [flashboot.ru](http://flashboot.ru/files/), russian website that has downloads of manufacturer's official tools used to program USB sticks. You could download one and disassemble it.. I wouldn't recommend running anything from that site on your own personal machine though. –  May 05 '15 at 07:20
  • 1
    OK, (although not booletproof) a solution to my problem would be to identify the vendor ID of my USB stick, and then check on that website (or on the one of the vendor) if the USB stick is writable. If no information on the large internet, then there are big chances that a usual malware cannot do it. Did I miss anything? – V G May 05 '15 at 07:27
  • Malware authors could download the tools on the site I linked above and build its database their way (disassemble each tool and see whether the products the tool is compatible with are capable of being evil). –  May 05 '15 at 07:29
  • Is there any website which lists usb sticks and if there is a known vulnerability in the controler or something like this? – student Jul 03 '15 at 14:32
  • Something like this: https://github.com/adamcaudill/Psychson/wiki/Known-Supported-Devices – student Jul 03 '15 at 14:36

1 Answers1

12

In short, there is no way to know this.

There are to many 'badly written' USB controller chips out there that either not report that you can write to them. or worse report you can. but simply ignore any attempt to write to them.

So without knowing specifically what chip it is you can not know how it reacts to such an instruction.

As a even worse case there are USB devices out there which are either USB stick's or USB HDD's that when written to an extreme address instead of writing it to disk, write it to the internal memory (e.a. the flash EEPROM) and you simply can not check for it without writing your own software to do that and test it by uploading your own firmware. (or brick the USB device).


The only reliable methodology for knowing if a USB device can be used in this manner is by White listing the known USB Controllers that allow writing. and writing your own test software to check for this.

LvB
  • 8,336
  • 1
  • 27
  • 43
  • I see. Let's suppose that the controller correctly reports whethe writing to the USB port is allowed or not. How can one find that out? – V G May 04 '15 at 10:00
  • Only reliable way I know is with white listing / testing. – LvB May 04 '15 at 10:02
  • 5
    Are there any such whitelists in existence already? – oliver May 04 '15 at 12:28
  • 1
    Not a public one to my knowledge I'm afraid. :( – LvB May 04 '15 at 12:35
  • Since there's only a limited amount of ways you can communicate with a USB stick, couldn't you exhaustively test whether or not you could overwrite the firmware, such as by trying to write to huge extremes, trying ATA commands for overwriting firmware, or even fuzzing? I imagine you could built up a whitelist easily that way. – forest Apr 05 '16 at 09:13