[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Probably a false alarm Re: Have I caught a firmware attack in the act? Or am I just paranoid?

On 15/08/2019 21:57, Rebecca N. Palmer wrote:
Paul Wise wrote:
Based on the serial number deletion, I'd speculate that some internal
part of the flash holding details about the device identity
malfunctioned, so the firmware reverted back to the default hardcoded
product id for Alcor flash drives. No idea if this is a reasonable
theory or what caused the malfunction, malware or otherwise.

It makes sense for the firmware to have a fixed bootloader part: USB is a complex enough protocol that accepting firmware updates over it is likely to itself require firmware, and the (different) brand that has publicly been attacked does have one:

I disassembled another Alcor stick (also 058f:6387 in its normal state, but several years older) and tried to trigger this deliberately by shorting pins (using pinout [0] and assuming pin 1 is marked by the corner spot, _not_ the orientation of the writing):

Flash always "busy" [1] (shorting pins 47+48 to connector shell ground) just makes it not connect (presumably waiting indefinitely for the flash to become ready)...

...but shorting flash data pins to each other to turn reads to garbage (roughly 39-44 as that was the width of my screwdriver point - the full set is 37-44 + 27-34) *does* trigger the 058f:1234 state. This state persists after removing the short if the stick is left plugged in, but the normal 058f:6387 returns after unplugging and replugging it.

Hence, I now consider the first stick to be broken, not malicious.

Paul Wise wrote:
IMO proprietary software is worrisome in any context

For Phison sticks, [2] is an at least partially open source firmware, including an option to deliberately break the update mechanism (preventing future changes, malicious or otherwise, without physically disassembling the stick), but it uses non-free tools to install. (I haven't tried it.)

(non-trust warning: found via search and/or Wikipedia)
[0] https://www.alldatasheet.com/view.jsp?Searchword=AU6983
[1] http://www.onfi.org/specifications
[2] https://github.com/brandonlw/Psychson#running-no-boot-mode-patch

Reply to: