Probably a false alarm Re: Have I caught a firmware attack in the act? Or am I just paranoid?

To: debian-security@lists.debian.org
Subject: Probably a false alarm Re: Have I caught a firmware attack in the act? Or am I just paranoid?
From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
Date: Sat, 24 Aug 2019 17:25:20 +0100
Message-id: <[🔎] 2f2caa9e-9fdb-12e5-6802-555aa6f7549c@zoho.com>
In-reply-to: <[🔎] 326068cc-a7e0-65c6-1a2c-b628167b149f@zoho.com>
References: <[🔎] b2489138-53ee-e747-31cc-cdce48339dbe@zoho.com> <[🔎] c73abd85-7913-5bea-fac0-960aebc11ff4@gmail.com> <[🔎] 326068cc-a7e0-65c6-1a2c-b628167b149f@zoho.com>

On 15/08/2019 21:57, Rebecca N. Palmer wrote:

Paul Wise wrote:
Based on the serial number deletion, I'd speculate that some internal
part of the flash holding details about the device identity
malfunctioned, so the firmware reverted back to the default hardcoded
product id for Alcor flash drives. No idea if this is a reasonable
theory or what caused the malfunction, malware or otherwise.
It makes sense for the firmware to have a fixed bootloader part: USB isa complex enough protocol that accepting firmware updates over it islikely to itself require firmware, and the (different) brand that haspublicly been attacked does have one:

I disassembled another Alcor stick (also 058f:6387 in its normal state,but several years older) and tried to trigger this deliberately byshorting pins (using pinout [0] and assuming pin 1 is marked by thecorner spot, _not_ the orientation of the writing):

Flash always "busy" [1] (shorting pins 47+48 to connector shell ground)just makes it not connect (presumably waiting indefinitely for the flashto become ready)...

...but shorting flash data pins to each other to turn reads to garbage(roughly 39-44 as that was the width of my screwdriver point - the fullset is 37-44 + 27-34) *does* trigger the 058f:1234 state. This statepersists after removing the short if the stick is left plugged in, butthe normal 058f:6387 returns after unplugging and replugging it.


Hence, I now consider the first stick to be broken, not malicious.

Paul Wise wrote:

IMO proprietary software is worrisome in any context

For Phison sticks, [2] is an at least partially open source firmware,including an option to deliberately break the update mechanism(preventing future changes, malicious or otherwise, without physicallydisassembling the stick), but it uses non-free tools to install. (Ihaven't tried it.)


(non-trust warning: found via search and/or Wikipedia)
[0] https://www.alldatasheet.com/view.jsp?Searchword=AU6983
[1] http://www.onfi.org/specifications
[2] https://github.com/brandonlw/Psychson#running-no-boot-mode-patch

Reply to:

References:
- Have I caught a firmware attack in the act? Or am I just paranoid?
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>
- Re: Have I caught a firmware attack in the act? Or am I just paranoid?
  - From: Elmar Stellnberger <estellnb@gmail.com>
- Re: Have I caught a firmware attack in the act? Or am I just paranoid?
  - From: "Rebecca N. Palmer" <rebecca_palmer@zoho.com>

Prev by Date: Re: Have I caught a firmware attack in the act? Or am I just paranoid?
Next by Date: Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
Previous by thread: Re: Have I caught a firmware attack in the act? Or am I just paranoid?
Next by thread: Re: [Git][security-tracker-team/security-tracker][master] Add radare2 to dla-needed.txt with comments.
Index(es):
- Date
- Thread