Probably a false alarm Re: Have I caught a firmware attack in the act? Or am I just paranoid?
On 15/08/2019 21:57, Rebecca N. Palmer wrote:
Paul Wise wrote:
> Based on the serial number deletion, I'd speculate that some internal
> part of the flash holding details about the device identity
> malfunctioned, so the firmware reverted back to the default hardcoded
> product id for Alcor flash drives. No idea if this is a reasonable
> theory or what caused the malfunction, malware or otherwise.
It makes sense for the firmware to have a fixed bootloader part: USB is
a complex enough protocol that accepting firmware updates over it is
likely to itself require firmware, and the (different) brand that has
publicly been attacked does have one:
I disassembled another Alcor stick (also 058f:6387 in its normal state,
but several years older) and tried to trigger this deliberately by
shorting pins (using pinout  and assuming pin 1 is marked by the
corner spot, _not_ the orientation of the writing):
Flash always "busy"  (shorting pins 47+48 to connector shell ground)
just makes it not connect (presumably waiting indefinitely for the flash
to become ready)...
...but shorting flash data pins to each other to turn reads to garbage
(roughly 39-44 as that was the width of my screwdriver point - the full
set is 37-44 + 27-34) *does* trigger the 058f:1234 state. This state
persists after removing the short if the stick is left plugged in, but
the normal 058f:6387 returns after unplugging and replugging it.
Hence, I now consider the first stick to be broken, not malicious.
Paul Wise wrote:
> IMO proprietary software is worrisome in any context
For Phison sticks,  is an at least partially open source firmware,
including an option to deliberately break the update mechanism
(preventing future changes, malicious or otherwise, without physically
disassembling the stick), but it uses non-free tools to install. (I
haven't tried it.)
(non-trust warning: found via search and/or Wikipedia)
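The check a reader might want after this thread, as an added example that is not code from the post or from either participant: parse `lsusb -v` output, flag any Alcor device (vendor 058f) that reports the 058f:1234 product ID the post reproduced by garbling flash data reads, or that has no serial string, and classify a before/after-replug pair the way the post did (the 1234 state cleared on unplug/replug). The lsusb output embedded below is constructed for the example, including the manufacturer/product strings and the serial number; only the 058f vendor and the 6387/1234 product IDs come from the thread.

```python
"""Spot the 058f:1234 fallback state and missing serials in lsusb -v output.

Added example, not from the original thread. SAMPLE_LSUSB_V is constructed
text in the shape lsusb -v prints; it was not captured from the sticks
discussed in the post.
"""
import re
from dataclasses import dataclass
from typing import Optional

ALCOR_VID = 0x058F
ALCOR_NORMAL_PID = 0x6387    # normal state of both sticks in the post
ALCOR_FALLBACK_PID = 0x1234  # state seen once flash data reads were garbage

# Constructed lsusb -v excerpts: one healthy stick, one in the fallback state
# (string descriptor index 0 for iSerial means "no serial number").
SAMPLE_LSUSB_V = """\
Bus 001 Device 004: ID 058f:6387 Alcor Micro Corp. Flash Drive
Device Descriptor:
  idVendor           0x058f Alcor Micro Corp.
  idProduct          0x6387 Flash Drive
  iManufacturer           1 Generic
  iProduct                2 Mass Storage
  iSerial                 3 ABCDEF0123456789

Bus 001 Device 005: ID 058f:1234 Alcor Micro Corp. Flash Drive
Device Descriptor:
  idVendor           0x058f Alcor Micro Corp.
  idProduct          0x1234 Flash Drive
  iManufacturer           1 Generic
  iProduct                2 Mass Storage
  iSerial                 0
"""

_HEADER = re.compile(r"^Bus (\d+) Device (\d+): ID ([0-9a-fA-F]{4}):([0-9a-fA-F]{4})")
_ISERIAL = re.compile(r"^\s*iSerial\s+(\d+)(?:\s+(\S.*?))?\s*$")


@dataclass
class UsbDevice:
    bus: int
    dev: int
    vid: int
    pid: int
    serial: Optional[str]  # None when the iSerial string index is 0


def parse_lsusb_v(text: str) -> list:
    """Return one UsbDevice per 'Bus ... Device ...: ID vvvv:pppp' block."""
    devices = []
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            current = UsbDevice(int(m.group(1)), int(m.group(2)),
                                int(m.group(3), 16), int(m.group(4), 16), None)
            devices.append(current)
            continue
        if current is None:
            continue
        m = _ISERIAL.match(line)
        if m and int(m.group(1)) != 0:
            current.serial = m.group(2)
    return devices


def assess(dev: UsbDevice) -> list:
    """Findings for an Alcor device; empty list for non-Alcor or healthy ones."""
    findings = []
    if dev.vid != ALCOR_VID:
        return findings
    if dev.pid == ALCOR_FALLBACK_PID:
        findings.append("reports 058f:1234, the state reproduced by garbling flash reads")
    if dev.serial is None:
        findings.append("no serial number string (iSerial index 0)")
    return findings


def replug_test(before: UsbDevice, after: UsbDevice) -> str:
    """Classify a pair of snapshots of the same stick, before and after replug.

    The post found that 058f:1234 persisted while plugged in but gave way to
    058f:6387 after unplugging and replugging.
    """
    if before.pid == ALCOR_FALLBACK_PID and after.pid == ALCOR_NORMAL_PID:
        return "recovered on replug (matches the broken-flash behaviour in the post)"
    if before.pid == ALCOR_FALLBACK_PID and after.pid == ALCOR_FALLBACK_PID:
        return "still 058f:1234 after replug (not the transient state the post describes)"
    return "no fallback state observed"


if __name__ == "__main__":
    for d in parse_lsusb_v(SAMPLE_LSUSB_V):
        print(f"{d.vid:04x}:{d.pid:04x} bus {d.bus} dev {d.dev}: "
              f"{assess(d) or ['looks normal']}")
```

Run against a live system with `lsusb -v 2>/dev/null | python3 check.py` after swapping `SAMPLE_LSUSB_V` for `sys.stdin.read()`; the replug classification needs a second capture taken after the stick has been unplugged and reinserted.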