BadUSB Denial?

You can more/

Pentagon, White House won’t address specifics of problem.

Editor's note: An earlier version of this post briefly displayed an outdated story. The post has been updated.

I asked the Pentagon and the White House what they planned to do about vulnerabilities in Universal Serial Bus drives used in practically every computer and received generic and not very specific replies.

SRLabs of Germany says controller chips in the ubiquitous USB drives have no protection against reprogramming. Once reprogrammed, benign devices can turn malicious in many ways including installation of malware and stealing files.

"No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist,“ SRLabs said.

Wired, which reported Oct. 2 the BadUSB code had been released to the public, said today "Unpatchable USB Malware Now Has a Patch … Sort Of."

The fix, Wired said, requires the messy process of coating USB drives with epoxy to keep them being opened and a patch which disables boot mode that "would virtually eliminate the threat of malware that spreads from USB stick to PC and vice versa…"

But that patch has problems, Wired said. "Karsten Nohl, who first put the fundamental insecurity of USB firmware into the spotlight, dismissed the new patch as an impractical Band-Aid. He points out that while boot mode is the manufacturer’s intended way of altering a USB drive’s firmware, bugs in that firmware would likely allow hackers to find other ways of altering it," the publication wrote.

The Pentagon did not address the specifics of what looks to be a really bad problem from BadUSB. Lt. Col. Valerie Henderson, Defense Department spokeswoman said, "We have multiple network protections in place and continuously take appropriate actions to patch and secure our networks." She did not provide any more details.

A White House official said on background: "Current federal statutes and policy requires agencies to take a risk-management approach to securing systems and data. This approach requires agencies to review and implement NIST-published security controls based on the assessment of risk.’

As October is National Cybersecurity Awareness Month, I had hoped for a more on the mark response from the Pentagon and White House on a vulnerability that hits practically every computer and USB drive on the planet -- literally, billions of gadgets.

Wired’s original article linked above may explain why the Pentagon and the White House are mum on the subject of BadUSB – the National Security Agency has already used the device attacks in its operations.

(Image via You can more/