TransWikia.com

Can an empty, but used, usb flash drive that has NO firmware within it be infected with malware?

Information Security Asked by 888.999 on January 10, 2021

QUESTION: Can an empty, but used, usb flash drive that has NO firmware within it be infected with malware?

I have been told by a networking and security expert that malware will only attach to (write to) firmware on an empty microSD card or empty USB flash drive; that there is nowhere else for it to write to in this case (empty).

PLEASE NOTE: A SANDISK rep just told me that none of their USB flash drives or microSD cards have any firmware; actually 2 of the reps, one being very knowledgeable about the inner workings of media. This is not the "expert" I referenced above.

2 Answers

I believe that there is a misunderstanding on the rep's part about what "firmware" means. iXpand has encryption built-in, so there would need to be extra functions on the device to make that work.

But regardless of what things are called, you are worried about malware infecting the USB device itself, and not files, like BadUSB does. BadUSB does not require fully-functioning, extra-featured firmware. It goes after, let's call it a "widget" on the device that allows the USB to communicate with the computer. And yes, all USB drives have this "widget".

So, the "widget" can have vulnerabilities that can be targeted. Not all of them are vulnerable, and there are so many different types of "widgets" that it can be difficult to predict which devices might end up being vulnerable.

Your security expert is also not quite right, or the phrasing is strange. Some malware will write new infected files on the drive. And, yes, if it is designed to, it could seek out vulnerable "widgets" to infect. This is not a normal function for malware and it would have to be specially written for this use case, and the USB would have to be vulnerable. It's not an automatic fallback for malware.

Answered by schroeder on January 10, 2021

Just to combine the several commented replies and add my own view:

  • There is NO USB device without firmware (even if you call it something else).
  • There are USB devices where you can NOT update the firmware (it’s on a ROM chip or WORM memory chip).
  • There are more ways than just firmware to hide code.
  • The firmware on the USB chip of the flash drive has to hold at least the following: manufacturer ID, device ID, device version, USB version, device type ID. It must also interact with the host controller in the computer (which means running a program, which means there is a firmware).
  • There are several different types of malware and malware delivery mechanisms. You cannot assume any of them in general.
  • Data can even be stored in “empty space” (especially on solid state storage) since malware can ignore normal operation limitations.
  • The rep from SANDISK does not know what he/she is talking about if he/she really thinks there is no firmware. There is no user-upgradable firmware maybe, but that is not the same as no firmware.

As a final note: we are not doubting the rep said those things to you. We are doubting the validity of what the rep said. (Because it’s wrong technically)

Thanks to the following people for their amazing responses in comments:

Answered by LvB on January 10, 2021
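The fields the second answer lists are what every USB device returns in its standard device descriptor during enumeration. The following is an added example, not part of either answer: it decodes that descriptor and walks a configuration descriptor to list interfaces a plain flash drive would not normally declare. The sample bytes, the vendor/product IDs 0x1234/0x5678 and the mass-storage-only allow-list are constructed for illustration.

```python
import struct

MASS_STORAGE, HID = 0x08, 0x03   # USB-IF interface class codes

def bcd(v):
    """Render a binary-coded-decimal version field, e.g. 0x0200 -> '2.00'."""
    return f"{v >> 8:x}.{v & 0xFF:02x}"

def parse_device_descriptor(raw):
    """Decode the 18-byte standard device descriptor (type 0x01)."""
    if len(raw) < 18 or raw[0] != 18 or raw[1] != 0x01:
        raise ValueError("not a standard device descriptor")
    f = struct.unpack_from("<BBHBBBBHHHBBBB", raw)
    return {"bcdUSB": bcd(f[2]), "bDeviceClass": f[3], "idVendor": f[7],
            "idProduct": f[8], "bcdDevice": bcd(f[9])}

def interface_classes(config):
    """Walk the length-prefixed descriptor chain; collect bInterfaceClass values."""
    classes, i = [], 0
    while i + 2 <= len(config):
        length, dtype = config[i], config[i + 1]
        if length < 2 or i + length > len(config):
            raise ValueError("malformed descriptor chain")
        if dtype == 0x04 and length >= 9:      # interface descriptor
            classes.append(config[i + 5])      # bInterfaceClass
        i += length
    return classes

def unexpected_interfaces(config, allowed=(MASS_STORAGE,)):
    """Assumed policy: a flash drive should declare mass storage only."""
    return [c for c in interface_classes(config) if c not in allowed]

def build_config(*ifaces):
    """Prepend a 9-byte configuration header to constructed interface blocks."""
    body = b"".join(ifaces)
    return struct.pack("<BBHBBBBB", 9, 2, 9 + len(body), len(ifaces), 1, 0, 0x80, 50) + body

# Constructed sample data (not captured from a real device)
SAMPLE_DEVICE = bytes.fromhex("12010002000000403412785600010102" "0301")
STORAGE_IF = bytes.fromhex("090400000208065000" "07058102000200" "07050202000200")
HID_IF = bytes.fromhex("090401000103010100" "092111010001223f00" "0705830308000a")
PLAIN_DRIVE = build_config(STORAGE_IF)
COMPOSITE = build_config(STORAGE_IF, HID_IF)

if __name__ == "__main__":
    print(parse_device_descriptor(SAMPLE_DEVICE))
    print("plain drive extras:", unexpected_interfaces(PLAIN_DRIVE))
    print("composite extras:  ", [hex(c) for c in unexpected_interfaces(COMPOSITE)])
```

All of these values come from code running on the drive's controller, so the host can only inspect what the device chooses to declare.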
