It's not going to get fixed. Not now, not next year, not ever. Not because of the NSA or whatever, but just because fixing it would be very inconvenient for everyone involved, and unlikely to produce an immediate profit.
We've already had USB devices come with preinstalled malware, straight out of the store, so I'm going to say "no" on that. Edit: it's not "just" USB storage devices BTW. This is done through firmware on USB peripherals.
This is enough to make one reconsider using USB devices to transfer files between PCs. As seldom as I need to do this, I might go back to using CDs and accept the inconvenience. The way I see it, the malicious USB issue boils down to 2 separate but related problems. 1, How to prevent your own USB devices from being compromised and becoming infection vectors for your equipment. 2, How to prevent an adversary from using a malicious USB device to infect your equipment. I totally expect that 3-letter agencies are already doing this. I also expect that law enforcement will be following suit if they aren't already doing so. The first basically requires keeping your devices under lock and key and making certain that they never get plugged into a PC that you don't totally control. If you can solder and are comfortable working in the cabinet, there's ways to mitigate the second problem that are much nastier than using epoxy in the plugs. Disconnect all of the existing wires from the USB jacks and replace them with wires to the 110VAC. Any device an adversary plugs into those jacks will be fried on the spot. If you hook the hot lead from the AC line to the USB ground, you might get to nail the attacker in the process. You can also reroute the existing USB wires to a non-USB jack, a PS2 jack for a mouse for instance, then assemble a pigtail with a PS2 plug on one end and a USB jack on the other. Only when plugged into the pigtail will USB devices work. Given sufficient time, an adversary could figure out what you've done (after they fry their first device) but it would make it nearly impossible to slip in, compromise your equipment, and slip out in a short period of time.
This is an age where we have gaming mice and other devices with with onboard memory. It's amazing the sheer number of USB connected stuff we have. As I was saying a while back on the discussion of BIOS malware- that to combat it you'd have get a bank and file hash list of every BIOS. This sounds the same, although it'd be firmware. But there's just so many devices out. Though everyone is focusing on first getting infected by a USB device; why couldn't you get infected from something you download online first that then infects your own USB devices and then deletes itself from your OS? That's the real scary thing to me.What a nightmare that'd be to scrub off, if not having to throw away hardware. That's one of the first things that came into my mind. Short of getting an old legacy computer that doesn't even have USB ports, you could just also go back to PS/2 mice and keyboards and disable the USB in the BIOS (depending on the board). Then just physically plug all your USB ports by filling them with silicone adhesive or something. I'm personally not going to that level myself, but.
Sounds like there could be a profitable line in a usb hub/firewall device that had known integrity with codesigning and ability to detect malware attempts.
Is this malware of a type that some way of detecting it might be possible to develop? Is this malware only able to infect a USB device (stick) or can it infect a USB connector? A USB hub? Could a device be made you could plug a USB device into to detect the malware? By watching it's behavior? To determine if the USB device is infected/carrying bad firmware? I understand it's undectable on/in the device but is it possible to see what it does/injects/steals from your PC? Thinking if a service could be developed that would test your USB device by plugging it into a test machine? Can it be loaded onto a a device plugged into your PC by malware on your PC? In other words, is this as bad as it sounds? Do you think it was a good idea for the white hats to have published the code? Reminds me of the crazy scientists that used previously vaulted smallpox virus to study?
