HP Admits Selling Infected Flash-Floppy Drives

bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin. Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space. A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois. Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."
  • by initialE ( 758110 ) on Wednesday April 09, 2008 @11:06AM (#23013114)
    The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives
  • by headkase ( 533448 ) on Wednesday April 09, 2008 @11:09AM (#23013160)
    Although still in a woeful overall state, Vista has one critical security difference from XP that helps here. By default in XP the device will autorun. By default in Vista it will ask you if you would like to autorun. So in Vista you can plug a new device when it asks you to autorun say No and then format the sucker. This default is something Microsoft should seriously back-port to XP.
  • by Animats ( 122034 ) on Wednesday April 09, 2008 @11:17AM (#23013236) Homepage

    Here's the HP security notice. [hp.com] This was discovered in January/February, according to HP, but not announced by them until April.

    Where's the recall notice? HP should be recalling these items. Failure to do so immediately is willful negligence.

    Here are the part numbers:

    • Part # 442084-B21 HP 256MB USB 2.0 Floppy Drive Key
    • Part # 442085-B21 HP 1GB USB 2.0 Floppy Drive Key

    They're still for sale on Amazon [amazon.com], for example.

    In a situation like this, HP should recall the product and reissue a replacement product with a new part number to distinguish old product from new product.

  • What about BIOSes? (Score:1, Informative)

    by Anonymous Coward on Wednesday April 09, 2008 @11:27AM (#23013372)
    What stops those who were able to put viruses in USB sticks from installing viruses in BIOSes directly in the factory?
  • by Lxy ( 80823 ) on Wednesday April 09, 2008 @11:31AM (#23013458) Journal
    There's an option in Group Policy to disable autorun on all drives.

    Start --> Run --> gpedit.msc
    Computer Configuration --> System --> Turn off Autoplay
    Enable on all drives

    You're right, this should be default, but at least there's a fix.
  • by MBCook ( 132727 ) <foobarsoft@foobarsoft.com> on Wednesday April 09, 2008 @11:43AM (#23013598) Homepage

    OK, I missed something. I don't know if anyone else did, because the summary wasn't clear to me.

    This thing is not an actual floppy drive with some flash storage built in, which is what I thought (and a somewhat stupid idea). It's a standard flash drive that is capable of identifying itself like a floppy drive so that Windows will find it when looking for a floppy drive.

    That's actually a very smart idea.

    With the detail that this is not a real floppy drive of any kind, this all makes more sense. Question withdrawn.

  • by cyanid3 ( 998026 ) on Wednesday April 09, 2008 @11:45AM (#23013616) Homepage

    When I tried to install XP, I found it could recognise a USB drive. It would even allow me to install Windows onto it! But it wouldn't read the SATA drivers off it. I needed to find a working floppy disk in order to get those drivers onto the machine! Reminded me of Slackware back in the mid 90s. It's just as well most Windows users get the OS preloaded by the PC manufacturer. If they all had to install it themselves, surely most would give up and install Linux instead. The installer boots from the CD and includes all the drivers? What crazy person thought of that insane idea.
    You can slipstream your storage drivers into your Windows installation media with nLite (www.nliteos.com). Just add them as textmode drivers and the setup will pick up your storage controllers without any fuss. Vista, otoh, allows you to supply drivers via USB drives too.
  • by ramirez ( 51663 ) on Wednesday April 09, 2008 @11:49AM (#23013674)
    An interesting thing about this is that HP ships diagnostics CDs with their Proliants (PSP "Proliant Support Pack"). The offline hardware diagnostics CD can provide a lot of data, which needs to be provided to HP to get support (sometimes). The diagnostics software has the option to write the data to a USB device. I've tried 3 different types of USB drives and none of them were recognized by the software... I was told by HP support that the USB floppy drive that they provide would work.

    Fortunately, we bitched enough to get better support and we don't run Windows so wouldn't be vulnerable to this particular problem.

    I bring this up because there may be a number of people out there with Proliants who acquired these drives so that they can get data from HP diagnostics software.
  • by creepynut ( 933825 ) <teddy(slashdot) AT teddybrown DOT ca> on Wednesday April 09, 2008 @12:03PM (#23013848) Homepage
    Unfortunately, you can't use the Group Policy Editor on Windows XP Home Edition.

    In addition, it's nice to have the autorun. Having a dialog asking permission is a nice balance I find.
  • Only on WinPE 1.x (Score:3, Informative)

    by SEMW ( 967629 ) on Wednesday April 09, 2008 @12:13PM (#23013964)

    The main purpose for having floppies in servers is because Windows requires them to install mass storage drivers during installation on hardware such as RAID arrays and SATA drives
    IIRC, Only on Windows installers that use WinPE 1.x. That includes 2003 Server, but not 2008 Server (which uses WinPE 2.1). So hopefully now floppies should actually become a thing of the past.

    Not, of course, that that in any way absolves MS -- it's still shocking that floppies were sometimes needed for a server OS released a mere half decade ago! Although at least you could always install remotely over a network using RIS [wikipedia.org] or WDS and avoid the issue entirely, which is I suppose what most enterprises probably do anyway.
  • by SEMW ( 967629 ) on Wednesday April 09, 2008 @12:18PM (#23014020)
    No-one's suggesting that this was a deliberate policy decision by HP; the suggestion is that it was a disgruntled worker or somesuch that did it deliberately for some unknown ends.
  • by Nimey ( 114278 ) on Wednesday April 09, 2008 @12:18PM (#23014022) Homepage Journal

    Windows Registry Editor Version 5.00

    ; Redirect every read of Autorun.inf to a registry key that does not exist,
    ; so Explorer sees an empty file and has nothing to launch from it.
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
    @="@SYS:DoesNotExist"

    We're deploying that here to stop Autorun viruses that can start via just opening the drive (or right-clicking on Explore, etc.). Nasty things enabled by a Windows design flaw reminiscent of Outlook Express 4 opening attachments automatically.
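Editor's added example (not code from this thread or from HP): a small Python inspector for the autorun.inf directives that the IniFileMapping trick above and the Group Policy setting earlier in the thread neutralise. The sample autorun.inf contents are constructed for illustration; the directive names (open, shellexecute, shell\<verb>\command) are the real ones Explorer honours.

```python
"""Inspect an autorun.inf for the directives that make Explorer execute code."""
import configparser
import re

# Constructed sample resembling what a USB worm of the period would drop on a
# key; it is not taken from the HP advisory or from this discussion.
SAMPLE_AUTORUN = """[AutoRun]
label=USB Floppy Drive Key
icon=files\\update.exe,0
open=files\\update.exe
shellexecute=files\\update.exe
shell\\open\\command=files\\update.exe
shell\\explore\\command=files\\update.exe
"""

# A benign file only sets the drive label and icon (also constructed).
CLEAN_AUTORUN = "[autorun]\nlabel=Drivers\nicon=drivers.ico\n"

# 'open' and 'shellexecute' fire on AutoPlay; shell\<verb>\command entries hijack
# the drive's double-click and right-click "Explore" actions, which is how a
# worm runs when someone merely opens the drive. Keys are matched lower-cased.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$")


def parse_autorun(text):
    """Return the [autorun] section as {option: value}, option names lower-cased.

    strict=False tolerates duplicate keys (common in worm-written files) and
    interpolation=None keeps '%' literal so paths like %SystemRoot% parse.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":  # header case varies in the wild
            return dict(cp.items(section))
    return {}


def launch_vectors(text):
    """List (directive, value) pairs that would cause something to run."""
    return [(k, v) for k, v in parse_autorun(text).items() if LAUNCH_KEY.match(k)]


def verdict(text):
    """Summarise whether the file executes anything, via which keys, naming which targets."""
    vectors = launch_vectors(text)
    # Drop any trailing ',arg' so 'prog.exe,0' and 'prog.exe' collapse to one target.
    targets = sorted({v.split(",")[0].strip().lower() for _, v in vectors})
    return {"executes": bool(vectors), "vectors": vectors, "targets": targets}
```

Run verdict() over the autorun.inf of any removable drive before trusting it; a drive whose file sets only label and icon reports executes=False.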
  • by rickb928 ( 945187 ) on Wednesday April 09, 2008 @12:22PM (#23014064) Homepage Journal
    I've had success in the past using HP's USB tools to create floppy-formatted USB keys and install drivers with that. It's worked on several ProLiant servers... Well before this particular gaffe, and not HP-branded keys. The servers passed all their security checks 2 years ago.

    You can do it without the HP keys, just use their software to prep the stick.
  • by Actually, I do RTFA ( 1058596 ) on Wednesday April 09, 2008 @12:52PM (#23014386)

    Computer Configuration --> Administrative Templates --> System --> Turn off Autoplay
  • But it's a server... (Score:2, Informative)

    by Shuntros ( 1059306 ) on Wednesday April 09, 2008 @01:16PM (#23014634)
    What kind of idiot runs a workstation OS on a SERVER? Last time I looked, proper server operating systems didn't "autorun" things, especially w32 executables!
  • by joe_n_bloe ( 244407 ) on Wednesday April 09, 2008 @01:40PM (#23014956) Homepage
    Anyone who has ever installed an HP scanner or All-in-one knows that the consumerware/bloatware that HP deliberately installs is truly awful. The print monitor behaves strangely, faceless apps hang and get respawned without the existing processes being killed, all kinds of crap is installed that is difficult to remove, and et cetera. If you don't seek out and install the thin "enterprise driver," and find alternative helper apps, you wind up with all this junk.

    So I don't see what the big deal with shipping some more malware is. It's HP. *shrug*
  • by Dr. Cody ( 554864 ) on Wednesday April 09, 2008 @02:27PM (#23015538)
    I've purchased/received three MP3/video players during trips to China, and both of them had viruses on them. China is the next big market for botnets, I suppose.
  • by Whuffo ( 1043790 ) on Wednesday April 09, 2008 @03:30PM (#23016218) Homepage Journal
    Products shipping with unplanned "additions" has been going on for years. I remember well when a software company I worked at had something like this come up - the install floppy in our shrink-wrapped packages had a boot sector virus on it.

    After digging into what happened it was found that the duplication house where our disks were being duplicated had a QC station where each one was tested to verify a good recording. The operator of that station faced a brain-numbing job; insert disk, hit enter, remove disk, repeat. Of course, that job was filled by the production manager's son - who filled in his free minutes by playing a "free" copy of a game that he got from "someone" on the QC machine.

    We had to recall all the packages and ship free disinfecting software to everyone who had bought one; fun times. The duplication house (grudgingly) paid the cost of cleaning up the mess, then we found a different duplication house to use in the future. This time we checked their procedures out a little more closely before signing up.

    Something like this is probably what happened to HP. The factory where those drives were made had some worms / viruses loose on their network and when the new drives were plugged in for testing / formatting the malware automatically copied itself over. This would happen after the format / test was complete; the operator wouldn't even know it happened.

    Sloppy security practices at the factory were most likely the "source" of the problem. They weren't evil, just stupid. But for HP to know about this and wait for 3 months before letting their customers know - that's criminal. At least it should be...
