HP Security

HP Admits Selling Infected Flash-Floppy Drives

bergkamp writes "Hewlett-Packard has been selling USB-based hybrid flash-floppy drives that were pre-infected with malware, the company said last week in a security bulletin. Dubbed "HP USB Floppy Drive Key," the device is a combination flash drive and compact floppy drive, and is designed to work with various models of HP's ProLiant Server line. HP sells two versions of the drive, one with 256MB of flash capacity, the other with 1GB of storage space. A security analyst with the SANS Institute's Internet Storm Center (ISC) suspects that the infection originated at the factory, and was meant to target ProLiant servers. "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois. Both versions of the flash-floppy drive, confirmed HP in an April 3 advisory, may come with a pair of worms, although the company offered few details. It did not, for instance, say how many of the drives were infected, where in the supply chain the infections occurred or even when they were discovered."


  • by nweaver ( 113078 ) on Wednesday April 09, 2008 @11:16AM (#23013226) Homepage
    The speculation that it was deliberate activity does strike me as a little strange:

    If you are going to get your malcode onto this, why do something old and crufty when you could do something new?

    IIRC, this is used for BIOS updating as well as Windows driver schlepping. So why use old-n-crufty known malcode when you could get a clean rootkit (no existing signature) and install it that way?
  • by deragon ( 112986 ) on Wednesday April 09, 2008 @11:16AM (#23013228) Homepage Journal
    I do not understand it. Are these USB drives meant to come with software? I believe they are just formatted. If such is the case, then they should use some non-Windows machines such as Linux to format them with Windows filesystems. I fail to grasp how, on a factory floor where drives only need to be formatted, worms have an actual chance to jump on the drives. This can only happen if they are using web-connected and unsecured Windows machines to format them.
  • by CambodiaSam ( 1153015 ) on Wednesday April 09, 2008 @11:34AM (#23013498)
    Neither article indicates that HP is planning on making changes at the factory floor level to prevent further infection. If their only response is to scan and clean it myself, then I might be motivated as a consumer to purchase my flash drives with a big "Guaranteed Fully Formatted" on the box. Plus, this seems REALLY sloppy to me. If HP is allowing this type of software to slip into flash drives, what other types of defects, errors, and all-around laziness are going on with other products?
  • by dickmc ( 979955 ) on Wednesday April 09, 2008 @12:04PM (#23013854)
    What is notably left out is: Who made them and in what country? What are normal HP quality controls? What is HP planning on changing to prevent this in the future?
  • by utopianfiat ( 774016 ) on Wednesday April 09, 2008 @12:23PM (#23014076) Journal
    Does anyone here have a problem with the fact that HP is clearly not checking the contents of their drives before they leave the factory? Because I think that's pretty important.

    Someone's going to reply "blah blah chain of supply blah blah limited liability" but (back in my day) a manufacturer was liable for tainted/poisoned product that originated at the manufacturer. Everyone should be able to demonstrate that a product works before selling it.
  • Coincidence? (Score:4, Insightful)

    by rickb928 ( 945187 ) on Wednesday April 09, 2008 @12:40PM (#23014256) Homepage Journal
    I see a story about Hannaford Bros (supermarket chain in the Northeast U.S.) servers being pwned, sending credit card numbers all over. And they passed PCI, seeming to be secure enough for the card industry. Darn, pwnage is so sucky, especially when your SERVERS are compromised.

    Now I see this story about HP accidentally selling branded keys with worms pre-installed. Darn, selling malware is so sucky, especially when you sell it to your favorite customers, for example server customers.

    Any chance not just Hannaford, but other HP customers are nailed by this?

    The takeaway from this episode, for those of you who aren't quite getting this:

    - When you buy a USB key, be sure your machine(s) have functional antivirus and antispyware running, and it's updated.

    - Look around for instructions on keeping stuff like USB keys from autorunning. Make it so.

    - Format that rascal USB key immediately. Immediately. IMMEDIATELY.

    - Don't buy USB keys 'cause they have cool software preloaded. Pointless to CHOOSE to risk infection. Make the manufacturers pay for this by avoiding/refusing this crap. Just sell me a simple key, ok? Sheesh...

    And trust no one and no thing.

    Amazing, is all I can say. And yes, I wonder if these were manufactured and loaded in China. Bet they are.

    We are in so much trouble. Mark my words, soon, 'Made in China' will really mean 'Pwned by China'. If it doesn't already.

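The "disable autorun and check the key before trusting it" advice in the post above, as an added example that is not from the original poster or from HP: a Python triage script that parses a removable drive's autorun.inf (INI syntax, so configparser handles it) and reports every directive that would auto-execute something, together with whether the referenced file is actually present on the key. The sample autorun.inf, the RECYCLER path and the file name are constructed for the example.

```python
import configparser
import os
import tempfile

# Constructed autorun.inf modelled on what XP-era USB worms dropped on
# removable media; the RECYCLER path and file name are invented.
SAMPLE_AUTORUN = (
    "[autorun]\n"
    "open=RECYCLER\\S-1-5-21-99\\update.exe\n"
    "shellexecute=RECYCLER\\S-1-5-21-99\\update.exe\n"
    "shell\\open\\command=RECYCLER\\S-1-5-21-99\\update.exe\n"
    "icon=%SystemRoot%\\system32\\SHELL32.dll,4\n"
)
# Directives that make Windows (autorun enabled) execute something on insert.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command",
               "shell\\explore\\command")

def parse_autorun(text):
    """Return only the launch directives from an autorun.inf body (INI syntax)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    if not cp.has_section("autorun"):
        return {}
    return {k: v for k, v in cp.items("autorun") if k in LAUNCH_KEYS}

def triage_drive(root):
    """Inspect the root of a mounted removable drive before trusting it.
    Returns (directive, target, target_present) per launch hook; [] means none."""
    findings = []
    for name in os.listdir(root):
        if name.lower() != "autorun.inf":
            continue
        with open(os.path.join(root, name), errors="replace") as fh:
            hooks = parse_autorun(fh.read())
        for key, target in hooks.items():
            rel = target.split(",")[0].strip('"').replace("\\", os.sep)
            findings.append((key, target, os.path.isfile(os.path.join(root, rel))))
    return findings

def build_demo_drive():
    """Create a throwaway directory laid out like an infected key (constructed)."""
    root = tempfile.mkdtemp(prefix="usbkey_")
    payload_dir = os.path.join(root, "RECYCLER", "S-1-5-21-99")
    os.makedirs(payload_dir)
    with open(os.path.join(payload_dir, "update.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real program
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    return root
```

Run `triage_drive("/path/to/mounted/key")` against a freshly mounted key; any non-empty result is a reason to wipe and reformat it rather than open it.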
  • Re:Coincidence? (Score:3, Insightful)

    by rickb928 ( 945187 ) on Wednesday April 09, 2008 @02:29PM (#23015550) Homepage Journal
    Easy for you to spew.

    Surprisingly, much of the software Hannaford settled on using is just plain Windows. They did use some Sun for certain things, but the store servers were almost all Windows.

    I'm unaware of any settlement software available for *nix. There must be some, but I haven't looked so hard for it. And Hannaford isn't unique in the industry for using Windows.

    It wasn't long ago that Blockbuster used Alpha-based servers at the stores, running customized SCO SysV. Nasty, but it worked really well. Sadly, Alpha CPUs are hard to come by, and I bet they have moved to Windows. But that environment would move to Linux very well. Other businesses need to build the entire Linux infrastructure, from development environments to remote management. Windows makes it too easy.

    And the bottom line here is that the malware got inside the firewall. Most likely, IMHO, via a support tech either browsing or on media, obviously. And they were certified PCI-compliant. Darn.

    Frankly, I suspect even a Linux server system could be pwned. I've had to scrape out some very tough trojans from my servers over the years. It ain't easy. 80% of the time I reinstalled clean. Why bother.
  • by xouumalperxe ( 815707 ) on Wednesday April 09, 2008 @03:06PM (#23015944)

    From the summary:

    "I think it's naive to assume that these are not targeted attacks," said John Bambenek, who is also a researcher at the University of Illinois

    I think it's also pretty naïve to assume that it is a targeted attack, as such an assumption shifts the blame enormously. While a targeted attack is arguably more dangerous and more worrisome for a certain group of people, such an attack could happen at any number of stages of fabrication, so the fabrication process itself isn't to blame. Reversely, if a random infection makes it to a device sold as a server accessory, that puts both fabrication and quality assurance at fault, the former allowing the infection, the latter for not detecting it. If that's what happens to enterprise products, one has to wonder how much crud gets through in consumer stuff.
