This hack has been known for years.
All USB devices have a micro-controller (CPU) and you can hack the code that it runs.
Typically a USB thumb drive has a 100mhz ARM processor running it. When you plug one into your PC you are plugging a small computer into your big computer and trusting that the ARM in the thumb drive has not been tampered with.
It’s quite easy to modify a thumb drive to do all sorts of stuff. You can stick in a tiny SM oscillator and key it on/off with an ARM I/O pin and send data to a remote receiver nearby....this is one of the easier hacks.
You can reprogram the ARM to make a 64GB thumb drive look like a 32GB drive and save data on the hidden 32GB that the user cannot erase.
SATA hard drives also have a controller on board that can be tampered with.
To be fair, every hard drive ever made had a controller attached to it. This is not new. If there's no controller, then it's a floppy or optical drive. Anything with non-volatile storage (i.e. not RAM) has a controller of some type attached to it.
This is already spawning a large number of policies in corporations to restrict USB disk access. As an engineer and solutions architect, this is no big deal, because we don't use USB drives that often anymore with cloud computing and high speed Internet connectivity. This does, however, make offloading of secure data somewhat perilous if you're paranoid and keep things like TPM-generated private keys on USB drives in your safe deposit box or even home fire safe.
Yep. For the doubters: what happens when you stick a USB thumb into your computer? That little message, "loading device driver" or somesuch? That's the attack vector. And if you expect to read the drive you don't turn it off.
There will be, I am sure, a market for a device driver scanner that stands between you and this exploit and uses signature files like an antivirus app, and if this story serves to hurry it along, so much the better.