We have recently had reports from some users of a virus being detected when first connecting their new mbed Microcontroller to a Windows PC. Further investigation has shown this to be a real problem, impacting some units of an mbed LPC1768 batch manufactured in December.
We are taking this very seriously and will be doing all we can to audit all devices from this batch within the distribution channels, but we have to assume more will have made it through to end users. Please read this report carefully to understand if you need to take action.
On receiving a virus report from a user, with their help we investigated the possible source of the problem. These investigations confirmed it was a new device, and the source of the problem was not likely to be the user’s machine. At this point we initiated an audit of our manufacturer.
With support from the manufacturer's staff and production records, we identified a potential vulnerability window in one of the production line test machines between the 4th and 12th of December, caused by their method of applying a production test software upgrade. During this time, units tested with this test machine had the potential to become infected. This means some units within the particular batch in production at that time are at risk of containing a low-risk virus.
What is the threat?
The virus impacting some of the vulnerable batch is "Win32.SillyFDC" (though it goes by a number of different names), which is an autorun.inf script plus files in a RECYCLER folder placed in the root of removable media, impacting Windows PCs. It has been around since 2004, and is generally considered a low-risk, low-impact virus. It does not impact Mac or Linux. All reputable antivirus software will find, isolate and remove the virus, with no long-term effects. More detailed information about the nature of this virus can be found at:
Is my board from the batch at risk?
We have identified the batch that was in production when the vulnerability occurred, and their corresponding packing serial numbers. Whilst only a small percentage of these could have been impacted, we will be auditing the entire batch.
The packing serial numbers this batch fell within are:
- MBED-1226 to MBED-2356
We will aim to narrow this range as we confirm more audit information. If your microcontroller falls into this range, please read on to see if you need to take action. If not, you should not be impacted. If anyone finds anything to the contrary, please contact us immediately at email@example.com.
To check your packing serial number, find the orange sticker on the base of the box for the mbed Microcontroller, as shown below:
In this example, the details would be:
- Product Number: MBED-005.1
- Serial Number: MBED-2334
What should I do if my board is from the batch at risk?
If your board is from the batch at risk, then please carefully follow these instructions.
If you have not yet used your mbed, you have a number of options to check for and avoid the problem:
- If you have access to a Mac or Linux machine, you can plug in your mbed and check for an autorun.inf file. If one exists, delete *everything* from the disk (any files and directories like autorun.inf, RECYCLER, ...). Mac and Linux PCs ignore autorun.inf, so are not impacted. Your MBED.HTM will get automatically restored after you power cycle the board.
- If you only have access to a Windows PC, ensure your system's antivirus software is up to date. If the virus is present, your antivirus software should detect and quarantine it.
- If you would prefer, we can arrange to audit your board for you and fix the problem if one is found; please contact us directly at firstname.lastname@example.org
If you have already plugged your mbed microcontroller in and there was an autorun.inf file, your antivirus software should have already detected, quarantined and removed any virus. We recommend you run a full system scan with your mbed plugged in to verify your machine and the microcontroller are clear of the virus.
If you do not have antivirus software and you do find an autorun.inf file on the mbed, we highly recommend installing some to check and, if necessary, clean your machine. Below is a list of a few different packages that would be suitable, many including free trials:
Note: if there is no autorun.inf file on the disk, then the problem doesn't exist.
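The checks described above, as an added example that is not part of the original notice: a Python script for a Mac or Linux machine that tests a packing serial number against the batch range and lists the root of the mounted mbed disk for autorun.inf and RECYCLER without opening any file. The function names and the mount point you pass in are assumptions, and the sample disk in demo() is constructed.

```python
import os
import re
import tempfile

# Batch range and indicator names come from the notice above.
AT_RISK_FIRST, AT_RISK_LAST = 1226, 2356
INDICATORS = {"autorun.inf", "recycler"}


def serial_at_risk(serial):
    """Return True if a packing serial such as 'MBED-2334' is in the audited batch."""
    m = re.fullmatch(r"\s*MBED-(\d+)\s*", serial, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a packing serial number: {serial!r}")
    return AT_RISK_FIRST <= int(m.group(1)) <= AT_RISK_LAST


def scan_root(mount_point):
    """List the root of the mbed disk; nothing is opened or executed.

    Names are compared case-insensitively because Windows treats
    AUTORUN.INF and autorun.inf as the same file.
    """
    entries = sorted(os.listdir(mount_point))
    found = [e for e in entries if e.lower() in INDICATORS]
    # The notice keys on autorun.inf: if it is absent, the problem doesn't exist.
    infected = any(e.lower() == "autorun.inf" for e in found)
    return {
        "indicators": found,
        "infected": infected,
        # If infected, the notice says to delete everything on the disk;
        # MBED.HTM is restored after a power cycle.
        "to_delete": entries if infected else [],
    }


def demo():
    """Scan a constructed directory standing in for the mounted disk."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("MBED.HTM", "AUTORUN.INF"):
            open(os.path.join(root, name), "w").close()
        os.mkdir(os.path.join(root, "RECYCLER"))
        return scan_root(root)


if __name__ == "__main__":
    print(serial_at_risk("MBED-2334"))
    print(demo())
```

The script only reports; deleting the listed entries is left as a manual step.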
If you do find your board to be infected, we would be very grateful if you could email us the MBED-xxxx Serial Number to email@example.com to help validate our records. If you have any questions, please do not hesitate to contact us.
What else are we doing?
We are working with distributors to audit all stock we can find from this batch, to limit as much as possible the numbers that get out to users in the first place. Whilst the problem only impacted a production test machine for a short time and is no longer a problem, we have also taken steps to ensure this can't happen again. We are moving from Windows to Linux-based test machines, and have ensured our manufacturers have the appropriate processes in place to upgrade test software.
This is a problem that shouldn't have occurred in the first place, so please accept our apologies that it has. We believe we are doing everything appropriate to address it, and will continue to do so to ensure it won’t happen again.
Finally, a big thank you to all the companies and people who have worked so quickly with us to identify the problem and put in place all the logistics to resolve it.
Last week I released a set of updates to the mbed website. Many of these are a direct response to suggestions/requests made in the forums. There is now a dedicated forum for requests/suggestions/bug reports - Bugs & Suggestions - please keep them coming!
There is also a public bug/wish list.
Here's a quick summary of what changed:
- Multiple forum support
- Forum now tracks which posts you have read
- You now have the option of auto-subscribing to topics/pages you comment on - found in your Account Settings area
- Added RSS feeds for just about everything
- Activity area now split by type
- Improved format of alert emails
- Reformatted date display on the site so the dates are useful regardless of local timezone
- Several other bugfixes and behind the scenes improvements/changes.
Please note that this update only covers the website and not the online compiler IDE, which will be the subject of a forthcoming update.
Since launch, the mbed manufacturing elves have been putting in their overtime and it looks to be paying off; Digikey, Future and Farnell have caught up on their backlog and are all now showing mbed in stock!
So if you are a discerning geek, or know someone who is, perhaps this year an mbed is the perfect late Christmas gift. Get one on order today and start inventing your own gadgets. Maybe even next year's hit Xmas gadget?!
And while we're talking Christmas, here are a couple of festive mbed projects to inspire you:
If you are working on a festive project, make sure you write it up and we'll share it with everyone.
mbed may only be 2 months old, but things are going really well so we're planning for the future; that means we're looking for people to join the team!
We've set up a jobs page which lists more details on the roles we're looking for, but here is the summary:
- A ninja microcontroller coder to work with us on libraries, middleware, toolchains, etc; this is a Full Time role, starting as a Contractor with a view to employment
- Undergraduates or recent graduates to work on peripheral hardware, libraries and projects using mbed to pro-actively support our users; this would be as 3-12 month full-time internships
An important note: We're based in Cambridge, UK, so please only apply if you are from the area, or willing to commute or move here!
For the full details, and the links to apply, take a look at the mbed jobs page.
Please pass this on if you know someone you'd recommend who could be interested.
It has been really great to see the response that the mbed Microcontroller form-factor has been getting. We spent a lot of time researching, testing and trialing prototypes to end up with what we have now, and it is good to know the effort was worthwhile. On our wall are all the different mbed prototypes, and it is funny to look at e.g. the one that is 2-eurocards big, and see how our thinking changed over time as we tried things out in the field. I'll perhaps write them up at some point...
But we do still sometimes get asked why mbed doesn't have a screen? Or a certain connector? Or a flavour-of-the-month peripheral chip? There are obviously lots of factors why we haven't gone that route, and here is a good example of one of those reasons.
Check out this mbed-compatible baseboard that Embedded Artists have just announced:
Looking at the specs, it's got an OLED screen, SPI SD card socket and Flash, I2C port expander, accelerometer and light sensor, joystick, push button and rotary switches, XBee, Ethernet and CAN sockets. Sounds like a great mix of peripherals.
We've used Embedded Artists stuff before and always been very pleased with the quality, so whilst we haven't got hold of one yet so can't fully comment, if you want to try it out yourself it looks like you can pre-order the Embedded Artists baseboard and get it some time in January.
Great job EA!