
Is there something in the USB spec that requires the internal processor to be updatable? Couldn't they just lock the firmware down at the factory?


There's nothing in the USB spec that requires an internal processor at all. USB is a wire protocol only. Obviously it happens that complicated wire protocols are most sanely implemented in software, so most devices have CPUs and firmware. But that's a fact of engineering expedience and not spec compliance.


I guess it depends on your definition of processor, but a finite state machine is certainly necessary to use USB.


The firmware could be locked down, but doing so is inconvenient for the manufacturers.

For example, I believe that the firmware flashing allows for easy configuration of the USB storage size, so there's no need to hard-code values in the hardware. As a result, you can easily re-use components and repurpose them as needed.

It might also be used for mapping out bad sectors during device testing? That way you can stuff low quality flash storage into a USB stick and then blank out the bad parts during testing. This could be more difficult to do if the firmware isn't easily updateable.


It could still be locked out before being sent to market as a final step, something like an internal fuse in an EPROM being blown in such a way that the only way to re-access the "manufacturer" bits would be to get a new chip.


Tricky part is finding a bug in the firmware after release. If locked out, then can't update the stuff in the warehouses. Would need to scrap all parts in inventory, potentially costing hundreds if not thousands of dollars.


The logical thing to do, then, is making the firmware inaccessible once it's been used by the final user. Adding a fuse that breaks once the 5V from the user computer is sensed for the first time, for example.


How do you define "user computer"? We run a bazillion tests on our stuff during manufacturing. Stuff is plugged in/out of Windows boxes over and over on the manufacturing line.

It's hard to tell where that "last step" might be. Boxing? Shrink wrapping? Delivery to Amazon's warehouses?

Our ASICs have efuses to disable insecure firmware changes. (Need insecure fw updates during fw development.) During dev we wind up having to scrap parts because we blew the fuse prematurely.

It's a tough logistical problem.


Haven't read the spec, but yes they can.

I know several common USB devices that actively prevent field upgrades of their firmware for security reasons, an example would be the Yubikey (http://www.yubico.com/faq/upgrade-yubikey-firmware/).


No, there's nothing in the USB spec that requires the internal processor to be updatable. The headline is clickbait.

To get this to work, you need to solder wires onto the USB flash drive's PCB, and then program a "burner" firmware image into the microcontroller. Only then can you remove the wires, and further program its firmware over USB. The stock firmware for nearly any USB device would never allow itself to be upgraded over USB.

This strategy allows you to give someone a malicious flash drive that enters keyboard commands into the computer (this has been done before), or infects the computer by pretending to be a device whose driver has a security flaw. It would not allow you to infect the other USB devices connected to that computer, because they don't have burner firmware.


I think you're wrong: as I understand it, many of the consumer USB sticks can be flashed over USB. No soldering required.


Yes, you're right - I've done some more research on the GitHub site, and figured out how they do it. The burner image can be sent to RAM over USB, to cause the microcontroller to boot from it. Then, that burner is used to flash the malicious firmware image.


I can spot Wired articles just by the title now



