The USB standards board has a unique opportunity in front of them: the upcoming Type C plugs — which, as I understand it, can replace the Type A sockets on the computers themselves.
The standards board could coincide the release of the new plugs with a “repaired” standard (call it v3.2 or even USB4) for the communication bus. This would break some backward compatibility on old computers, but the new plugs wouldn't exactly fit in them without assistance either. (Perhaps C->A adaptors could include bridges that, while themselves prone to the vulnerability, would provide a compatibility layer.)
It would be a rough pill to swallow, but the inevitable disruption of both changes to the standard (new plugs, and a backward-compatibility-breaking security update) would be condensed to one event, and consumers would be able to easily identify safe USB devices. That's a huge win.
How would you actually fix it? Ban HID devices from being plugged into a USB hub at all? Because outside of that I haven't heard of any proposals, and that is frankly unworkable given how many devices are designed with a single USB port under the assumption that you can HUB-in more.
An OS level policy is what I think would be best. Notify the user, "Did you just insert a USB keyboard?", and wait for their approval to enable the HID.
This can be worked upon, e.g., automatically allowing the first keyboard and pointer devices, or allowing all devices if the user feels lucky etc.
One large problem I see, that can be rectified by perhaps only the USB standard-setters, is whitelisting. Currently, the best handles are the idVendor and idProduct properties, but a BadUSB can easily spoof those too. Cryptographic signatures for identification are what I'm thinking would be best.
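As an added illustration of the policy sketched in the comment above (this is example code written for this page, not anything from the thread or from any operating system), the following simulates an OS-level HID authorization layer: the first keyboard and first pointer are enabled automatically, any further HID interface stays disabled until the user approves it, and an "allow everything" switch covers the user who feels lucky. Devices are modelled as plain records of their interface descriptors, so it runs offline; the vendor/product IDs and the devices themselves are constructed, and the class/protocol constants are the standard USB HID boot-interface codes. It also shows why a whitelist keyed on idVendor/idProduct adds nothing here: a spoofed device carrying a trusted keyboard's IDs is indistinguishable from the real one, so the policy decides on what the device claims to be and how many of that kind are already present, never on the IDs.

```python
"""Simulated OS-level authorization policy for USB HID interfaces (constructed example)."""
from dataclasses import dataclass
from enum import Enum

# Standard USB codes: HID class, boot-interface subclass, and the two boot protocols.
HID_CLASS = 0x03
HID_BOOT_SUBCLASS = 0x01
HID_PROTO_KEYBOARD = 0x01
HID_PROTO_MOUSE = 0x02
MASS_STORAGE_CLASS = 0x08


class Decision(Enum):
    ALLOW = "allow"  # interface is enabled
    ASK = "ask"      # interface stays disabled until the user confirms it
    DENY = "deny"    # user refused the interface


@dataclass(frozen=True)
class Interface:
    bInterfaceClass: int
    bInterfaceSubClass: int = 0
    bInterfaceProtocol: int = 0


@dataclass(frozen=True)
class Device:
    idVendor: int      # constructed values below; easily spoofed, so never trusted
    idProduct: int
    interfaces: tuple  # tuple[Interface, ...] from the configuration descriptor


class HidPolicy:
    """Auto-allow the first keyboard and pointer; ask for every other HID interface."""

    def __init__(self, allow_all: bool = False):
        self.allow_all = allow_all
        self.have_keyboard = False
        self.have_pointer = False
        self.events = []  # audit trail of (decision, idVendor, idProduct)

    @staticmethod
    def hid_interfaces(dev: Device):
        return [i for i in dev.interfaces if i.bInterfaceClass == HID_CLASS]

    def _enable(self, dev: Device) -> Decision:
        # Record which kinds of input device are now present so that a later
        # keyboard or pointer, even one hidden inside a "storage" device, is questioned.
        for i in self.hid_interfaces(dev):
            if i.bInterfaceProtocol == HID_PROTO_KEYBOARD:
                self.have_keyboard = True
            elif i.bInterfaceProtocol == HID_PROTO_MOUSE:
                self.have_pointer = True
        self.events.append((Decision.ALLOW, dev.idVendor, dev.idProduct))
        return Decision.ALLOW

    def on_insert(self, dev: Device) -> Decision:
        """Called when a device enumerates; returns what to do with its HID interfaces."""
        hid = self.hid_interfaces(dev)
        if not hid:
            return Decision.ALLOW  # storage, audio, etc. are outside this policy
        if self.allow_all:
            return self._enable(dev)
        kb, ptr = self.have_keyboard, self.have_pointer
        for i in hid:
            if i.bInterfaceProtocol == HID_PROTO_KEYBOARD and not kb:
                kb = True          # first keyboard so far: fine
            elif i.bInterfaceProtocol == HID_PROTO_MOUSE and not ptr:
                ptr = True         # first pointer so far: fine
            else:
                # A second keyboard/pointer, or a generic HID interface: hold it
                # and prompt "Did you just insert a USB keyboard?".
                self.events.append((Decision.ASK, dev.idVendor, dev.idProduct))
                return Decision.ASK
        return self._enable(dev)

    def user_answer(self, dev: Device, approved: bool) -> Decision:
        """Resolve a pending ASK with the user's reply."""
        if approved:
            return self._enable(dev)
        self.events.append((Decision.DENY, dev.idVendor, dev.idProduct))
        return Decision.DENY


def whitelist_check(whitelist: set, dev: Device) -> bool:
    """ID-based whitelist, kept only to show that spoofed IDs pass it unchanged."""
    return (dev.idVendor, dev.idProduct) in whitelist


if __name__ == "__main__":
    policy = HidPolicy()
    keyboard = Device(0x1234, 0x0001, (Interface(HID_CLASS, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD),))
    print(policy.on_insert(keyboard))  # first keyboard: allow
    # A "flash drive" that also presents a second keyboard interface.
    stick = Device(0x1234, 0x0003, (Interface(MASS_STORAGE_CLASS, 0x06, 0x50),
                                    Interface(HID_CLASS, HID_BOOT_SUBCLASS, HID_PROTO_KEYBOARD)))
    print(policy.on_insert(stick))     # second keyboard: ask the user
```

The point of the `whitelist_check` helper is the negative result: a device that copies the trusted keyboard's idVendor/idProduct passes the whitelist exactly as the genuine keyboard does, whereas `HidPolicy` still returns ASK for it because a keyboard is already attached.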
Many devices have internal hubs as well. My notebook chains one external USB interface through two nested internal hubs (the deepest of which also controls the mouse and keyboard) before it even gets to the physical port; the other USB port goes through yet another hub. There are three hubs in total in the system before even plugging in anything external. A rule like this would kill all of my existing HID devices except for my webcam, which is the only device directly connected to the USB host.
Fits with the coincidental marketing of "USB condoms" which now seem like an extra good idea where charging is the goal.
Makes me now wonder about the infection potential of a lot of USB powered devices. I could imagine a lot of "dumb" devices incidentally using a vulnerable controller chip, even if the application of USB is purely for power. Maybe most USB powered devices have a safe / invulnerable way of sipping power? Anyone familiar with USB power-only devices want to comment?