The Qubes Documentation on Anti-Evil-Maid states:
Given the practical feasibility of attacks like BadUSB and revelations regarding pervasive government hardware backdoors, this is no longer a straightforward decision. New, factory-sealed USB drives cannot simply be assumed to be “clean” (e.g., to have non-malicious microcontroller firmware). Therefore, it is up to each individual Qubes user to evaluate the relative risk of each attack vector against his or her security model.
I wouldn’t put it past contemporary governments (i.e. US, China, Russia) to try and put backdoors in USBs manufactured in their countries or the firmware used on those USBs. But I also wouldn’t expect them to have the bureaucracy or technical skills necessary to accomplish this, en masse, since USBs were first invented.
Is it possible to fix a certain date or year(s) before which USBs manufactured in certain, perhaps more trustworthy, nations can be trusted to probably not come with a hardware or firmware backdoor? Hopefully by the time USB 3.0 came around, but USB 2.0 even?
For example, I’d trust the USB 2 drive I got in 2011 much more than one I got today. Has this perceived trust ever been grounded in news reports, or other (factual?) information?
Has the Free Software Foundation or GNU Project developed a Free USB? I know they have a Free (but hard to find) firmware called Gnuk for PGP smart cards.