USB devices and the computers their users connect them to are vulnerable to malicious code that can totally take over a user’s computer, manipulate files stored on the drive and redirect Internet traffic.
Security researchers Karsten Nohl and Jakob Lell first demonstrated the attack this summer at the Black Hat security conference in Las Vegas where they showed a large crowd how their malware embeds itself in the firmware that allows USB devices to communicate with computers, .
Nohl and Lell did not publish their code, called BadUSB, for fear that it would be used for nefarious purposes; but now two other researchers have opened Pandora’s Box.
At last week’s Derbycon hacker conference two other researchers, Adam Caudill and Brandon Wilson demonstrated that they’d reverse engineered the BadUSB malware and then published it on Github for anyone to see.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill said at Derbycon. “If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
Caudill’s statement highlights a philosophical split among security researchers: those who elect to keep the flaws they find under wraps in order to protect the public directly, and others, who believe publishing their software exploits is the best way to put pressure on the industry to fix security flaws quickly.
In an interview with Wired, Caudill said even if this particular flaw isn’t being used by garden variety hackers already, he believes well-funded organizations, like the NSA, may already have the capability and are using it.
“You have to prove to the world that it’s practical, that anyone can do it … That puts pressure on the manufactures to fix the real issue,” Caudill said. “If this is going to get fixed, it needs to be more than just a talk at Black Hat.”
Because the malware is stored on the device’s firmware, which controls the basic functionality of the device, it’s very difficult to detect and can’t even be deleted by clearing the storage contents. Caudill also demonstrated how the malware can be used to hide files and secretly disable password-protected security features.
Before last week’s demonstration Nohl told Wired that he considered this exploit to be basically unpatchable. In order to mitigate against these types of attacks, he said, the entire security architecture would have to be rebuilt from the ground up with code that cannot be changed without the manufacturer’s signature. Even then, he said, it could take more than a decade to get rid of vulnerable devices and smooth out all the new bugs.
Both research teams reverse engineered the firmware from USB devices made by Phison, a Taiwanese company and one of the largest USB device makers. Even if you don’t use Phison devices yourself, your computer is still vulnerable, especially if you swap files with other users or happen to pick up a new free thumb drive at a business conference.