A few months ago, white hat security expert Karsten Nohl of SR Labs revealed that computer USB devices are wide open to malware attack through a hole named “BadUSB.” Nohl held off on releasing the code behind the vulnerability at the time. But now, at the DerbyCon hacking conference in Louisville, Kentucky, computer security researchers Adam Caudill and Brandon Wilson have made the decision to release full details about BadUSB to the public.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the DerbyCon audience. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
According to Caudill and Wilson’s research, a hacker could use a readily available USB microcontroller to impersonate a keyboard and run any number of dangerous, data-stealing commands on any computer it's plugged into. Because of the nature of BadUSB, the attack would not be caught by a computer’s anti-virus program, nor would traces of it be left behind afterward. In short, BadUSB can turn any USB storage stick into a weapon.
One of the most worrying aspects of BadUSB is that the vulnerability is not easily patched. Many USB devices would require major redesigns, and some currently in use might never be secured. Full protection against BadUSB could take many years, if not a decade. “It’s unfixable for the most part,” Nohl admitted.
Releasing the code behind BadUSB to the public is a double-edged sword. On the one hand, it gives hackers the information they need to readily exploit it, which significantly increases the risk to the public. But at the same time, shedding light on the security vulnerability makes it easier for researchers to come up with defenses against it. It also sends a strong message that USB is not secure and pressures device makers to fix the issue with haste.
How can you stay safe? Exploiting BadUSB would require an infected USB device to be physically attached to your computer. It makes sense, then, to use extreme caution when dealing with USB devices (thumb drives, etc.) of unknown origin. Only use USB storage devices you know to be new and untouched by others, if possible.
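As an added example (not from the researchers' release or the original article), the Python check below looks at the interface classes each attached USB device reports on Linux and flags a storage device that also presents a keyboard, as well as any keyboard missing from a local allowlist. The allowlist and the sample device IDs are constructed. Because a device's firmware chooses the IDs it reports, a device that presents only a keyboard under an allowlisted ID would pass this check.

```python
"""Flag USB devices that present a keyboard interface unexpectedly."""
from pathlib import Path

MASS_STORAGE = 0x08                 # USB interface class: mass storage
BOOT_KEYBOARD = (0x03, 0x01, 0x01)  # HID class, boot subclass, keyboard protocol
ATTRS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def assess(device, allowed_keyboards):
    """Return a list of findings for one device record."""
    ifaces = device["interfaces"]
    has_keyboard = BOOT_KEYBOARD in ifaces
    has_storage = any(cls == MASS_STORAGE for cls, _, _ in ifaces)
    findings = []
    if has_keyboard and has_storage:
        findings.append("storage device also presents a keyboard")
    if has_keyboard and device["id"] not in allowed_keyboards:
        findings.append("keyboard not on allowlist")
    return findings

def read_sysfs(root="/sys/bus/usb/devices"):
    """Build device records from Linux sysfs; empty if the path is absent."""
    devices = []
    for dev in Path(root).glob("*"):
        if ":" in dev.name or not (dev / "idVendor").exists():
            continue  # skip interface nodes and entries without a vendor ID
        vendor = (dev / "idVendor").read_text().strip()
        product = (dev / "idProduct").read_text().strip()
        ifaces = [tuple(int((intf / a).read_text().strip(), 16) for a in ATTRS)
                  for intf in dev.glob(dev.name + ":*")]
        devices.append({"id": f"{vendor}:{product}", "interfaces": ifaces})
    return devices

# Constructed sample records (IDs are placeholders, not real products).
ALLOWED = {"aaaa:0001"}
SAMPLE = [
    {"id": "aaaa:0001", "interfaces": [(0x03, 0x01, 0x01)]},   # known keyboard
    {"id": "bbbb:0002", "interfaces": [(0x08, 0x06, 0x50)]},   # plain thumb drive
    {"id": "cccc:0003", "interfaces": [(0x08, 0x06, 0x50),
                                       (0x03, 0x01, 0x01)]},   # drive + keyboard
]

def report(devices, allowed=ALLOWED):
    """Map device ID to its findings, keeping only devices with findings."""
    results = {d["id"]: assess(d, allowed) for d in devices}
    return {ident: f for ident, f in results.items() if f}

if __name__ == "__main__":
    for ident, findings in report(read_sysfs() or SAMPLE).items():
        print(ident, "->", "; ".join(findings))
```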