"BadUSB" Is Pretty Bad - And The Code Is Now Out
The so-called BadUSB firmware vulnerability seems to be pretty dire, and now the exploit code is available on Github. Given that this is reportedly an "unpatchable" vulnerability and potentially affects all manner of USB devices, putting it "out there" seems like an extraordinarily bad idea.
Previously, it was demonstrated by Karsten Nohl and Jakob Lell at the Black Hat security conference in Las Vegas, showcasing that the firmware of USB devices made by Taiwanese electronics manufacturer Phison could be injected with undetectable, unfixable malware.
Crucially, however, Nohl did not release the code used for the exploit at the time. But Caudill and Wilson have subsequently made the decision to release fuller details about BadUSB at the recent DerbyCon hacking conference in Louisville, Kentucky.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill said to the audience at DerbyCon. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
The vulnerability functions by modifying USB device firmware, hiding malicious code in USB sticks and other devices in a way that is undetectable. Even wiping the contents of a device doesn’t work, and Wired called the vulnerability “practically unpatchable.”
Once a USB device is infected, it will attempt to infect anything it connects to, or any USB stick that comes into it.Lumension