Science and Tech


Critical USB Hack Goes Public; How Bad Is The Risk?

Security researchers have published some of the code behind a firmware exploit which can turn USB devices into malware.
Posted at 11:01 PM, Oct 04, 2014

Because we just didn't have enough tech security problems to worry about, computer science researchers have just published a potentially catastrophic security exploit. It's ubiquitous, it's nearly impossible to fix, and it's all thanks to these little devices.

The problem first came to light several months ago, when a pair of researchers, Karsten Nohl and Jakob Lell, unveiled BadUSB, a way to transform common USB devices into malware-laden attack vectors which could hijack any computer they were attached to.

The firmware-based exploit involves altering the very nature of how a USB device communicates with a computer — which meant traditional malware detectors wouldn't pick up on the attacks, and countering the threat would be nearly impossible. (Video via Vimeo / Offensive Security)

When they first revealed BadUSB, the hackers declined to reveal how they made the malware, citing security reasons. But another pair of researchers has now reverse-engineered the hack — and they've opened up their work to the public.

Adam Caudill and Brandon Wilson have made some of the code behind their version of BadUSB freely available on GitHub. The hackers say they're publishing their work so the community can come up with a solution.

ADAM CAUDILL VIA YOUTUBE / ADRIAN CRENSHAW"If you're going to say something, if you're going to prove that there's a flaw, you need to release the material so people can defend against it."

But The Verge notes a fix is likely to require "a full update to the USB standard itself, which means years of insecurity. However the industry responds, we're likely to be living with it for a long, long time."

It's also possible we've already been living with this problem: BadUSB looks a bit like COTTONMOUTH, a National Security Agency product revealed during the Snowden leaks which hijacks USB devices.

Now that the instructions for building BadUSB attacks are out in the wild, it's possible malicious hackers could start building these types of attacks. So, should we freak out?

In a blog post, Caudill stated his release is just a harmless demo, and doesn't contain anything that might enable malware. "The kind of people that have what it takes to do this, could do it regardless of our release. ... I firmly believe that by releasing this code, the risk to the average user isn't increased at all."

And Mashable notes there are a few basic ways to guard against BadUSB attacks — for one thing, don't let suspicious or untrusted USB sticks anywhere near your computer. It's also possible to lock USB port use on Windows systems, or by using endpoint security software.

Boing Boing's Cory Doctorow has a slightly more apocryphal bit of advice — apparently, someone with high-level connections to the U.S. intelligence community told Doctorow "the spooks he worked with would only trust USB thumb-drives from one vendor, a U.S.-based firm that had been vetted by American spies."

So, y'know, if you can find that vendor, you should be safe from most black-hat USB attacks! Until then, it's probably better to not put anything in your computer if you don't know where it's been.

This video includes images from Nrbelex / CC BY SA 3.0MOS6502, Evan-Amos.