Source Code For Bad USB Malware Released

Chuck Bednar for redOrbit.com – Your Universe Online
BadUSB, the critical security flaw that could allow hackers to smuggle malware onto devices undetected, has been reverse engineered and a version of its source code has been released.
The malware, which SR Labs security consultants Karsten Nohl and Jakob Lell revealed at the Black Hat security conference in Las Vegas in August, cannot be detected by scans because it targets the minuscule controller chips that run USB equipment such as a mouse, keyboard or flash drive.
Nohl and Lell demonstrated a proof-of-concept of the malware at the Black Hat conference, showing how it could be installed on a USB device to completely take over a computer, secretly change files installed from a memory stick or even redirect Internet traffic – and the attack would be undetectable by computer security software and would be difficult to fix, according to Wired’s Andy Greenberg.
Because it resides in the controller firmware rather than in the flash memory, Greenberg said, the attack could remain hidden long after the contents of a flash drive appear to have been deleted, highlighting the potential dangers of sharing USB devices. Given the destructive nature of the threat and the inability to detect potentially harmful USB devices, Nohl and Lell opted against publicly releasing the source code for the malware.
Last week, however, independent security researchers Adam Caudill and Brandon Wilson demonstrated during a joint presentation at the Derbycon hacker conference in Louisville, Kentucky that they had reverse-engineered the same USB firmware as Nohl and Lell, and had successfully reproduced some of the properties of BadUSB.
Unlike the SR Labs researchers, however, Caudill and Wilson have published their code and demonstrated potential uses for it on the code-hosting service GitHub, “raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable,” Greenberg wrote on Thursday.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience, according to Greenberg. He added that the decision was “largely inspired” by Nohl and Lell’s decision not to release their material, and that if a security research team was “going to prove that there’s a flaw,” he felt that they needed “to release the material so people can defend against it.”
Caudill and Wilson, who declined to name who they were working for, said that publicly releasing the USB attack code would allow penetration testers to experiment with the technique, the Wired reporter said. They also said that releasing the exploit was the only way to prove that USB devices are nearly impossible to secure in their current form, and to pressure USB makers to change their current, apparently flawed security structure.
“If this is going to get fixed, it needs to be more than just a talk at Black Hat,” Caudill told Greenberg during a follow-up interview. He claimed that the USB trick is most likely already available to NSA officials and other government agencies, and that those organizations could already be secretly using it.
“If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it. You have to prove to the world that it’s practical, that anyone can do it… That puts pressure on the manufacturers to fix the real issue,” he added. “People look at these things and see them as nothing more than storage devices. They don’t realize there’s a reprogrammable computer in their hands.”
Russell Brandom of The Verge also explained that fixing the problem will not be easy. Since the vulnerability allows attackers to reprogram USB firmware, preventing it would require a new layer of security around that firmware, which in turn would require a massive update to the USB standard itself.
“However the industry responds, we’re likely to be living with it for a long, long time. In the meantime, any time you plug a USB drive into your computer, you’ll be opening up a huge vector of attack,” he added. “Unless you can track a device’s provenance from the factory to your computer, the only real protection [is] avoiding USB drives and devices at every turn. … It’s an extreme response, but not an unreasonable one.”