BadUSB: The unfixable flaw that infects USB devices is now on the loose

“It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware,” Andy Greenberg reports for Wired. “Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.”

“In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks,” Greenberg reports. “And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.”

“‘The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,’ Caudill told the Derbycon audience on Friday. ‘This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it,’” Greenberg reports. “In an earlier interview with WIRED ahead of his Black Hat talk, Berlin-based Nohl had said that he wouldn’t release the exploit code he’d developed because he considered the BadUSB vulnerability practically unpatchable. (He did, however, offer a proof-of-concept for Android devices.) To prevent USB devices’ firmware from being rewritten, their security architecture would need to be fundamentally redesigned, he argued, so that no code could be changed on the device without the unforgeable signature of the manufacturer. But he warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard’s bugs and pull existing vulnerable devices out of circulation. ‘It’s unfixable for the most part,’ Nohl said at the time.”

Much more in the full article here.

Related article:
Why the security of USB is fundamentally broken and cannot be fixed – July 31, 2014

16 Comments

1. Actually, FireWire is worse, as the protocol has a bunch of nice ways to DMA data to and from memory. Basically, you have to trust whatever you are plugging into your computer, whether it be USB, FireWire, Thunderbolt and even PCI cards.

2. I assume this also affects microUSB?

   The next time the Euro Commission tries to persuade Apple to replace the iPhone Lightning port with a microUSB port, Apple can bring up security.

3. The comments in the article are very informative. Several industry professionals give long, detailed reasons why there are a lot of problems with the article. One big thing: this is about thumb drives, not all USB devices. Not even all thumb drives. I learned a lot today.

   1. So in other words, don’t go sticking USB drives you find on the ground in your computer. (This was an actual method used to get spyware onto government computers.)

      ——RM

4. The company I work for has a simple policy regarding connection of USB devices to their network (HIPAA compliant):

   Connect a device and get fired. Seriously.

   If you bring your own, it connects to a completely separate network.

5. Let’s bring back even FireWire 400.
   Better, faster, more stable, no edispu nwod plugging it in..
   and SECURE.
   *sigh* Short-sighted cheapness won the day, and again, like the flaws in Windoze, we Mac users are stuck with the lesser tech full of holes..
