The seriousness of a USB security weakness, which could potentially allow hackers to reprogram USB drives, has been ratcheted up a notch, with the release of prototype code.
Researchers Karsten Nohl and Jakob Lell, from German security skunkworks SR Labs, demonstrated how it might be possible to reprogram the firmware within some flash drives with malicious code at the Black Hat conference in Las Vegas, back in July. They dubbed the attack BadUSB.
Then just last week, Adam Caudill and Brandon Wilson went one step further during a talk at the DerbyCon hacker conference in Louisville, Kentucky, by not only demonstrating the flaw but also publishing proof of concept code on Github. The move was designed to push USB makers into formulating a fix.
The release of the prototype code that accompanied Caudill and Wilson's Making BadUSB Work For You talk is controversial, as Nohl previously described BadUSB as practically unmatchable. Caudill argues that the security community and manufacturers need to know exactly how bad the problem is, and what form it takes, in order to build defences.
We believe all of this should be public, Caudill told DerbyCon delegates Wired reports. "It shouldn’t be held back. So we’re releasing everything we’ve got."
"This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it," he added.
Both pieces of research came from reverse engineered USB firmware. The threat of malicious USB thumb drives more generally has been well understood for years, even giving rise to the observation from cyber security types that USB devices are "plug and prey" (a security-themed spin on "plug and play").
"The idea of re-flashing the firmware of devices such as PCs bios or HIDs for malicious purposes has been around for some time now," said Egemen Tas, engineering veep at Comodo Group. "For example, fraudsters have been using hacked firmware to sell USB drives which shows higher storage capacity than they actually have."
Moreover, intelligence agencies have been modifying USB controller firmware to hide and encrypt data within USB drives, added Tas. "It is only a natural evolution that somebody would make use of the same technique for malicious purposes."
BadUSB is nastier than typical malware that might happen to infect a USB drive. For one thing, it's capable of infecting anything based on a compatible micro-controller. Moreover, it's also a lot stealthier (especially in its capability to avoid detection by anti-virus scanners) than conventional malware. ®