BadUSB malware has been released to the world, and it cannot be fixed.
To quote our great golden robot god: We’re doomed.
BadUSB is a form of undetectable, heinous malware that was first demonstrated during the Black Hat security conference back in August. Security researchers Karsten Nohl and Jakob Lell demoed their reverse-engineered USB firmware, then showed how malware could come into play. The malware (or BadUSB, as it’s being called) resides in the standard’s firmware, which means it can reside on devices like USB thumb drives, then pass from machine to machine.
Once the compromised USB devices (which would carry reprogrammed firmware) interact with a terminal, the hacking options are various — one notable hack is taking complete control of a keyboard remotely. Due to its firmware-level nature, the exploit is nearly impossible to fix; a solution would require a redesign of the USB specification — not an easy task for the world’s most ubiquitous peripheral and storage connector.
The silver lining with BadUSB, at the time, was that Nohl and Lell did not release their findings to the world — while they demoed their findings at Black Hat, they kept the code under wraps in order to give manufacturers time to come up with a solution. But now that the grace period is over, another security-minded duo has reverse-engineered the USB firmware, and released their findings to the world.
Speaking at Derbycon in Louisville, Kentucky last week, Adam Caudill and Brandon Wilson showed the revealed code, and have now posted it on GitHub. Caudill and Wilson published the code in order to force the hand of major USB players, as they think a legitimate solution won’t come until the threat is recognized as real by hardware manufacturers.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” said Caudill during the Derbycon convention. “This was largely inspired by the fact that [Nohl and Lell] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
This USB vulnerability is considered un-fixable by some (including Nohl) because of how many USB devices are out in the world. New firmware security measures can be written to patch the vulnerability, but USB devices sold over the last ten-plus years would still be at risk.
While BadUSB and the vulnerabilities in USB firmware are only now publicly known, Caudill told Wired that the flaw was likely “already available to highly resourced government intelligence agencies like the NSA.” And while it’s fashionable to mention the NSA whenever computer security is mentioned, Caudill is not blowing smoke here. Various security agencies in the United States, and the world over, pay good money to hackers for unknown (to the public) exploits, which can be filed away to use at a later date. Many of these exploits aren’t even on a given developer or manufacturer’s radar, as the NSA and others pay to keep them a secret.