Don’t plug strange USB sticks into your computers. Don’t do it. A pair of hackers just made public the code for super scary malware that takes advantage of a fundamental flaw in USB firmware. They didn’t do this to be mean, but you can be sure some evil hackers will use it to be mean.
The malware in question is very similar to the so-called BadUSB attack we saw a couple of months ago. Security researchers Karsten Nohl and Jakob Lell basically reversed engineered USB firmware so that they could create virtually undetectable malware that can’t be patched. In brief, BadUSB can “be installed on a USB device to completely take over a PC, invisibly alter files installed from the memory stick, or even redirect the user’s internet traffic.”
Given the tremendous danger of this kind of thing getting out into the wild—literally, any computer with a USB port would be an easy target—Nohl and Lell opted to keep the code a secret. But now, researchers Adam Caudill and Brandon Wilson have more or less copied the BadUSB attack and uploaded the code to GitHub for all to download. This sounds very scary, but it might actually be a good thing.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the audience of a hacker conference last week. “This was largely inspired by the fact that [Nohl and Lell] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
They do have a point. Now the onus is on USB makers to fix the vulnerability. This is no easy ask, especially since Nohl said that BadUSB was “unfixable for the most part,” when he explained the exploit at the Black Hat conference in July. Since anybody can get their paws on the new BadUSB clone, there’s definitely a strong incentive to figure out a fix.