Two months ago, security researcher Karsten Nohl demonstrated an attack he called BadUSB. Nohl showed that it was possible to corrupt any USB device with undetectable malware; because of the severity of the problem, he did not release his notes to the public. Now, two other researchers believe that they have been able to replicate Nohl’s findings. However, they have elected to release this information on GitHub in the hopes that it will spark USB manufacturers into taking security more seriously.
Researchers Adam Caudill and Brandon Wilson showed that they have reverse engineered the BadUSB firmware that could be potentially used to perpetrate an attack at the Derbycon security conference. The code they used is now available to the public, which they intended to assist security firms in defending against the possible attack vector. Unfortunately, there is always the chance that malicious hackers will adopt the research for their own use.
Caudill told Wired magazine that releasing the information is not as damaging as people fear. He argues that it is likely that highly resourced government agencies are already aware of the exploit, and have potentially been using it against civilian targets. Caudill intends to demonstrate that this is a practical problem that can be used by anyone, and that it should be a priority for manufacturers to seal off the problem.
Nohl, who had originally discovered BadUSB, did not release his own data because he believes the problem to be unpatchable. The fundamental security architecture of USB would have to be rewritten to prevent devices from being used as potential carriers of the malware. Not only that, it could take decades for manufacturers to catch up and replace all the devices that are now vulnerable to the issue.
It should be noted that BadUSB is considered such a severe problem that even Caudill and Wilson have not released all their findings. The two are still debating whether it is safe to allow the world to know the details of the more debilitating problems of the USB security issue.