BadUSB, a thus far undetectable and unstoppable means of delivering malware via the ubiquitous USB port, was first announced to the world in July by Karsten Nohl, a researcher with SR Labs, who discovered that it’s possible to load malware onto any USB device. BadUSB hides not in the flash memory of the device but in the firmware that controls the device’s basic function, allowing the malicious code to remain hidden, out of reach of malware-detection regimes and immune to any conceivable software patch.
At the demonstration, Nohl and his research partner, Jakob Lell, showed that the problem is not limited to thumb drives: any device that interfaces over USB can be corrupted, from mice and keyboards to smartphones. Once a BadUSB device is connected to a computer, the tasks it can perform are virtually limitless, from software replacement and initiation of commands to hijacking internet traffic. Basically anything that a keyboard can do, which is to say nearly everything the computer can do, can be controlled by malware piggybacked in the USB device’s firmware.
Confirming that a USB device’s firmware has not been tampered with is nearly impossible, and thus far manufacturers have resisted implementing safeguards. A pair of enterprising hackers, Adam Caudill and Brandon Wilson, reverse-engineered BadUSB and demonstrated it last week at the Derbycon hacker conference. They also published the code of their USB firmware hack on GitHub, officially releasing it into the wild.
At their presentation, Caudill said that the reason they got involved with this reverse-engineering project was SR Labs’ reticence to publish the exploit themselves, stating: “This was largely inspired by the fact that they didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
For now, all USB devices should be treated as suspect, as the BadUSB exploit works from USB to computer and from computer to USB device, making any USB device that has ever been used in a device not known to be clean a potential vector of attack.
To prevent USB devices’ firmware from being rewritten the way BadUSB does, their security architecture would need to be completely redesigned. With literally millions upon millions of USB devices in circulation, BadUSB has the makings of a truly catastrophic malware epidemic.