Unpatchable BadUSB code is now publicly available

Graham Cluley @gcluley

How sweet would it be to plug and play USB devices without the fear of viruses, malware and other security threats?

It’s everyone’s dream to own 100% foolproof USB devices for their file storage and transfer routine. It’s fascinating to think about, but it simply isn’t gonna happen with the raft of current USB-related security threats.

Because even if a USB stick has been completely wiped, and contains no files, it could still pose a threat to your organisation.

I am highlighting an exploit recently spotlighted by two security researchers: Adam Caudill and Brandon Wilson of SR Labs. They reverse-engineered the USB firmware that powers millions of devices, which could enable hackers to inject malicious code into computers.


What’s interesting and worrying at the same time is that the researchers have released the code on Github, a site accessible to any internet user.

The vulnerability goes by the name “BadUSB”.

It’s been only two months since I wrote about the initial discovery of the so-called “BadUSB” vulnerability.

Previously, it was demonstrated by Karsten Nohl and Jakob Lell at the Black Hat security conference in Las Vegas, showcasing that the firmware of USB devices made by Taiwanese electronics manufacturer Phison could be injected with undetectable, unfixable malware.

Crucially, however, Nohl did not release the code used for the exploit at the time. But Caudill and Wilson have subsequently made the decision to release fuller details about BadUSB at the recent DerbyCon hacking conference in Louisville, Kentucky.

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill said to the audience at DerbyCon. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

The vulnerability functions by modifying USB device firmware, hiding malicious code in USB sticks and other devices in a way that is undetectable. Even wiping the contents of a device doesn’t work, and Wired called the vulnerability “practically unpatchable.”

Once a USB device is infected, it will attempt to infect anything it connects to, or any USB stick that is plugged into it.

The researchers point out that hackers could use a USB microcontroller to impersonate a keyboard on a computer and run data-stealing commands. In this way an attacker would only need a few seconds access to a computer to instruct it to follow a sequence of commands which could lead to data being stolen, security disabled, or malware installed.

Because of the nature of BadUSB, the attack would go undetected, even if an anti-virus program is installed on the system the device is attached to, and may not leave any traces.
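A device that impersonates a keyboard still has to declare a keyboard interface to the host when it is plugged in, and that declaration can be inspected. The following is an added example, not code from the article or from the researchers: a Linux heuristic that reads the interface class codes from sysfs and reports any device declaring both mass storage and a keyboard. The sysfs path is the standard Linux location; the sample tree and its vendor/product IDs are constructed for illustration.

```python
import os
import re
import tempfile

HID, MASS_STORAGE = "03", "08"   # USB base class codes (bInterfaceClass)
KEYBOARD = "01"                  # HID bInterfaceProtocol: keyboard
IFACE_DIR = re.compile(r"^(\d+-[\d.]+):\d+\.\d+$")  # e.g. "1-2:1.0"

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip().lower()
    except OSError:
        return ""

def scan(sysfs_root="/sys/bus/usb/devices"):
    """Return (device, vid:pid) for devices exposing storage AND a keyboard."""
    devices = {}
    for name in sorted(os.listdir(sysfs_root)):
        m = IFACE_DIR.match(name)
        if m:
            base = os.path.join(sysfs_root, name)
            iface = (_read(os.path.join(base, "bInterfaceClass")),
                     _read(os.path.join(base, "bInterfaceProtocol")))
            devices.setdefault(m.group(1), []).append(iface)
    findings = []
    for dev, ifaces in devices.items():
        if (HID, KEYBOARD) in ifaces and any(c == MASS_STORAGE for c, _ in ifaces):
            ids = ":".join(_read(os.path.join(sysfs_root, dev, f))
                           for f in ("idVendor", "idProduct"))
            findings.append((dev, ids))
    return findings

def build_sample_tree(root):
    """Constructed sysfs-style tree (IDs are made up) for offline testing."""
    sample = {"1-1": ("aaaa", "0001", [("08", "50")]),                # plain stick
              "1-2": ("bbbb", "0002", [("08", "50"), ("03", "01")]),  # stick + keyboard
              "1-3": ("cccc", "0003", [("03", "01")])}                # plain keyboard
    for dev, (vid, pid, ifaces) in sample.items():
        files = {f"{dev}/idVendor": vid, f"{dev}/idProduct": pid}
        for i, (cls, proto) in enumerate(ifaces):
            files[f"{dev}:1.{i}/bInterfaceClass"] = cls
            files[f"{dev}:1.{i}/bInterfaceProtocol"] = proto
        for rel, val in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(val + "\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

This only catches a device that declares storage and a keyboard at the same time; a reprogrammed device that declares only a keyboard looks like any other keyboard to this check, so it complements rather than replaces a policy on which devices may be attached.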

As the vulnerability can’t be easily patched, many USB devices could need major redesigns, and the current ones might never be secure.

Nohl admits “it’s unfixable for the most part,” and full protection could take years, even decades.

It’s also notable that Edward Snowden’s revelations showed that the NSA owns a spying device called ‘Cottonmouth’ that utilizes a USB vulnerability to relay information and monitor computers, an indication of the potential danger of the vulnerability.


Releasing the BadUSB code on GitHub means that hackers have access to readily available information to carry out exploits, which significantly increases the risk to consumers. However, this release would also help researchers speed up endeavors to come up with defenses.

USB devices manufactured by Taiwanese company Phison have already been labelled as vulnerable. Security researchers have contacted the company, but the manufacturer denied the attack was possible. That said, it would require a complete redesign by Phison and other USB manufacturers to secure devices against the vulnerability.

The researchers stated they are working on another exploit that would inject malware into files invisibly as they are copied from a USB device to a PC. By hiding a USB-infecting function in the malware, it would be possible to quickly spread malware using any USB stick that is connected to a computer and back to any new USB plugged into the infected PC.

Of course, in that scenario, you would hope that traditional anti-virus software running on the computers would be able to detect malware-infected files residing on the infected PC – if not on the USB device itself.

“There’s a tough balance between proving that it’s possible and making it easy for people to actually do it,” Caudill says. “There’s an ethical dilemma there. We want to make sure we’re on the right side of it.”

Personally, I wish that Caudill and Wilson had found a way of raising awareness about this security vulnerability without giving criminals the blueprints required to exploit it. There’s a real danger that hackers could exploit the flaw more quickly because of the information that they have released.

But with the cat now out of the bag, we should all be putting pressure on USB manufacturers to get their act together, or many many folks will be potentially exposed. I also recommend caution when dealing with USB devices; where possible, only use devices that are untouched by others.

This article originally appeared on the Optimal Security blog.


Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.