Code That Exploits Inherent USB Flaw Shared with the World on Github
A couple months back we discussed the inherent security flaw present in all USB devices. Apparently all USB devices are capable of masquerading as another kind of device, given the “Universal” nature of the Universal Serial Bus (USB) interface. This means that a flash drive for example could technically pose as a keyboard or mouse, thereby inputting typing and mousing commands into the host computer
This problem has actually been known about for quite some time in the tech community. However, back in July of this year a pair of researchers from SRLabs showed off a special type of malware they had created to exploit the USB flaw at the Black Hat Security Conference in Las Vegas, once again bringing the issue to the forefront of the tech community. Now another pair of researchers have released a similar code on GitHub, available for any hacker to download.
Advanced USB Malware Free to the Masses
Given that, up until recently, researchers had not released the malware code to the public, we haven't really seen an influx of amateur hackers using it. Unfortunately, that could all change now that a couple of researchers have decided to go beyond what the team at SRLabs did – instead of just showing what their code can do, they've released the source code for the USB malware on GitHub. This gives anyone in the world access to code that has a lot of raw hacking potential on its own.
At the recent Derbycon hacker's convention, researchers Brandon Wilson and Adam Caudill showed off the fact that they had reverse engineered the malware shown off by SRLabs months earlier. They demonstrated that they were able to perform the same types of hacks done by the original BadUSB malware. They also announced that the code is now publicly available for anyone to download from GitHub, via the Psychson repository.
Helping to Protect, Or Increasing Vulnerability?
It seems that making such code publicly available on a source code repository like GitHub could be a huge mistake, giving hackers access to code that could make USB devices even more vulnerable than they already are.
However, during his Derbycon presentation Adam Caudill said he believes that the information should be made public and not held back, with the logic being - if you're going to tell people there is a flaw, any material related to that flaw and how it works should be released so that individuals and companies can adequately defend against similar or identical exploits.
In a follow-up interview after the convention, Caudill discussed the fact that the NSA may already be using the exploit. He also explained that if the NSA and other high budget organizations are the only ones that are able to use the exploit then manufacturers won't be under much pressure to fix the problem.
On the other hand, with the code being publicly available and people demonstrating that it can be practically done on a widespread basis, manufacturers will be under more pressure to do something about it.
If you'd like to learn more on the subject, we found the complete Derbycon presentation entitled "Making BadUSB Work For You" on YouTube:
