Code to exploit fundamental USB flaw posted on Github

Shawn Knight



Remember that fundamental USB security flaw that a pair of researchers unearthed back in July? You know, the one that allegedly affects every single USB device in the wild and for which there is no fix. While they did publicly demonstrate the flaw using a piece of malware they created called BadUSB, the duo elected not to release the code.

A couple of other researchers, however, decided to throw caution to the wind by posting code for a similar attack on Github.

During the recent Derbycon hacker convention, researchers Adam Caudill and Brandon Wilson revealed that they were also able to reverse engineer the USB firmware that Karsten Nohl and Jakob Lell spoke of a few months ago.

As Wired points out, they were able to reproduce some of the same nefarious actions we saw with the BadUSB malware.

Making such code available to the public seems like a pretty bad idea at first glance but as Caudill told those in attendance at Derbycon, their belief is that all of this should be public and shouldn’t be held back. If you’re going to prove there’s a flaw, you need to release the material so people can defend against it, he added.

In a follow-up interview, Caudill echoed a similar sentiment expressed by University of Pennsylvania computer science professor Matt Blaze. If you recall, Blaze suggested the attack may already be in use by the NSA. Caudill believes that if the only people who can use it are those with significant budgets, manufacturers will never do anything about it. Proving to the world that it is practical and anybody can do it puts pressure on manufacturers to fix it, he said.


 
Releasing malicious code for public consumption... yet it makes sense in this crazy world. Well explained in the last two paragraphs.
 
It's like releasing a deadly disease and saying "then they'll build up an immunity".
 
"If you’re going to prove there’s a flaw, you need to release the material so people can defend against it, he added." As ridiculous as this sounds, he is actually right. Good point.
 
No fix? bunk: there's always time to "do it over"

The presentation of a USB device must be treated the same as the presentation of any unknown program: you have to authenticate before you execute.

This requirement has been generally ignored by the computer industry since the microprocessor took over from the mainframe. "Back in the day" when programs were sent on reels of 1/2" tape, authentication was accomplished using traditional pen and ink on the package labels and enclosed transmittals.

On the net you have to use PGP digital signatures.
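As an added illustration of the "authenticate before you execute" idea in the comment above (example code, not from the article or from either research team), this Python script models how the Linux kernel's per-device USB authorization could be driven by policy: it walks a sysfs-style tree, checks each device's vendor:product against an allow-list, and separately flags a device that enumerates both a mass-storage and a HID (keyboard-class) interface, which is what a reprogrammed thumb drive would present. The directory layout and the two sample devices are constructed; on a real host the root would be /sys/bus/usb/devices, and the second sample shows why an ID allow-list alone is not enough, since the IDs come from the same reprogrammable firmware.

```python
"""Allow-list plus interface-class check for USB devices, modelled on the Linux
sysfs layout (constructed: `root` mirrors /sys/bus/usb/devices, each device dir
holds idVendor/idProduct and one sub-dir per interface with bInterfaceClass)."""
import tempfile
from pathlib import Path

MASS_STORAGE, HID = "08", "03"  # USB interface class codes (hex)


def read(path: Path) -> str:
    return path.read_text().strip().lower() if path.exists() else ""


def interface_classes(dev: Path) -> set[str]:
    """Class code of every interface directory under a device directory."""
    return {read(p) for p in dev.glob("*/bInterfaceClass")}


def assess(root: Path, allow: set[tuple[str, str]]) -> list[dict]:
    """One verdict per device under `root`; entries without idVendor (interface
    symlinks at the top level of sysfs) are skipped. `authorize` maps onto the
    kernel's per-device `authorized` flag (0 = bind no drivers)."""
    findings = []
    for dev in sorted(root.iterdir()):
        if not (dev / "idVendor").exists():
            continue
        ident = (read(dev / "idVendor"), read(dev / "idProduct"))
        classes = interface_classes(dev)
        reasons = []
        if ident not in allow:
            reasons.append("vendor:product not on allow-list")
        if MASS_STORAGE in classes and HID in classes:
            reasons.append("storage device also enumerates a HID interface")
        findings.append({"device": dev.name, "id": ":".join(ident),
                         "authorize": not reasons, "reasons": reasons})
    return findings


def build_demo_tree(root: Path) -> None:
    """Constructed sample: a plain stick, and a stick with the same (spoofable)
    IDs that additionally presents a keyboard-class interface."""
    for name, vid, pid, ifaces in [("1-1", "1234", "abcd", [MASS_STORAGE]),
                                    ("1-2", "1234", "abcd", [MASS_STORAGE, HID])]:
        (root / name).mkdir()
        (root / name / "idVendor").write_text(vid + "\n")
        (root / name / "idProduct").write_text(pid + "\n")
        for n, cls in enumerate(ifaces):
            iface = root / name / f"{name}:1.{n}"
            iface.mkdir()
            (iface / "bInterfaceClass").write_text(cls + "\n")


def demo() -> list[dict]:
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(Path(tmp))
        return assess(Path(tmp), allow={("1234", "abcd")})


if __name__ == "__main__":
    print(*demo(), sep="\n")
```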
 
It's like releasing a deadly disease and saying "then they'll build up an immunity".
It's not really like that at all. It's more like, "the baddies have this, you should have it too, and the makers of these things need to address this. And this might spur them on."
 
It's like releasing a deadly disease and saying "then they'll build up an immunity".
It's not really like that at all. It's more like, "the baddies have this, you should have it too, and the makers of these things need to address this. And this might spur them on."
Yeah, and before the manufacturers are able to fix millions of devices already in use, the bad guys will be able to cause a lot of pain to users, a vast majority of them not tech-savvy enough to even know this vulnerability exists.
Which do you think is easier: create an exploit when you already have the sample code, or create a fix for it (you're on your own)?
 
How can I get the code for the USB flaw? I just want to analyse it in order to broaden my knowledge, and maybe I can also design a solution for it.
 