Remember that fundamental USB security flaw that a pair of researchers unearthed back in July? You know, the one that allegedly affects every single USB device in the wild and for which there is no fix. While they did publicly demonstrate the flaw using a piece of malware they created called BadUSB, the duo elected not to release the code.
A couple of other researchers, however, decided to throw caution to the wind by posting code for a similar attack on GitHub.
During the recent Derbycon hacker convention, researchers Adam Caudill and Brandon Wilson revealed that they were also able to reverse engineer the USB firmware that Karsten Nohl and Jakob Lell spoke of a few months ago.
As Wired points out, they were able to reproduce some of the same nefarious actions we saw with the BadUSB malware.
Making such code available to the public seems like a pretty bad idea at first glance, but as Caudill told those in attendance at Derbycon, their belief is that all of this should be public and shouldn’t be held back. If you’re going to prove there’s a flaw, you need to release the material so people can defend against it, he added.
In a follow-up interview, Caudill echoed a similar sentiment expressed by University of Pennsylvania computer science professor Matt Blaze. If you recall, Blaze suggested the attack may already be in use by the NSA. Caudill believes that if the only people who can use it are those with significant budgets, manufacturers will never do anything about it. Proving to the world that it is practical and anybody can do it puts pressure on manufacturers to fix it, he said.