By Stan Schroeder, 2014-10-03 13:49:36 UTC

BadUSB is a dangerous USB security flaw that allows attackers to turn a simple USB device into a keyboard, which can then be used to type malicious commands into the victim’s computer.

It was first detailed at this year’s Black Hat conference by security researcher Karsten Nohl; now, it has been released to the public for all to (mis)use.

Originally, Nohl decided not to release the BadUSB code publicly, fearing that the exploit could not be easily fixed.

“These problems can’t be patched. We’re exploiting the very way that USB is designed,” he told Wired in July.

But security researchers Adam Caudill and Brandon Wilson, who presented their findings at last week’s DerbyCon conference in Louisville, Kentucky, have managed to hack the USB firmware in a similar way to Nohl and his team at SR Labs — and they’ve released the code to the public via GitHub.

How it works

BadUSB revolves around the fact that many different devices plug into the same USB connectors. By hacking the code of the USB micro-controller of an “innocent” device, like a USB memory stick, you can turn it into something far more capable, such as a keyboard or a network card. Stick the device into a computer and it could execute commands or even a malicious program without the owner knowing.

This is made worse by the fact that malware scanners cannot access the firmware running on USB devices, meaning they cannot fix the problem.
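An added example, not code from the article or from the researchers: a scanner cannot read a device's firmware, but the host can still inspect the interface classes a device announces when it is plugged in. This sketch flags a storage device that also presents a keyboard or network interface, or one that later re-enumerates as such; the record format, function names and sample events are assumptions constructed for illustration.

```python
# Added example: host-side review of what USB devices announce at enumeration.
# All records below are constructed sample data, not captured from real hardware.
MASS_STORAGE, HID, CDC, CDC_DATA = 0x08, 0x03, 0x02, 0x0A  # USB-IF class codes
KEYBOARD_PROTOCOL = 0x01  # bInterfaceProtocol value for a keyboard

def roles(interfaces):
    """Map (class, subclass, protocol) interface triples to coarse roles."""
    found = set()
    for cls, _sub, proto in interfaces:
        if cls == MASS_STORAGE:
            found.add("storage")
        elif cls == HID and proto == KEYBOARD_PROTOCOL:
            found.add("keyboard")
        elif cls in (CDC, CDC_DATA):  # coarse: CDC also covers modems
            found.add("network")
    return found

def review(events):
    """Return (index, reason) for each enumeration event worth an analyst's look."""
    seen = {}       # (vid, pid, serial) -> roles announced so far
    findings = []
    for i, ev in enumerate(events):
        key = (ev["vid"], ev["pid"], ev["serial"])
        now = roles(ev["interfaces"])
        risky = now & {"keyboard", "network"}
        if "storage" in now and risky:
            findings.append((i, "storage device also announces " + ", ".join(sorted(risky))))
        earlier = seen.get(key, set())
        new = risky - earlier
        if earlier and new:
            findings.append((i, "known device re-enumerated as " + ", ".join(sorted(new))))
        seen[key] = earlier | now
    return findings

SAMPLE_EVENTS = [  # constructed
    {"vid": 0x1111, "pid": 0x0001, "serial": "A1", "interfaces": [(0x08, 0x06, 0x50)]},
    {"vid": 0x2222, "pid": 0x0002, "serial": "K9", "interfaces": [(0x03, 0x01, 0x01)]},
    {"vid": 0x1111, "pid": 0x0001, "serial": "A1", "interfaces": [(0x03, 0x01, 0x01)]},
    {"vid": 0x3333, "pid": 0x0003, "serial": "C7",
     "interfaces": [(0x08, 0x06, 0x50), (0x02, 0x06, 0x00)]},
]

if __name__ == "__main__":
    for index, reason in review(SAMPLE_EVENTS):
        print(index, reason)
```

Reprogrammed firmware also controls the vendor ID, product ID and serial number it reports, so a check like this is a heuristic that catches careless role changes, not proof that a device is clean.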

Adam Caudill provided an explanation of the core of the issue in his DerbyCon presentation.

“When a user looks at a thumb drive, what they perceive is nothing more than a storage device. But that’s obviously an oversimplification,” he said there. “It’s effectively a computer — a programmable computer […] It can be programmed to be anything.”


The danger in it

The fact that BadUSB code is available on GitHub means that anyone with sufficient knowledge can hack a USB device in a similar way.

Caudill and Wilson’s code allows for several types of attacks, including the aforementioned “fake keyboard” trick, as well as disabling a USB device’s data password protection or hiding a malicious program inside the USB micro-controller’s firmware.

The researchers claim their intentions are good.

“This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it,” Caudill said at DerbyCon.

Is there a fix?

Caudill and Wilson are hoping USB manufacturers will now start looking into the issue seriously. Meanwhile, they’re working on a much more dangerous type of exploit — one that could inject malware into files as they’re copied from a USB device to a computer and back — but still aren’t sure whether they will release that one to the public.

Unfortunately, developing a fix might prove to be a painfully long process, which probably involves changing the very foundations of the USB standard. For the average user, the best bet for now is to avoid sticking unknown USB devices into your computer.
