Unpatchable BadUSB code is now publicly available

Graham Cluley

How sweet would it be to plug and play USB devices without the fear of viruses, malware and other security threats?

It’s everyone’s dream to own 100% foolproof USB devices for their file storage and transfer routine. Fascinating to think about, but it simply isn’t gonna happen given the raft of current USB-related security threats.

Because even if a USB stick has been completely wiped, and contains no files, it could still pose a threat to your organisation.

I am highlighting an exploit recently spotlighted by two security researchers: Adam Caudill and Brandon Wilson of SR Labs. They reverse-engineered the USB firmware that powers millions of devices, which could enable hackers to inject malicious code into computers.


What’s interesting and worrying at the same time is that the researchers have released the code on Github, a site accessible to any internet user.

The vulnerability goes by the name “BadUSB”.


It’s been only two months since I wrote about the initial discovery of the so-called “BadUSB” vulnerability.

Previously, it was demonstrated by Karsten Nohl and Jakob Lell at the Black Hat security conference in Las Vegas, showcasing that the firmware of USB devices made by Taiwanese electronics manufacturer Phison could be injected with undetectable, unfixable malware.

Crucially, however, Nohl did not release the code used for the exploit at the time. But Caudill and Wilson have subsequently made the decision to release fuller details about BadUSB at the recent DerbyCon hacking conference in Louisville, Kentucky.

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill said to the audience at DerbyCon. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

The vulnerability functions by modifying USB device firmware, hiding malicious code in USB sticks and other devices in a way that is undetectable. Even wiping the contents of a device doesn’t work, and Wired called the vulnerability “practically unpatchable.”

Once a USB device is infected, it will attempt to infect anything it connects to, or any USB stick that is plugged into the same machine.

The researchers point out that hackers could use a USB microcontroller to impersonate a keyboard on a computer and run data-stealing commands. In this way an attacker would only need a few seconds’ access to a computer to instruct it to follow a sequence of commands which could lead to data being stolen, security disabled, or malware installed.

Because of the nature of BadUSB, the attack would go undetected, even if an anti-virus program is installed on the system the device is attached to, and may not leave any traces.
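Anti-virus looks at files, but the keyboard-impersonation trick described above still shows up in the host’s USB enumeration: a device that registers as mass storage and, moments later, as a HID keyboard. The following is an added defensive example (not code from the article or from the researchers) that scans dmesg-style lines for exactly that pattern; the log lines and vendor/product IDs are constructed for illustration.

```python
import re

# Constructed sample of Linux kernel (dmesg-style) USB lines; IDs are made up.
SAMPLE_LOG = """\
usb 1-2: new high-speed USB device number 5 using xhci_hcd
usb 1-2: New USB device found, idVendor=1234, idProduct=abcd
usb 1-2: Product: Flash Drive
usb-storage 1-2:1.0: USB Mass Storage device detected
input: Flash Drive as /devices/pci0000:00/usb1/1-2/1-2:1.1/input/input9
hid-generic 0003:1234:ABCD.0002: input,hidraw1: USB HID v1.10 Keyboard [Flash Drive] on usb-0000:00:14.0-2/input1
usb 1-3: New USB device found, idVendor=5678, idProduct=0001
usb 1-3: Product: Desktop Keyboard
hid-generic 0003:5678:0001.0003: input,hidraw2: USB HID v1.11 Keyboard [Desktop Keyboard] on usb-0000:00:14.0-3/input0
usb 1-4: New USB device found, idVendor=1234, idProduct=0100
usb-storage 1-4:1.0: USB Mass Storage device detected
"""

# One regex per event type we care about: enumeration, storage binding, keyboard binding.
USB_NEW = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
STORAGE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
HID_KBD = re.compile(r"^hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
                     r".*Keyboard \[(?P<name>[^\]]*)\]")

def parse_usb_events(log):
    """Return {port: {"id": "vid:pid", "classes": set()}} built from dmesg-style lines."""
    devices, id_to_port = {}, {}
    for line in log.splitlines():
        m = USB_NEW.match(line)
        if m:  # a new device on this port; remember its vid:pid so HID lines can be tied back
            dev_id = f"{m['vid']}:{m['pid']}".lower()
            devices[m["port"]] = {"id": dev_id, "classes": set()}
            id_to_port[dev_id] = m["port"]
            continue
        m = STORAGE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["classes"].add("mass_storage")
            continue
        m = HID_KBD.match(line)
        if m:  # hid-generic reports vid:pid in upper-case hex, so normalise before lookup
            port = id_to_port.get(f"{m['vid']}:{m['pid']}".lower())
            if port:
                devices[port]["classes"].add("keyboard")
    return devices

def find_suspicious(devices):
    """Ports where a single device enumerated as both storage and a keyboard."""
    return sorted(p for p, d in devices.items() if {"mass_storage", "keyboard"} <= d["classes"])

if __name__ == "__main__":
    devs = parse_usb_events(SAMPLE_LOG)
    for port in find_suspicious(devs):
        print(f"port {port} ({devs[port]['id']}): storage device also registered a keyboard")
```

On the sample input only port 1-2 is flagged; the plain keyboard on 1-3 and the plain flash drive on 1-4 are left alone.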

As the vulnerability can’t be easily patched, many USB devices could need major redesigns, and the current ones might never be secure.

Nohl admits “it’s unfixable for the most part,” and full protection could take years, even decades.

It’s also notable that Edward Snowden’s revelations showed that the NSA owns a spying device called ‘Cottonmouth’ that utilizes a USB vulnerability to relay information and monitor computers, an indication of the potential danger of the vulnerability.


Releasing the BadUSB code on GitHub means that hackers have access to readily available information to carry out exploits, which significantly increases the risk to consumers. However, this release would also help researchers speed up endeavors to come up with defenses.

USB devices manufactured by Taiwanese company Phison have already been labelled as vulnerable. Security researchers have contacted the company, but the manufacturer denied the attack was possible. Even so, securing devices against the vulnerability would require a complete redesign by Phison and other USB manufacturers.

The researchers stated they are working on another exploit that would inject malware into files invisibly as they are copied from a USB device to a PC. By hiding a USB-infecting function in the malware, it would be possible to spread it quickly from any infected USB stick to the computer it is connected to, and from the infected PC back to any new USB device plugged into it.

Of course, in that scenario, you would hope that traditional anti-virus software running on the computers would be able to detect malware-infected files residing on the infected PC – if not on the USB device itself.

“There’s a tough balance between proving that it’s possible and making it easy for people to actually do it,” Caudill says. “There’s an ethical dilemma there. We want to make sure we’re on the right side of it.”

Personally, I wish that Caudill and Wilson had found a way of raising awareness about this security vulnerability without giving criminals the blueprints required to exploit it. There’s a real danger that hackers could exploit the flaw more quickly because of the information that they have released.

But with the cat now out of the bag, we should all be putting pressure on USB manufacturers to get their act together, or many, many folks could be exposed. I also recommend caution when dealing with USB devices; where possible, only use devices that are untouched by others.

This article originally appeared on the Optimal Security blog.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
