A pair of hackers have just released the code for malware that exploits vulnerabilities in USB devices, allowing the program to invisibly, and completely, take control of your computer.
The malware in question is very similar to badUSB, which appeared earlier in the year, according to Gizmodo. Citing the threat that the malware posed to any USB equipped device, researchers Karsten Nohl and Jakob Lell decided to keep the code under wraps. As Wired noted, the malware, once installed on a USB device’s firmware, could completely take over a computer, invisibly rewriting files or even redirecting the machine’s internet traffic.
— Lance Ulanoff (@LanceUlanoff) October 3, 2014
Now, researchers Adam Caudill and Brandon Wilson have essentially copied the badUSB malware, posting the code to GitHub, where all can download it. According to Caudill, who spoke at a hacker conference last week, their motivation was to force USB makers to correct the vulnerability.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” he said. “This was largely inspired by the fact that [Nohl and Lell] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
— Gizmodo (@Gizmodo) October 2, 2014
The pair also demonstrated some of the various uses for the malware, including one attack which allows an infected device to gain control of a computer’s keyboard input, as The Verge notes.
Ahead of a talk at the Black Hat conference, Nohl, who is based in Berlin, said that he wouldn’t release the badUSB malware because he considered the USB vulnerability essentially unrepairable. As Wired points out, he argued that in order for USB devices to prevent their firmware from being rewritten, their entire security architecture would need to be redesigned. He warned that it could take as long as a decade to iron out bugs in the USB standard and remove compromised, malware-infected devices from circulation.
“It’s unfixable for the most part,” he said. “But before even starting this arms race, USB sticks have to attempt security.”
The USB standard has been used to compromise computer systems before, as the Inquisitr has previously noted, yet the depth of this issue is far more widespread, affecting nearly every device that utilizes USB, not only drives.
— Olivia Solon (@olivia_solon) October 3, 2014
“People look at these things and see them as nothing more than storage devices,” Caudill noted. “They don’t realize there’s a reprogrammable computer in their hands.”
If users can’t track the history of their device from the factory, experts admit that the only real protection from the malware is avoiding USB devices at every turn.
[Image: Alex Washburn via Wired]