It’s been just two months since researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas, showing that it’s possible to corrupt any USB device with insidious, undetectable malware. Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl’s fellow researchers aren’t waiting any longer.
In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they’ve reverse engineered the same USB firmware as Nohl’s SR Labs, reproducing some of Nohl’s BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on GitHub, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
The two independent security researchers, who declined to name their employer, say that publicly releasing the USB attack code will allow penetration testers to use the technique, all the better to prove to their clients that USBs are nearly impossible to secure in their current form. And they also argue that making a working exploit available is the only way to pressure USB makers to change the tiny devices’ fundamentally broken security scheme.
“If this is going to get fixed, it needs to be more than just a talk at Black Hat,” Caudill told WIRED in a follow-up interview. He argues that the USB trick was likely already available to highly resourced government intelligence agencies like the NSA, who may already be using it in secret. “If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he says. “You have to prove to the world that it’s practical, that anyone can do it… That puts pressure on the manufacturers to fix the real issue.”
Like Nohl, Caudill and Wilson reverse engineered the firmware of USB microcontrollers sold by the Taiwanese firm Phison, one of the world’s top USB makers. Then they reprogrammed that firmware to perform disturbing attacks: In one case, they showed that the infected USB can impersonate a keyboard to type any keystrokes the attacker chooses on the victim’s machine. Because it affects the firmware of the USB’s microcontroller, that attack program would be stored in the rewritable code that controls the USB’s basic functions, not in its flash memory—even deleting the entire contents of its storage wouldn’t catch the malware. Other firmware tricks demonstrated by Caudill and Wilson would hide files in that invisible portion of the code, or silently disable a USB’s security feature that password-protects a certain portion of its memory.
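One defensive check that follows from the keyboard-impersonation point above, added here as an example and not code from the article or from the researchers’ release: it reads udev-style device properties (the device records are constructed samples, and the `ID_USB_INTERFACES` format of `:ccsspp:` triplets is udev’s real one) and flags a mass-storage device that also enumerates a HID interface, which is what a thumb drive reprogrammed to type keystrokes looks like to the host.

```python
# Constructed sample udev property sets for three hotplugged devices (not real
# captures): a plain flash drive, an ordinary keyboard, and a flash drive that
# also presents a keyboard interface, the BadUSB pattern described above.
# Vendor/product ids are placeholders.
SAMPLE_EVENTS = [
    {"DEVPATH": "/devices/pci0000:00/usb1/1-1", "ID_VENDOR_ID": "1234",
     "ID_MODEL_ID": "0001", "ID_USB_INTERFACES": ":080650:"},
    {"DEVPATH": "/devices/pci0000:00/usb1/1-2", "ID_VENDOR_ID": "1234",
     "ID_MODEL_ID": "0002", "ID_USB_INTERFACES": ":030101:030102:"},
    {"DEVPATH": "/devices/pci0000:00/usb1/1-3", "ID_VENDOR_ID": "1234",
     "ID_MODEL_ID": "0003", "ID_USB_INTERFACES": ":080650:030101:"},
]

# USB interface class codes from the USB spec.
MASS_STORAGE = 0x08
HID = 0x03


def parse_interfaces(prop):
    """Split udev's ID_USB_INTERFACES value (':ccsspp:ccsspp:') into
    (class, subclass, protocol) integer tuples."""
    return [(int(i[0:2], 16), int(i[2:4], 16), int(i[4:6], 16))
            for i in prop.strip(":").split(":") if i]


def is_suspicious(event):
    """A device that exposes both a mass-storage interface and a HID
    interface: a legitimate thumb drive has no reason to act as a keyboard."""
    classes = {cls for cls, _, _ in
               parse_interfaces(event.get("ID_USB_INTERFACES", ""))}
    return MASS_STORAGE in classes and HID in classes


def scan(events):
    """Return vendor:product ids of devices matching the composite pattern."""
    return [f'{e["ID_VENDOR_ID"]}:{e["ID_MODEL_ID"]}'
            for e in events if is_suspicious(e)]


if __name__ == "__main__":
    for vid_pid in scan(SAMPLE_EVENTS):
        print("storage+HID composite device:", vid_pid)
```

This only catches the composite case; a stick whose firmware has been rewritten to drop the storage interface entirely would enumerate as a plain keyboard, so pairing this with a policy that requires approval for any new HID device is the stronger control.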
“People look at these things and see them as nothing more than storage devices,” says Caudill. “They don’t realize there’s a reprogrammable computer in their hands.”
In an earlier interview with WIRED ahead of his Black Hat talk, Berlin-based Nohl had said that he wouldn’t release the exploit code he’d developed because he considered the BadUSB vulnerability practically unpatchable. (He did, however, offer a proof-of-concept for Android devices.) To prevent USB devices’ firmware from being rewritten, their security architecture would need to be fundamentally redesigned, he argued, so that no code could be changed on the device without the unforgeable signature of the manufacturer. But he warned that even if that code-signing measure were put in place today, it could take 10 years or more to iron out the USB standard’s bugs and pull existing vulnerable devices out of circulation. “It’s unfixable for the most part,” Nohl said at the time. “But before even starting this arms race, USB sticks have to attempt security.”
Caudill says that by publishing their code, he and Wilson are hoping to start that security process. But even they hesitate to release every possible attack against USB devices. They’re working on another exploit that would invisibly inject malware into files as they are copied from a USB device to a computer. By hiding another USB-infecting function in that malware, Caudill says it would be possible to quickly spread the malicious code from any USB stick that’s connected to a PC and back to any new USB plugged into the infected computer. That two-way infection trick could potentially enable a USB-carried malware epidemic. Caudill considers that attack so dangerous that even he and Wilson are still debating whether to release it.
“There’s a tough balance between proving that it’s possible and making it easy for people to actually do it,” he says. “There’s an ethical dilemma there. We want to make sure we’re on the right side of it.”