Back in August, during this year’s Black Hat conference, Security Research Labs researchers Karsten Nohl and Jakob Lell warned of a serious flaw in USB devices that they dubbed “BadUSB.” As the duo revealed, hackers can abuse the flaw to reprogram essentially any USB device so that it impersonates other devices and wreaks havoc.
Now, a few months later, a pair of other researchers, Adam Caudill and Brandon Wilson, have published the attack code on GitHub in an attempt to put pressure on USB manufacturers to fix the problem or else leave countless users vulnerable.
During the DerbyCon security conference in Louisville, Kentucky, Caudill took the stage to explain to attendees, “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got. This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
The researchers believe that publicly releasing the USB attack code will enable penetration testers to use the technique, thereby proving to clients that USB devices are nearly impossible to secure in their current form.
“Writing code for these devices is far from easy, especially when trying to patch the existing firmware. It’s not something that just anyone can jump into — while we have made it easier for people to apply simple patches and provided some insight to the process, these aren’t the patches that will lead to a firmware based worm or something of that nature — these are the type of patches that will make small changes to existing features, or add simple new features,” Caudill wrote in a recent blog post. “So, to do anything still requires a lot of knowledge and skill — in general, as I said earlier, the kind of people that have what it takes to do this, could do it regardless of our release.”
So, why release the code? According to the duo, the release is meant to push manufacturers to treat this issue with the seriousness it deserves and to raise user awareness of the fact that as long as users trust devices, attacks will be possible and successful.
“Device manufacturers were quick to dismiss the ‘BadUSB’ threat — on one hand, what was presented at Black Hat was possible via other means, so wasn’t really a new threat — but they showed no indication of trying to address the issues under their control,” Caudill explains.
While it will take years for any changes made by device manufacturers to have an impact because of the number of devices in circulation now, Caudill warns that if they keep ignoring the issue, it will never be improved.
“People look at these things and see them as nothing more than storage devices,” Caudill told Wired. “They don’t realize there’s a reprogrammable computer in their hands.”
Now that attack code for the bug Karsten Nohl calls “unpatchable” has been released to the public, USB security is undoubtedly compromised. Hackers using BadUSB gain a new tool that can dish out serious attacks. This means the only way to address the problem is to add an additional layer of security over the USB firmware.
A USB drive that a user plugs into their computer could already carry an attack, and that attack can’t be avoided unless the user knows exactly where the device has been, from the time of its production in a factory to the time it reaches the current user.
The good news about BadUSB is that there is a cure: Atmel CryptoAuthentication. Hardware crypto engines were invented to protect software, firmware and hardware from exactly these types of attacks, among many others. These uber-tiny, ultra-secure hardware devices can be easily and cost-effectively added to USB sticks (and other peripherals) by manufacturers who are seeking to protect their customers by ensuring that only the proper and intended code is used. Once installed into the peripherals, CryptoAuthentication devices will block the bad code. Period.
Atmel’s experience matters when finding a solution to fight real-world attacks. Isn’t it time you plug with trust?
In conclusion, Caudill asks, “Has this been blown out of proportion?” His answer: “Yes.”