There is a fundamental flaw in the firmware on USB sticks and a pair of hackers has made public the code for really bad malware that takes advantage of that flaw.

In August, at DefCon in Las Vegas, researcher Karsten Nohl demonstrated an attack called BadUSB which proved it is possible to corrupt any USB device with malicious, undetectable malware. Understanding the vast implications of this malware Nohl did not release the code he used in the attack. Unfortunately at DerbyCon last week in Kentucky two other researchers, Adam Caudill and Brandon Wilson, presented a similar exploitation of USB firmware to Nohl’s and in this case Caudill and Wilson published their code, leaving everyone with a USB port at risk. 

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got.“ Caudill said at DerbyCon. He went on to say, “This was largely inspired by the fact that [Nohl, et al] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

While that stance may seem noble, many agree that the logic behind it is flawed.  It is one thing to release findings that they’ve replicated Nohl’s earlier work, and provide the code used directly to the manufacturers to fix the problem; it’s something entirely different to release it to the general public and thereby putting it directly in the hands of cyber criminals who you can bet are already working on ways to use it against unsuspecting victims.

Caudill went on to say in an interview with Wired, “You have to prove to the world that it’s practical, that anyone can do it… That puts pressure on the manufactures to fix the real issue.”

Of course that perspective completely ignores the millions of USB sticks already in circulation that can be exploited.  Nohl addressed this concern when stating he would not release his code.  Nohl estimated that it would take 10 years or more to pull existing vulnerable devices out of circulation.

Nohl, Caudill and Wilson all reverse engineered the firmware of the USB microcontrollers, then reprogrammed that firmware in multiple ways. In one example they had the infected USB stick impersonate a keyboard to type keystrokes on the victim’s machine.

“People look at these things and see them as nothing more than storage devices.” Adam Caudill

Deleting everything on a USB stick wouldn’t remove the malware as it’s code is stored in re-writable code that controls the basic functions of the USB.

So how do you keep your computer protected?  The advice has been out for some time, from security experts, to stop accepting USB sticks as gifts or with company information unless it’s from a trusted source, as the risk has been there for something malicious being previously installed.

Use only trusted USB devices on your computer.

I hate to say it, but it’s a little like your baggage at the airport – did you purchase your USB device, has your USB device been with you at all times, has anyone else used your USB device?

[whohit]BadUSB[/whohit]