The malware code for the BadUSB security flaw discovered in July has been published by security researchers. According to researchers, the move will put pressure on device makers to actually fix the flaw before millions of users have their USB devices and peripherals exploited.
The BadUSB flaw was first detected by Karsten Nohl and Jakob Lell and demonstrated at the Black Hat cyber security conference. Nohl demonstrated how BadUSB security flaw could corrupt any USB device with malware and is virtually undetectable. Now two security researchers – Adam Caudill and Brandon Wilson at Derbycon in Kentucky have discovered the same BadUSB flaw and published their proof-of-concept on Github.
The researchers justified their release and stated in a blog post, "Writing code for these devices is far from easy, especially when trying to patch the existing firmware. It’s not something that just anyone can jump into - while we have made it easier for people to apply simple patches and provided some insight to the process, these aren’t the patches that will lead to a firmware based worm or something of that nature - these are the type of patches that will make small changes to existing features, or add simple new features,” Wilson wrote in a blog post Friday. “So, to do anything still requires a lot of knowledge and skill - in general, as I said earlier, the kind of people that have what it takes to do this, could do it regardless of our release.”
Wilson stated that publishing the code will force manufacturer to treat this issue seriously and will help raise awareness among ordinary users.
“Device manufacturers were quick to dismiss the “BadUSB” threat - on one hand, what was presented at Black Hat was possible via other means, so wasn’t really a new threat - but they showed no indication of trying to address the issues under their control,” he added. “While it will take years for any changes made by device manufactures to have an impact because of the number of devices in circulation now - if they keep ignoring the issue, then it will never be improved.”
Source: Adam Caudill