BadUSB, now public domain.

Published: October 6, 2014 6:00 PM



The BadUSB exploit was revealed at the Black Hat computer security convention by researcher Karsten Nohl on August 7. BadUSB is a problematic USB security issue that was recently released to the public. Mr. Nohl was concerned about the BadUSB exploit and opted not to release it to the public. Later, security researchers Adam Caudill and Brandon Wilson reverse engineered the exploit and presented their findings at the DerbyCon conference in Louisville, Kentucky. They explained how they were able to recreate the same exploit hinted at back on August 7 by Karsten, who had this to say: "The problems can't be patched. The problem is that we're exploiting the very way that USB has been designed."

BadUSB works on the basis that a USB device can impersonate other types of USB devices, regardless of its intended use. Every USB thumb drive has a microcontroller chip that identifies it as a USB device. In a thumb drive, that chip sits between the computer and the memory chip that holds the data. The firmware that runs on this microcontroller can be replaced with an infected firmware update, and the device will then behave differently the next time you plug it into your PC. Instead of identifying as a storage device, it could identify as a keyboard and start running commands of its own, effectively impersonating the user. Those commands can then be used to infect the computer through the virtual keyboard, for example by opening a command prompt and issuing commands. The device will then change itself back to a storage device, and the user won't notice that anything has happened. This is a problem because malware detection software is currently unable to access the firmware on flash drives. Because of this, there appears to be no protection or preventative measure against the BadUSB exploit as of yet.
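As an added example (not from the article or from the researchers' code), one OS-side check for the behaviour described above is to record which interface classes each USB device presents and flag a device that was seen as storage and later enumerates as a keyboard. The event records are constructed, and matching on vendor ID, product ID and serial number assumes the device reports the same identifiers each time.

```python
from collections import defaultdict

USB_CLASS_HID = 0x03           # bInterfaceClass: Human Interface Device
USB_CLASS_MASS_STORAGE = 0x08  # bInterfaceClass: Mass Storage
HID_PROTOCOL_KEYBOARD = 0x01   # bInterfaceProtocol: keyboard

# Constructed sample enumeration events (not real devices):
# (timestamp, vendor_id, product_id, serial, [(class, subclass, protocol), ...])
SAMPLE_EVENTS = [
    ("2014-10-06T09:00:01", 0x1234, 0xABCD, "SN001", [(0x08, 0x06, 0x50)]),
    ("2014-10-06T09:05:12", 0x5678, 0x0001, "KB042", [(0x03, 0x01, 0x01)]),
    ("2014-10-06T11:30:45", 0x1234, 0xABCD, "SN001", [(0x03, 0x01, 0x01)]),
    ("2014-10-06T11:30:49", 0x1234, 0xABCD, "SN001", [(0x08, 0x06, 0x50)]),
    ("2014-10-06T12:00:00", 0x9999, 0x0002, "SN777",
     [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]),
]


def roles(interfaces):
    """Return the set of roles ('storage', 'keyboard') a device presents."""
    found = set()
    for cls, _subclass, protocol in interfaces:
        if cls == USB_CLASS_MASS_STORAGE:
            found.add("storage")
        elif cls == USB_CLASS_HID and protocol == HID_PROTOCOL_KEYBOARD:
            found.add("keyboard")
    return found


def find_suspicious(events):
    """Flag devices that mix or switch between storage and keyboard roles."""
    seen = defaultdict(set)  # (vid, pid, serial) -> roles seen on earlier plug-ins
    alerts = []
    for ts, vid, pid, serial, interfaces in events:
        key = (vid, pid, serial)
        now = roles(interfaces)
        if now == {"storage", "keyboard"}:
            alerts.append((ts, serial, "storage and keyboard on one device"))
        elif "keyboard" in now and "storage" in seen[key]:
            alerts.append((ts, serial, "known storage device now a keyboard"))
        elif "storage" in now and "keyboard" in seen[key]:
            alerts.append((ts, serial, "device switched back to storage"))
        seen[key] |= now
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(*alert)
```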

The researchers, Adam and Brandon, have released the BadUSB code to the public via GitHub. For those who don't know, GitHub is a source code hosting service designed to allow multiple software developers to work on a project without requiring a common network. Representatives from Symantec have reportedly said that anti-virus technology can't inspect the drivers running inside a USB device. Their recommended precautions are to insert only trusted USB devices into your computers, and not to purchase pre-owned USB devices or borrow any, since they could contain harmful software. The last precaution suggested was not to leave your computer or mobile device unattended.

Gary J Davis, Chief Consumer Security Evangelist at security company McAfee, had this to say: "The best practical advice McAfee can give consumers regarding the BadUSB attack is to avoid thumb drives that are not from a credible source. For example, a big box retailer or one they have not previously used. Additionally, we would discourage consumers from using promotional thumb drives that are given away at events. So the threat may remain hidden. Trade show exhibitors long ago gave up handing out pamphlets and folders to show goers. Instead they now favor bowls full of USB sticks pre-loaded with information about their products and services. Many of us simply grab every one of them in sight, knowing that we can wipe the data and reuse them for personal storage. However, what if there's a bowl full of BadUSB drives? Erasing the data will not remove the threat."

It seems the public and security experts are currently up in arms about the threat of this brand new hardware exploit, but is it truly as dangerous as they say? One would think a fix could be developed using permission controls in the OS. Regardless of the threat it poses to the tech world, it's possible we won't know for some time. Given the history of some individuals with these things, the thought of it being in the public domain is a little daunting.


