Researchers release BadUSB attack code

When, two months ago, researchers from German security consultancy SR Labs demonstrated a new and potentially very deadly class of attacks executed via malware injected in the firmware of USB-connected devices, they didn’t want to share the attack code with the public.

“No effective defenses from USB attacks are known. Malware scanners cannot access the firmware running on USB devices. USB firewalls that block certain device classes do not (yet) exist. And behavioral detection is difficult, since a BadUSB device’s behavior when it changes its persona looks as though a user has simply plugged in a new device,” the researchers noted at the time.

“To make matters worse, cleanup after an incident is hard: Simply reinstalling the operating system – the standard response to otherwise ineradicable malware – does not address BadUSB infections at their root.”

They pointed out that this problem can be solved and attacks prevented only if the manufacturers of the controller chips in the devices make it so that firmware can’t be modified by unauthorised parties. Regular users can’t do anything to protect themselves, apart from never using other people’s USB-connected devices, and never loaning theirs to anyone.

SR Labs researchers knew that manufacturers wouldn’t be able to make such a drastic change immediately, and that even if they did, it could take years for all the problems that change would bring to be solved well enough to provide adequate safety to users. So, they didn’t release the attack code.

But Adam Caudill and Brandon Wilson, two independent security researchers, disagree. They believe that this type of attack is likely already in the arsenal of intelligence agencies.

“If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” Caudill told Wired. “You have to prove to the world that it’s practical, that anyone can do it… That puts pressure on the manufacturers to fix the real issue.”

And so they did. Following the same procedure as SR Labs – reverse-engineering the device’s firmware and reprogramming it to contain attack code – they succeeded in replicating the attack.

After presenting their research at the Derbycon hacker conference last week, they released some of the attack code on GitHub.

“If this is going to get fixed, it needs to be more than just a talk at Black Hat,” Caudill pointed out.