BadUSB : The unpatchable and unfixable USB malware

Exactly two months after researcher Karsten Nohl demonstrated an attack he called BadUSB to a standing-room-only crowd at the Black Hat security conference in Las Vegas.  The BadUSB was later demonstrated again by two researchers, Adam Caudill and Brandon Wilson.  Caudill and Wilson presented the vulnerability at Derbycon 4.0 conference last week in Louisville.

What is BadUSB?

The malware which is dubbed BadUSB,  reprograms embedded firmware to give USB devices new, covert and most powerful capabilities. In a demo at Black Hat security conference in Las Vegas, a USB drive was infected and showed its ability to act as a keyboard that surreptitiously types malicious commands into attached computers.

Another USB was similarly be reprogrammed to act as a network card that causes connected computers to connect to malicious sites impersonating Google, Facebook or other trusted destinations. The demo showed that similar hacks could work against Android phones when attached to targeted computers. The malware is so huge that it can work on almost any USB linked devices like Web cams, keyboards, smart phones etc.

BadUSB on Github

Researchers Wilson and Caudill reversed-engineered USB firmware and reprogrammed it to launch various attacks. They then put the code for BadUSB on Github with a intent of letting all the users know abouts its effects.

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

Caudill and Wilson discussed various scenarios where BadUSB can be used.  Prominent among them and most deadliest is the USB device to emulate a keyboard and issue commands on behalf of a logged-in user to exfiltrate data or install malware.

Unpatchable!!!

BadUSB remains unpatchable at the moment.  The reason according to the both the researchers, is that the USB controller chips in peripherals can be reprogrammed to spoof other devices and there’s little or no protection to prevent anyone from doing so.  They also feel that since USBs are mass manufactured these days and it proves that anyone can input the code to insert the malware and take command of any system, perhaps the USB manufacturers will be under pressure to fix it soon.

“If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” Caudill told Wired. “You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufactures to fix the real issue.”

The researchers also hope that putting the code on Github would encourage companies and white hat researchers to find a fix for the malware.

Further tests have determined that almost half the USB devices available as of now are affected with this vulnerability, read more about the test results here.