BadUSB Malware Code Released to the World and There is no Fix

When the BadUSB was demonstrated at the Black Hat conference earlier this year the code to take advantage of the security flaw wasn't released. Now it's been reverse engineered and the researchers who figured it out have released their code on the Internet, which means exploits can't be far behind.

BadUSB security flaw gets released on the InternetBadUSB security flaw gets released on the Internet

Adam Caudill and Brandon Wilson said they've been able to reverse engineer what SR Labs accomplished earlier this year and have been able to duplicate some of BadUSB's exploits. SR Labs chose to keep its code private because the organization saw the flaw as essentially un-patchable. To block BadUSB, the USB standard would need some fundamental changes.

BadUSB adds malicious code to the device's firmware controller instead of storing a virus in more traditional locations, like the flash memory on a USB thumb drive. Most any USB device, from keyboards to mice to computers to smartphones, include firmware that can be reprogrammed, and that's exactly what BadUSB exploits.

Compromised USB devices could potentially copy the exploit to other devices they connect with, and considering how often USB thumb drives are shared, it would be easy to spread BadUSB very quickly.

Mr. Caudill and Mr. Wilson said they decided to release their exploit code because they felt it should be public.

"This was largely inspired by the fact that [SR Labs] didn’t release their material," they said, according to Wired. "If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it."

The problem is that there doesn't seem to be any way to protect against BadUSB, so every device that's available today is a potential target. Since BadUSB targets the basic design of USB, device makers will have to start over and find new ways to build their USB interfaces to protect against the flaw.

By releasing the code needed to exploit BadUSB, the two argued, they're pressuring companies to come up with a new USB security system. "You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufactures to fix the real issue," they said.

There aren't any reports of BadUSB exploits in the wild yet, but those will likely come soon. For now, the only protection against BadUSB is to keep all of your USB devices segregated from the rest of the world. Don't share USB drives or memory sticks, don't let anyone connect their USB devices to your computer, and don't borrow anyone's USB-based sync or charging cables.