Code for ‘unpatchable’ BadUSB flaw goes public

Researchers have shared online an attack code that can convert any device connected via a USB stick into a cyber-attack platform.

The USB flaw, BadUSB, was detected by Security Research Labs’ Karsten Nohl and Jakob Lell, earlier this year.

The code has now been public by security researchers Adam Caudill and Brandon Wilson. They hoped the release would force the electronics firms to beef up defences against attack by USB.

Wilson said: "Writing code for these devices is far from easy, especially when trying to patch the existing firmware.

"It’s not something that just anyone can jump into – while we have made it easier for people to apply simple patches and provided some insight to the process, these aren’t the patches that will lead to a firmware based worm or something of that nature – these are the type of patches that will make small changes to existing features, or add simple new features.

"So, to do anything still requires a lot of knowledge and skill – in general, as I said earlier, the kind of people that have what it takes to do this, could do it regardless of our release."

As part of the study, the two researchers successfully reprogrammed the firmware of a Phison USB microcontroller, and enabled it to impersonate a keyboard that types any keystrokes sought by the hacker.

In addition to its capability to remain undetected, another issue with BadUSB is that it is almost impractical to plug the hole.

Wilson added: "Device manufacturers were quick to dismiss the "BadUSB" threat – on one hand, what was presented at Black Hat was possible via other means, so wasn’t really a new threat – but they showed no indication of trying to address the issues under their control.

"While it will take years for any changes made by device manufactures to have an impact because of the number of devices in circulation now – if they keep ignoring the issue, then it will never be improved."

Users are suggested to maintain good security practices including maintaining updated software, not opening any unfamiliar files, and not plugging unrecognized devices.