USB Security Exploit Posted Online
Back in the Summer we reported a critical flaw in tech products which allowed hackers to disguise the device as critical computer components, such as network cards or a keyboard, in order to carry out commands to compromise security and install viruses on the host computer.
The flaw was shown off in July by researchers Karsten Nohl and Jakob Lell at a black hat hacker convention, and widely publicised on the release of their findings. Now it seems someone has managed to find the root of the problem, exposing the ‘BadUSB’ exploit to the general public.
At Derbycon 2014, hacking experts Adam Caudill and Brandon Wilson showed off their findings, namely the firmware behind the exploit. the pair were seeking to undo the damage caused by the exploit by releasing the code behind it onto Github, a well known source for open-source code, their reasoning behind the release being that Nohl and Lell’s SR Labs didn’t release the exploit themselves.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Said Adam Caudill to an anxious audience at Derbycon
“This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
Caudill also explained that once the code for the exploit hits the web and is picked up and used by the average coder as opposed to high level software gurus, people will start taking notice of it and attempt to do something to fix the exploit.
If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” he said.
“You have to prove to the world that it’s practical, that anyone can do it…That puts pressure on the manufactures to fix the real issue.”
SEE ALSO: Play Games on 4 Walls With RoomAlive
It’s a well know fact that viruses have been transferred via infected USB devices before, such as Stuxnet, the computer virus which famously disabled nuclear reactors in Iran. Stuxnet travelled across the world from it’s origin point in Israel, infecting a long chain of USB sticks before finally infiltrating the target reactor complex.
The most comforting thing about revelations behind the security issue with USB is that one day solutions will arise to prevent the problem from happening again. Once the big hsoftware companies get their hands on the code, you can bet your life that they’ll come up with a way to stop it from working.
Until then, for those of you who use USB devices daily to store sensitive files, take heed of Adam Caudill’s words at Derbycon:
“People look at these things and see them as nothing more than storage devices,”
“They don’t realize there’s a reprogrammable computer in their hands.”
Food for thought.