
Source code for critical USB firmware exploit posted on GitHub
NewsPoster
MacNN Staff
Join Date: Jul 2012
Status: Offline
Oct 2, 2014, 03:15 PM

Security researchers Adam Caudill and Brandon Wilson have published source code for a theoretically-unpatchable USB firmware bug called "BadUSB." First revealed at the Black Hat security conference in July, the two researchers who reverse-engineered the original finding say that they published for the public good, and "so people can defend against it." More severe exploits are possible using their method, but Caudill and Wilson are hesitant to release them, fearing more dangerous exploits.

All USB devices have firmware, which dictates how the item communicates with a host computer. The flaw isn't limited to USB mass storage, and can be implemented in nearly any USB peripheral, including input devices. The original researcher, Karsten Nohl, demonstrated the flaw with an Android phone plugged in through USB as a vector of attack.

USB firmware doesn't have any inherent ability to prevent modification for dubious purposes. No manufacturer implements code signing in USB firmware, comparing the checksum of the code with that of the original; nor does the USB specification allow for such a countermeasure. Anti-malware countermeasures don't scan firmware, nor are they likely to in the future. Fixes are possible, with checksum comparison on installation, but both the original researchers as well as the pair who released the source code to the exploit think that a wide-scale fix is a decade away.

USB device firmware is generally 64KB or smaller. While small by today's standard, attackers using half of the space for malicious code could easily write exploits allowing for keystroke logging, DNS redirection, or nearly any other possible vector. Data misappropriated by the installed malware wouldn't be stored on the USB device, but sent to a remote server for storage and utilization -- diligent users could see this traffic and discover a problem, but the vast majority of computer users lack the technical savvy to do so.

Caudill told Wired that "if the only people who can do this are those with significant budgets, the manufacturers will never do anything about it. You have to prove to the world that it's practical, that anyone can do it. That puts pressure on the manufacturers to fix the real issue."

With proper coding, OS X, iOS, or Android devices are exploitable as well, given the nature and ubiquity of USB. There is likely no "universal" version of the exploit, and the GitHub-hosted code uses popular Phaeton USB firmware, but how "generic" USB device firmware is between manufacturers has yet to be disclosed.
( Last edited by NewsPoster; Oct 3, 2014 at 01:31 AM. )
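The article notes that no manufacturer signs USB firmware and that a fix would be a checksum (and signature) comparison on installation. The following Go program, added here as an illustration and not code from the BadUSB repository or from any vendor, shows what that missing gate looks like: the vendor hashes the firmware image and signs the digest with an Ed25519 key, and the installer recomputes the hash and checks the signature before it will write anything to the controller. The manifest layout, the function names and the 1 KB sample image are all this example's own assumptions; a real controller would hold the vendor public key in ROM and run the check in its bootloader.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// FirmwareManifest is a hypothetical file a vendor would ship beside an image:
// the SHA-256 of the image and an Ed25519 signature over that digest.
type FirmwareManifest struct {
	ImageSHA256 [32]byte
	Signature   []byte
}

var (
	ErrHashMismatch = errors.New("firmware: image hash does not match manifest")
	ErrBadSignature = errors.New("firmware: manifest signature is not from the vendor key")
)

// SignFirmware is the vendor-side step: hash the image and sign the digest.
func SignFirmware(priv ed25519.PrivateKey, image []byte) FirmwareManifest {
	digest := sha256.Sum256(image)
	return FirmwareManifest{
		ImageSHA256: digest,
		Signature:   ed25519.Sign(priv, digest[:]),
	}
}

// VerifyFirmware is the installer-side check the article says is absent today:
// recompute the image hash, compare it with the manifest, then verify the
// vendor signature over that hash. Either failure blocks the update.
func VerifyFirmware(pub ed25519.PublicKey, image []byte, m FirmwareManifest) error {
	digest := sha256.Sum256(image)
	if !bytes.Equal(digest[:], m.ImageSHA256[:]) {
		return ErrHashMismatch
	}
	if !ed25519.Verify(pub, m.ImageSHA256[:], m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Flash stands in for the firmware-update routine: it reports whether the
// image would have been written, which only happens after verification.
func Flash(pub ed25519.PublicKey, image []byte, m FirmwareManifest) (bool, error) {
	if err := VerifyFirmware(pub, image, m); err != nil {
		return false, err
	}
	// A real installer would program the controller here.
	return true, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed stand-in for a controller image (real ones are up to 64KB).
	image := bytes.Repeat([]byte{0xA5}, 1024)
	manifest := SignFirmware(priv, image)

	ok, err := Flash(pub, image, manifest)
	fmt.Println("genuine image flashed:", ok, err)

	// Image altered after signing: the hash no longer matches the manifest.
	tampered := append([]byte(nil), image...)
	tampered[100] ^= 0xFF
	ok, err = Flash(pub, tampered, manifest)
	fmt.Println("altered image flashed:", ok, err)

	// Altered image with a recomputed hash but no vendor signature for it.
	forged := manifest
	forged.ImageSHA256 = sha256.Sum256(tampered)
	ok, err = Flash(pub, tampered, forged)
	fmt.Println("altered image with forged manifest flashed:", ok, err)
}
```

The point of the third case is why a plain checksum is not enough: anyone who can rewrite the image can also rewrite a checksum stored next to it, so the digest has to be bound to a key the attacker does not hold, and the device must refuse images whose manifest fails either check.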
chimaera
Dedicated MacNNer
Join Date: Apr 2007
Status: Offline
Oct 2, 2014, 04:24 PM

Exploits likely make a device listen for USB traffic. An infected device could latch all keystrokes, provided the keyboard is on the same bus as the infected device. In theory it could listen for data to/from an external USB HD, but with only 32KB code space available, it probably couldn't snoop for anything specific enough to be useful.

However, if the infected device is on the same bus as a webcam, things could get interesting. Echo all audio and/or video to a network destination.
robttwo
Fresh-Faced Recruit
Join Date: Nov 2005
Status: Offline
Oct 3, 2014, 08:15 AM

What do you think the NSA has been utilizing for the past 10 years?
mgpalma
Forum Regular
Join Date: Sep 2000
Location: OR, USA
Status: Offline
Oct 3, 2014, 09:34 AM

While not a lot of space, redirecting is all you need to do. Let a server on the net do the processing and this could be a real problem. "code could easily write exploits allowing for keystroke logging, DNS redirection, or nearly any other possible vector." As much as some would say this isn't that big a deal, mirroring all input of someone's computer to some criminal's server seems pretty significant to me.
-
Michael
All contents of these forums © 1995-2017 MacNN. All rights reserved.