BadUSB, a critical security flaw detected in July, can be abused by hackers using practically any USB device. This massive security problem is now on the loose as experts have published its code online.
The threat was first revealed in August by Karsten Nohl at the Black Hat cybersecurity conference. Nohl demonstrated how BadUSB can corrupt any USB device with malware that is both deadly and undetectable.
BadUSB can turn a user's keyboard, mouse, storage device, network device, game controller, or any other USB device into a cyber threat. The versatility and broad compatibility of the USB technology is also what made it vulnerable to hack attacks, with a USB device's controller chips being very easily reprogrammable.
Because of the wide-scale security threat that BadUSB presented, along with the absence of a definite solution to fight against such attacks, Nohl decided not to publish the code for BadUSB.
However, security experts Adam Caudill and Brandon Wilson have successfully reverse-engineered the BadUSB hack and announced the feat in a joint talk held at DerbyCon.
Caudill and Wilson published the code for BadUSB on GitHub, where the experts even demonstrated several uses for the hack.
So what can hackers do with BadUSB? They can take over the input of the keyboard of a user, transferring control of the device to the hacker.
"If you're going to prove that there's a flaw, you need to release the material so people can defend against it," Caudill said during the talk at DerbyCon.
Caudill also said that the decision to release the BadUSB code was made in order to place pressure on USB manufacturers to rectify the problem.
"If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it," Caudill said in an interview with Wired. "You have to prove to the world that it's practical; that anyone can do it."
Now that the bug that Nohl describes as "unpatchable" is out in the open, USB security is most certainly compromised. Hackers using BadUSB will gain a new tool that can dish out serious attacks.
The only means of addressing the problem is to add an additional security layer over the USB firmware, which would mean a complete update to the USB standard. This would take years to implement though, exposing the general public to the threat for a long time.
USB drives that users plug into their computer could already result in an attack that can't be avoided unless the user knows exactly where a USB has been, from the time of its production in a factory to the time it reaches the current user. The only true protection that users have against BadUSB is to avoid the usage of USB drives and devices, along with covering USB ports to prevent infected devices from being plugged in.