BadUSB Source Code Published on Github

Back in August of this year, we wrote about a new form of malware called BadUSB, which was capable of infecting billions of devices currently in operation around the globe, everything from mice to keyboard, and even simple flash-based thumb drives.

The flaw was originally discovered by researchers at Security Research Labs in Berlin, which upon its initial report was kept as vague as possible in order to prevent more hackers from exploiting the hole which has remained open to this day.

By using the micro-architecture installed on nearly every USB device you can think of and then some, BadUSB is able to operate an array of possible attacks that range from simplified network traffic sniffers to more advanced, and undetectable keyloggers installed on the keyboard itself.

Keyloggers and the like would almost always need to be installed on the computer they were targeting beforehand, but now that USB hardware can be flashed to carry the same payloads, all it takes is one infected device between two different systems to put entire networks on high alert.

Now two hackers at Derbycon in Kentucky — Adam Caudill and Brandon Wilson — have published the source code for BadUSB on the website Github, and were ready to defend the action by claiming that the only way the security community is going to find a fix for the issue is through increased pressure to do something about it before the problem inevitably spirals out of control.

Writes Caudill:

“I am confident that we (Brandon and I) could build a system that would infect PCs, then infect a significant percentage of thumb drives, and then infect other PCs – but, and this is a big but – what we released doesn’t make that easier in any significant way.

“Your average script kiddy will never be able to do it; there’s only a small number of people that would be able to do the work needed to be able to pull it off – those people could already do it before we released what we did.”

“Nothing, nothing, that we’ve released has suddenly made new attacks possible,” he added.

The problem of course is that while only a small proportion of the ever-increasing hacker community might be able to deploy the crack themselves, that number will shoot up exponentially now that the code behind it has been released into the wild.

Without any sort of widely applicable fix being made available in the near future, the problem will only continue to swell as everyone starts to toss out their USB keyboards in favor of their older, yet apparently more secure, PS/2 counterparts.

For now, the only solution to BadUSB is the same advice you would expect for any exploit. Never download software from a destination you don’t recognize beforehand, never give permissions to installations that try and use portions of your operating system that haven’t been specifically approved beforehand, and of course, never plug a device into your machine unless you know where it’s been first.