Back in August we wrote about a rather scary USB hack that can be used to control, command and spy on pretty much anything that is plugged in through a USB port. The hack is called BadUSB, and a proof-of-concept was showcased at the Black Hat developers’ conference.
The exploit was created by SR Labs researcher Karsten Nohl, who wanted to demonstrate that USB connections (keyboards, mice, hard drives) can be hacked, and that there isn’t much that manufacturers or security companies can do about it. Nohl decided to keep the code to himself, to prevent it from falling into the wrong hands.
While Nohl held on to it, however, two other researchers, Adam Caudill and Brandon Wilson, took the decision to unleash it into the wild. Before you think that they have just let loose an epidemic exploit that could bring about the apocalypse, they did it for altruistic purposes – or so they claim.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got. This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it,” the pair told Wired.
The hacker pair has released the code for the BadUSB exploit onto GitHub, so anybody with a little know-how will be able to use the exploit. But Caudill and Wilson also released it so that security software companies will be able to take the code and better protect users against it. They also hope that it will fast-track USB makers to have a long, hard look at how they can change USB security.
“If this is going to get fixed, it needs to be more than just a talk at Black Hat. If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it. You have to prove to the world that it’s practical, that anyone can do it… That puts pressure on the manufacturers to fix the real issue.”
[Source – Wired]