massive security hole — BadUSB — that potentially gave hackers the ability to hijack or subvert billions of USB devices, from keyboards to printers to thumb drives. At the time, due to the severity of the issue, the researchers who discovered the flaw didn’t publish their BadUSB exploit code. Now, however, two other hackers have worked out how to exploit BadUSB — and they’ve published their code on GitHub for all to see. The pressure is now on device makers to actually fix the flaw before millions of users have their USB devices and peripherals exploited — which is a problem, because there’s really no easy fix for BadUSB.
In short, though, every USB device has a microcontroller — a small chip that acts as an interface between the device (a keyboard, a flash drive) and the host (your PC). This chip often has software (firmware) that can be reprogrammed to do nefarious things, such as logging your keystrokes, infecting your PC with malware, or something much worse. BadUSB is highly dangerous for one key reason: It’s very hard to detect, even for virus scanners.
The guys who originally discovered BadUSB — Karsten Nohl and friends at SR Labs — announced the bug’s existence in July, and presumably shared more details with device makers and the USB Implementers Forum, but they did not share actual proof-of-concept code for fear that other, slightly-less-benevolent hackers would use this zero-day vulnerability for nefarious purposes. Now, however, two hackers at Derbycon in Kentucky have discovered the same BadUSB flaw — and, more importantly, they’ve published their proof-of-concept on GitHub. If you know what you’re doing, you can grab the code and start exploiting USB devices straight away. Go wild: The first person to write a self-replicating worm that key logs passwords and other sensitive data stands to make millions — nay, billions — of dollars.
The two security researchers, Adam Caudill and Brandon Wilson, justified their release to the Derbycon audience with the following: “The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got. This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.” Their rationale, while somewhat reckless, isn’t entirely misguided: BadUSB is potentially a huge issue, and someone needs to light a fire under the collective derriere of USB device makers so that they actually try to fix it. As always with vulnerabilities like this, it’s impossible to say how long it’s been used — by black hat hackers, by the NSA — before someone like Nohl, Caudill, or Wilson publicly discloses it.