Source code for critical USB firmware exploit posted on GitHub

  • 2 October 2014


Pair of researchers engineer hack, post code to shame companies into action

Security researchers Adam Caudill and Brandon Wilson have published source code for a theoretically unpatchable USB firmware bug called "BadUSB." First revealed at the Black Hat security conference in July, the two researchers who reverse engineered the original finding say that they did it for the public good, and "so people can defend against it." Further, more severe exploits are possible using this method, but Caudill and Wilson are hesitant to release them, fearing more dangerous exploits.
All USB devices have firmware, which dictates how the item communicates with a host computer. The flaw isn't limited to USB mass storage, and can be implemented in nearly any USB peripheral, including input devices. The original researcher, Karsten Nohl, demonstrated the flaw with an Android phone plugged in through USB as a vector of attack.

1 reply

By Brian Prince on October 02, 2014 
 
Two researchers have released attack code for the 'BadUSB' issue first revealed at the Black Hat conference earlier this summer.
Researchers Adam Caudill and Brandon Wilson presented on the vulnerability at the Derbycon 4.0 conference last week in Louisville. Wilson and Caudill reverse-engineered USB firmware and reprogrammed it to launch various attacks. They then took the extra step of posting the attack code to GitHub.
"The belief we have is that all of this should be public," Wired quoted Caudill as telling the audience at Derbycon last week. "It shouldn’t be held back. So we’re releasing everything we’ve got. This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it."
Among the attack scenarios discussed by Caudill and Wilson are using the USB device to emulate a keyboard and issue commands on behalf of a logged-in user to exfiltrate data or install malware.
 
 
SecurityWeek/ Article/ http://www.securityweek.com/badusb-code-published
