In July, researchers Karsten Nohl and Jakob Lell announced that they'd found a critical security flaw they called BadUSB, allowing attackers to smuggle malware on the devices effectively undetected. Even worse, there didn't seem to be a clear fix for the attack. Anyone who plugged in a USB stick was opening themselves up to the attack, and because the bad code was residing in USB firmware, it was hard to protect against it without completely redesigning the system. The only good news was that Nohl and Lell didn't publish the code, so the industry had some time to prepare for a world without USB.
"YOU HAVE TO PROVE TO THE WORLD THAT IT'S PRACTICAL."
As of this week, that's no longer true. In a joint talk at DerbyCon, Adam Caudill and Brandon Wilson announced they had successfully reverse-engineered BadUSB, and they didn't share Nohl and Lell's concerns about publishing the code. The pair has published the code on GitHub, and demonstrated various uses for it, including an attack that takes over a user's keyboard input and turns control over to the attacker. According to Caudill, the motive for the release was to put pressure on manufacturers. "If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it," he told Wired's Andy Greenberg. "You have to prove to the world that it’s practical, that anyone can do it."