Unfixable bug exploits USB devices

06 Oct 2014


A flaw uncovered by security researchers in August, which could potentially allow exploitation of any USB device, has now been made public for everyone by the researchers, The West Side Story reported.

Anyone with even elementary knowledge of exploiting computers could easily do so using the exploit code, which was available on GitHub.

The exploit was the creation of SR Labs researcher Adam Caudill and Brandon Wilson, who wanted to demonstrate that USB connections could be easily exploited and that there was little manufacturers could do to protect users from it.

"The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got. This was largely inspired by the fact that [SR Labs] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it," they said in an interview.

They had both released the code under the name BadUSB on GitHub, the web-based Git repository hosting service. The researchers wanted it to be public as it would help companies and vendors do the most they could to protect users from these attacks.

Nearly every computer and mobile device has a USB port, and a new exploit detailed by the two researchers showed how fundamentally broken the security model for USB may be, geek.com reported.

Caudill and Wilson had successfully reverse engineered the USB firmware that powers hundreds of millions of devices, which could allow an attacker to inject malicious code into a machine without anyone being aware.

Though another researcher, Karsten Nohl, had revealed the vulnerability, he opted not to release his exploit because he feared the vulnerability was unpatchable.

Caudill and Wilson were of the opinion that it was important to disclose the issue, so they duplicated Nohl's work on their own.

They say the technique could already be in the hands of governments and private security firms, so it needed to be made public so the industry could begin working on a solution.

It all came down to the microcontroller firmware used by the Taiwanese firm Phison, one of the largest manufacturers in the world. The exploit gained control of this code to reprogramme the USB controller, allowing it to interface secretly with malware on a USB drive.
