Patch for BadUSB unleashed: How to protect yourself from this new cyberweapon
A USB security flaw called BadUSB which could allow hackers to take over a user’s keyboard input and turn controls of the computer over to an attacker has been published online.
BadUSB was first demonstrated in July, but due to security concerns those who discovered it did not publish the code for it. Despite this, Adam Caudill and Brandon Wilson recently announced that they had reverse-engineered the flaw and then published the code on GitHub, with the intention of putting pressure on manufacturers.
“If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it,” said Adam Caudill. “You have to prove to the world that it’s practical, that anyone can do it.”
A patch for BadUSB has been released and posted to GitHub, but many are suggesting the patch is similar to applying a Band-Aid when stitches are needed. Ideally, as time goes on more fixes will be released that will be more effective.
“The patch prevents software (malicious or otherwise) running on your computer from initiating the firmware update process. There are other ways of entering boot mode, such as by shorting pins on the controller, which requires physical access,” said Wilson.
The patch applies to USB drives manufactured by Phison Electronics. It disables boot mode, the mechanism by which firmware updates are made to USB-based devices. For those who are extremely concerned, Wilson and Caudill also recommend applying a bonding epoxy to thumb drives to prevent physical tampering.
It is important to remember that BadUSB is not malware. It cannot be downloaded via email. It is a USB drive that has been altered to do things that USB drives normally would not do. Because BadUSB resides not in the flash memory storage of USB devices, but in the firmware that controls their basic functions, the attack code can remain hidden even after users think they have deleted the contents of the device’s memory.
“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” continued Caudill. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”
While individuals are certainly susceptible to BadUSB, businesses are at a lot more risk and they are the ones that should be taking full advantage of the patch. In a business it is not unusual for someone to hand out a USB with a file or presentation. Despite this, there are a number of ways that system administrators can avoid BadUSB. For example, they can lock USB port use on Windows 7 or 8 computers, or they can install endpoint software like that offered by Symantec.
Fears over how to avoid BadUSB may even prompt many businesses to more widely adopt cloud computing.
“There’s a tough balance between proving that it’s possible and making it easy for people to actually do it,” said Caudill. “There’s an ethical dilemma there. We want to make sure we’re on the right side of it.”
By Christian de Looper, Tech Times