Skip to main content

‘Unpatchable’ malicious USB hack now available online

Two security researchers have shared code online that could potentially allow hackers to infect USB devices and steal sensitive information.

Adam Caudill and Brandon Wilson confirmed that the threat is currently unfixable and have released the code in the hope that device manufacturers will improve their security.

Read more: USB sticks or the keys to the kingdom? Hackers turn USBs into security threats

The hack was originally discovered by Karsten Nohl, who revealed that almost all USB devices were vulnerable to the malware during his talk at this year's Black Hat conference. Nohl decided against sharing the code as he believed it would be irresponsible given the lack of an easy firmware fix to the problem.

The so-called BadUSB attack, as demonstrated by Nohl and subsequently Caudill and Wilson, allows hackers to manipulate files installed from an infected USB device, and make an infected gadget operate as a faux-keyboard. This allows hackers to control the device and even relay personal information to a remote server.

Caudill and Wilson defended their decision to publish the code through GitHub, which could leave millions of USB users at risk.

"The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got," Caudill told the Derbycon audience on Friday. If you're going to prove that there's a flaw, you need to release the material so people can defend against it."

Caudill and Wilson admitted in an interview with WIRED that the line between enabling manufacturers to improve their security and gifting malicious code to potential hackers is a fine one.

Read more: First reversible Type-C USB interface finalised

"There's an ethical dilemma there," Caudill said. "We want to make sure we're on the right side of it."