October 3, 2014

Beware the USB

The BadUSB hack is out, released into the wild by researchers Adam Caudill and Brandon Wilson. This means that malicious types can make trouble for you just by accessing your USB ports. There is no fix for this at the moment; the problem is in the USB firmware, and that’s not something that gets patched easily.

Why release something like this, especially when the original BadUSB creator Karsten Nohl chose not to? From Wired:

“The belief we have is that all of this should be public. It shouldn’t be held back. So we’re releasing everything we’ve got,” Caudill told the Derbycon audience on Friday. “This was largely inspired by the fact that [SR Labs] didn’t release their material. If you’re going to prove that there’s a flaw, you need to release the material so people can defend against it.”

The reasoning is that known exploits get fixed faster, which is true, but with the USB hack it’s not quite as simple as releasing a system update. On the flip side, knowing that this USB security flaw exists and is widely available will make it possible to take the proper measures to protect sensitive data from malicious people. And yes, that includes government agencies.

Thoughts? Let @tdh know on Twitter, or find me elsewhere. There is also a newsletter.