'BadUSB' Malware Now Out In The Wild, Exploits Not Far Behind
In the summer, we learned of a severe issue that plagues a countless number of USB devices, tying into an exploit later called "BadUSB". Thanks to the efforts of Karsten Nohl, chief scientist at SR Labs, it was exposed that the firmware on many USB devices could easily be reprogrammed; the level of security on them turns out to be minimal, or non-existent. Firmware is effectively the brain of a USB device, so if it can be reprogrammed, it doesn't take much imagination to understand what could happen.
While Nohl has an exploit that demonstrates the issue, he's refused to release it to the public, citing the need to let companies fix the bug in current and future products. On account of the fact that vulnerable devices are out there in the millions, it's easy to understand his reasoning here. Still, Adam Caudill and Brandon Wilson are two researchers that don't agree. They reverse-engineered the bug, and took it upon themselves to release it to the wild. It's now available on Github.
Whether this is irresponsible of them or not, that's for you to decide. But with the exploit now out there in the wild, companies that produce USB devices need to research and understand it, and then make sure their future products don't suffer this vulnerability. But let's be realistic: Some people are going to take this exploit and do bad things with it.
At the moment, it seems this exploit mostly targets Phison-based products, but this issue is definitely not limited to those. With some usable code out in the wild, it's really hard to predict what we're going to see in the near-future. It's just a waiting game at this point.