Security researchers detail 'unpatchable' USB hack
Remember Karsten Nohl? The security researcher who discovered how to infect just about any USB device with scarily savvy malware and delivered a lengthy talk about it at this year's Black Hat conference? At the time he didn't want to share the code for his exploit, but fellow researchers Adam Caudill and Brandon Wilson figured out how to pull off some of the same tricks and they've published their findings on GitHub. Why? To try and force device manufacturers to get their security acts together.
Nohl's reason for withholding his code the first time around was because he thought it was "unpatchable" -- that is, there wouldn't be an easy firmware fix for this potentially huge problem. We do mean huge, too: the so-called BadUSB proof-of-concept allowed Nohl (along with Caudill and Wilson after the fact) to manipulate files installed from an infected USB device, make an infected gadget act as a faux-keyboard that attackers could control, and in some cases relay personal information to a remote server. Some might argue that releasing this sort of information into the wild is irresponsible and dangerous, but Caudill and Wilson hope to get USB vendors thinking seriously about this potential threat by proving that there's nothing potential about it.Source: GitHub
Nohl's reason for withholding his code the first time around was because he thought it was "unpatchable" -- that is, there wouldn't be an easy firmware fix for this potentially huge problem. We do mean huge, too: the so-called BadUSB proof-of-concept allowed Nohl (along with Caudill and Wilson after the fact) to manipulate files installed from an infected USB device, make an infected gadget act as a faux-keyboard that attackers could control, and in some cases relay personal information to a remote server. Some might argue that releasing this sort of information into the wild is irresponsible and dangerous, but Caudill and Wilson hope to get USB vendors thinking seriously about this potential threat by proving that there's nothing potential about it.Source: GitHub
0 comments:
Post a Comment