In July 2014, a massive security hole called BadUSB was reported; it gives hackers the leverage to hijack millions of USB devices, ranging from printers to keyboards and thumb drives. At that time, the researchers who disclosed the flaw did not publish their BadUSB exploit code, but now two hackers have published their own code on GitHub after working on it. It is now the responsibility of device makers to fix the flaw before millions of users face problems with their USB devices and peripherals. BadUSB is not easy to fix, which makes it a really serious problem.
If you go through the original story from July 2014, you will see that every USB device has a microcontroller, a small chip that acts as the interface between the device and the host. Sometimes this chip has firmware that can be reprogrammed to do nefarious things, such as infecting your PC with malware, logging your keystrokes, or even worse. BadUSB is dangerous for one key reason: it is very hard to detect, and even virus scanners are unable to do so.
Karsten Nohl and colleagues from SR Labs originally discovered BadUSB and announced the bug's existence in July. After that, they shared most of the details with device makers and the USB Implementers Forum, but they did not share the actual proof-of-concept code, because some hackers use zero-day vulnerabilities for nefarious aims. Now two hackers at Derbycon in Kentucky have discovered the same BadUSB flaw and, more than that, published their proof-of-concept code on GitHub. Anyone who knows what they are doing can easily grab the same code and start exploiting USB devices. People could lose billions of dollars, since with this self-replicating worm one can log keystrokes, passwords, and other sensitive data or information.
The two researchers, Brandon Wilson and Adam Caudill, justified their release to the Derbycon audience, stating: “We believe that all of this code should be public; it shouldn’t be held back. We are releasing everything we have got. It is a well-known fact that SR Labs didn’t release their output. If you are claiming something is a flaw, you need to prove it by releasing the materials, so that people can take precautions against it.” BadUSB is a huge issue, and there is now a need to light a fire under the collective derriere of USB manufacturers so that it gets fixed.
Phison USB Microcontroller:
Wilson and Caudill succeeded in reprogramming the firmware of a Phison USB microcontroller, which matters once the device is plugged into a computer (the host): an attacker obviously wants everything that is typed on the keyboard. This hacked USB microcontroller can be in a mouse, thumb drive, or printer. Phison is one of the leading makers of USB microcontrollers, and it is important to note that only Phison microcontrollers have had their firmware reprogrammed by the hackers. Other microcontrollers may be vulnerable in a similar way, but no one is planning to publish any such vulnerability yet. For now, it is a good idea to use a PS/2 mouse and keyboard.
When you analyze the problem of BadUSB, you will see that it is very difficult to detect and almost impossible to plug the hole. For your PC, as the host, to be sure that a USB device has not had its firmware meddled with, the host would have to check it. A global database of cryptographic firmware signatures is not a solution. Future devices could avoid reprogrammable USB microcontrollers and use hard-coded ROMs or ASICs instead, but at some point that becomes financially difficult.
It is recommended that you keep your software up to date and do not open any files you do not recognize. Do not plug any unknown device into your computer unless you know where it has been.
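One host-side check in the spirit of the last two paragraphs, as an added example that is not from the original article or from the researchers: it compares the interfaces each attached USB device declares against a local allowlist and flags a storage device that also declares a keyboard. The allowlist format, the `read_sysfs` and `review` names, and the sample vendor:product IDs are assumptions made for illustration.

```python
import os

MASS_STORAGE = 0x08                 # USB-IF interface class code
BOOT_KEYBOARD = (0x03, 0x01, 0x01)  # HID class, boot subclass, keyboard protocol
FIELDS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")

def read_sysfs(root="/sys/bus/usb/devices"):
    """Collect the interfaces each attached device declares (Linux sysfs)."""
    def attr(*parts):
        with open(os.path.join(root, *parts)) as fh:
            return fh.read().strip()
    devices = {}
    for name in sorted(os.listdir(root)):
        if ":" not in name:         # interface entries look like "1-2:1.0"
            continue
        # ".." from an interface entry is the device that owns it
        dev_id = attr(name, "..", "idVendor") + ":" + attr(name, "..", "idProduct")
        dev = devices.setdefault(name.split(":")[0], {"id": dev_id, "interfaces": []})
        dev["interfaces"].append(tuple(int(attr(name, f), 16) for f in FIELDS))
    return devices

def review(devices, allowlist):
    """Return {port: reason} for every device that needs a human decision."""
    findings = {}
    for port, dev in devices.items():
        declared = frozenset(dev["interfaces"])
        if BOOT_KEYBOARD in declared and any(i[0] == MASS_STORAGE for i in declared):
            findings[port] = "storage device also declares a keyboard"
        elif allowlist.get(dev["id"]) != declared:
            findings[port] = "not on allowlist, or interfaces changed"
    return findings

# Constructed sample data; the vendor:product IDs are placeholders.
SAMPLE = {
    "1-1": {"id": "aaaa:0001", "interfaces": [(0x03, 0x01, 0x01)]},  # known keyboard
    "1-2": {"id": "bbbb:0002", "interfaces": [(0x08, 0x06, 0x50)]},  # known thumb drive
    "1-3": {"id": "bbbb:0002",                                       # same ID, extra keyboard
            "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},
    "1-4": {"id": "cccc:0003", "interfaces": [(0x07, 0x01, 0x02)]},  # unlisted printer
}
ALLOW = {"aaaa:0001": frozenset({(0x03, 0x01, 0x01)}),
         "bbbb:0002": frozenset({(0x08, 0x06, 0x50)})}

if __name__ == "__main__":
    live = os.path.isdir("/sys/bus/usb/devices")
    for port, why in review(read_sysfs() if live else SAMPLE, ALLOW).items():
        print(port, why)
```

The check sees only what a device declares to the host, so firmware that was altered without changing the declared interfaces passes it, which is the detection problem described above.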