BadUSB attack code has been made public

Posted on Wednesday, October 08 2014 @ 15:01 CEST by Thomas De Maesschalck
BBC News writes that security researchers have released attack code that exploits BadUSB, a vulnerability in the USB protocol that allows attackers to hide malware in the firmware of any USB-based device. So far there has been no solution for BadUSB because the problem is structural and no single vendor is in a position to change that. The researchers write that cybercrime groups definitely have the resources to figure out how to exploit the vulnerability on their own, so they decided to make the exploit code public to remind USB vendors of its seriousness.
Among other things the firmware tells a computer what kind of a device is being plugged into a USB socket but the two cybersecurity researchers found a way to subvert this and install attack code. At Black Hat, the BBC saw demonstrations using a smartphone and a USB stick that could steal data when plugged into target machines.

Mr Nohl said he and his colleague did not release code in order to give firms making USB-controlling firmware time to work out how to combat the problem.

Now researchers Adam Caudill and Brandon Wilson have done their own work on the USB flaw and produced code that can be used to exploit it. The pair unveiled their work at the DerbyCon hacker conference last week and have made their attack software freely available via code-sharing site GitHub.

