http://www.theverge.com/2014/10/2/6896095/this-published-hack-could-be-the-beginning-of-the-end-for-usb
By Russell Brandom
The Verge
October 2, 2014
In July, researchers Karsten Nohl and Jakob Lell announced that they'd
found a critical security flaw they called BadUSB, allowing attackers to
smuggle malware onto USB devices effectively undetected. Even worse, there
didn't seem to be a clear fix for the attack. Anyone who plugged in a USB
stick was opening themselves up to the attack, and because the bad code
was residing in USB firmware, it was hard to protect against it without
completely redesigning the system. The only good news was that Nohl and
Lell didn't publish the code, so the industry had some time to prepare for
a world without USB.
As of this week, that's no longer true. In a joint talk at DerbyCon, Adam
Caudill and Brandon Wilson announced they had successfully
reverse-engineered BadUSB, and they didn't share Nohl and Lell's concerns
about publishing the code. The pair has published the code on GitHub, and
demonstrated various uses for it, including an attack that takes over a
user's keyboard input and turns control over to the attacker. According to
Caudill, the motive for the release was to put pressure on manufacturers.
"If the only people who can do this are those with significant budgets,
the manufacturers will never do anything about it," he told Wired's Andy
Greenberg. "You have to prove to the world that it’s practical, that
anyone can do it."
[...]