An unfixable USB bug could lead to unstoppable malware

Once again USB has emerged as a major threat to the vast number of people who use USB devices, including USB sticks and keyboards. Security researchers have released a set of hacking tools that can be used to convert a USB drive into a silent malware installer.

The vulnerability has come to be known as “BadUSB”. The researchers have published its source code on the open source code hosting website GitHub, demanding that manufacturers either increase protection for USB flash drive firmware and fix the problem, or leave hundreds of millions of users vulnerable to the attack.

It all comes down to the microcontroller firmware used by the Taiwanese firm Phison, one of the largest manufacturers in the world. The exploit gains control of this code to reprogram the USB controller and allow it to secretly interface with malware on a USB drive. For example, a flash drive could impersonate a keyboard and enter text on a computer without the user’s knowledge. Because the compromised code is stored in the USB controller’s memory, there is no way for a user to remove it.
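From the defender's side, the keyboard impersonation described above is visible in what a device declares when it enumerates. The following is an added example, not code from the researchers or from the original article: it parses `lsusb -v` style text and flags a storage device that also presents a HID interface, or one that was previously seen as storage-only. The sample text, the device IDs and the baseline are constructed, and keying the baseline on vendor:product ID is an assumption made for brevity.

```python
import re

# USB-IF base class codes as reported in bInterfaceClass
HID, MASS_STORAGE = 0x03, 0x08

DEV_RE = re.compile(r"^Bus \d+ Device \d+: ID ([0-9a-f]{4}:[0-9a-f]{4})")
CLASS_RE = re.compile(r"^\s*bInterfaceClass\s+(\d+)")

def parse_lsusb(text):
    """Map each 'vid:pid' in `lsusb -v` style text to its set of interface classes."""
    devices, current = {}, None
    for line in text.splitlines():
        m = DEV_RE.match(line)
        if m:
            current = devices.setdefault(m.group(1), set())
            continue
        m = CLASS_RE.match(line)
        if m and current is not None:
            current.add(int(m.group(1)))
    return devices

def suspicious(devices, baseline):
    """Return {device: reason} for storage devices that also act as input devices."""
    findings = {}
    for dev, classes in devices.items():
        if HID not in classes:
            continue
        if MASS_STORAGE in classes:
            findings[dev] = "exposes mass storage and HID together"
        elif MASS_STORAGE in baseline.get(dev, set()):
            findings[dev] = "previously storage-only, now enumerates as HID"
    return findings

# Constructed sample; the IDs are placeholders, not real products.
SAMPLE = """\
Bus 001 Device 004: ID 1111:0001 Example Flash Drive
      bInterfaceClass         8 Mass Storage
Bus 001 Device 005: ID 2222:0002 Example Keyboard
      bInterfaceClass         3 Human Interface Device
Bus 001 Device 006: ID 3333:0003 Example Flash Drive
      bInterfaceClass         8 Mass Storage
      bInterfaceClass         3 Human Interface Device
Bus 001 Device 007: ID 4444:0004 Example Flash Drive
      bInterfaceClass         3 Human Interface Device
"""
BASELINE = {"4444:0004": {MASS_STORAGE}}  # constructed: seen earlier as storage only

if __name__ == "__main__":
    for dev, reason in suspicious(parse_lsusb(SAMPLE), BASELINE).items():
        print(dev, "->", reason)
```

A finding is a prompt for triage rather than proof of tampering, since some legitimate composite devices declare both classes, and a reprogrammed drive that has never been seen before and presents only as a keyboard will not be flagged by this check.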

Patching this hole would basically require a new security architecture in which a manufacturer signature is needed to alter the controller’s code, but that is not the sort of thing that can work on existing devices; they have to be replaced. That could mean a decade or more to transition fully to devices that aren’t vulnerable to this exploit. Even Caudill and Wilson, who are confident in their decision to release the details, are not posting all the work they’ve done on the issue. A separate implementation of this exploit that the pair are working on would use the USB controller to infect files with malware as they are copied from a USB drive. Things might get quite messy before they get better.