Following the disclosure earlier this year of the critical USB vulnerability BadUSB, two researchers recently reverse-engineered it and published the relevant code, which could make the harm caused by the BadUSB vulnerability greater.
In July, researchers Karsten Nohl and Jakob Lell announced the discovery of a serious vulnerability called "BadUSB", which allows an attacker to quietly plant malicious software on USB devices without being detected.
Worse, there seems to be no clear fix. Any user who has plugged in a USB storage device has effectively opened the door to the attacker, because the malicious code is embedded in the firmware. Nohl said: "People cannot determine the source of the virus, as if by magic."
Fortunately, Nohl and Lell did not publish the relevant code, which gave the whole industry time to "prepare for a world without USB". But this week, that situation changed completely.
At the DerbyCon hacker conference, two security researchers, Adam Caudill and Brandon Wilson, said that they had reverse-engineered BadUSB. They released the relevant code on GitHub and demonstrated a variety of uses, including attacking and taking control of the target user's keyboard input.
Caudill said that they released the source code to put pressure on manufacturers. He said: "If you do not prove to the world that this can be easily done, then the manufacturers will drag on and do nothing. So we have to prove that this kind of attack is practical, and anyone can do it."
However, the net effect of the move is not to improve USB security. Because hackers can now reprogram USB firmware, it makes the vulnerability more threatening. The only way to fix this vulnerability is to build a new security layer on the firmware, but this requires a comprehensive update of the USB standard, which means that this insecurity will last for years.