Did researchers help hackers in releasing USB drive exploit?

The debate over when security researchers should expose serious vulnerabilities has been rekindled with the recent release of exploit tools for a flaw in USB flash drive firmware.

Researchers Adam Caudill and Brandon Wilson released the tools last week, two months after Berlin-based Security Research Labs (SRLabs) demonstrated an attack on the vulnerability at the Black Hat security conference in Las Vegas.

SRLabs held back on releasing tools or details of its exploit, saying the flaw in firmware on the USB controller was not easily fixed.

However, Caudill and Wilson decided that replicating the attack and releasing their code, which included firmware patches, payloads and documentation, was necessary to force USB manufacturers to fix the flaw.

"Your average script kiddy will never be able to do it (the exploit); there's only a small number of people that would be able to do the work needed to be able to pull it off -- those people could already do it before we released what we did," Caudill said in a blog post. "The threat of this happening is the same as it has always been."

The firmware vulnerability is in controllers designed by Phison Electronics, a Taiwanese company that sells the product to a very large number of USB thumb drive manufacturers.

The SRLabs proof-of-concept attack, dubbed BadUSB, switched the profile of a computer-connected USB drive to a keyboard, so the drive could send keystrokes to download and install malware. The profile also could be changed to emulate a network controller to hijack DNS settings.
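A defender's view of the profile switch described above, as an added example that is not from the article or from any of the researchers' tools: it scans USB enumeration records for a storage device that later presents itself as a human-interface or network device. The record layout and sample values are assumptions constructed for illustration; the interface class codes are the standard USB-IF ones.

```python
# USB-IF interface class codes.
MASS_STORAGE, HID, CDC_COMM, CDC_DATA = 0x08, 0x03, 0x02, 0x0A
NETWORK_CLASSES = {CDC_COMM, CDC_DATA}

def roles(interfaces):
    """Map (class, subclass, protocol) tuples to coarse device roles."""
    found = set()
    for cls, _sub, _proto in interfaces:
        if cls == MASS_STORAGE:
            found.add("storage")
        elif cls == HID:
            found.add("hid")        # keyboards enumerate under this class
        elif cls in NETWORK_CLASSES:
            found.add("network")
    return found

def flag_profile_changes(events):
    """Return (time, device_key, reason) for each suspicious enumeration."""
    seen = {}       # device key -> roles observed on earlier enumerations
    findings = []
    for ev in events:
        key = (ev["vid"], ev["pid"], ev["serial"])
        now = roles(ev["interfaces"])
        before = seen.get(key, set())
        risky = now & {"hid", "network"}
        if "storage" in now and risky:
            reason = "storage combined with " + ",".join(sorted(risky))
            findings.append((ev["time"], key, reason))
        elif "storage" in before and risky - before:
            reason = "storage device re-enumerated as " + ",".join(sorted(risky - before))
            findings.append((ev["time"], key, reason))
        seen[key] = before | now
    return findings

# Constructed enumeration log; the record format and all IDs are hypothetical.
SAMPLE = [
    {"time": 1, "vid": 0x1111, "pid": 0x0001, "serial": "AAA",
     "interfaces": [(0x08, 0x06, 0x50)]},                      # thumb drive
    {"time": 2, "vid": 0x2222, "pid": 0x0002, "serial": "KBD",
     "interfaces": [(0x03, 0x01, 0x01)]},                      # ordinary keyboard
    {"time": 3, "vid": 0x1111, "pid": 0x0001, "serial": "AAA",
     "interfaces": [(0x03, 0x01, 0x01)]},                      # same drive, now HID
    {"time": 4, "vid": 0x1111, "pid": 0x0003, "serial": "BBB",
     "interfaces": [(0x08, 0x06, 0x50), (0x02, 0x06, 0x00)]},  # storage + network
]

if __name__ == "__main__":
    for finding in flag_profile_changes(SAMPLE):
        print(finding)
```

Matching on vendor ID, product ID and serial is a heuristic: rewritten firmware can report different identifiers, so correlating by physical port is a useful second key.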

Modifying the controller firmware is done from the computer's operating system.

Paul Henry, an instructor with SANS Institute, was uncomfortable with the code release, despite the researchers' claim that device manufacturers showed no interest in fixing the problem.

"Fault whomever you will, the researcher or the vendor, the bottom line is it will be the community at large that will pay the ultimate price when the issue is exploited," Henry said.

Pressuring vendors to release a fix by posting details on an exploit is not new. Many researchers used the tactic against Microsoft when vulnerabilities in its software were found, Henry said.

As a result, hackers often launched attacks shortly after the proof-of-concept exploits. "It never seems to end well," Henry said of such disclosures.

Caudill and Wilson, who released their tools at the DerbyCon hacker conference, are hoping to force manufacturers to require signed firmware updates for USB controllers in order to prevent unauthorized modifications.

The other option is to disable the ability to change firmware once a device ships from the factory. However, even if such changes are implemented, USB drives in the market today are likely to remain vulnerable for years, experts say.

Stories by Antone Gonsalves

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts