An Unfixable USB Bug Could Lead To Unstoppable Malware

Nearly every computer and mobile device on the planet has a USB port, and a new exploit detailed by two researchers shows how fundamentally broken the security model for USB may be. Adam Caudill and Brandon Wilson have successfully reverse engineered the USB firmware powering hundreds of millions of devices, which could allow an attacker to inject malicious code into a machine without anyone being the wiser. They’ve also released the code on Github in order to spur action. It might get a little crazy out there in the meantime.

The exploit was first detailed by a different researcher, Karsten Nohl, at the Black Hat security conference. Nohl opted not to release his exploit because he feared the vulnerability was unpatchable. Caudill and Wilson felt it was important to disclose the issue, so they duplicated Nohl’s work on their own. They argue the technique could already be in the hands of governments and private security firms, so it should be made public so the industry can begin working on a fix.

It all comes down to the microcontroller firmware used by the Taiwanese firm Phison, one of the largest manufacturers in the world. The exploit gains control of this code to reprogram the USB controller and allow it to secretly interface with malware on a USB drive. For example, a flash drive could impersonate a keyboard and enter text on a computer without the user’s knowledge. Because the compromised code is stored in the USB controller’s memory, there is no way for a user to remove it.

Patching this hole would basically require a new security architecture that requires a manufacturer signature to alter the controller’s code, but that’s not the sort of thing that can work on existing devices — you have to replace them. That could mean a decade or more to transition fully to devices that aren’t vulnerable to this exploit. Even Caudill and Wilson, who are confident in their decision to release the details, are not posting all the work they’ve done on the issue. A separate implementation of this exploit the pair are working on would use the USB controller to infect files with malware as they are copied from a USB drive. Things might get quite messy before they get better.