How do you get people to take your unpatchable malware program like the serious threat it is? You release it into the wild where anybody can get their hands on it.
That’s the method behind the madness of security researchers Karsten Nohl and Jakob Lell. Their proof-of-concept malicious software exposes a huge hole in a commonly used technology—USB storage—and is now available for download on GitHub.
USB sticks have become so cheap and easy to use that companies often hand them out like calling cards at conferences. Nohl and Lell, however, have found a flaw in USB security that allowed them to do some really scary things. Their malware, named BadUSB, can be installed on a USB stick to take over a PC simply by being plugged into the computer.
The researchers, who work for security consultancy SR Labs, demonstrated BadUSB to a packed crowd at the Black Hat conference in Las Vegas. There will be no quick fix for the vulnerability they’ve found, so the researchers have decided to open source it.
At first glance, it seems like a terrible idea to put malware where anybody can access it. However, this is a pretty standard practice in the online security world. In fact, it’s not even against GitHub’s terms of service since the researchers are upfront about their reasons.
“Security researchers often release a proof of concept to raise awareness of the vulnerability in the security community, and to encourage people to protect themselves,” a GitHub spokesperson told ReadWrite. “A repository that contains a proof of concept but isn’t maliciously or covertly distributing malware would not be in violation of our terms of service.”
Now that the researchers have opened the floodgates, more security experts may be motivated to begin working on a fix soon. And until then, stick to the USB sticks you already trust.
Photo by Ambuj Saxena