Did researchers help hackers in releasing USB drive exploit?

SANS Institute instructor says releasing exploits before there is a fix 'never seems to end well' for software users

The debate over when security researchers should expose serious vulnerabilities has been rekindled with the recent release of exploit tools for a flaw in USB flash drive firmware.

Researchers Adam Caudill and Brandon Wilson released the tools last week, two months after Berlin-based Security Research Labs (SRLabs) demonstrated an attack on the vulnerability at the Black Hat security conference in Las Vegas.

SRLabs held back on releasing tools or details of its exploit, saying the flaw in firmware on the USB controller was not easily fixed.

However, Caudill and Wilson decided that replicating the attack and releasing their code, which included firmware patches, payloads and documentation, was necessary to force USB manufacturers to fix the flaw.

"Your average script kiddy will never be able to do it (the exploit); there’s only a small number of people that would be able to do the work needed to be able to pull it off -- those people could already do it before we released what we did," Caudill said in a blog post. "The threat of this happening is the same as it has always been."

The firmware vulnerability is in controllers designed by Phison Electronics, a Taiwanese company that sells the product to a very large number of USB thumb drive manufacturers.

The SRLabs proof-of-concept attack, dubbed BadUSB, switched the profile of a computer-connected USB drive to a keyboard, so the drive could send keystrokes to download and install malware. The profile also could be changed to emulate a network controller to hijack DNS settings.

Modifying the controller firmware is done from the computer's operating system.

Paul Henry, an instructor with SANS Institute, was uncomfortable with the code release, despite the researchers' claim that device manufacturers showed no interest in fixing the problem.

"Fault whomever you will, the researcher or the vendor, the bottom line is it will be the community at large that will pay the ultimate price when the issue is exploited," Henry said.

Pressuring vendors to release a fix by posting details on an exploit is not new. Many researchers used the tactic against Microsoft when vulnerabilities in its software were found, Henry said

As a result, hackers often launch attacks shortly after the proof-of-concept exploits. "It never seems to end well," Henry said of such disclosures.

In this case, Caudill and Wilson developed a new exploit for a flaw USB manufacturers have known about for years and have not patched, Randy Abrams, research director at NSS Labs, said

"Existing drives cannot effectively be patched, and the criminal element knows about the problem," Abrams said. "Providing patches and demonstrating why they are needed is warranted considering the apathy demonstrated by manufacturers."

Caudill and Wilson, who released their tools at the DerbyCon hacker conference, believe manufacturers should require signed firmware updates for USB controllers in order to prevent unauthorized modifications.

The other option is to disable the ability to change firmware once a device ships from the factory. However, even if such changes are implemented, USB drives in the market today are likely to remain vulnerable for years, experts say

Copyright © 2014 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)