Two security researchers have released code that can manipulate USB controllers and which be used to attack computers totally unnoticeable, also known as Bad USB. The researchers have published the code on the open source code hosting website Github and state they want to underline the danger of the Bad USB hack by releasing its code.
In August, German researchers already revealed their attack method during the BlackHat conference. They announced they would be able to take over Windows and Linux PCs by modifying the firmware of USB controllers. The German researchers didn’t publish their source code because they thought it to be dangerous and too hard to patch.
Read more: Researchers release patch for Bad USB hack
The independent researchers Adam Caudill and Brandon Wilson didn’t agree with the reticence of the German researchers and posted code on GitHub which allows reprogramming the frequently used USB microcontrollers of the Taiwanese company Phison.With a manipulated USB stick the researchers were able to simulate keystrokes, but the Bad USB hack can also be used to e.g. log all user input on the PC.
For security software the Bad USB hack is hard to detect because the hack uses hidden partitions and other tricks.
The two researchers state they’ve released the code of their “Psychson” project to help speeding up the development of possible measures against Bad USB. A previous proposal to create a whitelist of USB devices would consume too much time. The researchers mention they haven’t released the most dangerous feature of their Bad USB hack yet, this features makes it possible for USB sticks to infect other USB devices connected to the same PC.