Security researchers have broken with the practice of not disclosing how to exploit a vulnerability and have openly published an exploit for a hole in USB devices. Worse, the vulnerability is fundamental and cannot be closed simply by updating software.
The BadUSB vulnerability was first found by Karsten Nohl and Jakob Lell, researchers at the German consulting company Security Research Labs. They did not publish the exploit, because no patch exists for the vulnerability. Its essence is that an attacker can change the firmware of the USB interface controller found in every USB device: flash drive, mouse, keyboard, and so on.
As CNews notes, keeping the method of exploiting a vulnerability secret is standard practice among information security experts. It keeps users safe until manufacturers release an update, after which the exploit is disclosed. However, information security specialists Adam Caudill and Brandon Wilson decided to ignore this rule and published the exploit after working out the weakness themselves, without help from their colleagues. Moreover, speaking at the DerbyCon conference, they demonstrated how any novice hacker can use BadUSB to emulate a keyboard and take control of the computer.
"When someone who has the money for research announces the discovery of vulnerabilities, no manufacturer will worry about eliminating them. When you show that almost anyone could exploit this vulnerability without too much difficulty, it makes them act," Adam Caudill told Wired. He and his partner hope that the authors of the USB standard will now begin to act.
After finding the BadUSB vulnerability, Karsten Nohl described it in the summer of 2014 as a "fundamental cause permanent" hole. The reason, as he explained, is that it lies in the very mechanism of USB and in theory cannot be eliminated until the standard's authors completely change their approach to security.
According to Nohl, one option for protection could be the introduction of digital signatures that prevent arbitrary changes to the firmware of USB devices. However, introducing such a system may take up to 10 years.
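
Because the firmware itself cannot be patched, one host-side check for the keyboard emulation described above is to inspect what a newly attached device declares about itself. The following is an added example, not code from the researchers or from this article: it walks raw USB descriptors and flags a device that declares a mass-storage interface and a HID keyboard interface together. The function names are hypothetical and the descriptor bytes are constructed samples.

```python
# Added example: flag a USB device that declares storage and a keyboard together.
MASS_STORAGE, HID = 0x08, 0x03   # bInterfaceClass codes
HID_KEYBOARD = 0x01              # bInterfaceProtocol value for a keyboard
DT_INTERFACE = 0x04              # bDescriptorType of an interface descriptor

def interfaces(blob):
    """Return (class, subclass, protocol) for every interface descriptor in blob."""
    found, pos = [], 0
    while pos < len(blob):
        # Every USB descriptor starts with bLength, bDescriptorType.
        if pos + 2 > len(blob) or blob[pos] < 2 or pos + blob[pos] > len(blob):
            raise ValueError(f"malformed descriptor at offset {pos}")
        length, dtype = blob[pos], blob[pos + 1]
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            # bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol
            found.append(tuple(blob[pos + 5:pos + 8]))
        pos += length
    return found

def storage_with_keyboard(blob):
    """True when one device exposes both mass storage and a HID keyboard."""
    seen = interfaces(blob)
    has_storage = any(cls == MASS_STORAGE for cls, _, _ in seen)
    has_keyboard = any(cls == HID and proto == HID_KEYBOARD for cls, _, proto in seen)
    return has_storage and has_keyboard

# Constructed sample: configuration descriptor of an ordinary flash drive.
PLAIN_STICK = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"    # configuration, 1 interface
    "09 04 00 00 02 08 06 50 00"    # interface 0: mass storage, SCSI, bulk-only
    "07 05 81 02 00 02 00 07 05 02 02 00 02 00")  # bulk IN / bulk OUT endpoints

# Constructed sample: the same drive with an extra keyboard interface.
COMPOSITE = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"    # configuration, 2 interfaces
    "09 04 00 00 02 08 06 50 00"    # interface 0: mass storage
    "07 05 81 02 00 02 00 07 05 02 02 00 02 00"
    "09 04 01 00 01 03 01 01 00"    # interface 1: HID, boot subclass, keyboard
    "09 21 11 01 00 01 22 3f 00"    # HID class descriptor
    "07 05 83 03 08 00 0a")         # interrupt IN endpoint

if __name__ == "__main__":
    for name, blob in (("plain stick", PLAIN_STICK), ("composite", COMPOSITE)):
        print(name, "-> flag" if storage_with_keyboard(blob) else "-> ok")
```

On Linux the same bytes can be read from a device's `descriptors` file under `/sys/bus/usb/devices/`. A reflashed device that presents only a keyboard interface is not caught by this check, so it complements rather than replaces firmware signing.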