A pair of security researchers have published a piece of malware which has been described as "undetectable and unpatchable" and which could render every USB stick in the world a security risk.

In August, at the Black Hat hacker conference in Las Vegas, Germany-based security researchers Karsten Nohl and Jakob Lell revealed BadUSB, an exploit which alters the firmware of a USB stick to allow it to spread malware completely undetected.

While they did show off a proof-of-concept attack against an Android device, the researchers did not publish the code used to carry out the attack, as they worried that because it was almost impossible to patch, it would pose a major security risk for businesses across the globe.

That is not the view of two other security researchers, however. Last week Adam Caudill and Brandon Wilson published their version of the exploit on code-sharing website GitHub, meaning anyone who wants to use the exploit can do so.


Wilson and Caudill managed to reverse engineer the same USB firmware as Nohl and Lell and reproduce some of the same tricks used by BadUSB, including one that would allow attackers to impersonate a keyboard, telling the victim's machine what to type.

As the exploit code resides in the USB stick's firmware, simply deleting the entire contents of the stick would not eradicate the problem.

The pair believe that publishing the code will allow security experts to highlight what a big problem this is, and potentially kickstart a major rethink in USB security.

Speaking at the DerbyCon hacker conference, Caudill said: "The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got. This was largely inspired by the fact that [Nohl and Lell] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it."

The problem is that making a significant change in USB security would take up to 10 years, according to Nohl, as it would involve a fundamental change to the way a USB stick's firmware is written.

Caudill, however, believes that publishing the code and making it available to everyone will put more pressure on manufacturers to fix the problem.

"If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it. You have to prove to the world that it's practical, that anyone can do it. That puts pressure on the manufacturers to fix the real issue," Caudill said in an interview with Wired.