USB drive security risks


    USB flash drives have always been a malware risk. (Heck there's even a "House of Cards" plotline that revolves around USB drive-based hacking.)

    A new article describes how the ante has been increased for the capability of maliciously-crafted USB drives to wreak havoc on a system. See

    http://www.cio.co.nz/article/556626/...y-researchers/

    Current versions of KDE / Kubuntu require superuser status to log in to connected hard drives. Is this also true for USB drives?

    What security features are in KDE / Kubuntu to restrict usage of a USB drive?


    I did find this thread:

    http://www.linuxquestions.org/questi...nt-kde-891757/
    Last edited by perspectoff; Oct 07, 2014, 09:32 PM.

    UbuntuGuide/KubuntuGuide

    Right now the killer is being surrounded by a web of deduction, forensic science,
    and the latest in technology such as two-way radios and e-mail.

    #2
    The Verge, ever the source of unvarnished truth (*cough*), issued a hyperbolic screed about BadUSB yesterday. Originally titled "This published hack could be the beginning of the end for USB," it was softened a bit to "USB has a huge security problem that could take years to fix." Wired, somewhat unusually, offered their own breathless take in "The unpatchable malware that infects USBs is now on the loose." Is the sky truly falling? Are we mere moments away from returning to stone knives and bearskins?

    I would call your attention to the comments in these articles. First, by Quietnine at the Verge article:

    This article is blown out of proportion. The information that Nohl’s research (and thus, this entire article and Wired’s identical article) was based on has all been debunked. Yes, there are some devices that can be infected, but it's a very small percent. Most USB devices use ASICs (Application Specific Integrated Circuits), which basically means they can’t be repurposed to be a different type of controller (e.g. use malware to turn a USB flash drive into a NIC and gain network access), and attempts to do so would brick the device, so there goes most of your USB devices right there. On top of that, most USB devices can’t even update their firmware, because firmware is hardcoded into the metal layer of the silicon. But suppose you found a rare device that has re-writable firmware (USB 3.0, and incredibly rare 2.0), AND you have the hardware support to access it, AND you have the understanding to reverse engineer what it does, AND it's not an ASIC device? Guess what, it's still going to perform hash verification of the firmware after you plug it in to make sure the firmware installed properly, and if you’ve replaced the firmware with malware or set your malware up to piggyback on the install it's going to fail hash verification and the device will prompt you for a firmware update that overwrites your bogus code.

    All of Nohl’s research used USB devices from one specific company, Phison Electronics, that is basically a special unicorn that adheres to none of the USB norms. Don’t lose sleep over this.
    The Wired article contains a comment by Andromeda which itself is a repost of a comment by someone else on an earlier Wired article:

    Nohl's research has some serious holes in it. This attack vector, while possible, is incredibly narrow, and any attempt to paint BadUSB as a serious threat is basically FUD. This is a repost of Clandestine Moniker's response to the last BadUSB article wired decided to scare the masses with:
    _____________________________________

    I make a living designing and selling USB controllers and I can say this article is very sensationalist and it is only telling a half-truth. Yes, some USB devices rely on firmware for fundamental operation and yes, the device firmware of *SOME* USB devices can be field-upgraded or otherwise updated, but to claim that USB itself is fundamentally broken due to this limited attack vector is nonsense.

    There are three things that make this attack very specific and difficult to execute:

    1) Most USB device controllers are ASICs, or Application Specific Integrated Circuits. They are usually highly optimized to perform their intended function very well, and they usually do not have extensibility to become other devices. For example, one of my company's products is a USB 3.0 to SATA Bridge, which is used in USB 3.0 external drives. Our USB 3.0 to SATA bridge contains USB endpoints for USB Mass Storage Class and that's it. Even if you re-programmed our device firmware, all it could be is a USB Mass Storage Class device since the USB endpoint number and types are fixed in hardware. We did this to make the chip as lean as possible. It is impossible to program our chip to become a functional networking controller or a keyboard device since we don't support those features on the silicon.

    Not All USB Devices can be infected! Even if you managed to infect the device, chances are you'd brick it rather than make it into something malicious. Manufacturers are usually cost sensitive and they find ways to trim costs everywhere they can -- releasing general-purpose controllers for commodity devices is, by definition, wasteful.

    2) Device manufacturers are generally very protective of their device firmwares, since the device firmwares usually contain stuff device manufacturers don't want other people to know about such as work-arounds for bugs in the silicon, or proprietary algorithms which may enhance performance or reliability, etc. The source code for most device firmwares is never published, and even if it is, there is very little documentation or active support. Finally, device manufacturers often have at least rudimentary checks in place within their controllers to check if the firmware is "valid", though these checks can vary from cryptographic hashing to simple checksums to length checks.

    Getting access to and mucking around with a device's firmware is hard. Many ASICs use customized MCU cores and without published register/programming guides, it is very difficult to reverse-engineer.

    3) Assuming that you've found a USB device controller that for some reason can be programmed arbitrarily to support other USB classes and endpoints and assuming again you found the firmware source code or otherwise reverse-engineered the device's firmware, you still need to be able to program the device. The vast majority of USB 2.0 and 1.1 devices have fixed firmwares that cannot be updated. The firmware code is often stored on a metal layer in the silicon itself, and there is no way for it to be changed. If the firmware is stored on an external memory device, you still need to find a method to reprogram it, either using (undocumented) vendor commands or using a dedicated hardware.

    Most USB device controllers don't support being reprogrammed at all, even if they run on firmware. Some ASICs don't have an MCU and instead rely purely on a logical state machine, so that entire subclass is immune. Many ICs have a MASK ROM such that the firmware program is stored in some type of unwritable read-only medium, and they are totally immune to this attack as well.
    Someone questions Andromeda's post with a bad analogy, and Andromeda handily shreds it:

    1) It is not my profession, it's Clandestine Moniker's profession, whose post I am quoting from the last BadUSB article (as mentioned at the top of my post). My profession is as a computer scientist that specializes in malware reverse engineering, computer forensics and cyber intrusion, and I can confirm that Clandestine's points are accurate.

    2) Your analogy is off. It is impossible to use the BadUSB vulnerability in 99.9999+% of USB devices. A better analogy would be to say 99.9999% of people are immune to Polio thanks to vaccinations, therefore it is unlikely that Polio would ever be the payload of a terrorist's biological attack. Likewise, because so few devices are vulnerable to this exploit it is highly unlikely that a hacker would ever attempt to use it.

    3) Should standards require manufacturers to prevent this kind of attack? Possibly. But the nature of vulnerabilities is that they are often unforeseen, and it's difficult to pass any legislation, let alone legislation that tries to speculate about future vulnerabilities and has zero potential profit for the politicians. So requirements that prevent bad design, while useful, might not be practical to apply.

    4) The author's point is that there is a widespread USB vulnerability and now people are writing code to exploit it. But he's wrong: It's not widespread. It's one company whose devices amount to a very small percentage of total devices. The more appropriate thing to do would be to shame the company hard in the headlines so they stop producing vulnerable crap, but it's more profitable for Wired to make a sensational we're-all-going-to-die article.
    In short: nothing to see here, move along. When The Verge says "In the meantime, any time you plug a USB drive into your computer, you'll be opening up a huge vector of attack," they're spreading the foulest form of bullshopt FUD one can stumble across.
    Last edited by SteveRiley; Oct 03, 2014, 10:58 PM.

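The first post asks what Kubuntu can do to restrict a USB device, and the quoted posts above turn on what a controller declares through its interface descriptors (a mass-storage device versus one that also presents a keyboard or network interface). As an added example that is not code from the thread, Kubuntu or any project named here, the following walks the raw descriptor chain that the Linux kernel exposes in /sys/bus/usb/devices/<dev>/descriptors and applies a chosen default-deny policy: admit only devices whose every interface is Mass Storage (class 0x08), so a drive that also declares a HID or network interface is refused. It assumes the kernel's authorized and authorized_default sysfs attributes as the enforcement mechanism, with authorized_default set to 0 on each root hub beforehand; the sample descriptors are constructed.

```python
from pathlib import Path

DT_INTERFACE = 0x04
ALLOWED_CLASSES = {0x08}  # policy chosen here: admit Mass Storage interfaces only
CLASS_NAMES = {0x02: "CDC", 0x03: "HID", 0x08: "Mass Storage", 0x0A: "CDC Data", 0xFF: "Vendor"}


def interface_classes(descriptors):
    """Walk the chain of (bLength, bDescriptorType, ...) records and return
    bInterfaceClass (byte 5) of every interface descriptor found."""
    classes, off = [], 0
    while off + 2 <= len(descriptors):
        length, dtype = descriptors[off], descriptors[off + 1]
        if length < 2 or off + length > len(descriptors):
            raise ValueError(f"malformed descriptor at offset {off}")
        if dtype == DT_INTERFACE and length >= 9:
            classes.append(descriptors[off + 5])
        off += length
    return classes


def should_authorize(descriptors):
    """Return (allowed, reason). A drive that also declares a HID or network
    interface, the BadUSB shape, is refused even though it is also storage."""
    classes = interface_classes(descriptors)
    if not classes:
        return False, "no interface descriptors"
    bad = sorted({c for c in classes if c not in ALLOWED_CLASSES})
    if bad:
        names = ", ".join(CLASS_NAMES.get(c, f"0x{c:02x}") for c in bad)
        return False, f"non-storage interface present: {names}"
    return True, "mass storage only"


def apply_policy(dev_dir):
    """Read <dev>/descriptors and write 0 or 1 to <dev>/authorized (needs root).
    Pairs with authorized_default=0 on each usbN root hub: new devices start
    denied and this function decides which ones to admit."""
    dev = Path(dev_dir)
    allowed, reason = should_authorize((dev / "descriptors").read_bytes())
    (dev / "authorized").write_text("1" if allowed else "0")
    return allowed, reason


# Constructed sample descriptors (not captured from a real device).
DEV = bytes.fromhex("120100020000004034127856000101020301")  # device descriptor, 18 B
CFG1 = bytes.fromhex("090220000101008032")  # config header: 1 interface, 32 B total
CFG2 = bytes.fromhex("090239000201008032")  # config header: 2 interfaces, 57 B total
IF_MSC = bytes.fromhex("090400000208065000")  # interface descriptor, class 0x08
IF_HID = bytes.fromhex("090401000103010100")  # interface descriptor, class 0x03
HID = bytes.fromhex("092111010001223f00")  # HID class descriptor (type 0x21)
EP = bytes.fromhex("07058102400000")  # bulk IN endpoint descriptor
PLAIN_DRIVE = DEV + CFG1 + IF_MSC + EP + EP
BADUSB_DRIVE = DEV + CFG2 + IF_MSC + EP + EP + IF_HID + HID + EP
```

Run apply_policy as root on a device directory such as /sys/bus/usb/devices/1-2 after writing 0 to /sys/bus/usb/devices/usb1/authorized_default; a udev rule on the usb subsystem can invoke it for each newly enumerated device.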


      #3
      PS I take care of two polio patients currently. I have no idea how they got it. I, like many, had thought polio had been eradicated. (To be fair, both patients are elderly and may have acquired the disease long ago.)

      I think there's now a Spanish nurse with Ebola. No one knows how that was acquired, either.

      There is a saying in the medical profession:

      "if the risk is low but the consequences severe, vigilance and prevention are warranted, just as for common problems with lower severity."

      Today I bought a USB male to male cable. Guess what? Embedded in the cable itself were 4 programs (two Mac apps and two Windows apps). None were required for the cable to function. I initially thought they were and ran them (after scanning with an anti-virus program).

      I can't believe how easy it is EVEN IN A CABLE to embed programs. The "Internet of Things" indeed.

      Security is paramount and guessing about your risk benefits no one. Just ask Edward Snowden, Mark Klein, Joe Weiss, and Richard Clark. (... unless you've been under a rock for 10 years and never heard of those characters, of course.)
      Last edited by perspectoff; Oct 07, 2014, 09:29 PM.




        #4
        Originally posted by perspectoff:
        Embedded in the cable itself were 4 programs (two Mac apps and two Windows apps). None were required for the cable to function.
        What? Really? This is quite disturbing. How did you discover the programs?
