Given the severity of that security problem—and the lack of any easy patch—Nohl has held back on releasing the code he used to pull off the attack. But at least two of Nohl's fellow researchers aren't waiting any longer.
In a talk at the Derbycon hacker conference in Louisville, Kentucky last week, researchers Adam Caudill and Brandon Wilson showed that they've reverse engineered the same USB firmware as Nohl's SR Labs, reproducing some of Nohl's BadUSB tricks. And unlike Nohl, the hacker pair has also published the code for those attacks on Github, raising the stakes for USB makers to either fix the problem or leave hundreds of millions of users vulnerable.
"The belief we have is that all of this should be public. It shouldn't be held back. So we're releasing everything we've got," Caudill told the Derbycon audience on Friday. "This was largely inspired by the fact that [SR Labs] didn't release their material. If you're going to prove that there's a flaw, you need to release the material so people can defend against it."