3 Replies. Latest reply: Aug 18, 2014 8:18 AM by SafeBoot

    BadUSB vulnerability




      Does anyone know whether McAfee have commented on the BadUSB vulnerability (BBC News - USB 'critically flawed' after bug discovery, researchers say) in terms of whether DLP Device Control policies can mitigate this risk?
      If, for example, you use DLP to lock down all USB storage devices except recognised company ones (by serial number), could a doctored USB stick be used to circumvent this by pretending to be a keyboard or NIC or other safe device?
        • 1. Re: BadUSB vulnerability

          My take is that a "doctored USB Stick" which purports to be a keyboard is a keyboard according to the OS - Though BadUSB is topical, it's hardly new - It's been known since the very beginning that USB devices were not really trustworthy, though they are convenient.


          Understanding that any device involved in accepting keystrokes can store them, and any device transmitting data can manipulate it as well, and even though a device claims to have a certain serial number, that does not mean it matches the one printed on the sticker, that's pretty much all there is to BadUSB.


          Also, it's not possible to convert the great number of devices in existence to something else - they simply don't have field-updatable firmware. There's no way your "generic USB Stick" is going to start advertising itself as a keyboard.


          What's missing from all the news sensation is the simple fact that a device which claims to be a USB Stick cannot also "secretly" be a network device or capture key presses - unless, that is, the user installs some special drivers for it.


          And of course, a plug for one of the first USB "trojans" - the good old Rubber Ducky -



          • 2. Re: BadUSB vulnerability

            Any official comment on BadUSB by McAfee?


            BADUSB does a lot more than just altering the serial number...the fact is it allows a USB memory device to mount as a peripheral thereby bypassing DLP.


            Also, it appears to re-write the firmware of things like phones and other USB peripherals, allowing people who are just "charging" them up to plug a possibly compromised device into the network.


            http://www.techtimes.com/articles/11979/20140804/badusb-exploit-is-your-usb-device-spying-on-you-or-stealing-your-data.htm


            So, McAfee should issue some sort of release addressing the attempts to rewrite firmware, the plugging in of the compromised devices into computers, or the exploits it tries to run.

            • 3. Re: BadUSB vulnerability

              Rewriting firmware is covered by application control and VSE. Nothing we do, short of standing there, can stop a user physically plugging something in.


              Exploits running is again covered by app control and VSE.


              BadUSB does not "allow a USB memory device to mount as a peripheral", it reprograms a device to act as a peripheral. Whether the OS lets it mount or not is completely different - DLP, device control etc will block a device from mounting, as will the user simply clicking "no".


              BadUSB is serious, but it's not as amazing as the press make it out to be. Most devices are simply not reprogrammable to start with.


              The best advice is to educate your users about the threat - if they plug a USB memory stick in and their computer says "detecting new keyboard", they should be worried, remove it, and contact your SOC for advice.
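
The following is an added example, not part of the thread and not how McAfee DLP is implemented. It compares the serial-number allowlist from the original question with a check that also looks at the USB interface classes a device declares; the allowlist, serials and device reports are constructed for illustration.

```python
# bInterfaceClass codes from the USB-IF class list that matter in this thread.
USB_CLASS = {0x02: "CDC/network", 0x03: "HID", 0x08: "mass storage"}

# Constructed allowlist: serial -> interface classes recorded at enrolment.
ALLOWLIST = {"CORP-0001": {0x08}, "CORP-0002": {0x08}}

def serial_only_check(device):
    """Policy from the question: allow when the reported serial is known."""
    return device["serial"] in ALLOWLIST

def class_aware_check(device):
    """Allow only a known serial whose interfaces all match enrolment."""
    expected = ALLOWLIST.get(device["serial"])
    if expected is None:
        return False, ["serial not enrolled"]
    reasons = []
    for cls, sub, proto in device["interfaces"]:
        if cls not in expected:
            name = USB_CLASS.get(cls, "other")
            reasons.append(f"unexpected interface class 0x{cls:02X} ({name})")
        # HID boot-interface keyboard: class 0x03, subclass 0x01, protocol 0x01
        if (cls, sub, proto) == (0x03, 0x01, 0x01):
            reasons.append("declares a boot keyboard interface")
    return not reasons, reasons

# Constructed device reports: (class, subclass, protocol) per interface.
# 0x08/0x06/0x50 is mass storage, SCSI transparent command set, bulk-only.
DEVICES = {
    "genuine stick": {"serial": "CORP-0001", "interfaces": [(0x08, 0x06, 0x50)]},
    "reprogrammed stick": {"serial": "CORP-0001", "interfaces": [(0x03, 0x01, 0x01)]},
    "composite device": {"serial": "CORP-0002",
                         "interfaces": [(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)]},
    "unknown stick": {"serial": "XYZ-9", "interfaces": [(0x08, 0x06, 0x50)]},
}

def evaluate(devices=DEVICES):
    """Return {name: (serial_only_allowed, class_aware_allowed, reasons)}."""
    out = {}
    for name, dev in devices.items():
        ok, reasons = class_aware_check(dev)
        out[name] = (serial_only_check(dev), ok, reasons)
    return out

if __name__ == "__main__":
    for name, (by_serial, by_class, reasons) in evaluate().items():
        print(f"{name}: serial-only={by_serial} class-aware={by_class} {reasons}")
```

The interface classes are reported by the device just as the serial is, but the OS only binds a keyboard driver to an interface that declares HID, so a device that wants to type has to show up in this check.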