USB, fundamental security flaw found!

Using that flaw, it is possible to take over a PC invisibly (not detected by anything)!!!



Newer article about it discusses that not even a behavioral blocker can spot it.



Hmm, thought, would a USB device whitelist be possible? I don’t mean a general whitelist that Comodo maintains, but instead, whenever you plug in a device using USB, the device is detected but not initialized; then you get an alert asking if you want to allow the device (and also if you want to whitelist it)… I dunno, it would stop malicious third parties from simply plugging in a USB device and taking over the computer, assuming the attacker doesn’t click Allow… hmm… Perhaps password protection…

Another idea: a hash of the firmware. Upon each use of the USB device the firmware is hashed again, and if there is a hash mismatch then the device isn’t allowed.

Meh, perhaps those weren’t good ideas after all; without knowing how this malware works more technically, it’s hard to think of a theoretical protection.

Edit: HIPS for USB devices? e.g. “HID-compliant keyboard is trying to XYZ - Allow / Deny / Trust” etc… perhaps that wouldn’t work either…

@Sanya IV Litvyak

Your first idea can be done with the built-in GPO of Windows 7 and 8,

using the first two scenarios of the following Microsoft guide:


Here is another link to a guy asking about it on the Microsoft forums:


The problem is that the general public doesn’t have a clue about security;
however, USB companies could sign their devices, though again this may take years to happen.
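As an added example (not from the post above and not a reproduction of Microsoft's guide), the PowerShell below does by hand what the first Group Policy scenarios do through gpedit: it writes the registry values behind Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions so that only explicitly listed USB hardware IDs may be installed, and lists the attached devices so you can collect those IDs first. The registry path and the value names DenyUnspecified and AllowDeviceIDs are the ones the policy editor writes (verify against gpedit on your build before relying on them); the two hardware IDs in the allow-list are constructed placeholders.

```powershell
# Added example: enforce a USB allow-list through the Device Installation
# Restrictions policy values. Run in an elevated PowerShell on Windows 8 or
# later (Get-PnpDevice is not available on Windows 7; use
# Get-WmiObject Win32_PnPEntity there).

# Step 1: list the USB devices currently attached, with the hardware ID
# you will copy into the allow-list.
function Get-PresentUsbHardwareIds {
    Get-PnpDevice -PresentOnly |
        Where-Object { $_.InstanceId -like 'USB\*' } |
        Select-Object FriendlyName, Class,
            @{ Name = 'HardwareId'; Expression = { $_.HardwareID | Select-Object -First 1 } }
}

# Step 2: the allow-list. Both IDs are constructed placeholders; replace them
# with real output of Get-PresentUsbHardwareIds.
$AllowedHardwareIds = @(
    'USB\VID_046D&PID_C31C',   # constructed: the keyboard you trust
    'USB\VID_0781&PID_5567'    # constructed: the flash drive you trust
)

# Step 3: write the policy values. DenyUnspecified=1 is
# "Prevent installation of devices not described by other policy settings";
# AllowDeviceIDs=1 plus the AllowDeviceIDs subkey (values named "1", "2", ...)
# is "Allow installation of devices that match any of these device IDs".
function Set-UsbAllowListPolicy {
    param([string[]]$HardwareIds)

    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }

    New-ItemProperty -Path $policy -Name 'DenyUnspecified' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $policy -Name 'AllowDeviceIDs'  -Value 1 -PropertyType DWord -Force | Out-Null

    $allowKey = Join-Path $policy 'AllowDeviceIDs'
    if (-not (Test-Path $allowKey)) { New-Item -Path $allowKey -Force | Out-Null }

    $n = 1
    foreach ($id in $HardwareIds) {
        New-ItemProperty -Path $allowKey -Name "$n" -Value $id -PropertyType String -Force | Out-Null
        $n++
    }
}

Get-PresentUsbHardwareIds | Format-Table -AutoSize
Set-UsbAllowListPolicy -HardwareIds $AllowedHardwareIds
```

Two caveats a practitioner will want. First, the policy gates driver installation, so devices already installed before it was set keep working unless you also enable the "apply to already installed devices" option of the deny setting. Second, the allow-list is a match on the VID and PID the device reports; a BadUSB firmware that claims a trusted VID/PID walks straight through it, so this stops opportunistic plug-and-own, not a device that impersonates the hardware you listed.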

There is no effective protection because antivirus products do not have access to the firmware of USB devices.
Behavioral detection won’t be good since a malicious USB can switch to a different device type. Thus, the monitoring mechanism would record only a new USB device.
Moreover, at the moment, there is no firewall solution that could block certain device classes.

There are many possibilities:

  • may infect other USB components, e.g. a webcam or a (USB) keyboard.
  • may replace the computer’s BIOS (by emulating a keyboard).
  • etc.

If this ‘threat’ is detected, then all USB devices will be considered suspicious/infected. The only “real protection” would be restricting the use of USB devices.
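The whitelist/alert idea from Sanya's post and the objection in the post above (a device that switches type just looks like a new device) can be put side by side in code. The PowerShell below is an added example, not from either poster: it keys USB plug-in events on VID/PID plus serial, flags a known device that comes back under a different device class, and shows that once the firmware also changes its VID/PID the monitor sees nothing but a "new device". The events are constructed, not captured; in practice you would feed the function from the Kernel-PnP configuration event log or a WMI __InstanceCreationEvent subscription on Win32_PnPEntity.

```powershell
# Added example: a per-device class monitor over USB enumeration events.

function Get-UsbDeviceKey {
    param([string]$InstanceId)
    # USB instance IDs look like USB\VID_0781&PID_5567\4C530001234567890123:
    # segment two is VID&PID, segment three the serial (or a Windows-generated
    # number when the device reports none, which already makes such a device
    # "new" on every port).
    $parts = $InstanceId -split '\\'
    return ($parts[1] + '\' + $parts[2])
}

function Find-SuspiciousUsbEvents {
    param([object[]]$Events)
    $seenClasses = @{}      # device key -> classes it has enumerated as
    $alerts = New-Object System.Collections.ArrayList

    foreach ($e in $Events) {
        $key = Get-UsbDeviceKey -InstanceId $e.InstanceId
        $reason = $null
        if (-not $seenClasses.ContainsKey($key)) {
            $seenClasses[$key] = @()
            $reason = 'new device: ask the user before initializing'
        } elseif ($seenClasses[$key] -notcontains $e.Class) {
            $reason = "known device changed class from $($seenClasses[$key] -join '/') to $($e.Class)"
        }
        $seenClasses[$key] += $e.Class
        if ($reason) {
            [void]$alerts.Add([pscustomobject]@{
                Time = $e.Time; Device = $key; Class = $e.Class; Reason = $reason
            })
        }
    }
    return $alerts
}

# Constructed events. Class is what Windows reports for the USB-level node:
# 'USB' for a mass-storage stick, 'HIDClass' for a keyboard.
$events = @(
    [pscustomobject]@{ Time = '09:00'; InstanceId = 'USB\VID_0781&PID_5567\4C530001234567890123'; Class = 'USB' },       # stick, first seen
    [pscustomobject]@{ Time = '09:05'; InstanceId = 'USB\VID_0781&PID_5567\4C530001234567890123'; Class = 'USB' },       # same stick again: silent
    [pscustomobject]@{ Time = '09:10'; InstanceId = 'USB\VID_0781&PID_5567\4C530001234567890123'; Class = 'HIDClass' },  # same stick now claims to be a keyboard: flagged
    [pscustomobject]@{ Time = '09:15'; InstanceId = 'USB\VID_413C&PID_2003\6&1A2B3C4D&0&2'; Class = 'HIDClass' }          # same stick after a VID/PID swap: only "new device"
)

Find-SuspiciousUsbEvents -Events $events | Format-Table -AutoSize
```

The 09:10 event is the one a firmware-hash or HIPS-style check could catch: same VID/PID and serial, different class. The 09:15 event is the post's point: once the firmware also swaps its VID/PID there is no history to compare against, so the only thing left to act on is the "new device" prompt itself, which is why the thread keeps coming back to not initializing unknown devices at all.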

Update regarding the USB flaw…



For Comodo developers, the source code can be found within the link above.

Is it not the case, though, that whatever the malware code injected via the BadUSB flaw does, if it can’t “phone home” it’s pretty useless? The CIS firewall (if properly configured) can prevent unknown programs from getting out on the network, so would that not prevent loss of personal data etc. (even though you’d still be infected, of course)?

Or am I missing something here?

I don’t know exactly how it works, but if it can also pretend to be a keyboard and a mouse, would it not, if sophisticated, be able to automatically accept such firewall alerts?

I don’t know either, but if any software can bypass or spoof the CIS firewall, then the firewall is useless, don’t you think?