66415: Acronis DeviceLock DLP: BadUSB exploit technique: turning devices evil


Last update: 20-01-2021


Commonly used USB controller chips, including those in thumb drives, have no protection from reprogramming, making it possible for the BadUSB exploit technique to turn standard USB devices into "evil" threats for corporate IT security. Malware can be injected into the reprogrammed firmware of a compromised USB device and then operate from it. Because modern anti-malware solutions cannot scan or disinfect a USB device's firmware, the malware in the infected USB controller can use basic USB protocol communications to deliver various malware agents from the peripheral to the computer. This makes it possible to launch different types of complex attacks with the ultimate goal of either immediately exfiltrating sensitive data from the computer or infecting it for further malicious actions.

Can DeviceLock eliminate the threat?

Yes, it can. The spread of BadUSB from infected USB devices to a computer protected by DeviceLock Endpoint DLP can be prevented by blocking all USB connections at the USB port level and allowing only company-approved USB devices in the White List. When such a configuration is enforced, the DeviceLock agent blocks all communications over the USB protocol between the computer and any non-whitelisted USB devices. As a result, DeviceLock fully eliminates the ability of unapproved BadUSB-compromised devices to penetrate the protected computer.


With regard to company-authorized whitelisted USB devices, we advise our customers to utilize only those types of USB devices whose controllers cannot be reprogrammed from a regular PC, which is the method used in the BadUSB exploit. Even in the rare case where a whitelisted USB device infected by BadUSB evades DeviceLock's USB-level controls and infects the computer, DeviceLock protects the endpoint by performing its key function of preventing data leaks: it additionally enforces content-aware controls over files and other data leaving the computer via local and network channels. Though in this case DeviceLock cannot prevent BadUSB from infecting the computer, it ultimately prevents the malware from leaking sensitive data from the computer.