Adventures in USB land
Whoami
Valentinas Bakaitis
@vbakaitis on Twitter
Senior security consultant @ Aura Information Security
What is USB?
Spoiler alert, it’s not really a bus.
USB infrastructure
• Host
• Hubs
• Devices
• Interfaces
• Endpoints
USB infrastructure
• Host – Computer
• Hub – Switch
• Device – Another tiny computer
• Interfaces – Applications
• Endpoints – Ports
• It’s a network!
USB Device Connected
USB Enumeration
• Device: I’m connected
• Host: What is your device descriptor?
• Device: Here is my device descriptor…
• (same for configuration, interface and class descriptors)
• Host loads the drivers
• Device is ready to use
USB Descriptors
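Added example (not from the original slides): a defensive parser for the 18-byte standard device descriptor that the device hands over during enumeration. It assumes the USB 2.0 field layout; the function names and the vendor/product IDs in the sample are hypothetical placeholders, and the sample bytes are constructed.

```python
import struct

# Standard device descriptor: 18 bytes, little-endian (USB 2.0 layout).
DEVICE_DESCRIPTOR = struct.Struct("<BBHBBBBHHHBBBB")
FIELDS = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass",
          "bDeviceSubClass", "bDeviceProtocol", "bMaxPacketSize0",
          "idVendor", "idProduct", "bcdDevice", "iManufacturer",
          "iProduct", "iSerialNumber", "bNumConfigurations")


def parse_device_descriptor(raw: bytes) -> dict:
    """Parse device-supplied bytes; length and type are checked before use."""
    if len(raw) < 2:
        raise ValueError("short read: descriptor header missing")
    if raw[1] != 0x01:
        raise ValueError(f"bDescriptorType {raw[1]:#04x} is not DEVICE")
    # bLength is chosen by the device: compare it against the fixed size,
    # never use it to size a read or a copy.
    if raw[0] != DEVICE_DESCRIPTOR.size:
        raise ValueError(f"bLength {raw[0]} does not match fixed size 18")
    if len(raw) < DEVICE_DESCRIPTOR.size:
        raise ValueError("truncated descriptor")
    desc = dict(zip(FIELDS, DEVICE_DESCRIPTOR.unpack_from(raw)))
    if desc["bcdUSB"] < 0x0300 and desc["bMaxPacketSize0"] not in (8, 16, 32, 64):
        raise ValueError("invalid bMaxPacketSize0 for a USB 2.0 device")
    if desc["bNumConfigurations"] == 0:
        raise ValueError("device reports no configurations")
    return desc


def allowlist_match(desc: dict, allowed: set) -> bool:
    """True if the *claimed* (idVendor, idProduct) pair is in the allowlist.

    Both values are self-reported by the device and nothing in the descriptor
    authenticates them, so this is a claim check, not an identity check.
    """
    return (desc["idVendor"], desc["idProduct"]) in allowed


# Constructed sample descriptor; 0x1234/0x5678 are placeholder IDs.
SAMPLE = DEVICE_DESCRIPTOR.pack(18, 0x01, 0x0200, 0, 0, 0, 64,
                                0x1234, 0x5678, 0x0100, 1, 2, 3, 1)

if __name__ == "__main__":
    d = parse_device_descriptor(SAMPLE)
    print(f"claimed VID:PID = {d['idVendor']:04x}:{d['idProduct']:04x}")
    print("allowlisted:", allowlist_match(d, {(0x1234, 0x5678)}))
```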
AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL
Consequences
No Identity
No Confidentiality
No Integrity
Attacks against USB
Attack!
Bad USB
• Level 1: malicious USB firmware
• Level 2: self replicating malware
• Level 3: self replicating malware in boot sector
• Level 4: self replicating malware in boot sector that flashes your BIOS
Keelog USB Key logger
• Sits between the keyboard
• Is completely invisible to PC
• Stores keys pressed
• Transfers keys pressed through WIFI
• Could be modified to listen for keys from wifi and inject them
Killer USB
DEMO!
Using empty space in your device
[Figure: what user sees / what computer sees]
Other attacks
Fuzzing OS/BIOS stack
• Low level protocol
• Untrusted length
• Perfect target for getting to ring 0!
• As a device you can tell what OS is running on a computer!
Fuzzing or abusing drivers
• Low level code
• Written by 3rd party
• Automatically loaded by OS
• Example: Alcor USB camera
Why does it matter?
• USB is very prevalent
• The technology is available
• And very very cheap!
• And most importantly – Web USB
What is Web USB
“API for securely providing access to Universal Serial Bus devices from web pages”
Tl;dr: Talk raw USB from JavaScript. Similar to currently implemented Webcam/Microphone/Location access from the browser.
Read it yourself: https://wicg.github.io/webusb/
What can we do to avoid USB security issues?
Solutions that don’t work
• USB Condom
• Hardware abstraction
• Keyboard guard software
• USB device whitelisting
Solutions that might work?
PKI?
We need a new, non backwards compatible standard.
Or don’t leave your computer USB unlocked
Q&A
References
• USB specifications and related docs: www.usb.org
• Web USB RFC: https://wicg.github.io/webusb/
Tools for working with USB:
• USBView (windows) https://msdn.microsoft.com/en-us/library/windows/hardware/ff560019(v=vs.85).aspx
• Wireshark (needs spec software/hardware), allows to capture USB traffic: https://wiki.wireshark.org/CaptureSetup/USB
• Most logic analysers (saleae is a cheap one) can decode USB: https://www.saleae.com/
• Facedancer board – lets emulate usb in python: http://int3.cc/products/facedancer21 or build your own (schematic and PCB layout available at http://goodfet.sourceforge.net/hardware/facedancer21/ )
• Pretty much any arduino board or any popular uC can talk USB. A cheap one is digispark, look on aliexpress, you can buy 10 for $11, or $1.5 each. Libraries for working with USB can be found here: https://github.com/digistump/DigisparkArduinoIntegration
• USB keylogger: www.keelog.com