Adventures in USB land
Whoami
Valentinas Bakaitis
@vbakaitis on Twitter
Senior security consultant @ Aura Information Security
What is USB?
Spoiler alert, it’s not really a bus.
USB infrastructure
• Host
• Hubs
• Devices
• Interfaces
• Endpoints
USB infrastructure
• Host – Computer
• Hub – Switch
• Device – Another tiny computer
• Interfaces – Applications
• Endpoints – Ports
• It’s a network!
USB Device Connected
USB Enumeration
• Device: I’m connected
• Host: What is your device descriptor?
• Device: Here is my device descriptor…
• (same for configuration, interface and class descriptors)
• Host loads the drivers
• Device is ready to use
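The exchange on this slide, as an added example (not code from the talk): the host's GET_DESCRIPTOR SETUP packet and a check-then-decode of the 18-byte device descriptor that comes back. The sample reply bytes, `struct device_info` and the function names are constructed for illustration; every field decoded is self-reported by the device.

```c
#include <stdint.h>
#include <stdio.h>

/* Subset of the 18-byte device descriptor fields a host reads at enumeration. */
struct device_info {
    uint16_t bcdUSB, idVendor, idProduct;
    uint8_t  bDeviceClass, bMaxPacketSize0, bNumConfigurations;
};
/* Constructed device reply; the vendor and product IDs are made-up values. */
static const uint8_t SAMPLE_DEVICE_DESC[18] = {
    0x12, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x40, 0x34,
    0x12, 0x78, 0x56, 0x00, 0x01, 0x01, 0x02, 0x03, 0x01,
};

/* Host -> device: the 8-byte SETUP packet for a standard GET_DESCRIPTOR request. */
void build_get_descriptor(uint8_t type, uint8_t index, uint16_t length, uint8_t out[8])
{
    out[0] = 0x80;                     /* bmRequestType: device-to-host, standard, device */
    out[1] = 0x06;                     /* bRequest: GET_DESCRIPTOR */
    out[2] = index;                    /* wValue low byte: descriptor index */
    out[3] = type;                     /* wValue high byte: descriptor type (1 = device) */
    out[4] = out[5] = 0;               /* wIndex: zero for the device descriptor */
    out[6] = (uint8_t)(length & 0xff); /* wLength, little-endian */
    out[7] = (uint8_t)(length >> 8);
}

/* Device -> host: returns 0 and fills *d, or -1 if the reply is malformed. */
int parse_device_desc(const uint8_t *buf, size_t len, struct device_info *d)
{
    if (len < 18 || buf[0] != 18 || buf[1] != 0x01)
        return -1;                     /* short read, wrong bLength or wrong type */
    d->bcdUSB = (uint16_t)(buf[2] | (buf[3] << 8));
    d->bDeviceClass = buf[4];
    d->bMaxPacketSize0 = buf[7];
    d->idVendor = (uint16_t)(buf[8] | (buf[9] << 8));
    d->idProduct = (uint16_t)(buf[10] | (buf[11] << 8));
    d->bNumConfigurations = buf[17];
    return 0;
}

int main(void)
{
    uint8_t setup[8];
    struct device_info d;
    build_get_descriptor(0x01, 0, 18, setup);   /* "What is your device descriptor?" */
    if (parse_device_desc(SAMPLE_DEVICE_DESC, sizeof SAMPLE_DEVICE_DESC, &d) != 0)
        return 1;
    printf("%04x:%04x, %u config(s)\n", d.idVendor, d.idProduct, d.bNumConfigurations);
    return 0;
}
```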
USB Descriptors
AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL
Consequences
No Identity
No Confidentiality
No Integrity
Attacks against USB
Attack!
Bad USB
• Level 1: malicious USB firmware
• Level 2: self replicating malware
• Level 3: self replicating malware in boot sector
• Level 4: self replicating malware in boot sector that flashes your BIOS
Keelog USB Key logger
• Sits between the keyboard
• Is completely invisible to PC
• Stores keys pressed
• Transfers keys pressed through WIFI
• Could be modified to listen for keys from wifi and inject them
Killer USB
DEMO!
Using empty space in your device
[Figure: what user sees vs. what computer sees]
Other attacks
Fuzzing OS/BIOS stack
• Low level protocol
• Untrusted length
• Perfect target for getting to ring 0!
• As a device you can tell what OS is running on a computer!
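What "untrusted length" means for the host side: each descriptor carries its own bLength and the configuration descriptor its own wTotalLength, all supplied by the device. The following is an added example (not from the talk) of a descriptor walk that checks every length against the bytes actually received; the sample bytes and the function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { DT_CONFIG = 0x02, DT_INTERFACE = 0x04, DT_ENDPOINT = 0x05 };

/* Constructed sample: config (9) + interface (9) + HID class (9) + endpoint (7). */
static const uint8_t SAMPLE_CONFIG[34] = {
    0x09, 0x02, 0x22, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3f, 0x00,
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0a,
};

/* Returns the number of endpoint descriptors, or -1 if any length is inconsistent. */
int count_endpoints(const uint8_t *buf, size_t len)
{
    if (len < 9 || buf[0] < 9 || buf[1] != DT_CONFIG)
        return -1;
    size_t total = (size_t)buf[2] | ((size_t)buf[3] << 8);   /* wTotalLength */
    if (total < buf[0] || total > len)   /* claim must fit the bytes actually received */
        return -1;
    int endpoints = 0;
    for (size_t off = buf[0]; off < total; ) {
        size_t left = total - off;
        if (left < 2) return -1;         /* no room for bLength + bDescriptorType */
        uint8_t blen = buf[off], type = buf[off + 1];
        size_t min = type == DT_INTERFACE ? 9 : type == DT_ENDPOINT ? 7 : 2;
        if (blen < min || blen > left)   /* 0 never advances; too large over-reads */
            return -1;
        if (type == DT_ENDPOINT) endpoints++;
        off += blen;                     /* unknown types are skipped by length */
    }
    return endpoints;
}

/* Overwrite one byte of the sample to simulate a malformed reply, then re-parse. */
int count_with_patch(size_t offset, uint8_t value)
{
    uint8_t copy[sizeof SAMPLE_CONFIG];
    memcpy(copy, SAMPLE_CONFIG, sizeof copy);
    if (offset < sizeof copy) copy[offset] = value;
    return count_endpoints(copy, sizeof copy);
}

int main(void)
{
    printf("ok=%d bad=%d\n", count_endpoints(SAMPLE_CONFIG, 34), count_with_patch(18, 0));
    return 0;
}
```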
Fuzzing or abusing drivers
• Low level code
• Written by 3rd party
• Automatically loaded by OS
• Example: Alcor USB camera
Why does it matter?
• USB is very prevalent
• The technology is available
• And very very cheap!
• And most importantly – Web USB
What is Web USB
“API for securely providing access to Universal Serial Bus devices from web pages”
Tl;dr: Talk raw USB from JavaScript. Similar to currently implemented Webcam/Microphone/Location access from the browser.
Read it yourself: https://wicg.github.io/webusb/
What can we do to avoid USB security issues?
Solutions that don’t work
• USB Condom
• Hardware abstraction
• Keyboard guard software
• USB device whitelisting
Solutions that might work?
PKI?
We need a new, non backwards compatible standard.
Or don’t leave your computer USB unlocked
Q&A
References
• USB specifications and related docs: www.usb.org
• Web USB RFC: https://wicg.github.io/webusb/
Tools for working with USB:
• USBView (Windows): https://msdn.microsoft.com/en-us/library/windows/hardware/ff560019(v=vs.85).aspx
• Wireshark (needs spec software/hardware), allows capturing USB traffic: https://wiki.wireshark.org/CaptureSetup/USB
• Most logic analysers (Saleae is a cheap one) can decode USB: https://www.saleae.com/
• Facedancer board – lets you emulate USB in Python: http://int3.cc/products/facedancer21 or build your own (schematic and PCB layout available at http://goodfet.sourceforge.net/hardware/facedancer21/ )
• Pretty much any Arduino board or any popular uC can talk USB. A cheap one is Digispark; look on AliExpress, you can buy 10 for $11, or $1.5 each. Libraries for working with USB can be found here: https://github.com/digistump/DigisparkArduinoIntegration
• USB keylogger: www.keelog.com