derbycon 2014 - making badusb work for you

Download DerbyCon 2014 - Making BadUSB Work For You

Post on 29-Nov-2014

11.086 views

Category:

Devices & Hardware

4 download

Embed Size (px)

DESCRIPTION

DerbryCon 2014 talk, Making BadUSB Work For You

TRANSCRIPT

  • 1. Making BadUSB Work For You Adam Caudill (@adamcaudill) Brandon Wilson (@brandonlwilson)
  • 2. What is BadUSB? NOT a technical flaw NOT a vulnerability
  • 3. Patriot 8GB Supersonic Xpress
  • 4. Phison 2251-03
  • 5. Reverse Engineering
  • 6. A word of warning...
  • 7. Always starts at boot ROM Attempts to read firmware from NAND If successful, first 32KB loaded to XDATA If not, waits to receive code to RAM and executes it Boot Process
  • 8. Pin Shorting
  • 9. Paging ... Page 0 Page 1 Page 2 Page A Base section 0x0000 0x5000 0xEFFF
  • 10. Firmware Update Process Boot ROM Burner Executable Firmware
  • 11. Pain Points Patching existing firmware o Very touchy o Limited RAM available Writing from-scratch firmware o NAND sucks o Non-standard command sets o Bad block management o Global wear leveling Lots...and lots...of pin shorting
  • 12. Quick Reset Cable
  • 13. New Tools Desktop Flasher Firmware Patcher HID payload injector
  • 14. What We've Done Custom HID firmware Hidden partition patch Password protection bypass patch
  • 15. Custom HID Firmware
  • 16. Hidden Partition Patch Read Request (Get LBA 0x00000073) Patch (Use hidden area?) Section 1 (Public) Section 2 (Hidden)
  • 17. Password Protection Bypass
  • 18. Defense & Detection Composite devices Modified firmware ?
  • 19. Source Code & Tools Drive: bit.ly/badusb4you Code: github.com/adamcaudill/Psychson Burner & Stock Firmware: usbdev.ru/files/phison/
  • 20. Special Thanks Security Research Labs Karsten Nohl Sascha Kriler Jakob Lell
  • 21. Special Thanks Richard Harman (@xabean) ShmooCon 2014 Controlling USB Flash Drive Controllers bit.ly/1xaNkbP
  • 22. Thanks github.com/adamcaudill/Psychson Adam Caudill (@adamcaudill) Brandon Wilson (@brandonlwilson)