SlideShare une entreprise Scribd logo
1  sur  45
Télécharger pour lire hors ligne
Fear & Loathing on your Desk
BadUSB, and what you should do about it
Robert Fisk
Outline
1. Why USB = Universal Serial Badness
2. Current defenses
3. Hardware defense gadget
– Demo, Preemptive FAQs
So who is this guy?
● Electronic engineer in Auckland, NZ
● PhD in IC design – analog, mixed-signal, low power
● Informal tech support for group of targeted users
● Bored last year, BadUSB looked like an interesting project
1-Slide USB introduction
Host PC
Device
Configuration 1
Endpoint 0
Endpoint 1
Endpoint ...
Interface 0
Endpoint 1
Endpoint ...
Interface 1
USB Device
● Endpoint 0
● Configuration 1
– Interface 0
● Endpoint 1
● Endpoint 2...
– Interface 1
● Endpoint ...
USB descriptors
Bus 007 Device 003: ID 046d:c00c Logitech, Inc. Optical Wheel Mouse
Device Descriptor:
blength 18
bdescriptorType 1
bcdUSB 1.10
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
...blah blah...
Untrusted length!!
[you@yourbox ~]$ lsusb -v
Universal Serial Badness #1
Type 1: Stack Attacks
● Untrusted input to host stack
● Host driver or device driver of attacker's choice
● 200 device drivers in Linux 3.13 kernel source
Host PC User space
USB host driver
USB class
driver
USB device
driver
USB device
driver
POW!POW!
Universal Serial Badness #1
Stack Attack example:
● Inadvertent Win7 attack from crappy mouse
● Bluescreen in HIDCLASS.SYS
Universal Serial Badness #1
News Flash:
Cisco Nexus 5000 Series USB Driver Denial of Service Vulnerability
A vulnerability in the USB driver for Cisco Nexus 5000 Series Switches
could allow an unauthenticated, local attacker to cause a denial of
service (DoS) condition due to a kernel crash.
The vulnerability is due to insufficient handling of USB input parameters.
Cisco has not released software updates that address this vulnerability.
There are no workarounds that mitigate this vulnerability.
“
Universal Serial Badness #2
Type 2: Hidden Functionality Attacks
● No exploit required
● USB-compliant commands
User space
USB host driver
USB class
driver
USB device
driver
USB device
driver
POW!POW!Host PC
Universal Serial Badness #2
Hidden Functionality example:
Netragard's Hacker Interface Device
Usage: Plug mouse into computer, get pwned.
Mouse
Hub
+
HID USB Keystroke Dongle (Teensy)
USB flash drive
+
+
Universal Serial Badness #3
Type 3: Intended Functionality Attacks
● No exploit required
● The thing you want is bad!
User space
USB host driver
USB class
driver
USB device
driver
USB device
driver
POW!POW!
Host PC
Universal Serial Badness #3
Intended Functionality example:
SR Labs 'hidden
rootkit' flash drive
● Host profiling
● Activate payload only
when enumerated by
BIOS
Universal Serial Badness
● Type 1: Stack attacks
● Type 2: Hidden functionality
● Type 3: Intended functionality
100%
standards
compliant
Problem?
How easily can a device turn Bad?
● Most USB chips use 8051 8-bit embedded CPU (from 1980!!!)
● Firmware updates with proprietary tools
srlabs.de
“Up to half of USB chips are BadUSB-vulnerable”
(but you can't tell which half!)
You have no idea what code you are running on your system!
Current defense #1
● For mice on desktop PCs only
● Not all USB mice support PS/2 protocol :(
Reduce your attack surface with advanced PS/2 technology!
NOT VERY USEFUL
NOT VERY USEFUL
Current defense #2
● Only protects against type 2 keyboard attacks
● Windows only
G Data Keyboard GuardNOT VERY USEFUL
NOT VERY USEFUL
Current defense #3
Reduce your attack surface with virtualisation
(the wrong way)
● Software passthrough of USB devices
● Type 2 hypervisors: Virtualbox, etc
● Software passthrough increases your
attack surface!
USB device
USB host
Host OS
Hypervisor
Guest OS
BAM!BAM!
BAM!BAM!
BAM!BAM!
NOT VERY USEFUL
NOT VERY USEFUL
Current defense #3
Reduce your attack surface with virtualisation
(the right way)
● Hardware passthrough of USB host
controller
● Type 1 hypervisors: Qubes/Xen, etc
● Requires VT-d (Intel) or IOMMU (AMD)
● All USB devices attched to a host
controller move together
USB device
USB host
Host OS
Hypervisor
Guest OS
USB host
BAM!BAM!
USEFUL?
USEFUL?
Virtualisation scorecard
● Type 1: Stack attacks – Isolated
● Type 2: Hidden functionality – Isolated
● Type 3: Intended functionality – Isolated
How does hardware virtualisation help us?
Sanitise data leaving the USB VM!
● No protection at boot time
● Host OS inputs are unprotected:
USB kbd/mouse & other devices on the same host controller
For everything else, there's...
● Concept: reduce attack surface through isolation
● Terminate the USB bus outside vulnerable PC
Windows, Mac, Linux: Uhhh...........
USB host
driver
USB device
driver
USB device
USB device
emulator
USB device
driver
BAM!BAM!
Simplest imaginable protocol
BAM!BAM!
Sanity
checks
Host PC
Hardware defense – concept
● Many device drivers
● Slow bootup
● More expensive
Start the project with off-the-shelf hardware
● Limited drivers
● Instant bootup
● Cheap(er)
Embedded Linux: Embedded bare-metal:
Thing 1 Thing 2
USB
device
Simple interface Host
port
Device
port
Upstream
(device)
Downstream
(host)
Host PC
Prototype hardware
Olimex
STM32-H405
Olimex
STM32-H407
Host
port
● STM32F405 / 407 ARM-core microcontrollers
● ST provides USB middleware with various drivers
● FS (12Mbps) with upgrade path to HS (480Mbps)
15 EUR
30 EUR
Device
port
Introducing the USG v0.9
Turning BadUSB good since 2015
Device
port
Host
portSPI data
interface
Let's talk firmware!
main.c
Dev board
Peripheral library
(hardware drivers)
USB host library &
device drivers
Linker script.ld Processor family
headers.h
OpenOCD Olimex JTAG
☼
Board.cfg
GNU
ARM Eclipse
Eclipse CDT
☼ ☼
Startup file.SMath/DSP
libraries
newlib-nano
gdb
☼
☼
gcc-
arm-none-eabi
Firmware current status
● Mass Storage support only
– SCSI transparent command set
– 512B blocks
– 2TB max capacity
– Single LUN
● ~700kB/s transfer speed
● 2x 30kB binary images
Hardware isolation scorecard #1
● Type 1: Stack attacks – Isolated
● Type 2: Hidden functionality
● Type 3: Intended functionality
How does this dongle help us?
Hidden functionality defense
● Disable hubs
– Embedded host stack supports single device only :)
● Disable multi-interface devices
– Limit host to one active class driver
● Lock in requested device class on first enumeration
– Device class change requires firmware reset
Stop Type 2 attacks with firmware features:
Intended functionality defense
● Mass Storage
– Hardware AES keyed from device serial number
– Bad firmware cannot maliciously alter blocks
– Only partial protection
● HID
– Rate-limit input actions
– Only partial protection
– Bonus points: buffer keystrokes > user profiling
Type 3 attacks difficult to block!
None of this is currently implemented!
Hardware isolation scorecard #2
● Type 1: Stack attacks – Isolated
● Type 2: Hidden functionality – Firmware blocked
● Type 3: Intended functionality – Partial protection (eventually!)
Firmware features give more protection
● Some type 3 attacks cannot be hardware sanitised.
Proceed with caution!
USG v1.0 beta
v0.9 v1.0 betaPCB Layout (KiCad)
World's shortest demo
● This slide
● Also, all the other ones!
Preemptive FAQ #1
Q: Can I use my USB hub with the USG?
A: No!
– No embedded host support (downstream)
– Upstream cannot emulate a network of devices
– Also, necessary to block type 2 attacks
Preemptive FAQ #1b
Q: Wait, that means I need a USG for every one of my USB
devices??!!!!!
A: Yeah, sorry about that ;)
Also, this implies hubs cannot be sanitised.
Hubs are untrusted devices too!
Preemptive FAQ #2
Q: Can the USG protect the firmware on my device from
malicious hosts?
A: Yes. The isolation barrier is symmetric.
Preemptive FAQ #3
Q: Will the USG support [my obscure device]?
A: Probably not.
– Requires device driver and device emulator
– Requires some assurance that the data is safe (type 3 attacks)
– Requires sufficient interest (or pull requests!)
Planned:
– HID keyboard, mouse
– CDC, serial
– For everything else, there's Qubes ( )Or other type 1 hypervisor with hardware-
assisted virtualisation of USB host controllers
Preemptive FAQ #4
Q: Does it have a red flashing light to tell me when a USB is Bad?
A: No
– False negatives from host profiling
– False positives from crap devices or internal bugs
– Fault LEDs are deliberately orange
– Always use your USG!
Preemptive FAQ #5
Q: This thing works at USB1 speed? What is this, 1998 or something?
A:
12Mbps
● Wide embedded hardware support
● 2 layer PCB, easy layout
● Soldering level: advanced (0.5mm pitch LQFP)
● Prototype cost: $150
480Mbps
● Limited embedded hardware support
● 4 layer PCB, controlled impedance routing
● Soldering level: mortals need not apply (0.5mm pitch QFN)
● Prototype cost: $300
5Gbps
● No embedded hardware support
● 8 layer PCB, RF grade layout where every mm counts
● Soldering level: impossible (BGA)
● Prototype cost: $1000
Preemptive FAQ #6
Q: So do I need a USG?
A: Windows, Mac, Linux:
Yes, but you are probably still vulnerable! (type 3 attacks)
Type 1 hypervisor with hardware-assisted virtualisation of
USB host controllers:
Yes, for your HIDs and anything connected at boot-time
Embedded devices, eg Cisco switches :)
Yes! (and pray the firmware image is signed)
Preemptive FAQ #7
Q: When can I buy one?
A: Sometime in 2016
– Firmware: add HID class support
– Hardware: 1+ board revisions
DFM is boring and expensive
– Build your own USG v0.9 anytime you want!
Testers wanted
Bonus FAQ
Q: Hardware guys can't code for shit. Why should I trust you?
A1: That's a reasonable question!
A2: Go check the code yourself...
github.com/robertfisk/usg
robert_fisk@fastmail.fm
PGP: 2255 761A FE59 4D18 6511
EE43 DEB9 5AC0 15AD AEBA
The good stuff
Firmware, Hardware, Wiki:

Contenu connexe

Tendances

Http response splitting
Http response splittingHttp response splitting
Http response splittingSharath Unni
 
Zero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic AnalysisZero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic AnalysisAhmed Banafa
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalNSConclave
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsMarius FAILLOT DEVARRE
 
computer forensics
computer forensicscomputer forensics
computer forensicsshivi123456
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Digital investigation
Digital investigationDigital investigation
Digital investigationunnilala11
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPSMinhaz A V
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotikTola LENG
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Security awareness-checklist 2019
Security awareness-checklist 2019Security awareness-checklist 2019
Security awareness-checklist 2019Mustafa Kuğu
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareTyler Borosavage
 
PhNOG Report APRICOT 2023
PhNOG Report APRICOT 2023PhNOG Report APRICOT 2023
PhNOG Report APRICOT 2023APNIC
 
introduction to cyber security
introduction to cyber securityintroduction to cyber security
introduction to cyber securitySlamet Ar Rokhim
 
Cyber Security Update: How to Train Your Employees to Prevent Data Breaches
Cyber Security Update: How to Train Your Employees to Prevent Data BreachesCyber Security Update: How to Train Your Employees to Prevent Data Breaches
Cyber Security Update: How to Train Your Employees to Prevent Data BreachesParsons Behle & Latimer
 

Tendances (20)

Http response splitting
Http response splittingHttp response splitting
Http response splitting
 
Anonymizers
AnonymizersAnonymizers
Anonymizers
 
Zero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic AnalysisZero-Day Vulnerability and Heuristic Analysis
Zero-Day Vulnerability and Heuristic Analysis
 
Firmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan RavalFirmware Extraction & Fuzzing - Jatan Raval
Firmware Extraction & Fuzzing - Jatan Raval
 
Internet Security
Internet SecurityInternet Security
Internet Security
 
Basic malware analysis
Basic malware analysis Basic malware analysis
Basic malware analysis
 
Information Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & MetricsInformation Security Governance: Concepts, Security Management & Metrics
Information Security Governance: Concepts, Security Management & Metrics
 
computer forensics
computer forensicscomputer forensics
computer forensics
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Digital investigation
Digital investigationDigital investigation
Digital investigation
 
IDS, IPS, IDPS
IDS, IPS, IDPSIDS, IPS, IDPS
IDS, IPS, IDPS
 
Cyber security training
Cyber security trainingCyber security training
Cyber security training
 
Basic command to configure mikrotik
Basic command to configure mikrotikBasic command to configure mikrotik
Basic command to configure mikrotik
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacks
 
Security awareness-checklist 2019
Security awareness-checklist 2019Security awareness-checklist 2019
Security awareness-checklist 2019
 
Countering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by MalwareCountering Innovative Sandbox Evasion Techniques Used by Malware
Countering Innovative Sandbox Evasion Techniques Used by Malware
 
PhNOG Report APRICOT 2023
PhNOG Report APRICOT 2023PhNOG Report APRICOT 2023
PhNOG Report APRICOT 2023
 
introduction to cyber security
introduction to cyber securityintroduction to cyber security
introduction to cyber security
 
Cyber Security Update: How to Train Your Employees to Prevent Data Breaches
Cyber Security Update: How to Train Your Employees to Prevent Data BreachesCyber Security Update: How to Train Your Employees to Prevent Data Breaches
Cyber Security Update: How to Train Your Employees to Prevent Data Breaches
 
Mikrotik firewall filter
Mikrotik firewall filterMikrotik firewall filter
Mikrotik firewall filter
 

En vedette

Raspberry Pi Zero
Raspberry Pi ZeroRaspberry Pi Zero
Raspberry Pi ZeroBaoshi Zhu
 
Introduction to c#
Introduction to c#Introduction to c#
Introduction to c#singhadarsh
 
BadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlBadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlPriyanka Aash
 
DerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouDerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouAdam Caudill
 
Raspberry PiのUSB OTGを試す
Raspberry PiのUSB OTGを試すRaspberry PiのUSB OTGを試す
Raspberry PiのUSB OTGを試すKenichiro MATOHARA
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingBrent Muir
 
Controlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden FeaturesControlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden Featuresxabean
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases Nasir Bhutta
 
Visual studio 2015 and .net core 5 – get ready to rumble
Visual studio 2015 and .net core 5  – get ready to rumbleVisual studio 2015 and .net core 5  – get ready to rumble
Visual studio 2015 and .net core 5 – get ready to rumbleTadeusz Balcer
 
Pascal Programming Session 1
Pascal Programming Session 1Pascal Programming Session 1
Pascal Programming Session 1Ashesh R
 

En vedette (13)

Raspberry Pi Zero
Raspberry Pi ZeroRaspberry Pi Zero
Raspberry Pi Zero
 
BAD USB 2.0
BAD USB 2.0BAD USB 2.0
BAD USB 2.0
 
Introduction to c#
Introduction to c#Introduction to c#
Introduction to c#
 
BadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlBadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten Nohl
 
DerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouDerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For You
 
Raspberry PiのUSB OTGを試す
Raspberry PiのUSB OTGを試すRaspberry PiのUSB OTGを試す
Raspberry PiのUSB OTGを試す
 
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB FlashingSanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
SanDisk SecureAccess Encryption - Forensic Processing & USB Flashing
 
Introduction to c#
Introduction to c#Introduction to c#
Introduction to c#
 
Controlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden FeaturesControlling USB Flash Drive Controllers: Expose of Hidden Features
Controlling USB Flash Drive Controllers: Expose of Hidden Features
 
Penetration Testing Execution Phases
Penetration Testing Execution Phases Penetration Testing Execution Phases
Penetration Testing Execution Phases
 
Visual studio 2015 and .net core 5 – get ready to rumble
Visual studio 2015 and .net core 5  – get ready to rumbleVisual studio 2015 and .net core 5  – get ready to rumble
Visual studio 2015 and .net core 5 – get ready to rumble
 
Pascal Programming Session 1
Pascal Programming Session 1Pascal Programming Session 1
Pascal Programming Session 1
 
Pascal programming language
Pascal programming languagePascal programming language
Pascal programming language
 

Similaire à BadUSB, and what you should do about it

Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at HomeE Hacking
 
2.2. Introduction to Arduino
2.2. Introduction to Arduino2.2. Introduction to Arduino
2.2. Introduction to Arduinodefconmoscow
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)Michael Smith
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
Embedded Linux Systems Basics
Embedded Linux Systems BasicsEmbedded Linux Systems Basics
Embedded Linux Systems BasicsMax Henery
 
Now is the time to create your own (m)Ruby computer
Now is the time to create your own (m)Ruby computerNow is the time to create your own (m)Ruby computer
Now is the time to create your own (m)Ruby computerkishima7
 
Mickey threats inside your platform final
Mickey  threats inside your platform finalMickey  threats inside your platform final
Mickey threats inside your platform finalPacSecJP
 
computer archtecture lab, computer hardware , problem and solutons in computer
computer archtecture lab, computer hardware , problem and solutons in computercomputer archtecture lab, computer hardware , problem and solutons in computer
computer archtecture lab, computer hardware , problem and solutons in computerGS Kosta
 
Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 201244CON
 
Mickey, threats inside your platform final
Mickey,  threats inside your platform finalMickey,  threats inside your platform final
Mickey, threats inside your platform finalPacSecJP
 
Embedded application development
Embedded application developmentEmbedded application development
Embedded application developmentAakash Raj
 
LinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB deviceLinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB deviceLubomir Rintel
 
2018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.22018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.2Len Noe
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012Philip Polstra
 

Similaire à BadUSB, and what you should do about it (20)

Hardware hacking
Hardware hackingHardware hacking
Hardware hacking
 
Building Trojan Hardware at Home
Building Trojan Hardware at HomeBuilding Trojan Hardware at Home
Building Trojan Hardware at Home
 
Let's begin io t with $10
Let's begin io t with $10Let's begin io t with $10
Let's begin io t with $10
 
2.2. Introduction to Arduino
2.2. Introduction to Arduino2.2. Introduction to Arduino
2.2. Introduction to Arduino
 
BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)BlackHat 2009 - Hacking Zigbee Chips (slides)
BlackHat 2009 - Hacking Zigbee Chips (slides)
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security Barriers
 
How to Hack Edison
How to Hack EdisonHow to Hack Edison
How to Hack Edison
 
Embedded Linux Systems Basics
Embedded Linux Systems BasicsEmbedded Linux Systems Basics
Embedded Linux Systems Basics
 
Now is the time to create your own (m)Ruby computer
Now is the time to create your own (m)Ruby computerNow is the time to create your own (m)Ruby computer
Now is the time to create your own (m)Ruby computer
 
Mickey threats inside your platform final
Mickey  threats inside your platform finalMickey  threats inside your platform final
Mickey threats inside your platform final
 
Arduino
ArduinoArduino
Arduino
 
computer archtecture lab, computer hardware , problem and solutons in computer
computer archtecture lab, computer hardware , problem and solutons in computercomputer archtecture lab, computer hardware , problem and solutons in computer
computer archtecture lab, computer hardware , problem and solutons in computer
 
Juice Jacking 101
Juice Jacking 101Juice Jacking 101
Juice Jacking 101
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012
 
Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012
 
Mickey, threats inside your platform final
Mickey,  threats inside your platform finalMickey,  threats inside your platform final
Mickey, threats inside your platform final
 
Embedded application development
Embedded application developmentEmbedded application development
Embedded application development
 
LinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB deviceLinuxAlt 2013: Writing a driver for unknown USB device
LinuxAlt 2013: Writing a driver for unknown USB device
 
2018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.22018 all lens bag of tricks v1.2
2018 all lens bag of tricks v1.2
 
The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012The Deck by Phil Polstra GrrCON2012
The Deck by Phil Polstra GrrCON2012
 

BadUSB, and what you should do about it

  • 1. Fear & Loathing on your Desk BadUSB, and what you should do about it Robert Fisk
  • 2. Outline 1. Why USB = Universal Serial Badness 2. Current defenses 3. Hardware defense gadget – Demo, Preemptive FAQs
  • 3. So who is this guy? ● Electronic engineer in Auckland, NZ ● PhD in IC design – analog, mixed-signal, low power ● Informal tech support for group of targeted users ● Bored last year, BadUSB looked like an interesting project
  • 4. 1-Slide USB introduction Host PC Device Configuration 1 Endpoint 0 Endpoint 1 Endpoint ... Interface 0 Endpoint 1 Endpoint ... Interface 1 USB Device ● Endpoint 0 ● Configuration 1 – Interface 0 ● Endpoint 1 ● Endpoint 2... – Interface 1 ● Endpoint ...
  • 5. USB descriptors Bus 007 Device 003: ID 046d:c00c Logitech, Inc. Optical Wheel Mouse Device Descriptor: blength 18 bdescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 ...blah blah... Untrusted length!! [you@yourbox ~]$ lsusb -v
  • 6. Universal Serial Badness #1 Type 1: Stack Attacks ● Untrusted input to host stack ● Host driver or device driver of attacker's choice ● 200 device drivers in Linux 3.13 kernel source Host PC User space USB host driver USB class driver USB device driver USB device driver POW!POW!
  • 7. Universal Serial Badness #1 Stack Attack example: ● Inadvertent Win7 attack from crappy mouse ● Bluescreen in HIDCLASS.SYS
  • 8. Universal Serial Badness #1 News Flash: Cisco Nexus 5000 Series USB Driver Denial of Service Vulnerability A vulnerability in the USB driver for Cisco Nexus 5000 Series Switches could allow an unauthenticated, local attacker to cause a denial of service (DoS) condition due to a kernel crash. The vulnerability is due to insufficient handling of USB input parameters. Cisco has not released software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability. “
  • 9. Universal Serial Badness #2 Type 2: Hidden Functionality Attacks ● No exploit required ● USB-compliant commands User space USB host driver USB class driver USB device driver USB device driver POW!POW!Host PC
  • 10. Universal Serial Badness #2 Hidden Functionality example: Netragard's Hacker Interface Device Usage: Plug mouse into computer, get pwned. Mouse Hub + HID USB Keystroke Dongle (Teensy) USB flash drive + +
  • 11. Universal Serial Badness #3 Type 3: Intended Functionality Attacks ● No exploit required ● The thing you want is bad! User space USB host driver USB class driver USB device driver USB device driver POW!POW! Host PC
  • 12. Universal Serial Badness #3 Intended Functionality example: SR Labs 'hidden rootkit' flash drive ● Host profiling ● Activate payload only when enumerated by BIOS
  • 13. Universal Serial Badness ● Type 1: Stack attacks ● Type 2: Hidden functionality ● Type 3: Intended functionality 100% standards compliant Problem?
  • 14. How easily can a device turn Bad? ● Most USB chips use 8051 8-bit embedded CPU (from 1980!!!) ● Firmware updates with proprietary tools srlabs.de “Up to half of USB chips are BadUSB-vulnerable” (but you can't tell which half!) You have no idea what code you are running on your system!
  • 15. Current defense #1 ● For mice on desktop PCs only ● Not all USB mice support PS/2 protocol :( Reduce your attack surface with advanced PS/2 technology! NOT VERY USEFUL NOT VERY USEFUL
  • 16. Current defense #2 ● Only protects against type 2 keyboard attacks ● Windows only G Data Keyboard GuardNOT VERY USEFUL NOT VERY USEFUL
  • 17. Current defense #3 Reduce your attack surface with virtualisation (the wrong way) ● Software passthrough of USB devices ● Type 2 hypervisors: Virtualbox, etc ● Software passthrough increases your attack surface! USB device USB host Host OS Hypervisor Guest OS BAM!BAM! BAM!BAM! BAM!BAM! NOT VERY USEFUL NOT VERY USEFUL
  • 18. Current defense #3 Reduce your attack surface with virtualisation (the right way) ● Hardware passthrough of USB host controller ● Type 1 hypervisors: Qubes/Xen, etc ● Requires VT-d (Intel) or IOMMU (AMD) ● All USB devices attched to a host controller move together USB device USB host Host OS Hypervisor Guest OS USB host BAM!BAM! USEFUL? USEFUL?
  • 19. Virtualisation scorecard ● Type 1: Stack attacks – Isolated ● Type 2: Hidden functionality – Isolated ● Type 3: Intended functionality – Isolated How does hardware virtualisation help us? Sanitise data leaving the USB VM! ● No protection at boot time ● Host OS inputs are unprotected: USB kbd/mouse & other devices on the same host controller
  • 20. For everything else, there's... ● Concept: reduce attack surface through isolation ● Terminate the USB bus outside vulnerable PC Windows, Mac, Linux: Uhhh........... USB host driver USB device driver USB device USB device emulator USB device driver BAM!BAM! Simplest imaginable protocol BAM!BAM! Sanity checks Host PC
  • 21. Hardware defense – concept ● Many device drivers ● Slow bootup ● More expensive Start the project with off-the-shelf hardware ● Limited drivers ● Instant bootup ● Cheap(er) Embedded Linux: Embedded bare-metal: Thing 1 Thing 2 USB device Simple interface Host port Device port Upstream (device) Downstream (host) Host PC
  • 22. Prototype hardware Olimex STM32-H405 Olimex STM32-H407 Host port ● STM32F405 / 407 ARM-core microcontrollers ● ST provides USB middleware with various drivers ● FS (12Mbps) with upgrade path to HS (480Mbps) 15 EUR 30 EUR Device port
  • 23. Introducing the USG v0.9 Turning BadUSB good since 2015 Device port Host portSPI data interface
  • 24. Let's talk firmware! main.c Dev board Peripheral library (hardware drivers) USB host library & device drivers Linker script.ld Processor family headers.h OpenOCD Olimex JTAG ☼ Board.cfg GNU ARM Eclipse Eclipse CDT ☼ ☼ Startup file.SMath/DSP libraries newlib-nano gdb ☼ ☼ gcc- arm-none-eabi
  • 25. Firmware current status ● Mass Storage support only – SCSI transparent command set – 512B blocks – 2TB max capacity – Single LUN ● ~700kB/s transfer speed ● 2x 30kB binary images
  • 26. Hardware isolation scorecard #1 ● Type 1: Stack attacks – Isolated ● Type 2: Hidden functionality ● Type 3: Intended functionality How does this dongle help us?
  • 27. Hidden functionality defense ● Disable hubs – Embedded host stack supports single device only :) ● Disable multi-interface devices – Limit host to one active class driver ● Lock in requested device class on first enumeration – Device class change requires firmware reset Stop Type 2 attacks with firmware features:
  • 28. Intended functionality defense ● Mass Storage – Hardware AES keyed from device serial number – Bad firmware cannot maliciously alter blocks – Only partial protection ● HID – Rate-limit input actions – Only partial protection – Bonus points: buffer keystrokes > user profiling Type 3 attacks difficult to block! None of this is currently implemented!
  • 29. Hardware isolation scorecard #2 ● Type 1: Stack attacks – Isolated ● Type 2: Hidden functionality – Firmware blocked ● Type 3: Intended functionality – Partial protection (eventually!) Firmware features give more protection ● Some type 3 attacks cannot be hardware sanitised. Proceed with caution!
  • 30. USG v1.0 beta v0.9 v1.0 betaPCB Layout (KiCad)
  • 31. World's shortest demo ● This slide ● Also, all the other ones!
  • 32. Preemptive FAQ #1 Q: Can I use my USB hub with the USG? A: No! – No embedded host support (downstream) – Upstream cannot emulate a network of devices – Also, necessary to block type 2 attacks
  • 33. Preemptive FAQ #1b Q: Wait, that means I need a USG for every one of my USB devices??!!!!! A: Yeah, sorry about that ;) Also, this implies hubs cannot be sanitised. Hubs are untrusted devices too!
  • 34. Preemptive FAQ #2 Q: Can the USG protect the firmware on my device from malicious hosts? A: Yes. The isolation barrier is symmetric.
  • 35. Preemptive FAQ #3 Q: Will the USG support [my obscure device]? A: Probably not. – Requires device driver and device emulator – Requires some assurance that the data is safe (type 3 attacks) – Requires sufficient interest (or pull requests!) Planned: – HID keyboard, mouse – CDC, serial – For everything else, there's Qubes ( )Or other type 1 hypervisor with hardware- assisted virtualisation of USB host controllers
  • 36. Preemptive FAQ #4 Q: Does it have a red flashing light to tell me when a USB is Bad? A: No – False negatives from host profiling – False positives from crap devices or internal bugs – Fault LEDs are deliberately orange – Always use your USG!
  • 37. Preemptive FAQ #5 Q: This thing works at USB1 speed? What is this, 1998 or something? A:
  • 38. 12Mbps ● Wide embedded hardware support ● 2 layer PCB, easy layout ● Soldering level: advanced (0.5mm pitch LQFP) ● Prototype cost: $150
  • 39. 480Mbps ● Limited embedded hardware support ● 4 layer PCB, controlled impedance routing ● Soldering level: mortals need not apply (0.5mm pitch QFN) ● Prototype cost: $300
  • 40. 5Gbps ● No embedded hardware support ● 8 layer PCB, RF grade layout where every mm counts ● Soldering level: impossible (BGA) ● Prototype cost: $1000
  • 41. Preemptive FAQ #6 Q: So do I need a USG? A: Windows, Mac, Linux: Yes, but you are probably still vulnerable! (type 3 attacks) Type 1 hypervisor with hardware-assisted virtualisation of USB host controllers: Yes, for your HIDs and anything connected at boot-time Embedded devices, eg Cisco switches :) Yes! (and pray the firmware image is signed)
  • 42. Preemptive FAQ #7 Q: When can I buy one? A: Sometime in 2016 – Firmware: add HID class support – Hardware: 1+ board revisions DFM is boring and expensive – Build your own USG v0.9 anytime you want!
  • 44. Bonus FAQ Q: Hardware guys can't code for shit. Why should I trust you? A1: That's a reasonable question! A2: Go check the code yourself...
  • 45. github.com/robertfisk/usg robert_fisk@fastmail.fm PGP: 2255 761A FE59 4D18 6511 EE43 DEB9 5AC0 15AD AEBA The good stuff Firmware, Hardware, Wiki: