Adventures in USB land

WhoamiValentinas Bakaitis

@vbakaitis on twitter

Senior security consultant @ Aura Information Security

What is USB?

Spoiler alert, it’s not really a bus.

USB infrastructure• Host• Hubs• Devices

• Interfaces• Endpoints

USB infrastructure• Host – Computer• Hub – Switch• Device – Another tiny computer

• Interfaces – Applications• Endpoints – Ports

• It’s a network!

USB Device Connected

USB Enumeration• Device: I’m connected• Host: What is your device descriptor?• Device: Here is my device descriptor…

• (same for configuration, interface and class descriptors)• Host loads the drivers• Device is ready to use

USB Descriptors

AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL

AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL

Consequences

No Identity

No Confidentiality

No Integrity

AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL

Attacks against USB

Attack!

Bad USB• Level 1: malicious USB firmware

• Level 2: self replicating malware

• Level 3: self replicating malware in boot sector

• Level 4: self replicating malware in boot sector that flashes your BIOS

Keelog USB Key logger• Sits between the keyboard• Is completely invisible to PC• Stores keys pressed• Transfers keys pressed through

WIFI

• Could be modified to listen for keys from wifi and inject them

Killer USB

AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL

DEMO!

Using empty space in your deviceWHAT USER SEES WHAT COMPUTER SEES

AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL

Other attacks

Fuzzing OS/BIOS stack• Low level protocol• Untrusted length• Perfect target for getting to ring 0!• As a device you can tell what OS is running on a computer!

Fuzzing or abusing drivers• Low level code• Written by 3rd party• Automatically loaded by OS• Example: Alcor USB camera

Why does it matter?• USB is very prevalent• The technology is available• And very very cheap!• And most importantly – Web USB

AURA INFORMATION SECURITY © / PRIVATE AND CONFIDENTIAL

What is Web USB“API for securely providing access to Universal Serial Bus devices from web pages”

Tl;dr: Talk raw USB from JavaScript. Similar to currently implemented Webcam/Microphone/Location access from the browser.

Read it yourself: https://wicg.github.io/webusb/

What can we do to avoid USB security issues?

Solutions that don’t work• USB Condom• Hardware abstraction• Keyboard guard software• USB device whitelisting

Solutions that might work?

PKI?

We need a new, non backwards compatible standard.

Or don’t leave your computer USB unlocked

Q&A

References• USB specifications and related docs: www.usb.org• Web USB RFC: https://wicg.github.io/webusb/ Tools for working with USB:• USBView (windows)

https://msdn.microsoft.com/en-us/library/windows/hardware/ff560019(v=vs.85).aspx • Wireshark (needs spec software/hardware), allows to captureUSB traffic: https://

wiki.wireshark.org/CaptureSetup/USB • Most logic analysers (saleae is a cheap one) can decode USB: https://www.saleae.com/ • Facedancer board – lets emulate usb in python: http://int3.cc/products/facedancer21 or build your

own (schematic and PCB layout available at http://goodfet.sourceforge.net/hardware/facedancer21/ )

• Pretty much any arduino board or any popular uC can talk USB. A cheap one is digispark, look on aliexpress, you can buy 10 for $11. or $1.5 each. Libraries for working with USB can be found here: https://github.com/digistump/DigisparkArduinoIntegration

• USB keylogger: www.keelog.com