Professional Documents
Culture Documents
Agenda
USB
background
Reprogramming
peripherals
BadUSB
aLack
scenarios
BadUSB
exposure
Defenses
and
next
steps
Connectors + hubs
Host
Root
hub
Iden&er
Examples
USB
thumb
drive
Interface class
8 Mass Storage
a. 1
Audio
b. 14
Video
End points
0
Control
1
Data
transfers
0
Control
1
Video
transfers
6
Audio
transfers
7
Video
interrupts
AA627090820000000702
0258A350
Webcam
USB
plug-and-play
Register
Power-on
+
Firmware
init
Set
address
Send
descriptor
Set
conguraPon
Load driver
Normal
operaPon
OpPonal:
deregister
Register
again
Load
another
driver
A
device
indicates
its
capabiliPes
through
a
descriptor
A
device
can
have
several
descriptors
if
it
supports
mulPple
device
classes;
like
webcam
+
microphone
Device
can
deregister
and
register
again
as
a
dierent
device
8051
CPU
Bootloader
Flash
Controller
rmware
Mass storage
Agenda
USB
background
Reprogramming
peripherals
BadUSB
aLack
scenarios
BadUSB
exposure
Defenses
and
next
steps
Reverse-engineer rmware
Patch rmware
Webcams,
keyboards
Probably
many
more
Agenda
USB
background
Reprogramming
peripherals
BadUSB
aKack
scenarios
BadUSB
exposure
Defenses
and
next
steps
10
Challenge
Linux
malware
runs
with
limited
user
privileges,
but
needs
root
privileges
to
infect
further
sPcks
Approach
Steal
sudo
password
in
screensaver
Restart
screensaver
(or
policykit)
with
password
stealer
added
via
an
LD_PRELOAD
library
11
12
All
DNS
queries
go
to
aLackers
DNS
server
AKack steps
Result
13
Proof-of-concept
released
at:
srlabs.de/badusb
14
1. VM
tenant
reprograms
USB
device
(e.g.,
using
SCSI
commands)
Malicious
VM
2. USB
peripherals
spawns
a
second
device
that
gets
connected
to
the
VM
host
Host
3. USB
device
spoofs
key
strokes,
changes
DNS,
15
Fingerprint
OS/BIOS.
Patched
USB
sPck
rmware
can
disPnguish
Win,
Mac,
Linux,
and
the
BIOS
based
on
their
USB
behavior
USB
content,
for
example
Linux
install
image
Secret
Linux
image
16
17
Hide
data
on
s&ck
or
HDD
Emulate
keyboard
Spoof
network
card
Rewrite
data
in-ight
Update
PC
BIOS
Spoof display
USB
boot-
sector
virus
18
Agenda
USB
background
Reprogramming
peripherals
BadUSB
aLack
scenarios
BadUSB
exposure
Defenses
and
next
steps
19
BoKom-up analysis
20
Probably vulnerable
Hub
Charger
Storage
Peripheral
BoKom-up
analysis
1
4
2
8
3
5
Input
Webcam
SD adapter
SATA adapter
3
21
22
Trend
2
Chips
become
more
versa&le,
and
thereby
more
vulnerable
Trend
3
Most
controllers
that
can
be
programmed
are
vulnerable
Agenda
USB
background
Reprogramming
peripherals
BadUSB
aLack
scenarios
BadUSB
exposure
Defenses
and
next
steps
24
Limita&on
Scan
peripheral
rmware
for
malware
Disable
rmware
updates
in
hardware
25
vs.
BadUSB
malware
becomes
more
realis&c
Sample
exploit
code
for
Phison
USB
3
controllers
was
released
by
Adam
Caudill
and
Brandon
Wilson
at
Derbycon
in
September
Only
miPgaPon
26
Idea
2
Repurpose
cheap
controller
chips
Use
the
reprogrammable
chips
for
other
applicaPons
than
USB
storage
The
owswitch
/
phison
project,
for
example,
aims
for
a
low-cost
USB
3
interface
for
FPGAs
27
Take
aways
USB
peripherals
provide
for
a
versaPle
infec&on
path
Once
infected
through
USB
or
otherwise
malware
can
use
peripherals
as
a
hiding
place,
hindering
system
clean-up
As
long
as
USB
controllers
are
re-
programmable,
USB
peripherals
should
not
be
shared
with
others
QuesPons?
usb@srlabs.de
28
Others
26%
Alcor
7%
Source: goo.gl/NtN0cf
Renesas
6%
Genesys
5%
ASMedia
5%
ST-E
4%
FTDI
4%
Phison
5%
29