
USB for All!!

1
You should be looking at USB.
Yes, you.
Introduction
Who We Are
Jesse Michael
Mickey Shkatov
What We Do
Break things
Cry about the current level of security research focused on USB
DISCLAIMER: The views and opinions expressed in this presentation are those of the authors and not their employer.
Purpose of this talk
We want to demonstrate to attendees how easy it is to get started at performing their own USB security research and help them understand why they should undertake this challenge.
Why care about USB?
We believe that even though USB is a pervasive technology in modern computing platforms, current security research has still only scratched its surface.
USB has some interesting capabilities and is currently being used in a wide array of lesser-known usage models that can result in security problems.
USB Basics
USB versions
  1.0, 1.1, 2.0, 3.0, 3.1
Speeds
  Low Speed, Full Speed, High Speed, Super Speed Gen1 and Gen2
Device classes
  HID, Mass Storage, Image, Video, Audio, Communications, Vendor Defined
Physical connections
  1.x/2.0 standard
    Vcc (5V), Data+, Data-, Ground
  1.x/2.0 mini/micro
    Added USB OTG ID Pin
  3.0+
    Added SSTX+, SSTX-, SSRX+, SSRX-
Getting started
http://www.usb.org/developers/docs/
At over 600 pages, the USB specification can be a little intimidating...
In most USB devices, the physical, link, and protocol layers are handled in hardware...
These areas are the easiest place to get started and find vulnerabilities so we'll focus here and on some bigger picture views of how USB devices are used in modern platforms.
Do I need to touch it?
Most people think about USB like this...
...but almost all modern laptops have internal USB devices.
Which often contain their own processors with firmware and are separate from the host CPU and operating system.
What could go wrong?
There's firmware in my USB?
Even "simple" USB devices can have interesting complexity
As an example, here's a sync cable for an older phone...
That contains a USB to UART bridge chip that looks like this internally...
8052 processor
10k Boot ROM
16k RAM
2k SRAM
Loads firmware from I2C
And the datasheet describes how to run your own code in it...
Arbitrary code execution inside your phone sync cable? Really?
The datasheet also describes how to read and write to the I2C EEPROM it executes code from.
Device Firmware Upgrade
http://www.usb.org/developers/devclass_docs/DFU_1.1.pdf
There's actually a specification for how to create USB devices with upgradable firmware.
It doesn't mention security at all. And most devices that implement this capability don't bother to do any validation of the firmware image other than basic checksums which are easy to bypass.
DFU and similar custom device upgrade methods are a good way to easily get arbitrary code execution within a USB device.
What can we do with that?
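Why a checksum is not validation, as an added example (not code from the presentation or from any vendor): the DFU file suffix carries a CRC that anyone can recompute, so a rebuilt image passes it, while a keyed tag over the image does not. The function names, sample payloads and key are constructed for illustration, and HMAC stands in for the public-key signature check a real device would use.

```python
import hashlib
import hmac
import struct
import zlib

SUFFIX_LEN = 16  # bcdDevice, idProduct, idVendor, bcdDFU, "UFD", bLength, dwCRC
KEY = b"constructed-demo-key"  # assumption: stand-in for a vendor signing key


def dfu_crc(data: bytes) -> int:
    # DFU uses the CRC-32 polynomial without the final inversion zlib applies.
    return ~zlib.crc32(data) & 0xFFFFFFFF


def add_suffix(payload: bytes, vid: int, pid: int, bcd_device: int = 0xFFFF) -> bytes:
    """Append a DFU file suffix; dwCRC covers everything before it."""
    body = payload + struct.pack("<4H3sB", bcd_device, pid, vid, 0x0100,
                                 b"UFD", SUFFIX_LEN)
    return body + struct.pack("<I", dfu_crc(body))


def checksum_ok(image: bytes) -> bool:
    """The validation many devices stop at: suffix marker plus CRC."""
    if len(image) < SUFFIX_LEN:
        return False
    *_, sig, length, crc = struct.unpack("<4H3sBI", image[-SUFFIX_LEN:])
    return sig == b"UFD" and length == SUFFIX_LEN and crc == dfu_crc(image[:-4])


def authenticated_ok(image: bytes, tag: bytes, key: bytes) -> bool:
    """Checksum for corruption, keyed tag for origin."""
    expected = hmac.new(key, image, hashlib.sha256).digest()
    return checksum_ok(image) and hmac.compare_digest(expected, tag)


# Constructed sample images: the vendor release and a rebuilt, unreleased one.
GOOD = add_suffix(b"vendor firmware v1", vid=0x1234, pid=0x5678)
GOOD_TAG = hmac.new(KEY, GOOD, hashlib.sha256).digest()
REBUILT = add_suffix(b"modified firmware", vid=0x1234, pid=0x5678)


def demo():
    return (checksum_ok(GOOD), authenticated_ok(GOOD, GOOD_TAG, KEY),
            checksum_ok(REBUILT), authenticated_ok(REBUILT, GOOD_TAG, KEY))


if __name__ == "__main__":
    print(demo())
```

The CRC only tells the device that the file arrived intact; it says nothing about who produced it.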
Attack Surfaces
So instead of looking at it like this...
There's actually a lot more going on...
All of this is probably happening inside your laptop right now.
Some USB devices even have radio interfaces...
If you can get arbitrary code execution within the USB device...
It can be used to attack components within the host.
Even with attacks originating from the host, these can cross privilege boundaries
Debug Capability
Allows low-level debug over USB
Now required to gain Windows Logo certification
"If the xHCI controller in the SUT has any user-accessible ports, the controller must have debug capability."
Media Agnostic USB
http://www.usb.org/developers/devclass_docs/Media_Agnostic_USB_v1.0.zip
Tools!
Total Phase Beagle 5000
http://www.totalphase.com/protocols/usb/
Supports USB 3.0 SuperSpeed, but very expensive. Can only be used for observation and not injection.
Total Phase Beagle 480
http://www.totalphase.com/protocols/usb/
Less expensive than Beagle 5000, but only supports USB 2.0. Can only be used for observation and not injection.
ITIC 1480A USB 2.0 Protocol Analyzer
http://www.internationaltestinstruments.com/products/97-1480a-usb-20-protocol-analyzer.aspx
HW less expensive than Beagle 480, but some SW modules sold separately. Can only be used for observation and not injection.
Facedancer
http://goodfet.sourceforge.net/
Open source, cheap and easy to build, allows arbitrary emulation of USB endpoints, but can be very slow
Daisho
https://github.com/mossmann/daisho
Open source, intended to support full USB 3.0 SuperSpeed monitoring and injection, but still in development
USBProxy
https://github.com/dominicgs/USBProxy
Open source project to create a USB 2.0 MitM device using the BeagleBone Black, still in early stages, but can already do some cool stuff
libusb
http://www.libusb.org/
Good way to get started with writing tools to access USB devices
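A small tool of the kind libusb makes easy, as an added example (not from the presentation): it walks a configuration descriptor and lists the interfaces that advertise DFU, with the attributes from the DFU functional descriptor, which is a quick way to inventory devices that accept firmware updates. To run offline it parses constructed descriptor bytes rather than reading a live device; `find_dfu_interfaces` and `SAMPLE_CONFIG` are hypothetical names.

```python
import struct

DT_INTERFACE = 0x04
DT_DFU_FUNCTIONAL = 0x21          # same type value as the HID descriptor
DFU_CLASS, DFU_SUBCLASS = 0xFE, 0x01
ATTR_BITS = ["bitCanDnload", "bitCanUpload",
             "bitManifestationTolerant", "bitWillDetach"]


def find_dfu_interfaces(config: bytes) -> list:
    """Walk a configuration descriptor blob and report DFU interfaces."""
    found, current, pos = [], None, 0
    while pos + 2 <= len(config):
        length, dtype = config[pos], config[pos + 1]
        if length < 2 or pos + length > len(config):
            break  # malformed descriptor: stop instead of reading past the end
        body = config[pos:pos + length]
        if dtype == DT_INTERFACE and length >= 9:
            current = None  # a 0x21 descriptor only counts under a DFU interface
            if (body[5], body[6]) == (DFU_CLASS, DFU_SUBCLASS):
                current = {"interface": body[2],
                           "mode": "dfu" if body[7] == 2 else "runtime",
                           "attributes": [], "transfer_size": None}
                found.append(current)
        elif dtype == DT_DFU_FUNCTIONAL and length >= 7 and current is not None:
            attrs, _detach_ms, xfer = struct.unpack_from("<BHH", body, 2)
            current["attributes"] = [name for bit, name in enumerate(ATTR_BITS)
                                     if attrs & (1 << bit)]
            current["transfer_size"] = xfer
        pos += length
    return found


# Constructed sample: a HID keyboard interface plus a DFU runtime interface.
SAMPLE_CONFIG = bytes.fromhex(
    "09 02 34 00 02 01 00 80 32"   # configuration, wTotalLength = 52
    "09 04 00 00 01 03 01 01 00"   # interface 0: HID
    "09 21 11 01 00 01 22 3f 00"   # HID descriptor (type 0x21, not DFU)
    "07 05 81 03 08 00 0a"         # interrupt IN endpoint
    "09 04 01 00 00 fe 01 01 00"   # interface 1: DFU runtime
    "09 21 0b ff 00 00 04 10 01"   # DFU functional: download, upload, detach
)

if __name__ == "__main__":
    for entry in find_dfu_interfaces(SAMPLE_CONFIG):
        print(entry)
```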
Peach Publishers
Data Publisher
Configuration Publisher
This uses libusbDotNet which hasn't been maintained in a while, so it has its bugs, but has been useful for finding issues.
Available on the DEFCON CD.
Submitted to Peach upstream
Phison PS2303 framework
https://bitbucket.org/flowswitch/phison/
Phison PS2303 is a USB 3.0 NAND controller used in many flash drives
8051-compatible core
256KiB RAM
USB, NAND, and DMA controllers
Stores firmware in NAND
Goal of the project is to use PS2303-based flash drives as a cheap USB3.0 development platform
Kautilya toolkit
https://github.com/samratashok/kautilya
Collection of 40+ USB HID payloads for penetration testing
Dump Process Memory
Dump Windows Vault Credentials
Download and Execute
Connect to Hotspot and Execute code
Code Execution using Powershell
Code Execution using DNS TXT queries
Add an admin user
Add a user and Enable RDP
Add a user and Enable Powershell Remoting
... and more
Designed to be used with Arduino devices like the Teensy, but easily adaptable to other devices like the Phison chipset
Demos!
Summary
USB is a pervasive technology in modern computing devices.
Not just external ports which require physical access to attack
Devices connected over USB run upgradable firmware
Debug capability required for Windows certification
Interesting attack scenarios with internal devices
USB provides a rich set of capabilities and is being used in a variety of configurations that could result in security vulnerabilities and it's easier than people think to get started looking at this stuff.
Questions?
jesse at lonelyrhinoceros.com
laplinker at gmail.com
