Professional Documents
Culture Documents
SRLabs BadUSB BlackHat v1 PDF
SRLabs BadUSB BlackHat v1 PDF
Agenda
USB
background
Reprogramming
peripherals
USB
aLack
scenarios
Defenses
and
next
steps
8051
CPU
Bootloader
Flash
Controller
rmware
Mass storage
Connectors + hubs
Host
Root
hub
Iden&er
Examples
USB
thumb
drive
Interface class
8 Mass Storage
a. 1
Audio
b. 14
Video
End points
0
Control
1
Data
transfers
0
Control
1
Video
transfers
6
Audio
transfers
7
Video
interrupts
Serial number
AA627090820000000702 0258A350
Webcam
USB
plug-and-play
Register
Power-on
+
Firmware
init
Set
address
Send
descriptor
Set
congura[on
Load driver
Normal
opera[on
Op[onal:
deregister
Register
again
Load
another
driver
A
device
indicates
its
capabili[es
through
a
descriptor
A
device
can
have
several
descriptors
if
it
supports
mul[ple
device
classes;
like
webcam
+
microphone
Device
can
deregister
and
register
again
as
a
dierent
device
Agenda
USB
background
Reprogramming
peripherals
USB
aLack
scenarios
Defenses
and
next
steps
update process
2. Sni
update
communica[on
using
Wireshark
3. Replay
custom
SCSI
commands
used
for
updates
4. (Reset
bricked
devices
through
short-circui[ng
Flash
pins)
Reverse-engineer rmware
Patch rmware
Agenda
USB
background
Reprogramming
peripherals
USB
aLack
scenarios
Defenses
and
next
steps
10
11
12
All
DNS
queries
go
to
aLackers
DNS
server
ALack steps
Result
13
1. VM
tenant
reprograms
USB
device
(e.g.,
using
SCSI
commands)
2. USB
peripherals
spawns
a
second
device
that
gets
connected
to
the
VM
host
VM
Host
3. USB
device
spoofs
key
strokes,
changes
DNS,
14
15
Proof-of-concept
released
at:
srlabs.de/badusb
16
Fingerprint
OS/BIOS.
Patched/
USB
s[ck
rmware
can
dis[nguish
Win,
Mac,
Linux,
and
the
BIOS
based
on
their
USB
behavior
USB
content,
for
example
Linux
install
image
Secret
Linux
image
17
Hide
data
on
s&ck
or
HDD
Emulate
keyboard
Spoof
network
card
Rewrite
data
in-ight
Update
PC
BIOS
Spoof display
USB
boot-
sector
virus
18
Agenda
USB
background
Reprogramming
peripherals
USB
aLack
scenarios
Defenses
and
next
steps
19
Limita&on
Scan
peripheral
rmware
for
malware
Disable
rmware
updates
in
hardware
20
Idea
2
Repurpose
cheap
controller
chips
Use
the
reprogrammable
chips
for
other
applica[ons
than
USB
storage
The
owswitch
/
phison
project,
for
example,
aims
for
a
low-cost
USB
3
interface
for
FPGAs
21
Take
aways
USB
peripherals
provide
for
a
versa[le
infec&on
path
Once
infected
through
USB
or
otherwise
malware
can
use
peripherals
as
a
hiding
place,
hindering
system
clean-up
As
long
as
USB
controllers
are
re-
programmable,
USB
peripherals
should
not
be
shared
with
others
Ques[ons?
usb@srlabs.de
22