BadUSB, and what you should do about it
![Page 1: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/1.jpg)
Fear & Loathing on your Desk
BadUSB, and what you should do about it
Robert Fisk
![Page 2: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/2.jpg)
Outline
1. Why USB = Universal Serial Badness
2. Current defenses
3. Hardware defense gadget
– Demo, Preemptive FAQs
![Page 3: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/3.jpg)
So who is this guy?
● Electronic engineer in Auckland, NZ
● PhD in IC design – analog, mixed-signal, low power
● Informal tech support for group of targeted users
● Bored last year, BadUSB looked like an interesting project
![Page 4: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/4.jpg)
1-Slide USB introduction
Host PC
USB Device
● Endpoint 0
● Configuration 1
  – Interface 0
    ● Endpoint 1
    ● Endpoint 2 ...
  – Interface 1
    ● Endpoint ...
![Page 5: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/5.jpg)
USB descriptors
```
[you@yourbox ~]$ lsusb -v
Bus 007 Device 003: ID 046d:c00c Logitech, Inc. Optical Wheel Mouse
Device Descriptor:
  blength                18
  bdescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  ...blah blah...
```
Untrusted length!!
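Every descriptor starts with a length byte chosen by the device, so a host stack has to bounds-check it before using it. The following is an added example, not code from the talk or from the USG firmware: it walks a configuration descriptor with each bLength validated, and the function name and sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DT_INTERFACE 0x04
#define DT_ENDPOINT  0x05
struct walk_result { int ok, interfaces, endpoints; };

/* Walk a configuration descriptor blob as a host stack would after
 * GET_DESCRIPTOR(CONFIGURATION). Every bLength is device-supplied, so it
 * is checked against the header size and the bytes actually received. */
struct walk_result walk_config(const uint8_t *buf, size_t len)
{
    struct walk_result r = {0, 0, 0};
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return r;            /* truncated header */
        uint8_t blen = buf[off], btype = buf[off + 1];
        if (blen < 2) return r;                 /* walk would never advance */
        if (blen > len - off) return r;         /* runs past the buffer */
        if (btype == DT_INTERFACE) {
            if (blen < 9) return r;             /* shorter than its type allows */
            r.interfaces++;
        } else if (btype == DT_ENDPOINT) {
            if (blen < 7) return r;
            r.endpoints++;
        }
        off += blen;
    }
    r.ok = 1;
    return r;
}

/* Constructed sample: config (9) + interface (9) + endpoint (7) bytes. */
static const uint8_t good_cfg[] = {
    9, 0x02, 25, 0, 1, 1, 0, 0xA0, 50,
    9, 0x04, 0, 0, 1, 0x03, 0x01, 0x02, 0,
    7, 0x05, 0x81, 0x03, 8, 0, 10 };
/* Constructed sample: the endpoint descriptor claims 200 bytes. */
static const uint8_t bad_len[] = {
    9, 0x02, 16, 0, 1, 1, 0, 0xA0, 50, 200, 0x05, 0x81, 0x03, 8, 0, 10 };
/* Constructed sample: a zero bLength after the config descriptor. */
static const uint8_t zero_len[] = { 9, 0x02, 11, 0, 1, 1, 0, 0xA0, 50, 0, 0x05 };

int main(void)
{
    printf("good=%d bad_len=%d zero_len=%d\n",
           walk_config(good_cfg, sizeof good_cfg).ok,
           walk_config(bad_len, sizeof bad_len).ok,
           walk_config(zero_len, sizeof zero_len).ok);
    return 0;
}
```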
![Page 6: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/6.jpg)
Universal Serial Badness #1
Type 1: Stack Attacks
● Untrusted input to host stack
● Host driver or device driver of attacker's choice
● 200 device drivers in Linux 3.13 kernel source
[Diagram: Host PC with user space, USB host driver, USB class driver and USB device drivers. POW!]
![Page 7: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/7.jpg)
Universal Serial Badness #1
Stack Attack example:
● Inadvertent Win7 attack from crappy mouse
● Bluescreen in HIDCLASS.SYS
![Page 8: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/8.jpg)
Universal Serial Badness #1
News Flash: Cisco Nexus 5000 Series USB Driver Denial of Service Vulnerability
“A vulnerability in the USB driver for Cisco Nexus 5000 Series Switches could allow an unauthenticated, local attacker to cause a denial of service (DoS) condition due to a kernel crash. The vulnerability is due to insufficient handling of USB input parameters.
Cisco has not released software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability.”
![Page 9: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/9.jpg)
Universal Serial Badness #2
Type 2: Hidden Functionality Attacks
● No exploit required
● USB-compliant commands
[Diagram: Host PC with user space, USB host driver, USB class driver and USB device drivers. POW!]
![Page 10: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/10.jpg)
Universal Serial Badness #2
Hidden Functionality example: Netragard's Hacker Interface Device
Usage: Plug mouse into computer, get pwned.
[Diagram: Mouse + Hub + HID USB Keystroke Dongle (Teensy) + USB flash drive]
![Page 11: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/11.jpg)
Universal Serial Badness #3
Type 3: Intended Functionality Attacks
● No exploit required
● The thing you want is bad!
[Diagram: Host PC with user space, USB host driver, USB class driver and USB device drivers. POW!]
![Page 12: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/12.jpg)
Universal Serial Badness #3
Intended Functionality example:
SR Labs 'hidden rootkit' flash drive
● Host profiling
● Activate payload only when enumerated by BIOS
![Page 13: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/13.jpg)
Universal Serial Badness
● Type 1: Stack attacks
● Type 2: Hidden functionality
● Type 3: Intended functionality
100% standards compliant
Problem?
![Page 14: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/14.jpg)
How easily can a device turn Bad?
● Most USB chips use 8051 8-bit embedded CPU (from 1980!!!)
● Firmware updates with proprietary tools
srlabs.de: “Up to half of USB chips are BadUSB-vulnerable”
(but you can't tell which half!)
You have no idea what code you are running on your system!
![Page 15: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/15.jpg)
Current defense #1
Reduce your attack surface with advanced PS/2 technology!
● For mice on desktop PCs only
● Not all USB mice support PS/2 protocol :(
NOT VERY USEFUL
![Page 16: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/16.jpg)
Current defense #2
G Data Keyboard Guard
● Only protects against type 2 keyboard attacks
● Windows only
NOT VERY USEFUL
![Page 17: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/17.jpg)
Current defense #3
Reduce your attack surface with virtualisation (the wrong way)
● Software passthrough of USB devices
● Type 2 hypervisors: Virtualbox, etc
● Software passthrough increases your attack surface!
[Diagram: USB device, USB host, Host OS, Hypervisor, Guest OS, with three BAM! marks]
NOT VERY USEFUL
![Page 18: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/18.jpg)
Current defense #3
Reduce your attack surface with virtualisation (the right way)
● Hardware passthrough of USB host controller
● Type 1 hypervisors: Qubes/Xen, etc
● Requires VT-d (Intel) or IOMMU (AMD)
● All USB devices attached to a host controller move together
[Diagram: USB device, USB host, Host OS, Hypervisor, Guest OS, USB host, with one BAM! mark]
USEFUL?
![Page 19: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/19.jpg)
Virtualisation scorecard
How does hardware virtualisation help us?
● Type 1: Stack attacks – Isolated
● Type 2: Hidden functionality – Isolated
● Type 3: Intended functionality – Isolated
Sanitise data leaving the USB VM!
● No protection at boot time
● Host OS inputs are unprotected: USB kbd/mouse & other devices on the same host controller
![Page 20: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/20.jpg)
For everything else, there's...
● Concept: reduce attack surface through isolation
● Terminate the USB bus outside vulnerable PC
Windows, Mac, Linux: Uhhh...........
[Diagram labels: USB device; USB host driver; USB device driver; Sanity checks; USB device emulator; Simplest imaginable protocol; USB device driver; Host PC; two BAM! marks]
![Page 21: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/21.jpg)
Hardware defense – concept
Start the project with off-the-shelf hardware
Embedded Linux:
● Many device drivers
● Slow bootup
● More expensive
Embedded bare-metal:
● Limited drivers
● Instant bootup
● Cheap(er)
[Diagram labels: USB device; Thing 1 with host port, Downstream (host); Simple interface; Thing 2 with device port, Upstream (device); Host PC]
![Page 22: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/22.jpg)
Prototype hardware
Olimex STM32-H405: 15 EUR
Olimex STM32-H407: 30 EUR
● STM32F405 / 407 ARM-core microcontrollers
● ST provides USB middleware with various drivers
● FS (12Mbps) with upgrade path to HS (480Mbps)
[Photo labels: Host port; Device port]
![Page 23: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/23.jpg)
Introducing the USG v0.9
Turning BadUSB good since 2015
[Photo labels: Device port; Host port; SPI data interface]
![Page 24: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/24.jpg)
Let's talk firmware!
[Diagram: firmware build and debug toolchain. Labels: main.c; Dev board; Peripheral library (hardware drivers); USB host library & device drivers; Linker script (.ld); Processor family headers (.h); Startup file (.S); Math/DSP libraries; newlib-nano; gcc-arm-none-eabi; gdb; OpenOCD; Olimex JTAG; Board.cfg; GNU ARM Eclipse; Eclipse CDT]
![Page 25: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/25.jpg)
Firmware current status
● Mass Storage support only
  – SCSI transparent command set
  – 512B blocks
  – 2TB max capacity
  – Single LUN
● ~700kB/s transfer speed
● 2x 30kB binary images
![Page 26: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/26.jpg)
Hardware isolation scorecard #1
How does this dongle help us?
● Type 1: Stack attacks – Isolated
● Type 2: Hidden functionality
● Type 3: Intended functionality
![Page 27: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/27.jpg)
Hidden functionality defense
Stop Type 2 attacks with firmware features:
● Disable hubs
  – Embedded host stack supports single device only :)
● Disable multi-interface devices
  – Limit host to one active class driver
● Lock in requested device class on first enumeration
  – Device class change requires firmware reset
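The three rules above can be read as one gate applied at each enumeration. The following is an added sketch, not code from the USG firmware: the `gate` struct, the function names and the sample enumeration sequence are hypothetical, and only the USB class codes are standard values.

```c
#include <stdint.h>
#include <stdio.h>

#define CLASS_PER_INTERFACE 0x00  /* bDeviceClass 0: defined at interface level */
#define CLASS_HID           0x03
#define CLASS_MASS_STORAGE  0x08
#define CLASS_HUB           0x09

enum verdict { ACCEPT, REJECT_HUB, REJECT_MULTI_INTERFACE, REJECT_CLASS_CHANGE };

/* Hypothetical gate state: survives re-enumeration, cleared only by reset. */
struct gate { int locked; uint8_t cls; };

void gate_reset(struct gate *g) { g->locked = 0; g->cls = 0; }

/* Apply the three rules to a freshly enumerated downstream device.
 * dev_class = bDeviceClass, n_if = bNumInterfaces,
 * if_class  = bInterfaceClass of the first interface. */
enum verdict gate_check(struct gate *g, uint8_t dev_class,
                        uint8_t n_if, uint8_t if_class)
{
    uint8_t cls = (dev_class == CLASS_PER_INTERFACE) ? if_class : dev_class;

    if (cls == CLASS_HUB)
        return REJECT_HUB;                 /* rule 1: no hubs */
    if (n_if != 1)
        return REJECT_MULTI_INTERFACE;     /* rule 2: one class driver only */
    if (g->locked && g->cls != cls)
        return REJECT_CLASS_CHANGE;        /* rule 3: class is locked in */
    g->locked = 1;                         /* first accepted enumeration */
    g->cls = cls;
    return ACCEPT;
}

int main(void)
{
    struct gate g;
    gate_reset(&g);
    /* Constructed sequence: a flash drive, then the same port claims to be HID. */
    printf("storage: %d\n", gate_check(&g, 0, 1, CLASS_MASS_STORAGE));
    printf("now HID: %d\n", gate_check(&g, 0, 1, CLASS_HID));
    printf("2 ifs:   %d\n", gate_check(&g, 0, 2, CLASS_MASS_STORAGE));
    printf("hub:     %d\n", gate_check(&g, CLASS_HUB, 1, CLASS_HUB));
    return 0;
}
```

A rejected enumeration leaves the locked class untouched, so the original device still works if it is re-enumerated honestly.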
![Page 28: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/28.jpg)
Intended functionality defense
Type 3 attacks difficult to block!
● Mass Storage
  – Hardware AES keyed from device serial number
  – Bad firmware cannot maliciously alter blocks
  – Only partial protection
● HID
  – Rate-limit input actions
  – Only partial protection
  – Bonus points: buffer keystrokes > user profiling
None of this is currently implemented!
![Page 29: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/29.jpg)
Hardware isolation scorecard #2
Firmware features give more protection
● Type 1: Stack attacks – Isolated
● Type 2: Hidden functionality – Firmware blocked
● Type 3: Intended functionality – Partial protection (eventually!)
● Some type 3 attacks cannot be hardware sanitised. Proceed with caution!
![Page 30: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/30.jpg)
USG v1.0 beta
[Image labels: v0.9; v1.0 beta; PCB Layout (KiCad)]
![Page 31: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/31.jpg)
World's shortest demo
● This slide
● Also, all the other ones!
![Page 32: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/32.jpg)
Preemptive FAQ #1
Q: Can I use my USB hub with the USG?
A: No!
– No embedded host support (downstream)
– Upstream cannot emulate a network of devices
– Also, necessary to block type 2 attacks
![Page 33: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/33.jpg)
Preemptive FAQ #1b
Q: Wait, that means I need a USG for every one of my USB devices??!!!!!
A: Yeah, sorry about that ;)
Also, this implies hubs cannot be sanitised.
Hubs are untrusted devices too!
![Page 34: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/34.jpg)
Preemptive FAQ #2
Q: Can the USG protect the firmware on my device from malicious hosts?
A: Yes. The isolation barrier is symmetric.
![Page 35: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/35.jpg)
Preemptive FAQ #3
Q: Will the USG support [my obscure device]?
A: Probably not.
– Requires device driver and device emulator
– Requires some assurance that the data is safe (type 3 attacks)
– Requires sufficient interest (or pull requests!)
Planned:
– HID keyboard, mouse
– CDC, serial
– For everything else, there's Qubes ( )
  Or other type 1 hypervisor with hardware-assisted virtualisation of USB host controllers
![Page 36: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/36.jpg)
Preemptive FAQ #4
Q: Does it have a red flashing light to tell me when a USB is Bad?
A: No
– False negatives from host profiling
– False positives from crap devices or internal bugs
– Fault LEDs are deliberately orange
– Always use your USG!
![Page 37: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/37.jpg)
Preemptive FAQ #5
Q: This thing works at USB1 speed? What is this, 1998 or something?
A:
![Page 38: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/38.jpg)
12Mbps
● Wide embedded hardware support
● 2 layer PCB, easy layout
● Soldering level: advanced (0.5mm pitch LQFP)
● Prototype cost: $150
![Page 39: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/39.jpg)
480Mbps
● Limited embedded hardware support
● 4 layer PCB, controlled impedance routing
● Soldering level: mortals need not apply (0.5mm pitch QFN)
● Prototype cost: $300
![Page 40: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/40.jpg)
5Gbps
● No embedded hardware support
● 8 layer PCB, RF grade layout where every mm counts
● Soldering level: impossible (BGA)
● Prototype cost: $1000
![Page 41: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/41.jpg)
Preemptive FAQ #6
Q: So do I need a USG?
A:
Windows, Mac, Linux: Yes, but you are probably still vulnerable! (type 3 attacks)
Type 1 hypervisor with hardware-assisted virtualisation of USB host controllers: Yes, for your HIDs and anything connected at boot-time
Embedded devices, eg Cisco switches :) Yes! (and pray the firmware image is signed)
![Page 42: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/42.jpg)
Preemptive FAQ #7
Q: When can I buy one?
A: Sometime in 2016
– Firmware: add HID class support
– Hardware: 1+ board revisions
  DFM is boring and expensive
– Build your own USG v0.9 anytime you want!
![Page 43: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/43.jpg)
Testers wanted
![Page 44: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/44.jpg)
Bonus FAQ
Q: Hardware guys can't code for shit. Why should I trust you?
A1: That's a reasonable question!
A2: Go check the code yourself...
![Page 45: BadUSB, and what you should do about it](https://reader031.vdocuments.mx/reader031/viewer/2022013109/58a348991a28ab62248b6011/html5/thumbnails/45.jpg)
The good stuff
Firmware, Hardware, Wiki: github.com/robertfisk/usg
PGP: 2255 761A FE59 4D18 6511 EE43 DEB9 5AC0 15AD AEBA