SRLabs-BadUSB-BlackHat-v1.pdf – BadUSB: On accessories that turn evil (slide deck, 22 slides)


Slide 1 – BadUSB — On accessories that turn evil
Karsten Nohl <[email protected]>, Sascha Krißler <[email protected]>, Jakob Lell <[email protected]>
SRLabs

Slide 2 – Demo 1 – USB stick takes over Windows machine

Slide 3 – Agenda
- USB background
- Reprogramming peripherals
- USB attack scenarios
- Defenses and next steps

Slide 4 – USB devices include a micro-controller, hidden from the user
USB controller: 8051 CPU, bootloader, flash controller, controller firmware
Mass storage: the only part visible to the user

Slide 5 – USB devices are identified
(Diagram: Host – Root hub – Connectors + hubs – USB devices)

Identifier        USB thumb drive          Webcam
Interface class   8 – Mass Storage         a. 1 – Audio
                                           b. 14 – Video
Endpoints         0 – Control              0 – Control
                  1 – Data transfers       1 – Video transfers
                                           6 – Audio transfers
                                           7 – Video interrupts
Serial number     AA627090820000000702     0258A350

Slide 6 – USB devices are initialized in several steps; devices can have several identities
USB plug-and-play:
  Register: Power-on + firmware init -> Set address -> Send descriptor -> Set configuration -> Load driver -> Normal operation
  Optional: Deregister -> Register again … -> Load another driver
- A device indicates its capabilities through a descriptor
- A device can have several descriptors if it supports multiple device classes, like webcam + microphone
- A device can deregister and register again as a different device

Slide 7 – Agenda (section: Reprogramming peripherals)

Slide 8 – Reversing and patching USB firmware took less than 2 months
A. Document firmware update process
  1. Find leaked firmware and flash tool on the net
  2. Sniff update communication using Wireshark
  3. Replay custom SCSI commands used for updates
  4. (Reset bricked devices through short-circuiting flash pins)
B. Reverse-engineer firmware
  1. Load into disassembler (complication: MMU-like memory banking)
  2. Apply heuristics
     - Count matches between function start and call instructions for different memory locations
     - Find known USB bit fields such as descriptors
  3. Apply standard software reversing to find hooking points
C. Patch firmware
  1. Add hooks to firmware to add/change functionality
  2. Custom linker script compiles C and assembly code and injects it into unused areas of the original firmware
Other possible targets: We focused on USB sticks, but the same approach should work for:
- External HDDs
- Webcams, keyboards
- Probably many more …

Slide 9 – Agenda (section: USB attack scenarios)

Slide 10 – Demo 2 – Windows infects USB stick which then takes over Linux machine

Slide 11 – Keyboard emulation is enough for infection and privilege escalation (w/o need for software vulnerability)
Challenge – Linux malware runs with limited user privileges, but needs root privileges to infect further sticks
Approach – Steal sudo password in screensaver
- Restart screensaver (or policykit) with password stealer added via an LD_PRELOAD library
- User enters password to unlock screen
- Malware intercepts password and gains root privileges using sudo
Privilege escalation module will be submitted to Metasploit

Slide 12 – Demo 3 – USB thumb drive changes DNS settings in Windows

Slide 13 – Network traffic can be diverted by "DHCP on USB"
DNS assignment in DHCP over spoofed USB-Ethernet adapter: all DNS queries go to the attacker's DNS server
Attack steps
  1. USB stick spoofs Ethernet adapter
  2. Replies to DHCP query with DNS server on the Internet, but without default gateway
Result
  3. Internet traffic is still routed through the normal Wi-Fi connection
  4. However, DNS queries are sent to the USB-supplied server, enabling redirection attacks

Slide 14 – Bonus: Virtual machine break-out
  1. VM tenant reprograms USB device (e.g., using SCSI commands)
  2. USB peripheral spawns a second device that gets connected to the VM host
  3. USB device spoofs key strokes, changes DNS, …

Slide 15 – Demo 4 – Android diverts data traffic from Windows machine

Slide 16 – "Can I charge my phone on your laptop?" – Android phones are the simplest USB attack platform
DHCP overrides default gateway over USB-Ethernet: computer sends all Internet traffic through phone
Preparation – Android comes with an Ethernet-over-USB emulation needing little configuration
Attack – Phone supplies default route over USB, effectively intercepting all Internet traffic
Proof-of-concept released at: srlabs.de/badusb
Hacked by the second factor? Using keyboard emulation, a virus-infected smartphone could hack into the USB-connected computer. This compromises the "second factor" security model of online banking.

Slide 17 – Boot-sector virus, USB style
- Fingerprint OS/BIOS: Patched USB stick firmware can distinguish Windows, Mac, Linux, and the BIOS based on their USB behavior
- Hide rootkit from OS/AV: When an OS accesses the stick, only the USB content (for example a Linux install image) is shown
- Infect machine when booting: When the BIOS accesses the stick, a secret Linux image is shown, booting a rootkit, infecting the machine, and then booting from the USB content

Slide 18 – Family of possible USB attacks is large
Attacks shown: Emulate keyboard; Spoof network card; "USB boot-sector" virus
More attack ideas and their effect:
- Hide data on stick or HDD: External storage can choose to hide files instead of deleting them
- Rewrite data in-flight: Viruses can be added to files added to storage; first access by a virus scanner sees the original file, later access sees the virus
- Update PC BIOS: Emulate a keyboard during boot and install a new BIOS from a file in a secret storage area on a USB stick
- Spoof display: Emulate a USB display to access security information such as Captchas and randomly arranged PIN pads

Slide 19 – Agenda (section: Defenses and next steps)

Slide 20 – No effective defenses from USB attacks exist
Protection idea and its limitation:
- Whitelist USB devices: USB devices do not always have a unique serial number; OSs don't (yet) have whitelist mechanisms
- Block critical device classes, block USB completely: Obvious usability impact; very basic device classes can be used for abuse, and not much is left of USB when these are blocked
- Scan peripheral firmware for malware: The firmware of a USB device can typically only be read back with the help of that firmware (if at all), so a malicious firmware can spoof a legitimate one
- Use code signing for firmware updates: Implementation errors may still allow installing unauthorized firmware upgrades; secure cryptography is hard to implement on small microcontrollers; billions of existing devices stay vulnerable
- Disable firmware updates in hardware: Simple and effective

Slide 21 – USB peripherals can also be re-programmed for constructive purposes
Idea 1 – Speed up database queries
- Data can be parsed on the stick before (or instead of) sending it back to the host
- Our original motivation was to speed up A5/1 rainbow table lookups
Idea 2 – Repurpose cheap controller chips
- Use the reprogrammable chips for other applications than USB storage
- The flowswitch / phison project, for example, aims for a low-cost USB 3 interface for FPGAs

Slide 22 – Take aways
- USB peripherals provide a versatile infection path
- Once infected – through USB or otherwise – malware can use peripherals as a hiding place, hindering system clean-up
- As long as USB controllers are re-programmable, USB peripherals should not be shared with others
Questions? [email protected]
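Slides 5 and 6 describe how a host identifies a device purely from the descriptor it sends (interface class, endpoints, serial number), and slide 20 notes that whitelisting by serial number is weak. The following Python script is an added example, not code from the SRLabs deck: it parses a standard USB configuration descriptor (the 9-byte configuration header followed by 9-byte interface and 7-byte endpoint descriptors, as laid out in the USB 2.0 specification) and flags a "thumb drive" whose descriptor also advertises a keyboard (HID) or network interface, which is the class mix a BadUSB stick presents. The two descriptor byte strings are constructed for the example; the helper names, the policy in check_storage_policy and the class-code table are this example's own choices.

```python
import struct
from dataclasses import dataclass, field

# USB base class codes used in the checks (assumed subset of the official table).
CLASS_NAMES = {1: "Audio", 2: "Communications (CDC)", 3: "HID", 8: "Mass Storage",
               10: "CDC Data", 14: "Video", 0xE0: "Wireless Controller", 0xFF: "Vendor Specific"}
DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05


@dataclass
class Interface:
    number: int
    alt_setting: int
    if_class: int
    subclass: int
    protocol: int
    endpoints: list = field(default_factory=list)  # (address, transfer type) pairs


def parse_configuration(desc: bytes) -> list:
    """Walk a configuration descriptor and collect its interfaces and endpoints.

    Unknown descriptor types (HID, class-specific, etc.) are skipped via bLength,
    which is how a real host stack tolerates vendor extensions.
    """
    if len(desc) < 9 or desc[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", desc, 2)[0]  # wTotalLength, little-endian
    if total_len > len(desc):
        raise ValueError("wTotalLength exceeds supplied buffer")
    interfaces, pos = [], 9
    while pos + 2 <= total_len:
        blen, btype = desc[pos], desc[pos + 1]
        if blen < 2 or pos + blen > total_len:
            raise ValueError(f"malformed descriptor at offset {pos}")
        if btype == DT_INTERFACE and blen >= 9:
            interfaces.append(Interface(desc[pos + 2], desc[pos + 3],
                                        desc[pos + 5], desc[pos + 6], desc[pos + 7]))
        elif btype == DT_ENDPOINT and blen >= 7 and interfaces:
            interfaces[-1].endpoints.append((desc[pos + 2], desc[pos + 3] & 0x3))
        pos += blen
    return interfaces


def interface_classes(desc: bytes) -> list:
    """Sorted set of interface class codes a device claims in this configuration."""
    return sorted({i.if_class for i in parse_configuration(desc)})


def check_storage_policy(desc: bytes) -> list:
    """Flag a mass-storage device that also claims input or network capabilities."""
    classes = set(interface_classes(desc))
    findings = []
    if 8 in classes:
        for suspicious in (3, 2, 10, 0xE0):
            if suspicious in classes:
                findings.append(f"storage device also exposes {CLASS_NAMES[suspicious]} "
                                f"(class 0x{suspicious:02x})")
    return findings


# --- Constructed sample descriptors (test data, not captured from real hardware) ---
def _config(body: bytes, n_interfaces: int) -> bytes:
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), n_interfaces, 1, 0, 0x80, 50) + body

def _iface(num, cls, sub, proto, n_ep) -> bytes:
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, num, 0, n_ep, cls, sub, proto, 0)

def _ep(addr, attrs, max_packet, interval) -> bytes:
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, addr, attrs, max_packet, interval)

_HID_DESC = struct.pack("<BBHBBBH", 9, 0x21, 0x0110, 0, 1, 0x22, 63)  # skipped by the parser

# Plain thumb drive: one mass-storage (SCSI, bulk-only) interface with bulk IN/OUT.
THUMB_DRIVE = _config(_iface(0, 8, 6, 0x50, 2) + _ep(0x81, 2, 512, 0) + _ep(0x02, 2, 512, 0), 1)
# Reprogrammed stick: same storage interface plus a boot-protocol keyboard on interrupt IN.
BADUSB_STICK = _config(_iface(0, 8, 6, 0x50, 2) + _ep(0x81, 2, 512, 0) + _ep(0x02, 2, 512, 0)
                       + _iface(1, 3, 1, 1, 1) + _HID_DESC + _ep(0x83, 3, 8, 10), 2)

if __name__ == "__main__":
    for name, desc in (("thumb drive", THUMB_DRIVE), ("badusb stick", BADUSB_STICK)):
        print(name, interface_classes(desc), check_storage_policy(desc) or "ok")
```

The check works on what the device claims, not on who it says it is, which is the point of slide 20: two sticks with identical vendor, product and serial strings are indistinguishable by identity, but a storage device that re-enumerates with an extra HID interface is visible in its descriptor. On Linux the same bytes can be read from the `descriptors` file under `/sys/bus/usb/devices/<port>/`.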
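Slides 13 and 16 describe two DHCP-on-USB variants: a lease that supplies a DNS server but no default gateway (so traffic still flows over Wi-Fi while name resolution is diverted), and a lease that supplies a default route (so all traffic flows through the phone). The following Python script is an added example, not code from the SRLabs deck: it parses the options section of a DHCP server reply and reports either pattern, treating any DNS or router option that arrives on a USB-attached interface as a finding. The packets are constructed (RFC 5737 documentation addresses), the interface names are assumed, and the is_usb_interface helper relies on the Linux sysfs layout where a USB NIC's device link resolves under a `/usb` path.

```python
import os
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"          # magic cookie at offset 236 of a BOOTP message
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 3, 6, 53, 255
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option code: raw value} from the options field of a DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, pos = {}, 240
    while pos < len(payload):
        code = payload[pos]
        if code == OPT_PAD:
            pos += 1
            continue
        if code == OPT_END:
            break
        if pos + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[pos + 1]
        value = payload[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        opts[code] = value
        pos += 2 + length
    return opts


def _ip_list(raw: bytes) -> list:
    return [str(IPv4Address(raw[i:i + 4])) for i in range(0, len(raw) - len(raw) % 4, 4)]


def is_usb_interface(iface: str) -> bool:
    """Linux-only heuristic (assumption): a USB NIC's sysfs device path contains '/usb'."""
    return "/usb" in os.path.realpath(f"/sys/class/net/{iface}/device")


def assess_lease(payload: bytes, iface: str, usb_ifaces: set) -> list:
    """Findings for one server reply seen on `iface`; empty list means nothing unusual."""
    opts = parse_dhcp_options(payload)
    msg = opts.get(OPT_MSG_TYPE, b"\x00")[0]
    if msg not in (2, 5):                     # only OFFER / ACK carry a lease
        return []
    dns, routers = _ip_list(opts.get(OPT_DNS, b"")), _ip_list(opts.get(OPT_ROUTER, b""))
    findings = []
    if iface in usb_ifaces:
        if dns:
            findings.append(f"{iface}: USB-attached interface supplies DNS servers {dns}")
        if routers:
            findings.append(f"{iface}: USB-attached interface supplies default route via {routers}")
    elif dns and not routers:
        findings.append(f"{iface}: {MSG_NAMES[msg]} sets DNS {dns} but no router (DNS-only lease)")
    return findings


# --- Constructed sample replies (test data, not real captures) ---
def build_reply(msg_type: int, dns=(), routers=()) -> bytes:
    fixed = bytes([2, 1, 6, 0]) + b"\x00" * 232   # op=BOOTREPLY, htype=Ethernet, hlen=6, rest zeroed
    options = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, addrs in ((OPT_DNS, dns), (OPT_ROUTER, routers)):
        if addrs:
            packed = b"".join(IPv4Address(a).packed for a in addrs)
            options += bytes([code, len(packed)]) + packed
    return fixed + DHCP_MAGIC + options + bytes([OPT_END])

WIFI_OFFER = build_reply(2, dns=("192.0.2.53",), routers=("192.0.2.1",))   # normal lease
USB_DNS_ONLY_ACK = build_reply(5, dns=("203.0.113.53",))                    # slide 13 pattern
USB_GATEWAY_OFFER = build_reply(2, dns=("203.0.113.53",), routers=("203.0.113.1",))  # slide 16
USB_IFACES = {"enp0s20u1"}   # assumed name of a USB Ethernet gadget on Linux

if __name__ == "__main__":
    for label, pkt, iface in (("wifi", WIFI_OFFER, "wlan0"),
                              ("usb dns-only", USB_DNS_ONLY_ACK, "enp0s20u1"),
                              ("usb gateway", USB_GATEWAY_OFFER, "enp0s20u1")):
        print(label, assess_lease(pkt, iface, USB_IFACES) or "ok")
```

In practice the payload comes from a packet capture or a DHCP client hook and `usb_ifaces` is built with is_usb_interface over the host's interfaces; the option parser is the part worth reusing, since the same TLV walk also exposes other options an unexpected adapter might push, such as a proxy auto-configuration URL.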