Fear & Loathing on your Desk BadUSB, and what you should do about it Robert Fisk
Fear & Loathing on your Desk
BadUSB, and what you should do about it
Robert Fisk
Outline
1. Why USB = Universal Serial Badness
2. Current defenses
3. Hardware defense gadget
– Demo, Preemptive FAQs
So who is this guy?
● Electronic engineer in Auckland, NZ● PhD in IC design – analog, mixed-signal, low power● Informal tech support for group of targeted users● Bored last year, BadUSB looked like an interesting project
1-Slide USB introduction
Host PC
Device
Configuration 1
Endpoint 0
Endpoint 1Endpoint ...
Interface 0
Endpoint 1Endpoint ...
Interface 1
USB Device● Endpoint 0
● Configuration 1– Interface 0
● Endpoint 1● Endpoint 2...
– Interface 1● Endpoint ...
USB descriptors
Bus 007 Device 003: ID 046d:c00c Logitech, Inc. Optical Wheel MouseDevice Descriptor: blength 18 bdescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 ...blah blah...
Untrusted length!!
[you@yourbox ~]$ lsusb -v
Universal Serial Badness #1
Type 1: Stack Attacks
● Untrusted input to host stack● Host driver or device driver of attacker's choice● 200 device drivers in Linux 3.13 kernel source
Host PC User space
USB host driver
USB class driver
USB device driver
USB device driver
POW!POW!
Universal Serial Badness #1
Stack Attack example:● Inadvertent Win7 attack from crappy mouse● Bluescreen in HIDCLASS.SYS
Universal Serial Badness #1
News Flash:Cisco Nexus 5000 Series USB Driver Denial of Service Vulnerability
A vulnerability in the USB driver for Cisco Nexus 5000 Series Switches could allow an unauthenticated, local attacker to cause a denial of service (DoS) condition due to a kernel crash.The vulnerability is due to insufficient handling of USB input parameters.
Cisco has not released software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability.
“”
Universal Serial Badness #2
Type 2: Hidden Functionality Attacks● No exploit required● USB-compliant commands
User space
USB host driver
USB class driver
USB device driver
USB device driver
POW!POW!Host PC
Universal Serial Badness #2
Hidden Functionality example:Netragard's Hacker Interface DeviceUsage: Plug mouse into computer, get pwned.
Mouse
Hub
+HID USB Keystroke Dongle (Teensy)
USB flash drive
+
+
Universal Serial Badness #3
Type 3: Intended Functionality Attacks● No exploit required● The thing you want is bad!
User space
USB host driver
USB class driver
USB device driver
USB device driver
POW!POW!Host PC
Universal Serial Badness #3
Intended Functionality example:
SR Labs 'hidden rootkit' flash drive
● Host profiling● Activate payload only
when enumerated by BIOS
Universal Serial Badness
● Type 1: Stack attacks● Type 2: Hidden functionality● Type 3: Intended functionality
100% standards compliant
Problem?
How easily can a device turn Bad?
● Most USB chips use 8051 8-bit embedded CPU (from 1980!!!)● Firmware updates with proprietary tools
srlabs.de
“Up to half of USB chips are BadUSB-vulnerable”
(but you can't tell which half!)
You have no idea what code you are running on your system!
Current defense #1
● For mice on desktop PCs only● Not all USB mice support PS/2 protocol :(
Reduce your attack surface with advanced PS/2 technology!
NOT VERY USEFUL
NOT VERY USEFUL
Current defense #2
● Only protects against type 2 keyboard attacks● Windows only
G Data Keyboard GuardNOT VERY USEFUL
NOT VERY USEFUL
Current defense #3
Reduce your attack surface with virtualisation(the wrong way)
● Software passthrough of USB devices● Type 2 hypervisors: Virtualbox, etc ● Software passthrough increases your
attack surface!
USB device
USB host
Host OS
Hypervisor
Guest OS
BAM!BAM!
BAM!BAM!
BAM!BAM!
NOT VERY USEFUL
NOT VERY USEFUL
Current defense #3
Reduce your attack surface with virtualisation(the right way)
● Hardware passthrough of USB host controller
● Type 1 hypervisors: Qubes/Xen, etc● Requires VT-d (Intel) or IOMMU (AMD)● All USB devices attched to a host
controller move together
USB device
USB host
Host OS
Hypervisor
Guest OS
USB host
BAM!BAM!USEFUL?
USEFUL?
Virtualisation scorecard
● Type 1: Stack attacks – Isolated● Type 2: Hidden functionality – Isolated● Type 3: Intended functionality – Isolated
How does hardware virtualisation help us?
Sanitise data leaving the USB VM!
● No protection at boot time● Host OS inputs are unprotected:
USB kbd/mouse & other devices on the same host controller
For everything else, there's...
● Concept: reduce attack surface through isolation● Terminate the USB bus outside vulnerable PC
Windows, Mac, Linux: Uhhh...........
USB hostdriver
USB device driver
USB device
USB device emulator
USB devicedriver
BAM!BAM!
Simplest imaginable protocolBAM!BAM!
Sanity checks
Host PC
Hardware defense – concept
● Many device drivers● Slow bootup● More expensive
Start the project with off-the-shelf hardware
● Limited drivers● Instant bootup● Cheap(er)
Embedded Linux: Embedded bare-metal:
Thing 1 Thing 2USB
device
Simple interface Host port
Device port
Upstream(device)
Downstream(host)
Host PC
Prototype hardware
OlimexSTM32-H405
OlimexSTM32-H407
Host port
● STM32F405 / 407 ARM-core microcontrollers● ST provides USB middleware with various drivers● FS (12Mbps) with upgrade path to HS (480Mbps)
15 EUR30 EUR
Device port
Introducing the USG v0.9
Turning BadUSB good since 2015
Device port
Host portSPI data
interface
Let's talk firmware!
main.c
Dev board
Peripheral library (hardware drivers)
USB host library & device drivers
Linker script.ld Processor family headers.h
OpenOCD Olimex JTAG
☼Board.cfg
GNUARM Eclipse
Eclipse CDT
☼ ☼
Startup file.SMath/DSP libraries
newlib-nano
gdb
☼
☼
gcc-arm-none-eabi
Firmware current status
● Mass Storage support only– SCSI transparent command set– 512B blocks– 2TB max capacity– Single LUN
● ~700kB/s transfer speed● 2x 30kB binary images
Hardware isolation scorecard #1
● Type 1: Stack attacks – Isolated● Type 2: Hidden functionality● Type 3: Intended functionality
How does this dongle help us?
Hidden functionality defense
● Disable hubs– Embedded host stack supports single device only :)
● Disable multi-interface devices– Limit host to one active class driver
● Lock in requested device class on first enumeration– Device class change requires firmware reset
Stop Type 2 attacks with firmware features:
Intended functionality defense
● Mass Storage– Hardware AES keyed from device serial number– Bad firmware cannot maliciously alter blocks– Only partial protection
● HID– Rate-limit input actions– Only partial protection
– Bonus points: buffer keystrokes > user profiling
Type 3 attacks difficult to block!
None of this is currently implemented!
Hardware isolation scorecard #2
● Type 1: Stack attacks – Isolated● Type 2: Hidden functionality – Firmware blocked● Type 3: Intended functionality – Partial protection (eventually!)
Firmware features give more protection
● Some type 3 attacks cannot be hardware sanitised. Proceed with caution!
USG v1.0 beta
v0.9 v1.0 betaPCB Layout (KiCad)
World's shortest demo
● This slide● Also, all the other ones!
Preemptive FAQ #1
Q: Can I use my USB hub with the USG?
A: No!– No embedded host support (downstream)– Upstream cannot emulate a network of devices– Also, necessary to block type 2 attacks
Preemptive FAQ #1b
Q: Wait, that means I need a USG for every one of my USB devices??!!!!!
A: Yeah, sorry about that ;)
Also, this implies hubs cannot be sanitised.Hubs are untrusted devices too!
Preemptive FAQ #2
Q: Can the USG protect the firmware on my device from malicious hosts?
A: Yes. The isolation barrier is symmetric.
Preemptive FAQ #3
Q: Will the USG support [my obscure device]?
A: Probably not.– Requires device driver and device emulator– Requires some assurance that the data is safe (type 3 attacks)– Requires sufficient interest (or pull requests!)
Planned: – HID keyboard, mouse– CDC, serial– For everything else, there's Qubes ( )Or other type 1 hypervisor with hardware-
assisted virtualisation of USB host controllers
Preemptive FAQ #4
Q: Does it have a red flashing light to tell me when a USB is Bad?
A: No– False negatives from host profiling– False positives from crap devices or internal bugs– Fault LEDs are deliberately orange– Always use your USG!
Preemptive FAQ #5
Q: This thing works at USB1 speed? What is this, 1998 or something?
A:
12Mbps
● Wide embedded hardware support● 2 layer PCB, easy layout● Soldering level: advanced (0.5mm pitch LQFP)● Prototype cost: $150
480Mbps● Limited embedded hardware support● 4 layer PCB, controlled impedance routing● Soldering level: mortals need not apply (0.5mm pitch QFN)● Prototype cost: $300
5Gbps
● No embedded hardware support● 8 layer PCB, RF grade layout where every mm counts● Soldering level: impossible (BGA)● Prototype cost: $1000
Preemptive FAQ #6
Q: So do I need a USG?
A: Windows, Mac, Linux:Yes, but you are probably still vulnerable! (type 3 attacks)
Type 1 hypervisor with hardware-assisted virtualisation of USB host controllers:
Yes, for your HIDs and anything connected at boot-time
Embedded devices, eg Cisco switches :)Yes! (and pray the firmware image is signed)
Preemptive FAQ #7
Q: When can I buy one?
A: Sometime in 2016
– Firmware: add HID class support– Hardware: 1+ board revisions
DFM is boring and expensive
– Build your own USG v0.9 anytime you want!
Testers wanted
Bonus FAQ
Q: Hardware guys can't code for shit. Why should I trust you?
A1: That's a reasonable question!
A2: Go check the code yourself...
github.com/robertfisk/usg
PGP: 2255 761A FE59 4D18 6511EE43 DEB9 5AC0 15AD AEBA
The good stuff
Firmware, Hardware, Wiki: