(Submitted on 11 Oct 2018)
Industrial Control Systems (ICS) are sensible targets for high profile attackers and advanced persistent threats, which are known to exploit USB thumb drives as an effective spreading vector. In ICSes, thumb drives are widely used to transfer files among disconnected systems and represent a serious security risks, since, they may be promiscuously used in both critical and regular systems. The threats come both from malware hidden in files stored in the thumb drives and from BadUSB attacks . BadUSB leverages the modification of firmware of USB devices in order to mimic the behaviour of a keyboard and send malicious commands to the host. We present a solution that allows a promiscuous use of USB thumbs drives while protecting critical machines from malware, that spread by regular file infection or by firmware infection. The main component of the architecture we propose is an hardware, called USBCaptchaIn, intended to be in the middle between a critical machine and all USB devices. We do not require users to change the way they use thumb drives. To avoid human-errors, we do not require users to take any decision. The proposed approach is highly compatible with already deployed products of a ICS environment and proactively blocks malware before they reach their targets. We describe our solution, provide a thorough analysis of the security of our approach in the ICS context, and report the informal feedback of some experts regarding our first prototypes.
[…]USB Hardware, Counterfeit USB Devices, and Firmware Mayhem[…]
WooKey: USB Devices Strike Back
Date : 13 juin 2018 à 17:15 — 30 min.
The USB bus has been a growing subject of research in recent years. In particular, securing the USB stack (and hence the USB hosts and devices) started to draw interest from the academic community since major exploitable flaws have been revealed by the BadUSB threat. The work presented in this paper takes place in the design initiatives that have emerged to thwart such attacks. While some proposals have focused on the host side by enhancing the Operating System’s USB sub-module robustness, or by adding a proxy between the host and the device, we have chosen to focus our efforts on the device side.
USB Reverse Engineering: A Universal Guide
by: Ben James
May 25, 2018
[Glenn ‘devalias’ Grant] is a self-proclaimed regular rabbit hole diver and is conscious that, between forays into specific topics, short-term knowledge and state of mind can be lost. This time, whilst exploring reverse engineering USB devices, [Glenn] captured the best resources, information and tools – for his future self as well as others. His guide is impressively comprehensive, and covers all the necessary areas in hardware and software.[…]
Conclusion: Never trust USB devices (and not only storage devices…)
The below articles point to related tools, besides the Hak5 Rubber Ducky.
“MalDuino is an arduino-powered USB device which has keyboard injection capabilities. Once plugged in, MalDuino acts as a keyboard, typing commands at superhuman speeds. What’s the point? You could gain a reverse shell, change the desktop wallpaper, anything is possible. For penetration testers, hobbyists and pranksters the MalDuino will serve you well!”
As reported by Toms Hardware and other news sources, a new company in Hong Kong is selling a USB-frying unit called “USB Killer 2.0”, and a “USB Killer Test Shield”.
“Temporarily Out of Stock.”
Dan goodin has an article on Ars about some BadUSB-like malware:
Meet USBee, the malware that uses USB drives to covertly jump airgaps
In 2013, a document leaked by former National Security Agency contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks. Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly “air-gapped” PCs. The USBee—so named because it behaves like a bee that flies through the air taking bits from one place to another—is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth. That tool had to be outfitted with a hardware implant in advance and then required someone to smuggle it into the facility housing the locked-down computer being targeted. USBee, by contrast, turns USB devices already inside the targeted facility into a transmitter with no hardware modification required at all. “We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle,” researchers from Israel’s Ben-Gurion University wrote in a research paper published Monday. “Unlike other methods, our method doesn’t require any [radio frequency] transmitting hardware since it uses the USB’s internal data bus.”
“USB xHCI may Execute a Stale Transfer Request Block”
BadUSB 2.0 USB MITM POC: The advanced uses and capabilities of rogue USB hardware implants for use in cyber espionage activities is still very much an unknown quantity in the industry. Security professionals are in considerable need of tools capable of exploring the threat landscape, and generating awareness in this area. BadUSB2, is a tool capable of compromising USB fixed-line communications through an active man-in-the-middle attack. It is able to achieve the same results as hardware keyloggers, keyboard emulation, and BadUSB hardware implants. Furthermore, BadUSB2 introduces new techniques to defeat keyboard-based one-time-password systems, automatically replay user credentials, as well as acquiring an interactive command shell over USB. […] So how is this any different from existing USB hardware implants like the Rubber Ducky, or keyloggers. Firstly, the devices I’ve seen can only achieve one or two attack classes such as eavesdropping or message fabrication. BadUSB2 can eavesdrop, replay, modify, fabricate, exfiltrate data and BadUSB in one device. Furthermore, when combining these attack classes really interesting attack scenarios begin to surface. Secondly, keyboard emulation devices register as an additional USB device making them easy to detect and block, i.e. why do I now have two keyboards attached!? Yes, such devices can be easily detected and blocked. The same can be said of BadUSB, it often needs to register as a secondary USB device to perform a malicious task. BadUSB2 is an INLINE hardware implant giving it the stealth of a hardware keylogger but far more capabilities as mentioned above. Finally, (law of 3’s), just cos. […] This project builds on the USB-MITM architecture introduced by Rijnard van Tonder and Herman Engelbrecht in their paper titled, “Lowering the USB Fuzzing Barrier by Transparent Two-Way Emulation”. A special thanks to Rijnard for such a brilliant idea. […]
The USB-IF has developed a cryptographic-based authentication protocol to help protect from bad USB Type-C cables!
IBM Research has new research on USB attacks and an “UScramBle” implementation for Linux:
USB Eavesdropping Attacks
Attacks that leverage USB as an attack vector are gaining popularity. While attention has so far focused on attacks that either exploit the host’s USB stack or its unrestricted device privileges, it is not necessary to compromise the host to mount an attack over USB. This paper describes and implements a USB sniffing attack. In this attack a USB device passively eavesdrops on all communications from the host to other devices, without being situated on the physical path between the host and the victim device. To prevent this attack, we present UScramBle, a lightweight encryption solution which can be transparently used, with no setup or intervention from the user. Our prototype implementation of UScramBle for the Linux kernel […]
Most news sites are reporting about bad security in Western Digital hard drives. As presented at Hardware.io the other week, and from the Full Disclosure mailing list from a few days ago, excerpt below:
Authors: Gunnar Alendal, Christian Kison, modg
Vendor notification: The vendor has been informed of the research.
Patches: The authors are not aware of any fixes.
Research on Western Digital wide-spread self-encrypting hard drive series “My Passport” / “My Book”. Devices researched utilizes mandatory HW AES encryption. Multiple vulnerabilities, including:
* Multiple authentication backdoors, bypassing password authentication
* AES factory key recovery attacks, exposing user data on all affected devices, regardless of user password
* Exposure of HW PRNGs used in cryptographic contexts
* Unauthorized patching of FW, facilitating badUSB/evil-maid attacks
Architectures researched (USB Bridge Vendor – Chip model – Architecture):
JMicron – JMS538S – Intel 8051
Symwave – SW6316 – Motorola M68k
PLX – OXUF943SE – ARM7
Initio – INIC-1607E – Intel 8051
Initio – INIC-3608 – ARC 600
JMicron – JMS569 – Intel 8051
Recently My_Ouzo posted a detailed tutorial on WonderHowTo’s Null-Byte, on how to make your own BadUSB. Excerpt from introduction:
Recently a guy asked how to make your own “Bad USB” and I promised to make a how-to on this topic soon. In addition it would be nice to have something related on our wonderhowto world. So here it is! Most common USB flash drives are exploitable due to the “Bad USB vulnerability”. This allows us hackers to reprogram the microcontroller of them to act as a “Human Interface Device” (HID) / keyboard and perform custom keystrokes on our target machine. This scenario is often called “HID Payload Attack”, since you have to hand over your script to the Bad USB for the execution ( more on that later ). Even though almost every USB flash drive is exploitable, only a way to reprogram “Phison” microcontrollers has been released yet. In this tutorial we are going to determine the microcontroller of your usb flash drive, compile the source code published in github for the tools we need and move over to building a custom firmware with an embedded HID payload and turning our harmless usb flash drive into a malicious keyboard designed to help us accomplishing the compromise of our victim machine.