UDeck: USB Deck

Yesterday code was released for a USB pentest project, as presented at DEF CON 23 a few weeks ago by Dr. Phil Polstra, Professor at Bloomsburg University, in his talk “One Device to Pwn Them All”.

The code uses Deck Linux, a pentest distro for the BeagleBone Black, and adds new scripts for USB pentesting.

Abstract: This talk will present a device that can be used as a dropbox, remote hacking drone, hacking command console, USB writeblocker, USB Mass Storage device impersonator, or scripted USB HID device. The device is based on the BeagleBone Black, can be battery operated for several days, and is easily constructed for under $100. The dropbox, remote hacking drone, and hacking command console functionality were presented at DEF CON 21. This talk will emphasize the new USB-based attack functionality. Topics will include injecting payloads by emulating an optionally write-protected USB mass storage device, rapidly executing commands on a target using the BeagleBone Black operating as a scripted USB HID device, USB mass storage device impersonation, and other attacks that can be performed with brief physical access to the target. Some familiarity with Linux and USB devices would be helpful, but not required. All hardware and software to be discussed is 100% open source.

Bio: Phil was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since. Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil’s book “Hacking and Penetration Testing With Low Power Devices” (Syngress, 2015). Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes.

The UDeck or USB Deck is an addon to Deck Linux. Deck Linux is a pentesting Linux which was created for the BeagleBoard and BeagleBone family of devices and also for similar devices. Scripts include:
* mount-usb.sh: Exports a USB drive attached to the BBB as read-only to a PC which the BBB is plugged in to.
* mount-usb-rw.sh: Makes a drive previously exported with mount-usb.sh writeable.
* impersonator.sh: This will cycle through the VID/PID combinations in vidpid-list until it is killed. This allows you to bypass endpoint security software that filters based on VID/PID. If you know the appropriate VID/PID that should work you can easily modify this script to go directly to the appropriate VID/PID.
* create-hid.sh: This creates a scriptable USB HID keyboard device on the BBB. You could then send HID reports directly to this new device or you can use udeckHid.py to make this easy.
* udeckHid.py: This defines a set of Python classes that make scripting a HID keyboard much easier. There is also an example Linux script in this file.
* attackWindows.py: This is an example of how the scriptable HID keyboard can be used under Windows.
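The impersonator.sh description above makes the defensive point explicit: a gadget can present any VID/PID it likes, so endpoint controls that allowlist on VID/PID alone are weak. What a host can observe, though, is the churn: the same physical port re-enumerating with a new identity every few seconds. The following Python is an added example, not code from the UDeck project, that parses syslog-style kernel USB enumeration lines and flags a port that presents several distinct VID:PID pairs within a short window. The log lines are constructed for the example; the thresholds (60 seconds, three identities) are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of syslog-style kernel lines (not captured data). They mimic
# what a Linux host logs while a gadget on port 1-1 re-enumerates with changing
# idVendor/idProduct, next to an ordinary single enumeration on port 2-3.
SAMPLE_LOG = """\
Aug 10 12:00:01 host kernel: usb 1-1: new high-speed USB device number 5 using xhci_hcd
Aug 10 12:00:01 host kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567
Aug 10 12:00:04 host kernel: usb 1-1: USB disconnect, device number 5
Aug 10 12:00:05 host kernel: usb 1-1: new high-speed USB device number 6 using xhci_hcd
Aug 10 12:00:05 host kernel: usb 1-1: New USB device found, idVendor=0951, idProduct=1666
Aug 10 12:00:08 host kernel: usb 1-1: USB disconnect, device number 6
Aug 10 12:00:09 host kernel: usb 1-1: new high-speed USB device number 7 using xhci_hcd
Aug 10 12:00:09 host kernel: usb 1-1: New USB device found, idVendor=13fe, idProduct=4200
Aug 10 12:03:00 host kernel: usb 2-3: new full-speed USB device number 3 using xhci_hcd
Aug 10 12:03:00 host kernel: usb 2-3: New USB device found, idVendor=046d, idProduct=c31c
"""

# Matches only the "New USB device found" line, which carries the VID/PID.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: usb (?P<port>[\d.-]+): "
    r"New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)


def parse_enumerations(log_text, year=2015):
    """Return (timestamp, port, vid, pid) tuples, one per enumeration line.

    Syslog timestamps carry no year, so one is supplied (assumed) to build a datetime.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["port"], m["vid"], m["pid"]))
    return events


def find_identity_churn(events, window_seconds=60, min_identities=3):
    """Map port -> sorted list of VID:PID identities for ports that presented
    at least min_identities distinct identities within any window_seconds span.

    A legitimate hub port rarely shows more than one or two identities per
    minute; a gadget cycling through a VID/PID list does so every few seconds.
    """
    by_port = defaultdict(list)
    for ts, port, vid, pid in events:
        by_port[port].append((ts, f"{vid}:{pid}"))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for port, seq in by_port.items():
        seq.sort()
        start = 0
        # Sliding window over this port's enumerations in time order.
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1
            identities = {ident for _, ident in seq[start:end + 1]}
            if len(identities) >= min_identities:
                alerts[port] = sorted(identities)
    return alerts


if __name__ == "__main__":
    for port, ids in find_identity_churn(parse_enumerations(SAMPLE_LOG)).items():
        print(f"port {port}: {len(ids)} identities within 60s: {', '.join(ids)}")
```

On the sample, port 1-1 is reported with three identities inside one minute and port 2-3 is not. The same logic runs unchanged over `journalctl -k` output, since the kernel message format is identical; only the timestamp prefix would need adjusting for non-syslog formats.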

https://github.com/ppolstra/UDeck
https://www.defcon.org/html/defcon-23/dc-23-speakers.html#Polstra
http://beagleboard.org/project/TheDeck/

http://www.philpolstra.com/
http://sourceforge.net/projects/thedeck/

CHIPSEC on DEF CON Conference CD

Apparently CHIPSEC is on the DEF CON 23 CD:

The DEF CON home page has a link to download the Conference CD. I’ve not done a diff yet, but it appears to still be version 1.21. If it has anything newer than 1.21, it is newer than their Github public release, and should be checked out immediately! There is a new S3bootscript security test in the works…

As much as I trust the DEF CON Goons, I might not run any binaries from this CD, and would diff the sources against the public CHIPSEC github release before running it. 🙂

https://defcon.org/

Conference CD, Direct Download:
https://media.defcon.org/DEF%20CON%20Conference%20CD%20DVD/DEF%20CON%2023%20Original%20Hacking%20Conference%20DVD.rar

Conference CD, Directory of Files:
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Extras/1o57/Extras/chipsec-master/source/tool/chipsec/modules/common/
https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Extras/1o57/1o57.txt

DEF CON 23

DEF CON is happening shortly, or maybe it’s cancelled, I’m not sure. 🙂 Two talks immediately jump out:

ThunderStrike 2: Sith Strike

Trammel Hudson Vice President, Two Sigma Investments
Xeno Kovah Co-founder, LegbaCore, LLC
Corey Kallenberg Co-Founder, LegbaCore, LLC

The number of vulnerabilities in firmware disclosed as affecting Wintel PC vendors has been rising over the past few years. Although several attacks have been presented against Mac firmware, unlike their PC counterparts, all of them required physical presence to perform. Interestingly, when contacted with the details of previously disclosed PC firmware attacks, Apple systematically declared themselves not vulnerable. This talk will provide conclusive evidence that Macs are in fact vulnerable to many of the software-only firmware attacks that also affect PC systems. In addition, to emphasize the consequences of successful exploitation of these attack vectors, we will demonstrate the power of the dark side by showing what Mac firmware malware is capable of.

and:

Attacking Hypervisors Using Firmware and Hardware

Yuriy Bulygin Advanced Threat Research, Intel Security
Mikhail Gorobets Advanced Threat Research, Intel Security
Alexander Matrosov Advanced Threat Research, Intel Security
Oleksandr Bazhaniuk Advanced Threat Research, Intel Security
Andrew Furtak Security Researcher

In this presentation, we explore the attack surface of modern hypervisors from the perspective of vulnerabilities in system firmware such as BIOS and in hardware emulation. We will demonstrate a number of new attacks on hypervisors based on system firmware vulnerabilities with impacts ranging from VMM DoS to hypervisor privilege escalation to SMM privilege escalation from within the virtual machines. We will also show how a firmware rootkit based on these vulnerabilities could expose secrets within virtual machines and explain how firmware issues can be used for analysis of hypervisor-protected content such as VMCS structures, EPT tables, host physical addresses (HPA) map, IOMMU page tables etc. To enable further hypervisor security testing, we will also be releasing new modules in the open source CHIPSEC framework to test issues in hypervisors when virtualizing hardware.

And that’s just the tip of the iceberg for talks… Teddy Reed (author of UEFI Firmware Parser) has a talk. Joe FitzPatrick (of SecuringHardware.com) has a talk. There’s a talk on hardware side-channel attacks, one on BadUSB-like security, one on hardware trust, one on medical device security, and a few other firmware-related talks, around 31 hits for ‘firmware’ in the schedule! Amongst the Workshops, there are some fun ones, including ARM for pentesters and Embedded System Design. In the Villages, the Hardware Hacking Village and the IoT Village sound interesting.

More Information:
https://www.defcon.org/html/defcon-23/dc-23-schedule.html

https://plus.google.com/+DefconOrgplus/posts
https://www.defcon.org/html/links/dc-goons.html