USB Crosstalk Leakage Attacks on USB Hubs

USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs
Yang Su, Damith Ranasinghe, Daniel Genkin, Yuval Yarom

The Universal Serial Bus (USB) is the most prominent interface for connecting peripheral devices to computers. USB-connected input devices, such as keyboards, card-swipers and fingerprint readers, often send sensitive information to the computer. As such information is only sent along the communication path from the device to the computer, it was hitherto thought to be protected from potentially compromised devices outside this path. We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic. We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines. Demonstrating the attack’s low costs and ease of concealment, we modify a novelty USB lamp to implement an off-path attack which captures and exfiltrates USB traffic when connected to a vulnerable internal or a external USB hub.



Brutal Kangaroo and Emotional Simian




Umap2: USB host security assessment tool

Umap2 is the second revision of NCC Group’s python based USB host security assessment tool. This revision will have all the features that were supported in the first revision:

* umap2emulate – USB device emulation
* umap2scan – USB host scanning for device support
* umap2detect – USB host OS detection (no implemented yet)
* umap2fuzz – USB host fuzzing

In this revision there will be some additional features:

* USB host fuzzing uses kitty as fuzzing engine
* Umap2 not only contains executable scripts, but is also installed as a package and may be used as a library

Umap2 is developed by NCC Group and Cisco SAS team.[…]







Building a USB analyzer with USB armory


Armory Sandbox – Building a USB analyzer with USB armory
June 14, 2017
By Pedro Vilaca
Some time ago a friend received a mysterious USB pen with a note talking about some kind of heavily persistent malware. He had that USB pen stored untouched and of course my curiosity took over. Since one should never plug in unknown USB devices into a computer (well, any USB device we purchase is unknown but that is another story) and I didn’t want to “burn” a computer just to take a look at the contents I decided to use my USB armory to build an air gap sandbox that would be harder to infect and for malware to escape from it.[…]



USB attack to Mazda cars: Bad Valet attack

“Bad Valet is the new Evil Maid” –Joanna Rutkowska


“A PoC that the USB port is an attack surface for a Mazda car’s infotainment system and how Mazda hacks are made.”




Vape Pens: source of USB attacks

If you have a vaping device, make sure it supports Verified/Secure/Trusted/etc Boot. 🙂

[…]Take this as the weirdest example yet that you should never plug random devices into your USB ports. […] While FourOctets has no ill-intent, it is easy to imagine someone less scrupulous loading a computer with something not quite as funny. Like, say, a keylogger. Or ransomware.[…]


A related presentation, as suggested from a poster in the above twitter thread:

Holy smokes, how to vape yourself to root
Ross Bevington
Abstract: We all know that smoking is bad for your health, but what about you or your organisations security? I’ll show you that an eCig isn’t just a glorified smoke machine but a low power, battery operated, exploitation platform. I’ll show you how easy it is to decrypt the firmware, write your own functionality and use this to pwn some systems. Turning your eCig into everything from a keyboard to a USB stick. On the way we’ll do a bit of reverse engineering, write a bit of code and show how you can do most of this on a shoe string budget. Looking for ways to defend against attacks like this? I have some options. Consider this talk if you want another reason to ban smoking at your organisation.