FirmUSB: Vetting USB Device Firmware using Domain Informed Symbolic Execution
Grant Hernandez, Farhaan Fowze, Dave (Jing) Tian, Tuba Yavuz, Kevin R. B. Butler
(Submitted on 30 Aug 2017)
The USB protocol has become ubiquitous, supporting devices from high-powered computing devices to small embedded devices and control systems. USB’s greatest feature, its openness and expandability, is also its weakness, and attacks such as BadUSB exploit the unconstrained functionality afforded to these devices as a vector for compromise. Fundamentally, it is virtually impossible to know whether a USB device is benign or malicious. This work introduces FirmUSB, a USB-specific firmware analysis framework that uses domain knowledge of the USB protocol to examine firmware images and determine the activity that they can produce. Embedded USB devices use microcontrollers that have not been well studied by the binary analysis community, and our work demonstrates how lifters into popular intermediate representations for analysis can be built, as well as the challenges of doing so. We develop targeting algorithms and use domain knowledge to speed up these processes by a factor of 7 compared to unconstrained fully symbolic execution. We also successfully find malicious activity in embedded 8051 firmwares without the use of source code. Finally, we provide insights into the challenges of symbolic analysis on embedded architectures and provide guidance on improving tools to better handle this important class of devices.
One new feature that is news to me:
USB Guard, a feature that allows for greater control over how plug-and-play devices can be used by specific users to help limit both data leaks and data injection.
4 Ways to Prevent Leaks via USB Devices
by Phil Goldstein
1. Network and Behavioral Monitoring Can Track Employees
2. Change BIOS Settings
3. Use Software and Rewrite Code to Block USB Devices
4. The Epoxy Route for Blocking USB Drives
USB Snooping Made Easy: Crosstalk Leakage Attacks on USB Hubs
Yang Su, Damith Ranasinghe, Daniel Genkin, Yuval Yarom
The Universal Serial Bus (USB) is the most prominent interface for connecting peripheral devices to computers. USB-connected input devices, such as keyboards, card-swipers and fingerprint readers, often send sensitive information to the computer. As such information is only sent along the communication path from the device to the computer, it was hitherto thought to be protected from potentially compromised devices outside this path. We have tested over 50 different computers and external hubs and found that over 90% of them suffer from a crosstalk leakage effect that allows malicious peripheral devices located off the communication path to capture and observe sensitive USB traffic. We also show that in many cases this crosstalk leakage can be observed on the USB power lines, thus defeating a common USB isolation countermeasure of using a charge-only USB cable which physically disconnects the USB data lines. Demonstrating the attack’s low costs and ease of concealment, we modify a novelty USB lamp to implement an off-path attack which captures and exfiltrates USB traffic when connected to a vulnerable internal or an external USB hub.
Umap2 is the second revision of NCC Group’s Python-based USB host security assessment tool. This revision will have all the features that were supported in the first revision:
* umap2emulate – USB device emulation
* umap2scan – USB host scanning for device support
* umap2detect – USB host OS detection (not implemented yet)
* umap2fuzz – USB host fuzzing
In this revision there will be some additional features:
* USB host fuzzing uses kitty as fuzzing engine
* Umap2 not only contains executable scripts, but is also installed as a package and may be used as a library
Umap2 is developed by NCC Group and Cisco SAS team.[…]