USG: firewall for USB ports

The USG is Good, not Bad

The USG is a firewall for your USB ports, protecting your computer from BadUSB. It connects between your computer and your untrusted USB device, isolating the badness and keeping your computer safe. This is the firmware branch for the pre-assembled USG v1.0. If you want to build your own USG out of development boards, clone the v0.9 branch instead. USG v1.0 hardware now available. You can now order your own USG hardware by contacting the developer. Pricing is NZ$80 each (approx US$60) plus shipping to your country of choice. It will ship fully tested and pre-loaded with the latest firmware.[…]

https://github.com/robertfisk/USG

https://github.com/robertfisk/USG/wiki

https://github.com/robertfisk/USG/wiki/Hardware-(DIY-v0.9)

Intel debugging interface vulnerable to USB attacks

New Intel processors contain a debugging interface accessible via USB 3.0 ports that can be used to obtain full control over a system and perform attacks that are undetectable by current security tools. A talk on the mechanisms needed for such attacks and ways to protect against them was given by Positive Technologies experts Maxim Goryachy and Mark Ermolov at the 33rd Chaos Communication Congress (33C3) in Hamburg, Germany. […]

http://blog.ptsecurity.com/2017/01/intel-debugger-interface-open-to.html

Some background on these interfaces:

http://blog.asset-intertech.com/test_data_out/2016/07/the-three-types-of-jtag-access-on-intel-based-designs.html

Qubes 3.2 released

http://blog.invisiblethings.org/2016/09/29/qubes-32.html

Excerpting information about the new 3.2 “USB passthrough” feature from the announcement blog post:

[…] In Qubes 3.2, we’re also introducing USB passthrough, which allows one to assign individual USB devices, such as cameras, Bitcoin hardware wallets, and various FTDI devices, to AppVMs. This means that it’s now possible to use Skype and other video conferencing software on Qubes! Qubes has supported the sandboxing of USB devices since the very beginning (2010), but the catch has always been that all the USB devices connected to the same USB controller had to be assigned to the same VM. This limitation was due to the underlying hardware architecture (specifically, PCIe and VT-d technologies). We can now get around this limitation by using software backends. The price we pay for this, however, is increased attack surface on the backend, which is important in the event that several USB devices of different security contexts are connected to a single controller. Sadly, on laptops this is almost always the case. Another potential security problem is that USB virtualization does not prevent a potentially malicious USB device from attacking the VM to which it is connected. These problems are not inherent to Qubes OS. In fact, they pose an even greater threat to traditional, monolithic operating systems. In the case of Qubes, it has at least been possible to isolate all USB devices from the user’s AppVMs. The new USB passthrough feature gives the user more fine-grained control over the management of USB devices while still maintaining this isolation. Nonetheless, it’s very important for users to realize that there are no “automagical” solutions to malicious USB problems. Users should plan their compartmentalization with this in mind. We should also mention that Qubes has long supported the secure virtualization of a certain class of USB devices, specifically mass storage devices (such as flash drives and external hard drives) and, more recently, USB mice. Please note that it is always preferable to use these special, security-optimized protocols when available rather than generic USB passthrough. […]

SPYRUS secure USB drives in some Microsoft Surface devices

Recently SPYRUS, Inc. announced the integration of their NIST FIPS 140-2 Level 3 secure USB 3.0 drive family with Microsoft Surface Pro devices.

“SPYRUS is currently the only manufacturer of hardware encrypted Windows To Go products that have successfully integrated support with the Microsoft Surface Pro family of tablets. The unique feature set, to include provisioning support to boot the Windows To Go in UEFI Secure Boot mode, in conjunction with FIPS 140-2 Level 3 certification sets a new standard for security features and performance,” said Tom Dickens, SPYRUS COO. “Use cases for these smart drives also dovetail perfectly with the rapidly emerging requirements for collaboration, secure data storage, secure mobile computing, and secure devices with auditable cybersecurity.”

http://www.spyrus.com/windows-to-go-live-drives and http://www.spyrus.com/encrypting-usb-storage/
http://www.spyrus.com/spyrus-announces-integration-of-windows-to-go-and-p-3x-product-lines-with-microsoft-surface-pro-3-and-4/

USBee

Dan Goodin has an article on Ars about some BadUSB-like malware:

Meet USBee, the malware that uses USB drives to covertly jump airgaps

In 2013, a document leaked by former National Security Agency contractor Edward Snowden illustrated how a specially modified USB device allowed spies to surreptitiously siphon data out of targeted computers, even when they were physically severed from the Internet or other networks. Now, researchers have developed software that goes a step further by turning unmodified USB devices into covert transmitters that can funnel large amounts of information out of similarly “air-gapped” PCs. The USBee—so named because it behaves like a bee that flies through the air taking bits from one place to another—is in many respects a significant improvement over the NSA-developed USB exfiltrator known as CottonMouth. That tool had to be outfitted with a hardware implant in advance and then required someone to smuggle it into the facility housing the locked-down computer being targeted. USBee, by contrast, turns USB devices already inside the targeted facility into a transmitter with no hardware modification required at all. “We introduce a software-only method for short-range data exfiltration using electromagnetic emissions from a USB dongle,” researchers from Israel’s Ben-Gurion University wrote in a research paper published Monday. “Unlike other methods, our method doesn’t require any [radio frequency] transmitting hardware since it uses the USB’s internal data bus.”
[…]

Paper (PDF): USBee.pdf

http://arstechnica.com/security/2016/08/meet-usbee-the-malware-that-uses-usb-drives-to-covertly-jump-airgaps/


FaceWhisperer

https://twitter.com/scanlime/status/771553651961630720

“FaceWhisperer: USB host add-on for the ChipWhisperer side-channel analysis tool.

FaceWhisperer is a hardware add-on for the ChipWhisperer side-channel analysis tool, for working with devices that primarily communicate over USB. The goal is to create a USB host controller scripted with an experiment, all running totally synchronous with the target. This should give predictable timing each time the experiment is run from a target reset. The (untested) goal is to use standard USB requests as a data exfiltration method while glitching the device code that fulfills these requests. […]”

https://github.com/scanlime/facewhisperer

The SMM Rootkit Revisited: Fun with USB (from ARES’15)

http://ieeexplore.ieee.org/document/6980293/?reload=true&arnumber=6980293


System Management Mode (SMM) in x86 has enabled a new class of malware with incredible power to control physical hardware that is virtually impossible to detect by the host operating system. Previous SMM root kits have only scratched the surface by modifying kernel data structures and trapping on I/O registers to implement PS/2 key loggers. In this paper, we present new SMM-based malware that hijacks Universal Serial Bus (USB) host controllers to intercept USB events. This enables SMM root kits to control USB devices directly without ever permitting the OS kernel to receive USB-related hardware interrupts. Using this approach, we created a proof-of-concept USB key logger that is also more difficult to detect than prior SMM-based key loggers that are triggered on OS actions like port I/O. We also propose additional extensions to this technique and methods to prevent and mitigate such attacks.

BadUSB 2.0

BadUSB 2.0 USB MITM POC: The advanced uses and capabilities of rogue USB hardware implants for use in cyber espionage activities is still very much an unknown quantity in the industry. Security professionals are in considerable need of tools capable of exploring the threat landscape, and generating awareness in this area. BadUSB2 is a tool capable of compromising USB fixed-line communications through an active man-in-the-middle attack. It is able to achieve the same results as hardware keyloggers, keyboard emulation, and BadUSB hardware implants. Furthermore, BadUSB2 introduces new techniques to defeat keyboard-based one-time-password systems, automatically replay user credentials, as well as acquiring an interactive command shell over USB. […] So how is this any different from existing USB hardware implants like the Rubber Ducky, or keyloggers? Firstly, the devices I’ve seen can only achieve one or two attack classes such as eavesdropping or message fabrication. BadUSB2 can eavesdrop, replay, modify, fabricate, exfiltrate data and BadUSB in one device. Furthermore, when combining these attack classes really interesting attack scenarios begin to surface. Secondly, keyboard emulation devices register as an additional USB device making them easy to detect and block, i.e. why do I now have two keyboards attached!? Yes, such devices can be easily detected and blocked. The same can be said of BadUSB, it often needs to register as a secondary USB device to perform a malicious task. BadUSB2 is an INLINE hardware implant giving it the stealth of a hardware keylogger but far more capabilities as mentioned above. Finally, (law of 3’s), just cos. […] This project builds on the USB-MITM architecture introduced by Rijnard van Tonder and Herman Engelbrecht in their paper titled, “Lowering the USB Fuzzing Barrier by Transparent Two-Way Emulation”. A special thanks to Rijnard for such a brilliant idea. […]

https://github.com/withdk/badusb2-mitm-poc

USB Type-C authentication protocol: defense against bad cables

https://twitter.com/CypressSemi/status/721416739372855301

The USB-IF has developed a cryptographic-based authentication protocol to help protect from bad USB Type-C cables!

http://www.engadget.com/2016/04/13/usb-type-c-authentication-protocol/

http://www.businesswire.com/news/home/20160412005983/en/USB-3.0-Promoter-Group-Defines-Authentication-Protocol

Press release (PDF): USB_Type-C_Authentication_PR_FINAL.pdf

http://www.usb.org/press

IBM research on USB eavesdropping attacks

IBM Research has new research on USB attacks and a “UScramBle” implementation for Linux:

USB Eavesdropping Attacks

Attacks that leverage USB as an attack vector are gaining popularity. While attention has so far focused on attacks that either exploit the host’s USB stack or its unrestricted device privileges, it is not necessary to compromise the host to mount an attack over USB. This paper describes and implements a USB sniffing attack. In this attack a USB device passively eavesdrops on all communications from the host to other devices, without being situated on the physical path between the host and the victim device. To prevent this attack, we present UScramBle, a lightweight encryption solution which can be transparently used, with no setup or intervention from the user. Our prototype implementation of UScramBle for the Linux kernel […]

DIY Google USB Type-C USB sniffer

Rajaram Regupathy has a blog post on building your own Google USB-PD Sniffer:

Explore Google Chromium USB Type-C example designs using USB – C Thru

One of the early adopters of USB Type-C and USB Power Delivery is Google for their Chromium projects. More interestingly Google shared the complete design of the USB Type-C products in public domain right from schematic to source code of the solutions. This article explores how to use USB C-Thru board to explore Google’s designs thereby enabling you to develop custom USB Type-C design of your own. This article enables you to make your own Google USB-PD Sniffer aka “Twinkie” using USB C-Thru and a STM32 development board for just 65$ in 3 steps […]

https://www.linkedin.com/pulse/explore-google-chromium-usb-type-c-example-designs-using-regupathy

USB devices phoning home

Roland Schilling and Frieder Steinmetz have interesting new research on USB data exfiltration:

USB devices phoning home

USB is a versatile standard defining various features to allow maximum flexibility for devices. This flexibility, by design, leads to complex device configurations, combining multiple functions into one, making it impossible for users to identify the function of a device by its looks. This can be exploited by crafting programmable USB devices, looking and behaving like an ordinary flash drive that also expose virtual network devices and other functionality to their host OS. This paper outlines such a device, exploiting several USB features to establish a rogue HTTP channel used to leak data stored on the device’s disk to an internet back end. We describe the device itself and its architecture and our conclusions and methods for dealing with the issues presented in a user-friendly way.

https://tubdok.tub.tuhh.de/handle/11420/1282

Repo for the paper “USB Devices phoning home”
https://github.com/willnix/usbpoc
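The recurring defensive theme on this page (the USG sitting between host and device, the BadUSB2 remark about "two keyboards", and the flash drive above that also enumerates a virtual network interface) is that a device announces its functions through the interface descriptors inside its configuration descriptor, and a host or inline firewall can refuse anything beyond what the user expects. The following is an added example, not code from the USG project, from the usbpoc repository or from the paper: it parses a configuration descriptor chain as laid out in chapter 9 of the USB 2.0 specification, lists the interface classes, and blocks a device whose interfaces do not match the class the user says they plugged in. The two sample descriptors are constructed by hand for the example, and the policy function (`assess_device`) and its verdict strings are this example's own design, not any product's.

```python
"""Descriptor-level screening of a newly attached USB device (added example)."""
import struct

# Descriptor type codes, USB 2.0 specification table 9-5 (HID type from the HID class spec).
DT_CONFIGURATION = 0x02
DT_INTERFACE = 0x04
DT_ENDPOINT = 0x05
DT_HID = 0x21

# Interface class codes assigned by the USB-IF.
CLASS_CDC = 0x02            # communications control: virtual Ethernet / serial
CLASS_HID = 0x03            # human interface: keyboards, mice
CLASS_MASS_STORAGE = 0x08
CLASS_CDC_DATA = 0x0A       # data side of a CDC function
CLASS_VENDOR = 0xFF

CLASS_NAMES = {CLASS_CDC: "CDC control", CLASS_HID: "HID", CLASS_MASS_STORAGE: "mass storage",
               CLASS_CDC_DATA: "CDC data", CLASS_VENDOR: "vendor-specific"}
# Why an unexpected class matters to a defender.
RISK_NOTES = {CLASS_HID: "can inject keystrokes", CLASS_CDC: "can expose a network or serial link",
              CLASS_CDC_DATA: "can carry network or serial traffic", CLASS_VENDOR: "behaviour unknown"}


def parse_interfaces(config_descriptor):
    """Walk the descriptor chain; return (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)
    for each interface descriptor. Raises ValueError on a malformed chain."""
    if len(config_descriptor) < 9 or config_descriptor[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_length = struct.unpack_from("<H", config_descriptor, 2)[0]   # wTotalLength
    if total_length != len(config_descriptor):
        raise ValueError("wTotalLength does not match the bytes received")
    interfaces, offset = [], 0
    while offset < len(config_descriptor):
        if offset + 2 > len(config_descriptor):
            raise ValueError("truncated descriptor header")
        length, dtype = config_descriptor[offset], config_descriptor[offset + 1]
        if length < 2 or offset + length > len(config_descriptor):
            raise ValueError("descriptor length runs past the end of the chain")
        if dtype == DT_INTERFACE:
            if length < 9:
                raise ValueError("interface descriptor too short")
            b_class, b_subclass, b_protocol = config_descriptor[offset + 5:offset + 8]
            interfaces.append((b_class, b_subclass, b_protocol))
        offset += length   # endpoint, HID and class-specific descriptors are skipped by bLength
    return interfaces


def assess_device(config_descriptor, expected_class):
    """Example policy: pass the device through only if every interface has the class the user
    expects. Returns ("allow", []) or ("block", [reasons])."""
    try:
        interfaces = parse_interfaces(config_descriptor)
    except ValueError as exc:
        return "block", [f"malformed descriptors: {exc}"]
    if not interfaces:
        return "block", ["device declares no interfaces"]
    reasons = []
    for number, (b_class, b_subclass, b_protocol) in enumerate(interfaces):
        if b_class == expected_class:
            continue
        name = CLASS_NAMES.get(b_class, f"class 0x{b_class:02x}")
        note = RISK_NOTES.get(b_class, "not needed for the declared function")
        reasons.append(f"interface {number}: {name} ({b_subclass:#04x}/{b_protocol:#04x}) unexpected "
                       f"on a {CLASS_NAMES.get(expected_class, hex(expected_class))} device; {note}")
    return ("allow", []) if not reasons else ("block", reasons)


# Helpers to build constructed sample descriptors (field layout per USB 2.0 chapter 9).
def _interface(number, n_endpoints, b_class, b_subclass, b_protocol):
    return struct.pack("<BBBBBBBBB", 9, DT_INTERFACE, number, 0, n_endpoints, b_class, b_subclass, b_protocol, 0)


def _endpoint(address, attributes, max_packet):
    return struct.pack("<BBBBHB", 7, DT_ENDPOINT, address, attributes, max_packet, 0)


def build_configuration(interface_blocks):
    body = b"".join(interface_blocks)
    return struct.pack("<BBHBBBBB", 9, DT_CONFIGURATION, 9 + len(body), len(interface_blocks), 1, 0, 0x80, 50) + body


# Constructed sample: an honest flash drive (mass storage, SCSI subclass, bulk-only transport).
FLASH_DRIVE = build_configuration([
    _interface(0, 2, CLASS_MASS_STORAGE, 0x06, 0x50) + _endpoint(0x81, 0x02, 512) + _endpoint(0x02, 0x02, 512),
])

# Constructed sample: looks like a flash drive but also enumerates a CDC Ethernet pair and a keyboard.
ROGUE_DRIVE = build_configuration([
    _interface(0, 2, CLASS_MASS_STORAGE, 0x06, 0x50) + _endpoint(0x81, 0x02, 512) + _endpoint(0x02, 0x02, 512),
    _interface(1, 1, CLASS_CDC, 0x06, 0x00) + _endpoint(0x83, 0x03, 16),
    _interface(2, 2, CLASS_CDC_DATA, 0x00, 0x00) + _endpoint(0x84, 0x02, 512) + _endpoint(0x05, 0x02, 512),
    _interface(3, 1, CLASS_HID, 0x01, 0x01)
    + struct.pack("<BBHBBBH", 9, DT_HID, 0x0111, 0, 1, 0x22, 63)   # HID descriptor, report length 63
    + _endpoint(0x86, 0x03, 8),
])

if __name__ == "__main__":
    for label, descriptor in (("flash drive", FLASH_DRIVE), ("rogue drive", ROGUE_DRIVE)):
        verdict, reasons = assess_device(descriptor, CLASS_MASS_STORAGE)
        print(f"{label}: {verdict}")
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone, the honest drive is allowed and the rogue one is blocked with three reasons (the CDC control, CDC data and HID interfaces). Two design points carry over to a real implementation: the parser never trusts `bLength` beyond the bytes actually received, since a device controls every byte of its descriptors, and the policy is an allowlist keyed on what the user expects rather than a denylist of known-bad classes, which is also why it blocks on any parse error instead of falling back to "allow".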

vUSBf – QEMU/KEMU USB-Fuzzing framework

vusbf-Framework: A KVM/QEMU based USB-fuzzing framework.
Sergej Schumilo, OpenSource Security Spenneberg 2015
Version: 0.2

A USB-fuzzer which takes advantage of massive usage of virtual machines and also offers high reproducibility. This framework was initially released at Black Hat Europe 2014. This software is licensed under GPLv2. vUSBf was written in Python2 and requires the Scapy-framework. This framework provides:
* USB-fuzzing in practical time frames
* multiprocessing and clustering
* export sequences of payloads and replay them for debugging or investigation
* XML-based dynamic testcase generating
* expandable by writing new testcases, USB-emulators or monitoring-modules

https://github.com/schumilo/vUSBf

Hardware security at Security B-Sides Seattle

This month is B-Sides Seattle, and there are 3 hardware workshops (Attacking USB, JTAG, and Arduino) one by Joe (SecurelyFitz) and two by Matt (CryptoMonkey):

http://www.securitybsides.com/w/page/103147483/BsidesSeattle2015
https://www.eventbrite.com/e/bsides-seattle-2016-tickets-19822367234

I think I heard Matt say this was the last time he was offering this Attacking USB training…

Note that Joe also has training at CanSecWest and Black Hat, in addition to B-Sides Seattle.
https://www.blackhat.com/us-16/training/applied-physical-attacks-on-x86-systems.html
https://cansecwest.com/dojos/2016/advanced_hardware.html