USB Killer

Dark_Purple has an article on Habrahabr.ru on an interesting device, a ‘USB killer’, now in its v2 version. Excerpt via Google Translate:

Finally we managed to organize the installation and testing of prototypes of a new version of the device. Devices that perform only one function – the destruction of computers. But let’s not limit it to computers: the device is able to incapacitate almost any equipment equipped with a USB Host interface. For example, on my table there is an oscilloscope with a USB interface (but it is still useful), almost all smartphones support USB OTG mode, TVs, routers, modems, etc. The main feature of the new version of the device is that the “output” voltage is doubled; it is now 220 (strictly speaking, minus 220). Also in the new version the efforts were aimed at making the device even more compact, as the first version needed slight modification of the body so that everything fits. The principle of operation is unchanged. Connecting to the USB port starts operation of the voltage converter, which charges the capacitor to 220V. On reaching this voltage the converter is switched off and the energy stored in the capacitor is supplied to the signal lines of the USB interface. After the capacitor discharges, the cycle is repeated.

https://translate.google.com/translate?sl=ru&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fhabrahabr.ru%2Fpost%2F268421%2F

Brandon Wilson from DerbyCon: Intercepting USB Traffic

DerbyCon just finished. Brandon Wilson gave a presentation called “Intercepting USB Traffic for Attack and Defense”:

BadUSB reminded the world about the dangers of maliciously intelligent USB devices such as flash drives with modified firmware, but little has been released to effectively defend against the threat. A customizable man-in-the-middle USB connection can not only do that, but provide even more benefits to both attackers and defenders, such as modifying or denying specific traffic (similar to a USB write blocker) or bypassing mass storage restrictions in a locked-down corporate environment. In this talk, I will explain how to easily assemble a USB passthrough device using cheap, existing hardware and flash it to either attack ‘secure’ environments, or isolate yourself from untrustworthy or potentially malicious peripherals. Instructions for purchasing the hardware, assembling it, and code for several different scenarios will be released and demonstrated.
Brandon Wilson is an independent security researcher and software developer. He has more than a decade of experience in reverse-engineering embedded systems and protocols, from graphing calculators to gaming consoles to flash drives. He has appeared in numerous publications such as the Wall Street Journal and Wired, and also collects DMCA takedown notices for fun.

Video of the presentation (this video crashed my browser, so don’t view this link if you have anything important in your browser):

http://www.irongeek.com/i.php?page=videos/derbycon5/stable32-intercepting-usb-traffic-for-attack-and-defense-brandon-wilson

https://www.derbycon.com/derbycon-2015-schedule-and-abstract/
http://www.irongeek.com/i.php?page=videos/derbycon5/mainlist

HID emulation for USB Armory

Last month (and I just noticed…), Collin Mulliner updated the USB Armory github project with some HID emulation code:

The project includes a few scripts, including:
* hidonly.sh : switches the usbarmory to be usb hid gadget
* hidnet.sh : switches the usbarmory to be a usb hid and usb ethernet gadget
* button_setup.sh : switches pin 3 and 4 to in and out
* button.sh : checks if pin 3 and 4 are connected

More info:
https://github.com/crmulliner/hidemulation

UDeck: USB Deck

Yesterday code was released for a USB pentest project, as presented at DEF CON 23 a few weeks ago by Dr. Phil Polstra, Professor at Bloomsburg University, in his talk “One Device to Pwn Them All”.

The code uses Deck Linux, a pentest distro for the BeagleBone Black, and adds new scripts for USB pentesting.

Abstract: This talk will present a device that can be used as a dropbox, remote hacking drone, hacking command console, USB writeblocker, USB Mass Storage device impersonator, or scripted USB HID device. The device is based on the BeagleBone Black, can be battery operated for several days, and is easily constructed for under $100. The dropbox, remote hacking drone, and hacking command console functionality were presented at DEF CON 21. This talk will emphasize the new USB-based attack functionality. Topics will include injecting payloads by emulating an optionally write-protected USB mass storage device, rapidly executing commands on a target using the BeagleBone Black operating as a scripted USB HID device, USB mass storage device impersonation, and other attacks that can be performed with brief physical access to the target. Some familiarity with Linux and USB devices would be helpful, but not required. All hardware and software to be discussed is 100% open source.

Bio: Phil was born at an early age. He cleaned out his savings at age 8 in order to buy a TI99-4A computer for the sum of $450. Two years later he learned 6502 assembly and has been hacking computers and electronics ever since. Dr. Phil currently works as a professor at Bloomsburg University of Pennsylvania. His research focus over the last few years has been on the use of microcontrollers and small embedded computers for forensics and pentesting. Phil has developed a custom pentesting Linux distro and related hardware to allow an inexpensive army of remote pentesting drones to be built using the BeagleBone Black computer boards. This work is described in detail in Phil’s book “Hacking and Penetration Testing With Low Power Devices” (Syngress, 2015). Prior to entering academia, Phil held several high level positions at well-known US companies. He holds a couple of the usual certs one might expect for someone in his position. When not working, he likes to spend time with his family, fly, hack electronics, and has been known to build airplanes.

The UDeck or USB Deck is an addon to Deck Linux. Deck Linux is a pentesting Linux which was created for the BeagleBoard and BeagleBone family of devices and also for similar devices. Scripts include:
* mount-usb.sh: Exports a USB drive attached to the BBB as read-only to a PC which the BBB is plugged into.
* mount-usb-rw.sh: Makes a drive previously exported with mount-usb.sh writeable.
* impersonator.sh: This will cycle through the VID/PID combinations in vidpid-list until it is killed. This allows you to bypass endpoint security software that filters based on VID/PID. If you know the appropriate VID/PID that should work you can easily modify this script to go directly to the appropriate VID/PID.
* create-hid.sh: This creates a scriptable USB HID keyboard device on the BBB. You could then send HID reports directly to this new device or you can use udeckHid.py to make this easy.
* udeckHid.py: This defines a set of Python classes that make scripting a HID keyboard much easier. There is also an example Linux script in this file.
* attackWindows.py: This is an example of how the scriptable HID keyboard can be used under Windows.
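The impersonator.sh note above is the interesting one for defenders: endpoint software that allowlists devices by VID/PID alone is defeated by any device that clones a listed VID/PID. As an added illustration (not UDeck’s code), here is that weak check beside a stronger one that also pins the set of USB interface classes a listed VID/PID is expected to expose; the VID/PID values and device records are constructed placeholders.

```python
# Added illustration, not UDeck code: a host-side USB allowlist that looks
# past VID/PID. A cloned VID/PID still passes the weak check, but a device
# that also exposes a HID keyboard or USB ethernet interface fails the
# stronger one. All VID/PID values and device records are constructed.
from dataclasses import dataclass

# USB interface class codes (bInterfaceClass) from the USB specification
HID, MASS_STORAGE, CDC_COMM, CDC_DATA = 0x03, 0x08, 0x02, 0x0A

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    interfaces: frozenset  # bInterfaceClass values the device exposes

# Allowlist keyed by VID/PID; the value is the exact interface-class set that
# model is known to expose. The entries are placeholders, not real products.
ALLOWLIST = {
    (0x0781, 0x5567): frozenset({MASS_STORAGE}),  # hypothetical USB stick
    (0x046D, 0xC31C): frozenset({HID}),           # hypothetical keyboard
}

def vidpid_only(dev: UsbDevice) -> bool:
    """Weak check: allow anything whose VID/PID is on the list."""
    return (dev.vid, dev.pid) in ALLOWLIST

def vidpid_and_interfaces(dev: UsbDevice) -> bool:
    """Stronger check: VID/PID must be listed AND the interface set must match
    exactly, so an extra interface (a hidden keyboard, a NIC) is refused."""
    expected = ALLOWLIST.get((dev.vid, dev.pid))
    return expected is not None and dev.interfaces == expected

# Constructed samples: a genuine stick, an impersonator that cloned the stick's
# VID/PID but also exposes HID and CDC ethernet, and an unlisted device.
GENUINE_STICK = UsbDevice(0x0781, 0x5567, frozenset({MASS_STORAGE}))
IMPERSONATOR = UsbDevice(0x0781, 0x5567,
                         frozenset({MASS_STORAGE, HID, CDC_COMM, CDC_DATA}))
UNKNOWN = UsbDevice(0x1234, 0x0001, frozenset({HID}))

if __name__ == "__main__":
    for name, dev in [("genuine", GENUINE_STICK), ("impersonator", IMPERSONATOR),
                      ("unknown", UNKNOWN)]:
        print(f"{name:13s} vid/pid-only={vidpid_only(dev)} "
              f"with-interfaces={vidpid_and_interfaces(dev)}")
```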

https://github.com/ppolstra/UDeck
https://www.defcon.org/html/defcon-23/dc-23-speakers.html#Polstra
http://beagleboard.org/project/TheDeck/

http://www.philpolstra.com/
http://sourceforge.net/projects/thedeck/

Numato Opsis

A new USB-firmware-based open hardware product is being funded on CrowdSupply: Numato Lab’s Opsis, an FPGA-based HDMI2USB video capture device:

The Opsis was designed to run the HDMI2USB firmware developed by the TimVideos.us project. This firmware makes it easy to build automated conference/event recording systems. The HDMI2USB.tv firmware emulates a standard UVC webcam, allowing any video software, such as Skype, Google Hangouts, or WebRTC, to then send it to an online audience.

https://www.crowdsupply.com/numato-lab/opsis
http://hdmi2usb.tv/home/

fwupd and Linux Vendor Firmware Service

I haven’t been covering LVFS and fwupd much. Luckily, Michael Larabel of Phoronix.com has been doing a good job. Richard Hughes has built a firmware update daemon, fwupd, for GNOME-based Linux systems, together with a vendor-facing upload service, the Linux Vendor Firmware Service (LVFS). Excerpting from some of Richard’s posts, including his request for help getting word out to vendors to support it:

fwupd is a simple daemon to allow session software to update device firmware on your local machine. It’s designed for desktops, but this project is also usable on phones, tablets and on headless servers. You can either use a GUI software manager like GNOME Software to view and apply updates, the command-line tool or the system D-Bus interface directly.

I’ve spent the last couple of months talking with various Red Hat partners and other OpenHardware vendors that produce firmware updates. These include most of the laptop vendors that you know and love, along with a few more companies making very specialized hardware. We’ve now got a process, fwupd, that is capable of taking the packaged update and applying it to the hardware using various forms of upload mechanism. We’ve got a specification, AppStream, which is used to describe the updates and provide metadata for what firmware updates are available to be installed. What we were missing was to “close the circle” and provide a web service for small and medium size vendors to use to upload new firmware and make it available to Linux users. Microsoft already provides such a thing for vendors to use, and it’s part of the Microsoft Update service. From the vendors I’ve talked to, the majority don’t want to run any tools on their firmware to generate metadata. Most of them don’t even want to commit to hosting the metadata or firmware files in the same place forever, and with a couple of exceptions actually like the Microsoft Update model. I’ve created a simple web service that’s being called Linux Vendor Firmware Service (perhaps not the final name). You can see the site in action here, although it’s not terribly useful or exciting if you’re not a hardware vendor. If you are a vendor that produces firmware and want an access key for the beta site, please let me know. All firmware uploaded will be transferred to the final site, although I’m still waiting to hear back from Red Hat legal about a longer version of the redistribution agreement.

Over the last couple of months I’ve been emailing various tech companies trying to get hold of the right people to implement this. So far the reaction from companies has been enthusiastic and apathetic in equal measures. I’ve had a few vendors testing the process, but I can’t share those names just yet as most companies have been testing with unreleased hardware. This is where you come in. On your Linux computer right now, think about what hardware you own that works in Linux that you know has user-flashable firmware? What about your BIOS, your mouse, or your USB3 hub? Your network card, your RAID card, or your video card? Things I want you to do:

* Find the vendor on the internet, and either raise a support case or send an email. Try and find a technical contact, not just some sales or marketing person
* Tell the vendor that you would like firmware updates when using Linux, and that you’re not able to update the firmware booting to Windows or OS-X
* Tell the vendor that you’re more likely to buy from them again if firmware updates work on Linux
* Inform the vendor about the LVFS project : https://beta-lvfs.rhcloud.com/

At all times I need you to be polite and courteous, after all we’re asking the vendor to spend time (money) on doing something extra for a small fraction of their userbase. Ignoring one email from me is easy, but getting tens or hundreds of support tickets about the same issue is a great way to get an issue escalated up to the people that can actually make changes. So please, spend 15 minutes opening a support ticket or sending an email to a vendor now.

If you know of any vendors, please try to help Richard out with his above request. I hope Richard has contacts at the USB and UEFI trade groups, to directly get word out to their member-vendors.

http://www.fwupd.org/
https://beta-lvfs.rhcloud.com/
https://github.com/hughsie/fwupd
http://www.freedesktop.org/software/appstream/docs/

Linux Vendor Firmware Service: We Need Your Help

Introducing the Linux Vendor Firmware Service

Embargoed firmware updates in LVFS

http://www.phoronix.com/scan.php?page=news_item&px=Linux-LVFS-Embargoed
https://www.phoronix.com/scan.php?page=news_item&px=Linux-Vendor-Firmware-S

USB Armory with BadBIOS

Andrea Barisani posted a document to the USB Armory wiki related to BadUSB:

BadUSB with USB Armory: “USB Armory as an Offensive Attack Platform”
by Jeroen van Kessel and Nick Triantafyllidis

This research explores the feasibility of performing attacks on computer systems with the use of USB Armory, a newly introduced device which is an ARM computer in the size of a USB stick. Exploiting the USB emulation capabilities of the device we propose and test an attack scenario using a rogue DHCP server installed on the device. Based on the success of this attack we extend the scenario to DNS hijacking and traffic diversion setups with the injection of malicious static routes into the routing tables of the victim machines. This attack was successfully executed on the latest versions of Ubuntu 14.04 and Windows 8.1. The premise of the attacks as well as the scenarios themselves are explained in detail throughout the extent of this report.
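The attack in that abstract works because the host accepts whatever the emulated USB ethernet gadget hands it over DHCP. As an added example (not code from the paper or the USB Armory project), here is a host-side decoder for the DHCP OFFER options such a rogue server pushes, so an unexpected DNS server and injected classless static routes (option 121, RFC 3442) can be flagged; the option bytes are a constructed sample, not a capture.

```python
# Added illustration, not code from the USB Armory paper: the attack above has
# the emulated USB ethernet gadget answer DHCP with a rogue DNS server and
# classless static routes (option 121, RFC 3442). This decoder lists what an
# OFFER pushes so a host-side check can refuse it. Option bytes are constructed.
import ipaddress

OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_ROUTES, OPT_END, OPT_PAD = 3, 6, 53, 121, 255, 0

def parse_options(blob: bytes) -> dict:
    """Split the option field (after the magic cookie) into {code: [value, ...]}."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != OPT_END:
        if blob[i] == OPT_PAD:
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts.setdefault(code, []).append(blob[i + 2:i + 2 + length])
        i += 2 + length
    return opts

def decode_classless_routes(data: bytes) -> list:
    """Option 121 body: repeated (prefix_len, significant dest octets, 4-byte router)."""
    routes, i = [], 0
    while i < len(data):
        plen = data[i]
        n = (plen + 7) // 8  # only the significant destination octets are sent
        dest = data[i + 1:i + 1 + n].ljust(4, b"\0")
        via = data[i + 1 + n:i + 5 + n]
        routes.append((f"{ipaddress.IPv4Address(dest)}/{plen}", str(ipaddress.IPv4Address(via))))
        i += 5 + n
    return routes

def audit_offer(blob: bytes, trusted_dns: set) -> list:
    """Return findings about DNS and routes pushed by the offer; [] means clean."""
    opts, findings = parse_options(blob), []
    for raw in opts.get(OPT_DNS, []):
        for k in range(0, len(raw), 4):
            dns = str(ipaddress.IPv4Address(raw[k:k + 4]))
            if dns not in trusted_dns:
                findings.append(f"untrusted DNS server {dns}")
    for raw in opts.get(OPT_ROUTES, []):
        for dest, via in decode_classless_routes(raw):
            findings.append(f"static route {dest} via {via}")
    return findings

# Constructed OFFER options: the gadget (10.0.0.1) names itself as router and
# DNS, and pushes a default route plus 10.0.0.0/8 through itself.
SAMPLE_OFFER = bytes([OPT_MSG_TYPE, 1, 2, OPT_ROUTER, 4, 10, 0, 0, 1, OPT_DNS, 4, 10, 0, 0, 1,
                      OPT_ROUTES, 11, 0, 10, 0, 0, 1, 8, 10, 10, 0, 0, 1, OPT_END])
```

Running `audit_offer(SAMPLE_OFFER, {"192.0.2.53"})` reports the gadget as an untrusted DNS server and lists both injected routes; a clean corporate offer with no option 121 and a trusted DNS server returns an empty list.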

[I need to learn USB-based firmware security issues more, and how they interact with UEFI and other firmware technologies… Currently, this blog is not covering USB firmware security issues properly.]

AMIDebug

[UPDATE: comment from a smart reader:
AMIDebug technology is not useful for end users and researchers because its support should be specifically compiled in a special DEBUG build. The AMI DebugRX hardware part is OK to get port 80h codes via USB, mediocre source-level debugging. Intel XDP or Arium-ITP are similar to AMIDebug, both nice products, and don’t require any firmware changes or special build modes.
BTW, I don’t know why Comments don’t show up on blog web site, working on trying to fix that… ]

Earlier this week AMI announced USB3 support for their AMIDebug for UEFI product.

Apparently AMI has 3 versions of this: 1) AMIDebug for UEFI software for Aptio V, 2) the AMIDebug Rx handheld USB debug device, and 3) Aptio V UEFI Firmware from AMI.

Press release excerpts:

American Megatrends, Inc. (AMI), a global leader in BIOS, remote management, network data storage products and solutions for the Android(TM) operating system, is pleased to announce support for USB 3.0 controllers in the latest release of its AMIDebug(TM) for UEFI debugging solution for Aptio(R) V UEFI Firmware.

AMIDebug for UEFI from American Megatrends is a powerful software-based solution for debugging UEFI projects based on Aptio or the UEFI Shell, offering source-level symbolic (C and Assembler) debugging without the need for expensive JTAG hardware debug tools.

The latest AMIDebug for UEFI release, developed specifically for the company’s flagship Aptio V UEFI Firmware, adds support for USB 3.0 debug among other important features. These newly-added features signify a key development in the evolution of this debug software, since many chipsets now only support USB 3.0 (XHCI) and in many cases no longer incorporate older USB standards (EHCI) in their hardware designs, such as the Intel(R) Atom(TM) x5-Z8300 series processors.

What remains unchanged in AMIDebug for UEFI is its ability to facilitate firmware development for AMI OEM and ODM customers in unprecedented ways thanks to its deep integration into the entire UEFI development ecosystem. AMIDebug for UEFI continues to offer standard debugging features like Break, Step, Step Over, Step Into, Step, run to cursor and set next statement, in addition to UEFI-specific debugging features like Stop at Driver Name Entry, Stop at PEIM Name Entry, Stop at CheckPoint, Stop at beginning of PEI/DXE, SMM Debugging and disassembly view. Moreover, many different firmware development viewers are supported including memory, CPU registers, PCI Bus, call stack, I/O and Indirect I/O.

Sigh, I wish these were available for UEFI ISVs and UEFI Security Researchers, not just restricted to AMI’s UEFI OEM/ODMs! I want one. 😦

More Information:

http://www.ami.com/news/press-releases/?PressReleaseID=322&/American%20Megatrends%20Announces%20Support%20for%20USB%203.0%20Controllers%20in%20Aptio%20V%20AMIDebug%20for%20UEFI/
http://www.ami.com/products/bios-uefi-tools-and-utilities/amidebug-rx/
http://www.ami.com/resources/resource-library/?documentationSearch=amidebug