Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

DerbyCon 2014 - Making BadUSB Work For You

33,628 views

Published on

DerbryCon 2014 talk, Making BadUSB Work For You

Published in: Devices & Hardware
  • Hey guys! Who wants to chat with me? More photos with me here 👉 http://www.bit.ly/katekoxx
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

DerbyCon 2014 - Making BadUSB Work For You

  1. 1. Making BadUSB Work For You Adam Caudill (@adamcaudill) Brandon Wilson (@brandonlwilson)
  2. 2. What is BadUSB? ● NOT a technical flaw ● NOT a vulnerability
  3. 3. Patriot 8GB Supersonic Xpress
  4. 4. Phison 2251-03
  5. 5. Reverse Engineering
  6. 6. A word of warning...
  7. 7. ● Always starts at boot ROM ● Attempts to read firmware from NAND ● If successful, first 32KB loaded to XDATA ● If not, waits to receive code to RAM and executes it Boot Process
  8. 8. Pin Shorting
  9. 9. Paging ... Page 0 Page 1 Page 2 Page A Base section 0x0000 0x5000 0xEFFF
  10. 10. Firmware Update Process Boot ROM Burner Executable Firmware
  11. 11. Pain Points ● Patching existing firmware o Very touchy o Limited RAM available ● Writing from-scratch firmware o NAND sucks o Non-standard command sets o Bad block management o Global wear leveling ● Lots...and lots...of pin shorting
  12. 12. Quick Reset Cable
  13. 13. New Tools ● Desktop Flasher ● Firmware Patcher ● HID payload injector
  14. 14. What We've Done ● Custom HID firmware ● Hidden partition patch ● Password protection bypass patch
  15. 15. Custom HID Firmware
  16. 16. Hidden Partition Patch Read Request (Get LBA 0x00000073) Patch (Use hidden area?) Section 1 (Public) Section 2 (Hidden)
  17. 17. Password Protection Bypass
  18. 18. Defense & Detection ● Composite devices ● Modified firmware ?
  19. 19. Source Code & Tools Drive: bit.ly/badusb4you Code: github.com/adamcaudill/Psychson Burner & Stock Firmware: usbdev.ru/files/phison/
  20. 20. Special Thanks Security Research Labs ● Karsten Nohl ● Sascha Krißler ● Jakob Lell
  21. 21. Special Thanks Richard Harman (@xabean) ShmooCon 2014 Controlling USB Flash Drive Controllers bit.ly/1xaNkbP
  22. 22. Thanks github.com/adamcaudill/Psychson Adam Caudill (@adamcaudill) Brandon Wilson (@brandonlwilson)

×