1. MitM on USB
Introduction of USBProxy
からぼ(kalab1998{e})
October 31, 2014, the 22nd "Network Packet Reading Group (tentative)"
2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 1
2. Self Introduction
● An engineer at a software company in Aizuwakamatsu
(until next Feb., and will not update)
● I'm looking very hard for my next job.
● I will found an independent researcher “KA-LAB”
(it's the second choice if no one employs me).
● I have no released open source software.
● I have two projects on GitHub, as follows.
– USBProxy is forked from dominicgs/USBProxy
– kalas is a BLAS on GPGPU for Huge Matrix
3. Is USB a computer network?
YES!
USB is a computer network
4. Is USB a computer network?
Physically, USB is a tree-structured network.
[Figure labels: Host computer, Hub, Hub]
5. Is USB a computer network?
Logically, USB is a set of one-to-one connections from the host to each device.
[Figure label: Host computer]
6. How to communicate on USB?
Case:
Device to Host
7. How to communicate on USB?
Case:
Host to Device
8. Where is the host computer?
Nowadays, such connections are increasing.
Are there host computers?
※Vector Graphics has copyright of
this navigation icon.
9. Which devices are the host?
[Figure labels: host, host]
※Vector Graphics has copyright of
this navigation icon.
10. We have an important problem.
How do we investigate vulnerabilities
of such devices without any laptop?
● Hack devices such as cameras, printers,
navigators, smartphones and so on.
⇒It's usually very difficult.
● Electrical tap on the USB cable.
⇒Next slides.
● Develop a USB Man in the Middle device.
⇒Main theme for this presentation.
11. Electrical tapping on USB
http://hackaday.com/2011/03/16/usb-man-in-the-middle-adapter/
12. Electrical tapping on USB
It's very easy, but it has some big problems.
● Conflicting signals
● Not enough electric power on signal lines
● Very susceptible to electrical noise
● Does not run on USB2.0, by that specification
13. dominicgs/USBProxy
● The device must have two USB ports.
– One is for connecting to a host.
– The other is for connecting to a device.
● Relaying is done in software
● Can connect at USB2.0
● Sniffable / Filterable / Injectable
● Very cheap: a BeagleBone Black is about $60.0
● https://github.com/dominicgs/USBProxy
17. Relay from device to host
● The Reader for the Input EP always requests data from
the endpoint on the device.
● The Reader for the Input EP sends data to the Writer for
the Input EP when it gets data.
● The Writer for the Input EP sends data to the host.
18. Relay from host to device
● The Reader for the Output EP always waits for a request
and data from the host.
● The Reader for the Output EP sends data to the Writer for
the Output EP when it gets data.
● The Writer for the Output EP sends data to the endpoint
on the device.
That's it. Very rough.
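A small model of the Reader/Writer relay from slides 17 and 18, added here as an example; it is not code from USBProxy or from these slides. The function names, the bounded queue, the placement of the filter hook in the Writer, and the sample packets are all assumptions, and no USB hardware is touched. The host-to-device direction is the same pipeline with the roles of the two sides swapped.

```python
import queue
import threading

# Constructed sample: (endpoint address, payload) pairs standing in for
# 8-byte reports from an interrupt IN endpoint. Not captured from hardware.
SAMPLE_IN_PACKETS = [
    (0x81, bytes([0x00, 0x00, 0x04, 0, 0, 0, 0, 0])),
    (0x81, bytes(8)),
    (0x81, bytes([0x02, 0x00, 0x05, 0, 0, 0, 0, 0])),
]

def reader(device_packets, relay_queue):
    """Reader for an Input EP: keeps requesting data from the device endpoint."""
    for packet in device_packets:        # stands in for repeated IN requests
        relay_queue.put(packet)          # hand the data to the Writer
    relay_queue.put(None)                # sentinel: the device has no more data

def writer(relay_queue, filters, host_side):
    """Writer for an Input EP: runs the filters, then sends data to the host."""
    while (packet := relay_queue.get()) is not None:
        for packet_filter in filters:
            packet = packet_filter(packet)
            if packet is None:           # a filter dropped this packet
                break
        if packet is not None:
            host_side.append(packet)     # stands in for the write to the host

def make_sniffer(log):
    """Filter that records every packet and passes it on unchanged."""
    def sniff(packet):
        log.append((hex(packet[0]), packet[1].hex()))
        return packet
    return sniff

def drop_empty_reports(packet):
    """Filter that drops all-zero payloads and forwards everything else."""
    return packet if any(packet[1]) else None

def relay(device_packets, filters):
    """Run one Reader/Writer pair over a bounded queue; return what the host saw."""
    relay_queue, host_side = queue.Queue(maxsize=4), []
    threads = [threading.Thread(target=reader, args=(device_packets, relay_queue)),
               threading.Thread(target=writer, args=(relay_queue, filters, host_side))]
    for thread in threads:
        thread.start()
    for thread in threads:
        thread.join()
    return host_side
```

Calling `relay(SAMPLE_IN_PACKETS, [make_sniffer(log), drop_empty_reports])` fills `log` with all three packets while the host side receives only the two non-empty reports.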
19. Notification!
● USBProxy does not simulate the USB line.
● It only simulates the endpoints of a single device.
20. We still have problems
● We want to simulate more devices.
● In many cases, it fails to simulate a device.
● It can't handle some complex devices yet.
● Linux sometimes loses endpoints on a device.
● It can't notice a reset signal from a device.
● Very slow.
– Original speed is 30.7MB/s,
– USBProxy relay speed is 1.9MB/s.
21. Other solutions
● If you just want to sniff USB, you can use a
USB protocol analyzer such as the Beagle USB480
Power.
● If you are interested in the deep side, maybe you
will fall into darkness.
22. Beagle USB480 Power
● Easy to use
● Very fast, 29.8MB/s
● Cheap, just $2250.0
● Another device supports USB3.0,
just $3600.0
23. Do you want to fall in darkness?
● Kali Linux NetHunter "Bad USB" MITM Attack
● http://vimeo.com/106065667