Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

MitM on USB -- Introduction of USBProxy --

4,560 views

Published on

Introduction of USBProxy as a USB Man-in-the-Middle, advantage and disadvantage

Published in: Data & Analytics
  • Are you using a linux host? Have you tried windows? A windows host doesn't seem to be able to start any USB device (mass storage, HID, etc) via gadgetfs relayed by USPproxy,
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

MitM on USB -- Introduction of USBProxy --

  1. 1. MitM on USB Introduction of USBProxy    からぼ(kalab1998{e}) 2014年10月31日 第22回「ネットワークパケットを読む会(仮)」 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 1
  2. 2. Self Introduction ● An engineer of a software company in Aizuwakamatsu (until next Feb., and will not update) ● I'm looking for a next job very hard. ● I will found an independent researcher “KA-LAB” (It's the second choice if no one employ me). ● I have no released open source software. ● I have two projects on github as follows. – USBProxy is forked from dominicgs/USBProxy – kalas is a BLAS on GPGPU for Huge Matrix  2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 2
  3. 3. Is USB a computer network? YES! USB is a computer network 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 3
  4. 4. Is USB a computer network? Hub Hub USB is a tree structure network in physical. Host computer 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 4
  5. 5. Is USB a computer network? USB is one by one connections from the host to each device in logical. Host computer 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 5
  6. 6. How to communicate on USB? Case: Device to Host 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 6
  7. 7. How to communicate on USB? Case: Host to Device 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 7
  8. 8. Where is the host computer? Now a days, increasing such connections. Are there host computers? ※Vector Graphics has copyright of this navigation icon. 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 8
  9. 9. Which devices are the host? hhoosstt host ※Vector Graphics has copyright of this navigation icon. 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 9
  10. 10. We have an important problem. How do we investigate vulnerabilities of such devices without any laptop? ● Hack devices such cameras, printers, navigators, smartphones and so on. ⇒It's usually very difficult. ● Electrical tap on the USB cable. ⇒Next slides. ● Develop a USB Man in the Middle device. ⇒Main theme for this presentation. 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 10
  11. 11. Electrical tapping on USB http://hackaday.com/2011/03/16/usb-man-in-the-middle-adapter/ 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 11
  12. 12. Electrical tapping on USB It's very easy, but it has some big problems. ● Conflicting signals ● Not enough electric power on signal lines ● Very weak against electrical noises ● Not running on USB2.0 by that specification 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 12
  13. 13. dominicgs/USBProxy ● The device must have two USB ports. – One is for connecting a host. – Another is for connecting a device. ● Software relaying ● Connectable USB2.0 ● Sniffable / Filterable / Injectable ● Very cheap, BeagleBone Black is about $60.0 ● https://github.com/dominicgs/USBProxy 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 13
  14. 14. USBProxy Structure 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 14
  15. 15. How to relay? ● USBProxy makes 6 kinds of threads runninng. – Reader for Input EP, – Reader for output EP, – Writer for Input EP, – Writer for Output EP, – Injection, – Filter 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 15
  16. 16. Connection Reader and Writer 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 16
  17. 17. Relay from device to host ● Reader for Input EP always requests data to the Endpoint on the device. ● Reader for Input EP send data to Writer for Input EP when it got data. ● Writer for Input EP sends data to the host. 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 17
  18. 18. Relay from host to device ● Reader for Output EP always wait a request and data from the host. ● Reader for Output EP send data to Writer for Output EP when it got data. ● Writer for Output EP sends data to the Endpoint on the device. That's it. Very rough. 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 18
  19. 19. Notification! ● USBProxy does not simulate the USB line. ● It just simulates endpoints on only one device. 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 19
  20. 20. We have problems yet ● We want to simulate more devices. ● In many cases, it fail to simulate a device. ● It can't handle some complex devices yet. ● Linux lose endpoints on a device sometimes. ● It can't notice reset signal from a device. ● Very slow. – Original speed is 30.7MB/s, – USBProxy relay speed is 1,9MB/s. 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 20
  21. 21. Other solutions ● If you want to just snif on USB, you can use USB protocol analizer such the Beagle USB480 Power. ● If you are interesting in deep side, maybe you will fall in darkness. 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 21
  22. 22. Beagle USB480 Power ● Easy to use ● Very fast, 29.8MB/s ● Cheap, just $2250.0 ● Another device is enable USB3.0, just $3600.0 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 22
  23. 23. Do you want to fall in darkness? ● Kali Linux NetHunter "Bad USB" MITM Attack ● http://vimeo.com/106065667 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 23
  24. 24. White page 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 24

×