
MitM on USB -- Introduction of USBProxy --


  1. MitM on USB -- Introduction of USBProxy -- からぼ (kalab1998{e}), October 31, 2014, 22nd "Network Packet Reading Meeting (tentative)". 2014/10/31 (c) 2014 kiyotaka@ka-lab.jp
  2. Self Introduction ● An engineer at a software company in Aizuwakamatsu (until next Feb., and will not update) ● I'm looking very hard for my next job. ● I will found “KA-LAB” as an independent researcher (it's the second choice if no one employs me). ● I have no released open source software. ● I have two projects on GitHub, as follows. – USBProxy, forked from dominicgs/USBProxy – kalas, a BLAS on GPGPU for huge matrices
  3. Is USB a computer network? YES! USB is a computer network.
  4. Is USB a computer network? Physically, USB is a tree-structured network. (Figure labels: host computer, hub, hub.)
  5. Is USB a computer network? Logically, USB is a set of one-to-one connections from the host to each device. (Figure label: host computer.)
  6. How to communicate on USB? Case: Device to Host
  7. How to communicate on USB? Case: Host to Device
  8. Where is the host computer? Nowadays, such connections are increasing. Are there host computers? ※Vector Graphics holds the copyright of this navigation icon.
  9. Which devices are the host? (Figure labels: host, host.) ※Vector Graphics holds the copyright of this navigation icon.
  10. We have an important problem. How do we investigate vulnerabilities of such devices without any laptop? ● Hack devices such as cameras, printers, navigators, smartphones and so on. ⇒ It's usually very difficult. ● Electrical tap on the USB cable. ⇒ Next slides. ● Develop a USB man-in-the-middle device. ⇒ Main theme of this presentation.
  11. Electrical tapping on USB http://hackaday.com/2011/03/16/usb-man-in-the-middle-adapter/
  12. Electrical tapping on USB It's very easy, but it has some big problems. ● Conflicting signals ● Not enough electric power on signal lines ● Very weak against electrical noise ● Does not run on USB2.0, by that specification
  13. dominicgs/USBProxy ● The device must have two USB ports. – One is for connecting to a host. – The other is for connecting to a device. ● Software relaying ● USB2.0 connectable ● Sniffable / Filterable / Injectable ● Very cheap; a BeagleBone Black is about $60.0 ● https://github.com/dominicgs/USBProxy
  14. USBProxy Structure
  15. How to relay? ● USBProxy runs 6 kinds of threads. – Reader for Input EP, – Reader for Output EP, – Writer for Input EP, – Writer for Output EP, – Injection, – Filter
  16. Connection Reader and Writer
  17. Relay from device to host ● Reader for Input EP always requests data from the endpoint on the device. ● Reader for Input EP sends data to Writer for Input EP when it gets data. ● Writer for Input EP sends data to the host.
  18. Relay from host to device ● Reader for Output EP always waits for a request and data from the host. ● Reader for Output EP sends data to Writer for Output EP when it gets data. ● Writer for Output EP sends data to the endpoint on the device. That's it. Very rough.
  19. Note! ● USBProxy does not simulate the USB line. ● It just simulates the endpoints of only one device.
  20. We still have problems ● We want to simulate more devices. ● In many cases, it fails to simulate a device. ● It can't handle some complex devices yet. ● Linux sometimes loses endpoints on a device. ● It can't notice a reset signal from a device. ● Very slow. – Original speed is 30.7MB/s, – USBProxy relay speed is 1.9MB/s.
  21. Other solutions ● If you just want to sniff USB, you can use a USB protocol analyzer such as the Beagle USB480 Power. ● If you are interested in the deep side, maybe you will fall into darkness.
  22. Beagle USB480 Power ● Easy to use ● Very fast, 29.8MB/s ● Cheap, just $2250.0 ● Another device supports USB3.0, just $3600.0
  23. Do you want to fall into darkness? ● Kali Linux NetHunter "Bad USB" MITM Attack ● http://vimeo.com/106065667
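
Slides 15 to 18 describe each relay direction as a reader thread that hands data to a writer thread, with filtering available along the way. The Python sketch below is an added example, not code from USBProxy or from the presentation; it models that pipeline in memory, and the names `relay`, `make_sniffer` and `drop_oversized`, the 64-byte limit, the choice to run filters in the writer, and the sample packets are all assumptions constructed for illustration.

```python
# Added illustration (hypothetical names, constructed packets): one relay direction per call.
import queue
import threading

_DONE = object()  # sentinel: the reader has no more packets

def relay(source, filters):
    """Relay one direction: reader thread -> queue -> writer thread."""
    q = queue.Queue()
    delivered = []
    def reader():
        # Stands in for a "Reader for ... EP": fetches data from one side.
        for packet in source:
            q.put(bytes(packet))
        q.put(_DONE)

    def writer():
        # Stands in for a "Writer for ... EP": filters, then forwards.
        while (packet := q.get()) is not _DONE:
            for f in filters:
                packet = f(packet)
                if packet is None:  # a filter dropped the packet
                    break
            else:
                delivered.append(packet)

    threads = [threading.Thread(target=reader), threading.Thread(target=writer)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return delivered

def make_sniffer(log, direction):
    """Pass-through filter that records direction and payload (hex)."""
    def sniff(packet):
        log.append((direction, packet.hex()))
        return packet
    return sniff

def drop_oversized(limit):
    """Filter that drops packets longer than `limit` bytes (assumed policy)."""
    return lambda packet: packet if len(packet) <= limit else None

def demo():
    log = []  # constructed sample traffic below, not captured from a device
    to_host = relay([b"\x00\x00\x04", b"\xff" * 70],
                    [make_sniffer(log, "IN"), drop_oversized(64)])
    to_device = relay([b"\x01\x02"], [make_sniffer(log, "OUT")])
    return to_host, to_device, log
```

Because the sniffer runs before the size filter, the log still records the packet that the relay drops, which is the property that makes a software relay useful for inspection as well as filtering.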
