SlideShare a Scribd company logo

USB: Undermining Security Barriers

NCC Group
NCC Group
Technology
1 of 33
Download to read offline
NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com 04/08/2011
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
USB – it’s everywhere! • PCs • Tablets • Cameras • TVs • Cable / Satellite set-top-boxes • Telephones • Microwave ovens!
USB Primer - Architecture • The aim of USB was to find a solution to the mixture of connection methods to the PC • Currently three speeds of data transfer (USB 2.0): • Low – 1.5Mbps (keyboard, mouse etc.) • Full – 12Mbps (originally for all other devices) • High – 480Mbps (developed in response to FireWire) • Architecture is a tiered star topology: • Single host controller and up to 127 slave devices • A device can be plugged into a hub, and that hub can be plugged into another hub and so on. The maximum number of tiers permitted is six  Host is Master - all communications on this bus are initiated by the host  Devices cannot communicate directly with other devices (except for USB On-The-Go protocol)
USB Primer - Terminology • The USB bus • When the host is transmitting a packet of data, it is sent to every device connected to an enabled port. It travels downwards via each hub in the chain which resynchronises the data transitions as it relays it. Only one device, the addressed one, actually accepts the data • Endpoints • Each USB device has a number of endpoints. Each endpoint is a source or sink of data. A device can have up to 16 OUT and 16 IN endpoints. • OUT always means from host to device. • IN always means from device to host. • Endpoint 0 is a special case which is a combination of endpoint 0 OUT and endpoint 0 IN, and is used for controlling the device. • Pipe • A logical data connection between the host and a particular endpoint, in which we ignore the lower level mechanisms for actually achieving the data transfers.
USB Primer – More Terminology • Configurations, Interfaces, and Endpoints • The device contains a number of descriptors (as shown to the right) which help to define the device’s capabilities • A device can have more than one configuration, though only one at a time, and to change configuration the whole device would have to stop functioning • A device can have one or more interfaces. Each interface can have a number of endpoints and represents a functional unit belonging to a particular class • Each endpoint is a source or sink of data
USB Primer – plugging in a device • Pull-up resistor on data line – Indicates device was connected (reset device) • Get Device descriptor – what’s the max packet size? – address 0 • Reset then Set Address - for the rest of the communications use this address • Get Device descriptor – What are the device basic capabilities? • Get Configuration descriptor – What are the configuration details? • Interface descriptors • Endpoint descriptors • HID descriptors • Get String descriptors – Get string language + product name etc. • Set Configuration – Configuration is chosen – the device can be used • Class-specific communication - from this point onwards HCI Driver USB Bus Driver USB Device Driver
USB Primer – Example descriptor A typical Device Descriptor
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Various approaches to interface fuzzing  Rafael Dominguez Vega used a number of different approaches including USB over IP, QEMU and a microcontroller to discover Linux- based USB vulnerabilities in String descriptors  David Dewey and Darrin Barrall used an SL811 USB controller to discover a heap overflow in Windows XP  Moritz Jodeit emulated USB devices in software and with a Netchip NET2280 peripheral controller  Tobias Mueller used virtualisation techniques with QEMU to identify USB vulnerabilities in a number of different operating systems  Jon Larimer investigated USB drive security and associated file system vulnerabilities in Windows and Linux
Difficulties in testing USB • Black box Testing of drivers for interfaces on embedded systems can be tough: • No low-level view of the firmware • Hard to debug • Hard to hook into firmware • Testing some interfaces is tough using conventional approaches: • Getting a PC to pretend to be a USB device requires some serious driver development – need to turn the root hub into a USB device.
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
USB vulnerability classes • Stack overflows • String descriptors in Linux and Windows XP • Solaris 11 Express hub-class descriptor • Integer and Heap overflows • Sony PS3 hub-class descriptors • Apple iPod Touch jailbreak “0xA1,1” USB control message • Xbox 360 image-class descriptors • Null-pointer dereference (exploitable) • Apple iPhone jailbreak “0x21,2” USB control message • Logic errors • Windows 7 HID report descriptors
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Phase one - FuzzBox • Arduino microcontroller • Fuzzer written in C++ • Only emulates USB HID devices • Only allows semi-automated fuzzing • Has found bugs in: • Windows 7 • Windows XP • OS X • Limitations – not really fast enough to emulate most USB devices
FuzzBox details Simple circuit to interface with an Arduino: Driver code had already been written to emulate a HID device: http://code.google.com/p/vusb-for-arduino/
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Packet Master USB500 AG • Dedicated USB test equipment hardware • USB capture and playback • Emulates any USB host or device • Understands and analyses the different USB device classes • Uses a scripting language to generate USB traffic • Costs approx. US$1200 (plus specific class analysis options) • Limitations – doesn’t currently have a software API to control it
GraphicUSB – Capture and Analysis
GraphicUSB – Generator Scripts
So what can we fuzz? USB hosts: • The Device Descriptor (HCI driver) • String Descriptors (HCI driver / USB device drivers) • The Configuration Descriptor: Interface Descriptor (USB device driver) • The Configuration Descriptor: Endpoint Descriptor (USB device driver) • Class-specific descriptors e.g. HID Report Descriptor (USB device driver) • Class-specific communication (USB device driver and client software) USB devices: • Host -> device USB control messages
Why the new approach is different Device and Platform Independent: • Previous approaches have mainly focussed on either testing or emulating specific devices or hosts • We don’t care (for the most part) what the host or device is • If we understand USB and where vulnerabilities may be present then we can use a black-box fuzzing approach • It certainly produces results…
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Frisbee – the USB fuzzer • GraphicUSB currently has no API for controlling it • Frisbee modifies the GraphicUSB generator script created from a capture • The generator script must be loaded, compiled then executed to generate USB traffic • Frisbee uses the SendKeys Python library to inject Windows events into GraphicUSB • Although this is slow, the HCI driver needs time to identify a device, which has ostensibly just been plugged in • The host under test is connected to the same Ethernet network as the host running Frisbee and is periodically pinged to identify if the host has crashed
NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Demos
What have we found so far? • HID class descriptor memory corruption in Windows 7 • Hub class descriptor stack overflow in Solaris 11Express • Printer class communication memory corruption in Solaris 11Express • Image class communication memory corruption in Solaris 11Express • Image class communication integer overflows in Microsoft Xbox 360 • Image class descriptor memory corruption in Apple OS X
Why are USB vulnerabilities still prevalent? • Some vendors don’t seem to view USB vulnerabilities as a security issue Quote from vendor x: “Thank you for sending this to us. This is something that I will definitely pass on, however since this requires physical access its not something that we will fix in a security update” • The knowledge of how to emulate USB devices is not widespread Quote from vendor y: “We think we’ve fixed this issue, but we’ll need to get you to test it as we don’t have the ability to replicate your attack”
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
The impact of exploiting USB Typical scenarios of exploiting USB vulnerabilities: • “Jailbreaking” embedded devices • Unlocking a locked workstation • Installing malware in seconds • Exfiltrating sensitive data in seconds • What about Endpoint Protection Systems?...
Endpoint Protection software Endpoint protection software: • Lumension (formerly Sanctuary) - Device Control • CoSoSys – Endpoint Protector • DeviceLock - Endpoint DLP Suite They work higher up the USB stack than many USB driver vulnerabilities exist Exploitable USB driver vulnerabilities will often circumvent them Some of the vulnerabilities we have discovered, when exploited will circumvent Endpoint Protection Software
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Conclusion • There are still plenty of USB vulnerabilities out there – many of which will be exploitable • Even though limited physical access is required, USB vulnerabilities still constitute a serious security risk • Endpoint Protection software is unlikely to protect you from many of these attacks • If you really don’t want people to exploit USB on your PCs, disable USB in the BIOS • For ultimate protection, fill the USB sockets with epoxy resin!
NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Questions? Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com

Recommended

Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatCNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
CNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsCNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsSam Bowne
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012Philip Polstra
 
9: OllyDbg
9: OllyDbg9: OllyDbg
9: OllyDbgSam Bowne
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...CODE BLUE
 

Recommended

Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesNCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatCNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatSam Bowne
 
CNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsCNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsSam Bowne
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012Philip Polstra
 
9: OllyDbg
9: OllyDbg9: OllyDbg
9: OllyDbgSam Bowne
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVEric Vanderburg
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...CODE BLUE
 
CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsSam Bowne
 
Course 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded SystemsCourse 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded SystemsAhmed El-Arabawy
 
Course Syllabus
Course SyllabusCourse Syllabus
Course SyllabusAmir Villas
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINALMartin Evans
 
Securitytools
SecuritytoolsSecuritytools
SecuritytoolsRichmond Adebiaye
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMSherif Mousa
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
Embedded system design challenges
Embedded system design challenges Embedded system design challenges
Embedded system design challenges Aditya Kamble
 
1184 Quayle
1184 Quayle1184 Quayle
1184 QuayleStanley F. Quayle
 
Useful USB Gadgets on Linux
Useful USB Gadgets on LinuxUseful USB Gadgets on Linux
Useful USB Gadgets on LinuxGary Bisson
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Design of Software for Embedded Systems
Design of Software for Embedded SystemsDesign of Software for Embedded Systems
Design of Software for Embedded SystemsPeter Tröger
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium EmulationRaghav Nayak
 
Thotcon2013
Thotcon2013Thotcon2013
Thotcon2013Philip Polstra
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringSam Bowne
 
Installing driver
Installing driverInstalling driver
Installing driverOnline
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
Embedded system
Embedded systemEmbedded system
Embedded systemmangal das
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0NCC Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 

More Related Content

What's hot

CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsSam Bowne
 
Course 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded SystemsCourse 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded SystemsAhmed El-Arabawy
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINALMartin Evans
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMSherif Mousa
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Applicationedavid2685
 
Embedded system design challenges
Embedded system design challenges Embedded system design challenges
Embedded system design challenges Aditya Kamble
 
Useful USB Gadgets on Linux
Useful USB Gadgets on LinuxUseful USB Gadgets on Linux
Useful USB Gadgets on LinuxGary Bisson
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsenSilo
 
Design of Software for Embedded Systems
Design of Software for Embedded SystemsDesign of Software for Embedded Systems
Design of Software for Embedded SystemsPeter Tröger
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangLyon Yang
 
Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium EmulationRaghav Nayak
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringSam Bowne
 
Installing driver
Installing driverInstalling driver
Installing driverOnline
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...The Linux Foundation
 
Embedded system
Embedded systemEmbedded system
Embedded systemmangal das
 

What's hot (20)

CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security Professionals
 
Course 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded SystemsCourse 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded Systems
 
Course Syllabus
Course SyllabusCourse Syllabus
Course Syllabus
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINAL
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARM
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Embedded system design challenges
Embedded system design challenges Embedded system design challenges
Embedded system design challenges
 
1184 Quayle
1184 Quayle1184 Quayle
1184 Quayle
 
Useful USB Gadgets on Linux
Useful USB Gadgets on LinuxUseful USB Gadgets on Linux
Useful USB Gadgets on Linux
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Design of Software for Embedded Systems
Design of Software for Embedded SystemsDesign of Software for Embedded Systems
Design of Software for Embedded Systems
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium Emulation
 
Thotcon2013
Thotcon2013Thotcon2013
Thotcon2013
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
Installing driver
Installing driverInstalling driver
Installing driver
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
 
Embedded system
Embedded systemEmbedded system
Embedded system
 

Viewers also liked

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0NCC Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_designNCC Group
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)NCC Group
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a ShoestringNCC Group
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsNCC Group
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistJignesh Solanki
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedNCC Group
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group
 
Cryptography101
Cryptography101Cryptography101
Cryptography101NCC Group
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security productsNCC Group
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsNCC Group
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_roomNCC Group
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key ManagementNCC Group
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security NCC Group
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleNCC Group
 
Creating value through technology
Creating value through technologyCreating value through technology
Creating value through technologyPavan Kumar Vijay
 
Etapas de la planificacion
Etapas de la planificacionEtapas de la planificacion
Etapas de la planificacionBanesa Ruiz
 

Viewers also liked (20)

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removed
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key Management
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
Creating value through technology
Creating value through technologyCreating value through technology
Creating value through technology
 
Etapas de la planificacion
Etapas de la planificacionEtapas de la planificacion
Etapas de la planificacion
 
NUESTROS ADULTOS SE MUEVEN
NUESTROS ADULTOS SE MUEVENNUESTROS ADULTOS SE MUEVEN
NUESTROS ADULTOS SE MUEVEN
 
Corporate Social Responsibility
Corporate Social ResponsibilityCorporate Social Responsibility
Corporate Social Responsibility
 

Similar to USB: Undermining Security Barriers

Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Luis Grangeia
 
BadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlBadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlPriyanka Aash
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systemsDTQ4
 
Chapter-05-IO (2).ppt
Chapter-05-IO (2).pptChapter-05-IO (2).ppt
Chapter-05-IO (2).pptMyName1sJeff
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNitesh Malviya
 
Mickey, threats inside your platform final
Mickey, threats inside your platform finalMickey, threats inside your platform final
Mickey, threats inside your platform finalPacSecJP
 
Computer system organization
Computer system organizationComputer system organization
Computer system organizationSyed Zaid Irshad
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"DataArt
 
BadUSB, and what you should do about it
BadUSB, and what you should do about itBadUSB, and what you should do about it
BadUSB, and what you should do about itrobertfisk
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009dnomura
 
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...Edge AI and Vision Alliance
 
Choosing_(and_Implem..
Choosing_(and_Implem..Choosing_(and_Implem..
Choosing_(and_Implem..webhostingguy
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22MichaelM85042
 

Similar to USB: Undermining Security Barriers (20)

Adventures in USB land
Adventures in USB landAdventures in USB land
Adventures in USB land
 
Computer Fundamentals
Computer FundamentalsComputer Fundamentals
Computer Fundamentals
 
Computer fundamental
Computer fundamentalComputer fundamental
Computer fundamental
 
USB BASIC
USB BASICUSB BASIC
USB BASIC
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
BadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlBadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten Nohl
 
Chapter-6_2.ppt
Chapter-6_2.pptChapter-6_2.ppt
Chapter-6_2.ppt
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systems
 
Chapter-05-IO (2).ppt
Chapter-05-IO (2).pptChapter-05-IO (2).ppt
Chapter-05-IO (2).ppt
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmware
 
Mickey, threats inside your platform final
Mickey, threats inside your platform finalMickey, threats inside your platform final
Mickey, threats inside your platform final
 
Computer system organization
Computer system organizationComputer system organization
Computer system organization
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"
 
MCB_HL_v10.pdf
MCB_HL_v10.pdfMCB_HL_v10.pdf
MCB_HL_v10.pdf
 
BadUSB, and what you should do about it
BadUSB, and what you should do about itBadUSB, and what you should do about it
BadUSB, and what you should do about it
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
Usb
UsbUsb
Usb
 
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
 
Choosing_(and_Implem..
Choosing_(and_Implem..Choosing_(and_Implem..
Choosing_(and_Implem..
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGMarianaLemus7
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentationphoebematthew05
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
APIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDGAPIForce Zurich 5 April Automation LPDG
APIForce Zurich 5 April Automation LPDG
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
costume and set research powerpoint presentation
costume and set research powerpoint presentationcostume and set research powerpoint presentation
costume and set research powerpoint presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 

USB: Undermining Security Barriers

  • 1. NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com 04/08/2011
  • 2. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 3. USB – it’s everywhere! • PCs • Tablets • Cameras • TVs • Cable / Satellite set-top-boxes • Telephones • Microwave ovens!
  • 4. USB Primer - Architecture • The aim of USB was to find a solution to the mixture of connection methods to the PC • Currently three speeds of data transfer (USB 2.0): • Low – 1.5Mbps (keyboard, mouse etc.) • Full – 12Mbps (originally for all other devices) • High – 480Mbps (developed in response to FireWire) • Architecture is a tiered star topology: • Single host controller and up to 127 slave devices • A device can be plugged into a hub, and that hub can be plugged into another hub and so on. The maximum number of tiers permitted is six  Host is Master - all communications on this bus are initiated by the host  Devices cannot communicate directly with other devices (except for USB On-The-Go protocol)
  • 5. USB Primer - Terminology • The USB bus • When the host is transmitting a packet of data, it is sent to every device connected to an enabled port. It travels downwards via each hub in the chain which resynchronises the data transitions as it relays it. Only one device, the addressed one, actually accepts the data • Endpoints • Each USB device has a number of endpoints. Each endpoint is a source or sink of data. A device can have up to 16 OUT and 16 IN endpoints. • OUT always means from host to device. • IN always means from device to host. • Endpoint 0 is a special case which is a combination of endpoint 0 OUT and endpoint 0 IN, and is used for controlling the device. • Pipe • A logical data connection between the host and a particular endpoint, in which we ignore the lower level mechanisms for actually achieving the data transfers.
  • 6. USB Primer – More Terminology • Configurations, Interfaces, and Endpoints • The device contains a number of descriptors (as shown to the right) which help to define the device’s capabilities • A device can have more than one configuration, though only one at a time, and to change configuration the whole device would have to stop functioning • A device can have one or more interfaces. Each interface can have a number of endpoints and represents a functional unit belonging to a particular class • Each endpoint is a source or sink of data
  • 7. USB Primer – plugging in a device • Pull-up resistor on data line – Indicates device was connected (reset device) • Get Device descriptor – what’s the max packet size? – address 0 • Reset then Set Address - for the rest of the communications use this address • Get Device descriptor – What are the device basic capabilities? • Get Configuration descriptor – What are the configuration details? • Interface descriptors • Endpoint descriptors • HID descriptors • Get String descriptors – Get string language + product name etc. • Set Configuration – Configuration is chosen – the device can be used • Class-specific communication - from this point onwards HCI Driver USB Bus Driver USB Device Driver
  • 8. USB Primer – Example descriptor A typical Device Descriptor
  • 9. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 10. Various approaches to interface fuzzing  Rafael Dominguez Vega used a number of different approaches including USB over IP, QEMU and a microcontroller to discover Linux- based USB vulnerabilities in String descriptors  David Dewey and Darrin Barrall used an SL811 USB controller to discover a heap overflow in Windows XP  Moritz Jodeit emulated USB devices in software and with a Netchip NET2280 peripheral controller  Tobias Mueller used virtualisation techniques with QEMU to identify USB vulnerabilities in a number of different operating systems  Jon Larimer investigated USB drive security and associated file system vulnerabilities in Windows and Linux
  • 11. Difficulties in testing USB • Black box Testing of drivers for interfaces on embedded systems can be tough: • No low-level view of the firmware • Hard to debug • Hard to hook into firmware • Testing some interfaces is tough using conventional approaches: • Getting a PC to pretend to be a USB device requires some serious driver development – need to turn the root hub into a USB device.
  • 12. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 13. USB vulnerability classes • Stack overflows • String descriptors in Linux and Windows XP • Solaris 11 Express hub-class descriptor • Integer and Heap overflows • Sony PS3 hub-class descriptors • Apple iPod Touch jailbreak “0xA1,1” USB control message • Xbox 360 image-class descriptors • Null-pointer dereference (exploitable) • Apple iPhone jailbreak “0x21,2” USB control message • Logic errors • Windows 7 HID report descriptors
  • 14. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 15. Phase one - FuzzBox • Arduino microcontroller • Fuzzer written in C++ • Only emulates USB HID devices • Only allows semi-automated fuzzing • Has found bugs in: • Windows 7 • Windows XP • OS X • Limitations – not really fast enough to emulate most USB devices
  • 16. FuzzBox details Simple circuit to interface with an Arduino: Driver code had already been written to emulate a HID device: http://code.google.com/p/vusb-for-arduino/
  • 17. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 18. Packet Master USB500 AG • Dedicated USB test equipment hardware • USB capture and playback • Emulates any USB host or device • Understands and analyses the different USB device classes • Uses a scripting language to generate USB traffic • Costs approx. US$1200 (plus specific class analysis options) • Limitations – doesn’t currently have a software API to control it
  • 19. GraphicUSB – Capture and Analysis
  • 21. So what can we fuzz? USB hosts: • The Device Descriptor (HCI driver) • String Descriptors (HCI driver / USB device drivers) • The Configuration Descriptor: Interface Descriptor (USB device driver) • The Configuration Descriptor: Endpoint Descriptor (USB device driver) • Class-specific descriptors e.g. HID Report Descriptor (USB device driver) • Class-specific communication (USB device driver and client software) USB devices: • Host -> device USB control messages
  • 22. Why the new approach is different Device and Platform Independent: • Previous approaches have mainly focussed on either testing or emulating specific devices or hosts • We don’t care (for the most part) what the host or device is • If we understand USB and where vulnerabilities may be present then we can use a black-box fuzzing approach • It certainly produces results…
  • 23. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 24. Frisbee – the USB fuzzer • GraphicUSB currently has no API for controlling it • Frisbee modifies the GraphicUSB generator script created from a capture • The generator script must be loaded, compiled then executed to generate USB traffic • Frisbee uses the SendKeys Python library to inject Windows events into GraphicUSB • Although this is slow, the HCI driver needs time to identify a device, which has ostensibly just been plugged in • The host under test is connected to the same Ethernet network as the host running Frisbee and is periodically pinged to identify if the host has crashed
  • 25. NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Demos
  • 26. What have we found so far? • HID class descriptor memory corruption in Windows 7 • Hub class descriptor stack overflow in Solaris 11Express • Printer class communication memory corruption in Solaris 11Express • Image class communication memory corruption in Solaris 11Express • Image class communication integer overflows in Microsoft Xbox 360 • Image class descriptor memory corruption in Apple OS X
  • 27. Why are USB vulnerabilities still prevalent? • Some vendors don’t seem to view USB vulnerabilities as a security issue Quote from vendor x: “Thank you for sending this to us. This is something that I will definitely pass on, however since this requires physical access its not something that we will fix in a security update” • The knowledge of how to emulate USB devices is not widespread Quote from vendor y: “We think we’ve fixed this issue, but we’ll need to get you to test it as we don’t have the ability to replicate your attack”
  • 28. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 29. The impact of exploiting USB Typical scenarios of exploiting USB vulnerabilities: • “Jailbreaking” embedded devices • Unlocking a locked workstation • Installing malware in seconds • Exfiltrating sensitive data in seconds • What about Endpoint Protection Systems?...
  • 30. Endpoint Protection software Endpoint protection software: • Lumension (formerly Sanctuary) - Device Control • CoSoSys – Endpoint Protector • DeviceLock - Endpoint DLP Suite They work higher up the USB stack than many USB driver vulnerabilities exist Exploitable USB driver vulnerabilities will often circumvent them Some of the vulnerabilities we have discovered, when exploited will circumvent Endpoint Protection Software
  • 31. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 32. Conclusion • There are still plenty of USB vulnerabilities out there – many of which will be exploitable • Even though limited physical access is required, USB vulnerabilities still constitute a serious security risk • Endpoint Protection software is unlikely to protect you from many of these attacks • If you really don’t want people to exploit USB on your PCs, disable USB in the BIOS • For ultimate protection, fill the USB sockets with epoxy resin!
  • 33. NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Questions? Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com