badusb, and what you should do about it

Fear & Loathing on your Desk

BadUSB, and what you should do about it

Robert Fisk

Outline

1. Why USB = Universal Serial Badness

2. Current defenses

3. Hardware defense gadget

– Demo, Preemptive FAQs

So who is this guy?

● Electronic engineer in Auckland, NZ● PhD in IC design – analog, mixed-signal, low power● Informal tech support for group of targeted users● Bored last year, BadUSB looked like an interesting project

1-Slide USB introduction

Host PC

Device

Configuration 1

Endpoint 0

Endpoint 1Endpoint ...

Interface 0

Endpoint 1Endpoint ...

Interface 1

USB Device● Endpoint 0

● Configuration 1– Interface 0

● Endpoint 1● Endpoint 2...

– Interface 1● Endpoint ...

USB descriptors

Bus 007 Device 003: ID 046d:c00c Logitech, Inc. Optical Wheel MouseDevice Descriptor: blength 18 bdescriptorType 1 bcdUSB 1.10 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 8 ...blah blah...

Untrusted length!!

[you@yourbox ~]$ lsusb -v

Universal Serial Badness #1

Type 1: Stack Attacks

● Untrusted input to host stack● Host driver or device driver of attacker's choice● 200 device drivers in Linux 3.13 kernel source

Host PC User space

USB host driver

USB class driver

USB device driver

USB device driver

POW!POW!

Universal Serial Badness #1

Stack Attack example:● Inadvertent Win7 attack from crappy mouse● Bluescreen in HIDCLASS.SYS

Universal Serial Badness #1

News Flash:Cisco Nexus 5000 Series USB Driver Denial of Service Vulnerability

A vulnerability in the USB driver for Cisco Nexus 5000 Series Switches could allow an unauthenticated, local attacker to cause a denial of service (DoS) condition due to a kernel crash.The vulnerability is due to insufficient handling of USB input parameters.

Cisco has not released software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability.

“”

Universal Serial Badness #2

Type 2: Hidden Functionality Attacks● No exploit required● USB-compliant commands

User space

USB host driver

USB class driver

USB device driver

USB device driver

POW!POW!Host PC

Universal Serial Badness #2

Hidden Functionality example:Netragard's Hacker Interface DeviceUsage: Plug mouse into computer, get pwned.

Mouse

Hub

+HID USB Keystroke Dongle (Teensy)

USB flash drive

+

+

Universal Serial Badness #3

Type 3: Intended Functionality Attacks● No exploit required● The thing you want is bad!

User space

USB host driver

USB class driver

USB device driver

USB device driver

POW!POW!Host PC

Universal Serial Badness #3

Intended Functionality example:

SR Labs 'hidden rootkit' flash drive

● Host profiling● Activate payload only

when enumerated by BIOS

Universal Serial Badness

● Type 1: Stack attacks● Type 2: Hidden functionality● Type 3: Intended functionality

100% standards compliant

Problem?

How easily can a device turn Bad?

● Most USB chips use 8051 8-bit embedded CPU (from 1980!!!)● Firmware updates with proprietary tools

srlabs.de

“Up to half of USB chips are BadUSB-vulnerable”

(but you can't tell which half!)

You have no idea what code you are running on your system!

Current defense #1

● For mice on desktop PCs only● Not all USB mice support PS/2 protocol :(

Reduce your attack surface with advanced PS/2 technology!

NOT VERY USEFUL

NOT VERY USEFUL

Current defense #2

● Only protects against type 2 keyboard attacks● Windows only

G Data Keyboard GuardNOT VERY USEFUL

NOT VERY USEFUL

Current defense #3

Reduce your attack surface with virtualisation(the wrong way)

● Software passthrough of USB devices● Type 2 hypervisors: Virtualbox, etc ● Software passthrough increases your

attack surface!

USB device

USB host

Host OS

Hypervisor

Guest OS

BAM!BAM!

BAM!BAM!

BAM!BAM!

NOT VERY USEFUL

NOT VERY USEFUL

Current defense #3

Reduce your attack surface with virtualisation(the right way)

● Hardware passthrough of USB host controller

● Type 1 hypervisors: Qubes/Xen, etc● Requires VT-d (Intel) or IOMMU (AMD)● All USB devices attched to a host

controller move together

USB device

USB host

Host OS

Hypervisor

Guest OS

USB host

BAM!BAM!USEFUL?

USEFUL?

Virtualisation scorecard

● Type 1: Stack attacks – Isolated● Type 2: Hidden functionality – Isolated● Type 3: Intended functionality – Isolated

How does hardware virtualisation help us?

Sanitise data leaving the USB VM!

● No protection at boot time● Host OS inputs are unprotected:

USB kbd/mouse & other devices on the same host controller

For everything else, there's...

● Concept: reduce attack surface through isolation● Terminate the USB bus outside vulnerable PC

Windows, Mac, Linux: Uhhh...........

USB hostdriver

USB device driver

USB device

USB device emulator

USB devicedriver

BAM!BAM!

Simplest imaginable protocolBAM!BAM!

Sanity checks

Host PC

Hardware defense – concept

● Many device drivers● Slow bootup● More expensive

Start the project with off-the-shelf hardware

● Limited drivers● Instant bootup● Cheap(er)

Embedded Linux: Embedded bare-metal:

Thing 1 Thing 2USB

device

Simple interface Host port

Device port

Upstream(device)

Downstream(host)

Host PC

Prototype hardware

OlimexSTM32-H405

OlimexSTM32-H407

Host port

● STM32F405 / 407 ARM-core microcontrollers● ST provides USB middleware with various drivers● FS (12Mbps) with upgrade path to HS (480Mbps)

15 EUR30 EUR

Device port

Introducing the USG v0.9

Turning BadUSB good since 2015

Device port

Host portSPI data

interface

Let's talk firmware!

main.c

Dev board

Peripheral library (hardware drivers)

USB host library & device drivers

Linker script.ld Processor family headers.h

OpenOCD Olimex JTAG

☼Board.cfg

GNUARM Eclipse

Eclipse CDT

☼ ☼

Startup file.SMath/DSP libraries

newlib-nano

gdb

☼

☼

gcc-arm-none-eabi

Firmware current status

● Mass Storage support only– SCSI transparent command set– 512B blocks– 2TB max capacity– Single LUN

● ~700kB/s transfer speed● 2x 30kB binary images

Hardware isolation scorecard #1

● Type 1: Stack attacks – Isolated● Type 2: Hidden functionality● Type 3: Intended functionality

How does this dongle help us?

Hidden functionality defense

● Disable hubs– Embedded host stack supports single device only :)

● Disable multi-interface devices– Limit host to one active class driver

● Lock in requested device class on first enumeration– Device class change requires firmware reset

Stop Type 2 attacks with firmware features:

Intended functionality defense

● Mass Storage– Hardware AES keyed from device serial number– Bad firmware cannot maliciously alter blocks– Only partial protection

● HID– Rate-limit input actions– Only partial protection

– Bonus points: buffer keystrokes > user profiling

Type 3 attacks difficult to block!

None of this is currently implemented!

Hardware isolation scorecard #2

● Type 1: Stack attacks – Isolated● Type 2: Hidden functionality – Firmware blocked● Type 3: Intended functionality – Partial protection (eventually!)

Firmware features give more protection

● Some type 3 attacks cannot be hardware sanitised. Proceed with caution!

USG v1.0 beta

v0.9 v1.0 betaPCB Layout (KiCad)

World's shortest demo

● This slide● Also, all the other ones!

Preemptive FAQ #1

Q: Can I use my USB hub with the USG?

A: No!– No embedded host support (downstream)– Upstream cannot emulate a network of devices– Also, necessary to block type 2 attacks

Preemptive FAQ #1b

Q: Wait, that means I need a USG for every one of my USB devices??!!!!!

A: Yeah, sorry about that ;)

Also, this implies hubs cannot be sanitised.Hubs are untrusted devices too!

Preemptive FAQ #2

Q: Can the USG protect the firmware on my device from malicious hosts?

A: Yes. The isolation barrier is symmetric.

Preemptive FAQ #3

Q: Will the USG support [my obscure device]?

A: Probably not.– Requires device driver and device emulator– Requires some assurance that the data is safe (type 3 attacks)– Requires sufficient interest (or pull requests!)

Planned: – HID keyboard, mouse– CDC, serial– For everything else, there's Qubes ( )Or other type 1 hypervisor with hardware-

assisted virtualisation of USB host controllers

Preemptive FAQ #4

Q: Does it have a red flashing light to tell me when a USB is Bad?

A: No– False negatives from host profiling– False positives from crap devices or internal bugs– Fault LEDs are deliberately orange– Always use your USG!

Preemptive FAQ #5

Q: This thing works at USB1 speed? What is this, 1998 or something?

A:

12Mbps

● Wide embedded hardware support● 2 layer PCB, easy layout● Soldering level: advanced (0.5mm pitch LQFP)● Prototype cost: $150

480Mbps● Limited embedded hardware support● 4 layer PCB, controlled impedance routing● Soldering level: mortals need not apply (0.5mm pitch QFN)● Prototype cost: $300

5Gbps

● No embedded hardware support● 8 layer PCB, RF grade layout where every mm counts● Soldering level: impossible (BGA)● Prototype cost: $1000

Preemptive FAQ #6

Q: So do I need a USG?

A: Windows, Mac, Linux:Yes, but you are probably still vulnerable! (type 3 attacks)

Type 1 hypervisor with hardware-assisted virtualisation of USB host controllers:

Yes, for your HIDs and anything connected at boot-time

Embedded devices, eg Cisco switches :)Yes! (and pray the firmware image is signed)

Preemptive FAQ #7

Q: When can I buy one?

A: Sometime in 2016

– Firmware: add HID class support– Hardware: 1+ board revisions

DFM is boring and expensive

– Build your own USG v0.9 anytime you want!

Testers wanted

Bonus FAQ

Q: Hardware guys can't code for shit. Why should I trust you?

A1: That's a reasonable question!

A2: Go check the code yourself...

github.com/robertfisk/usg

robert_fisk@fastmail.fm

PGP: 2255 761A FE59 4D18 6511EE43 DEB9 5AC0 15AD AEBA

The good stuff

Firmware, Hardware, Wiki: