MitM on USB -- Introduction of USBProxy --

2014/10/31 (c) 2014 [email protected] 1

MitM on USBIntroduction of USBProxy

　　　からぼ(kalab1998{e})

2014年10月31日第22回「ネットワークパケットを読む会（仮）」


Self Introduction

● An engineer of a software company in Aizuwakamatsu (until next Feb., and will not update)

● I'm looking for a next job very hard.● I will found an independent researcher “KA-LAB”

(It's the second choice if no one employ me).● I have no released open source software.● I have two projects on github as follows.

– USBProxy is forked from dominicgs/USBProxy

– ｋalas is a BLAS on GPGPU for Huge Matrix　


Is USB a computer network?

YES!USB is a computer network


Is USB a computer network?

Hub

Hub

USB is a tree structure network in physical.

Hostcomputer


Is USB a computer network？

USB is one by one connections from the hostto each device in logical.

Hostcomputer


How to communicate on USB?

Case: Device to Host


How to communicate on USB?

Case: Host to Device


Where is the host computer?

Now a days, increasing such connections.

Are therehost computers?

※Vector Graphics has copyright of this navigation icon.


Which devices are the host?

hosthost

host

※Vector Graphics has copyright of this navigation icon.


We have an important problem.

● Hack devices such cameras, printers, navigators, smartphones and so on.

It's usually very difficult.⇒

● Electrical tap on the USB cable.Next slides.⇒

● Develop a USB Man in the Middle device.Main theme for this presentation.⇒

How do we investigate vulnerabilities of such devices without any laptop?


Electrical tapping on USB

http://hackaday.com/2011/03/16/usb-man-in-the-middle-adapter/


Electrical tapping on USB

● Conflicting signals● Not enough electric power on signal lines● Very weak against electrical noises● Not running on USB2.0 by that specification

It's very easy, but it has some big problems.


dominicgs/USBProxy

● The device must have two USB ports.– One is for connecting a host.

– Another is for connecting a device.

● Software relaying● Connectable USB2.0● Sniffable / Filterable / Injectable● Very cheap, BeagleBone Black is about $60.0● https://github.com/dominicgs/USBProxy


USBProxy Structure


How to relay?

● USBProxy makes 6 kinds of threads runninng.

– Reader for Input EP, – Reader for output EP, – Writer for Input EP, – Writer for Output EP, – Injection, – Filter


Connection Reader and Writer


Relay from device to host

● Reader for Input EP always requests data to the Endpoint on the device.

● Reader for Input EP send data to Writer for Input EP when it got data.

● Writer for Input EP sends data to the host.


Relay from host to device

● Reader for Output EP always wait a request and data from the host.

● Reader for Output EP send data to Writer for Output EP when it got data.

● Writer for Output EP sends data to the Endpoint on the device.

That's it. Very rough.


Notification!

● USBProxy does not simulate the USB line.● It just simulates endpoints on only one device.


We have problems yet

● We want to simulate more devices.● In many cases, it fail to simulate a device. ● It can't handle some complex devices yet.● Linux lose endpoints on a device sometimes.● It can't notice reset signal from a device.● Very slow.

– Original speed is 30.7MB/s,

– USBProxy relay speed is 1,9MB/s.


Other solutions

● If you want to just snif on USB, you can use USB protocol analizer such the Beagle USB480 Power.

● If you are interesting in deep side, maybe you will fall in darkness.


Beagle USB480 Power

● Easy to use● Very fast, 29.8MB/s● Cheap, just $2250.0● Another device is

enable USB3.0,just $3600.0


Do you want to fall in darkness?

● Kali Linux NetHunter "Bad USB" MITM Attack● http://vimeo.com/106065667


White page

MitM on USB -- Introduction of USBProxy --

Data & Analytics

Transcript of MitM on USB -- Introduction of USBProxy --