Universal Serial aBUSe: Remote Physical Access Attacks

DEF CON 24

Presented by: Rogan Dawes, Dominic White
Date: Saturday August 06, 2016
Time: 14:00 - 14:50
Location: Track Two

In this talk, we’ll cover some novel USB-level attacks that can provide remote command and control of even air-gapped machines with a minimal forensic footprint, and release an open-source toolset built on freely available hardware.

In 2000, Microsoft published its 10 Immutable Laws of Security [1], one of which was "if a bad guy has unrestricted access to your computer, it's not your computer anymore." This has been robustly demonstrated over the years. Examples include numerous DMA-access attacks against interfaces such as FireWire [2], PCMCIA and Thunderbolt [3], as well as USB-based attacks including simple in-line keyloggers, "evil maid" attacks [4] and malicious firmware [5].

Despite these warnings, groups such as the NSA were still able to use physical access to bypass software controls with toolsets such as COTTONMOUTH [6]. Likewise, criminals have been able to defraud banks with a handful of simple hardware tricks [7]. While some progress has been made to secure some devices against some threats, such as the use of full disk encryption, or the impact of Apple's Secure Enclave on the physical security of the iPhone [8], most laptops and desktops remain vulnerable to attacks via physical interfaces.

In our experience, organisations merely view USB devices as a channel for malware or unsanctioned communications, and rely on protections placed elsewhere in their defensive stack to deal with them, but few deal with the risk the USB interface presents directly. There are many scenarios where gaining physical access to hosts is plausible [9], and having done so can provide access to "chewy" internal networks [10] ripe for lateral movement.

While most people are familiar with USB devices, many don't realise the extent to which the USB standard allows seemingly innocuous devices to have multiple personalities. There has been an extensive amount of research into malicious USB devices, such as TURNIPSCHOOL [15], GoodFET/Facedancer [16], Shikra [17], Rubber Ducky [11], USBdriveby [12] and BadUSB [5]. However, none of these implements an end-to-end attack, either because that was not their intention, because they focus on only part of the attack, or because the project was never completed.

Additionally, existing attacks are predominantly "send only", with no built-in bidirectional communications. They usually rely on the executed payload and the host's networks for any advanced remote access. Thus, these payloads can leave a significant forensic footprint in the form of network communications and on-host behaviours, which also exposes them to anti-malware controls. Numerous companies are improving toolsets to detect such attacks [13][14]. Lastly, these attacks are often "spray and pray", unable to account for variations in the user's behaviour or computer setup.

Our approach is to create a stealthy bi-directional channel between the host and device, with remote connectivity via 3G/Wi-Fi/Bluetooth and offload the complexity to our hardware, leaving a small simple stub to run on the host. This talk will discuss the process of creating a set of malicious USB devices using low cost hardware. The design and toolkit will be released during the talk.

Our toolkit provides three significant improvements over existing work. The first is the ability to gain a stealthy bi-directional channel with the host via the device. No traffic is generated on the target network (i.e. it would work against air-gapped hosts). This is done via the use of either a raw HID device or a standard USB class printer driver linked to our device, with the stub merely wrapping commands and their output to our device. The second is the ability to communicate with the device remotely via Wi-Fi/3G/Bluetooth, allowing for updates to the payloads, exfiltration of data, real-time interaction with the host and an ability to debug problems. This also has the advantage that any network controls are bypassed. Finally, the stub running on the host will leave a minimal forensic trail, making detection of the attack, or analysis of it later, difficult. For completeness' sake, a new transport for Metasploit was developed to allow Metasploit payloads to be used instead.
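The channel described above, where a small host-side stub wraps commands and their output into USB reports that the device relays out of band, is illustrated by the following added example. It is not the presenters' toolkit or any code from the talk; it is an editor's simulation of the framing problem that any such channel has to solve. USB HID interrupt transfers carry fixed-size reports, so a command or its output that is longer than one report must be chunked and reassembled on both sides. The report size (64 bytes), the header layout (flags, sequence number, payload length) and the `fake_shell` command handler are all assumptions made for this example so that it runs offline without executing anything on the host.

```python
"""Framing a command/response channel over fixed-size USB HID-style reports.

Added illustration, not the presenters' toolkit. The framing layout
(1 byte flags, 1 byte sequence, 1 byte payload length, payload zero-padded
to a 64-byte report) is an assumption chosen for this example.
"""
from typing import Callable, Iterable, List

REPORT_LEN = 64      # assumed report size (full-speed interrupt endpoint maximum)
HEADER_LEN = 3       # flags, sequence number, payload length
FLAG_LAST = 0x01     # set on the final report of a message


def encode_frames(payload: bytes, report_len: int = REPORT_LEN) -> List[bytes]:
    """Split a message into zero-padded fixed-size reports with a small header."""
    chunk = report_len - HEADER_LEN
    if chunk <= 0 or chunk > 255:
        raise ValueError("report_len must leave 1..255 payload bytes")
    pieces = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    frames = []
    for seq, piece in enumerate(pieces):
        flags = FLAG_LAST if seq == len(pieces) - 1 else 0
        header = bytes([flags, seq & 0xFF, len(piece)])
        frames.append(header + piece + b"\x00" * (chunk - len(piece)))
    return frames


def decode_frames(frames: Iterable[bytes]) -> bytes:
    """Reassemble one message, checking sequence continuity and the LAST flag.

    A missing or reordered report is reported as an error rather than silently
    producing a corrupted command or truncated output.
    """
    out = bytearray()
    expected = 0
    for frame in frames:
        if len(frame) < HEADER_LEN:
            raise ValueError("short report")
        flags, seq, length = frame[0], frame[1], frame[2]
        if seq != expected & 0xFF:
            raise ValueError(f"out-of-order report: got {seq}, expected {expected & 0xFF}")
        if length > len(frame) - HEADER_LEN:
            raise ValueError("length field exceeds report size")
        out += frame[HEADER_LEN:HEADER_LEN + length]
        expected += 1
        if flags & FLAG_LAST:
            return bytes(out)
    raise ValueError("message truncated: no LAST flag seen")


def host_stub(incoming: Iterable[bytes], run: Callable[[str], str]) -> List[bytes]:
    """The on-host stub's whole job: reassemble a command, run it, frame the output back."""
    command = decode_frames(incoming).decode()
    return encode_frames(run(command).encode())


def device_round_trip(command: str, run: Callable[[str], str]) -> str:
    """Device side: frame the command, hand the reports to the stub, reassemble the reply."""
    reports_to_host = encode_frames(command.encode())
    reports_from_host = host_stub(reports_to_host, run)
    return decode_frames(reports_from_host).decode()


# Constructed stand-in for command execution so the example runs offline
# (no real shell is invoked).
FAKE_FS = {"/": "bin etc home var", "/etc": "hosts passwd ssh"}


def fake_shell(cmd: str) -> str:
    parts = cmd.split()
    if parts[:1] == ["ls"]:
        return FAKE_FS.get(parts[1] if len(parts) > 1 else "/", "no such directory")
    return "unknown command: " + cmd


if __name__ == "__main__":
    print(device_round_trip("ls /etc", fake_shell))
```

The point of the sequence and LAST checks is that a report-based channel has no stream semantics: if the host's HID stack drops or coalesces a report, the stub must notice rather than execute half a command. In a real device the `host_stub` call would be replaced by writes and reads on the HID interrupt endpoints, and the device would forward the reassembled bytes over its own Wi-Fi/3G/Bluetooth link, so nothing touches the host's network.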

Our hope is that the tools will provide a method of demonstrating the risk of physical bypasses of software security without an NSA budget, and encourage defences to be built in this area.

[1] "10 Immutable Laws of Security" https://technet.microsoft.com/library/cc722487.aspx
[2] "Physical memory attacks via Firewire/DMA - Part 1: Overview and Mitigation" https://web.archive.org/web/20160304055745/http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation
[3] "Thunderstrike 2" https://trmm.net/Thunderstrike_2
[4] "Evil Maid goes after TrueCrypt!" http://theinvisiblethings.blogspot.co.za/2009/10/evil-maid-goes-after-truecrypt.html
[5] "Turning USB peripherals into BadUSB" https://srlabs.de/badusb/
[6] "Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic" http://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/
[7] "How bank hackers stole £1.25 million with a simple piece of computer hardware" https://www.grahamcluley.com/2014/04/bank-hackers-hardware/
[8] "Apple vs FBI" https://www.apple.com/customer-letter/
[9] "Users Really Do Plug in USB Drives They Find" https://zakird.com/papers/usb.pdf
[10] "The Design of a Secure Internet Gateway" http://www.cheswick.com/ches/papers/gateway.pdf
[11] "USB Rubber Ducky Wiki" http://usbrubberducky.com/
[12] "USBDriveBy" http://samy.pl/usbdriveby/
[13] "Cylance, Math vs Malware" https://cdn2.hubspot.net/hubfs/270968/All_Web_Assets/White_Papers/MathvsMalware.pdf
[14] "Carbon Black, Next Generation Endpoint Security" https://www.carbonblack.com/wp-content/uploads/2016/03/2016_cb_wp_next_gen_endpoint_security_small.pdf
[15] "NSA Playset, TURNIPSCHOOL" http://www.nsaplayset.org/turnipschool
[16] "Facedancer2" http://goodfet.sourceforge.net/hardware/facedancer21/
[17] "The Shikra" http://int3.cc/products/the-shikra

Rogan Dawes

Rogan Dawes is a senior researcher at SensePost and has been hacking since 1998, which, coincidentally, is also the time he settled on a final wardrobe. He used the time he saved on choosing outfits to live up to his colleagues’ frequent joke that he has an offline copy of the Internet in his head. Rogan spent many years building web application assessment tools, and is credited as having built one of the first and most widely used intercepting proxies: WebScarab. In recent years, Rogan has turned his attentions towards hardware hacking, and these days many suspect him to be at least part cyborg. A good conversation starter is to ask him where he keeps his JTAG header.

Dominic White

Dominic White is the CTO of SensePost, an information security company based in South Africa and London. He has worked in the industry for 12 years. He tweets as @singe.
