SlideShare a Scribd company logo

USB: Undermining Security Barriers

NCC Group
NCC Group
Technology
1 of 33
Download to read offline
NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com 04/08/2011
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
USB – it’s everywhere! • PCs • Tablets • Cameras • TVs • Cable / Satellite set-top-boxes • Telephones • Microwave ovens!
USB Primer - Architecture • The aim of USB was to find a solution to the mixture of connection methods to the PC • Currently three speeds of data transfer (USB 2.0): • Low – 1.5Mbps (keyboard, mouse etc.) • Full – 12Mbps (originally for all other devices) • High – 480Mbps (developed in response to FireWire) • Architecture is a tiered star topology: • Single host controller and up to 127 slave devices • A device can be plugged into a hub, and that hub can be plugged into another hub and so on. The maximum number of tiers permitted is six  Host is Master - all communications on this bus are initiated by the host  Devices cannot communicate directly with other devices (except for USB On-The-Go protocol)
USB Primer - Terminology • The USB bus • When the host is transmitting a packet of data, it is sent to every device connected to an enabled port. It travels downwards via each hub in the chain which resynchronises the data transitions as it relays it. Only one device, the addressed one, actually accepts the data • Endpoints • Each USB device has a number of endpoints. Each endpoint is a source or sink of data. A device can have up to 16 OUT and 16 IN endpoints. • OUT always means from host to device. • IN always means from device to host. • Endpoint 0 is a special case which is a combination of endpoint 0 OUT and endpoint 0 IN, and is used for controlling the device. • Pipe • A logical data connection between the host and a particular endpoint, in which we ignore the lower level mechanisms for actually achieving the data transfers.
USB Primer – More Terminology • Configurations, Interfaces, and Endpoints • The device contains a number of descriptors (as shown to the right) which help to define the device’s capabilities • A device can have more than one configuration, though only one at a time, and to change configuration the whole device would have to stop functioning • A device can have one or more interfaces. Each interface can have a number of endpoints and represents a functional unit belonging to a particular class • Each endpoint is a source or sink of data
USB Primer – plugging in a device • Pull-up resistor on data line – Indicates device was connected (reset device) • Get Device descriptor – what’s the max packet size? – address 0 • Reset then Set Address - for the rest of the communications use this address • Get Device descriptor – What are the device basic capabilities? • Get Configuration descriptor – What are the configuration details? • Interface descriptors • Endpoint descriptors • HID descriptors • Get String descriptors – Get string language + product name etc. • Set Configuration – Configuration is chosen – the device can be used • Class-specific communication - from this point onwards HCI Driver USB Bus Driver USB Device Driver
USB Primer – Example descriptor A typical Device Descriptor
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Various approaches to interface fuzzing  Rafael Dominguez Vega used a number of different approaches including USB over IP, QEMU and a microcontroller to discover Linux- based USB vulnerabilities in String descriptors  David Dewey and Darrin Barrall used an SL811 USB controller to discover a heap overflow in Windows XP  Moritz Jodeit emulated USB devices in software and with a Netchip NET2280 peripheral controller  Tobias Mueller used virtualisation techniques with QEMU to identify USB vulnerabilities in a number of different operating systems  Jon Larimer investigated USB drive security and associated file system vulnerabilities in Windows and Linux
Difficulties in testing USB • Black box Testing of drivers for interfaces on embedded systems can be tough: • No low-level view of the firmware • Hard to debug • Hard to hook into firmware • Testing some interfaces is tough using conventional approaches: • Getting a PC to pretend to be a USB device requires some serious driver development – need to turn the root hub into a USB device.
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
USB vulnerability classes • Stack overflows • String descriptors in Linux and Windows XP • Solaris 11 Express hub-class descriptor • Integer and Heap overflows • Sony PS3 hub-class descriptors • Apple iPod Touch jailbreak “0xA1,1” USB control message • Xbox 360 image-class descriptors • Null-pointer dereference (exploitable) • Apple iPhone jailbreak “0x21,2” USB control message • Logic errors • Windows 7 HID report descriptors
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Phase one - FuzzBox • Arduino microcontroller • Fuzzer written in C++ • Only emulates USB HID devices • Only allows semi-automated fuzzing • Has found bugs in: • Windows 7 • Windows XP • OS X • Limitations – not really fast enough to emulate most USB devices
FuzzBox details Simple circuit to interface with an Arduino: Driver code had already been written to emulate a HID device: http://code.google.com/p/vusb-for-arduino/
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Packet Master USB500 AG • Dedicated USB test equipment hardware • USB capture and playback • Emulates any USB host or device • Understands and analyses the different USB device classes • Uses a scripting language to generate USB traffic • Costs approx. US$1200 (plus specific class analysis options) • Limitations – doesn’t currently have a software API to control it
GraphicUSB – Capture and Analysis
GraphicUSB – Generator Scripts
So what can we fuzz? USB hosts: • The Device Descriptor (HCI driver) • String Descriptors (HCI driver / USB device drivers) • The Configuration Descriptor: Interface Descriptor (USB device driver) • The Configuration Descriptor: Endpoint Descriptor (USB device driver) • Class-specific descriptors e.g. HID Report Descriptor (USB device driver) • Class-specific communication (USB device driver and client software) USB devices: • Host -> device USB control messages
Why the new approach is different Device and Platform Independent: • Previous approaches have mainly focussed on either testing or emulating specific devices or hosts • We don’t care (for the most part) what the host or device is • If we understand USB and where vulnerabilities may be present then we can use a black-box fuzzing approach • It certainly produces results…
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Frisbee – the USB fuzzer • GraphicUSB currently has no API for controlling it • Frisbee modifies the GraphicUSB generator script created from a capture • The generator script must be loaded, compiled then executed to generate USB traffic • Frisbee uses the SendKeys Python library to inject Windows events into GraphicUSB • Although this is slow, the HCI driver needs time to identify a device, which has ostensibly just been plugged in • The host under test is connected to the same Ethernet network as the host running Frisbee and is periodically pinged to identify if the host has crashed
NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Demos
What have we found so far? • HID class descriptor memory corruption in Windows 7 • Hub class descriptor stack overflow in Solaris 11Express • Printer class communication memory corruption in Solaris 11Express • Image class communication memory corruption in Solaris 11Express • Image class communication integer overflows in Microsoft Xbox 360 • Image class descriptor memory corruption in Apple OS X
Why are USB vulnerabilities still prevalent? • Some vendors don’t seem to view USB vulnerabilities as a security issue Quote from vendor x: “Thank you for sending this to us. This is something that I will definitely pass on, however since this requires physical access its not something that we will fix in a security update” • The knowledge of how to emulate USB devices is not widespread Quote from vendor y: “We think we’ve fixed this issue, but we’ll need to get you to test it as we don’t have the ability to replicate your attack”
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
The impact of exploiting USB Typical scenarios of exploiting USB vulnerabilities: • “Jailbreaking” embedded devices • Unlocking a locked workstation • Installing malware in seconds • Exfiltrating sensitive data in seconds • What about Endpoint Protection Systems?...
Endpoint Protection software Endpoint protection software: • Lumension (formerly Sanctuary) - Device Control • CoSoSys – Endpoint Protector • DeviceLock - Endpoint DLP Suite They work higher up the USB stack than many USB driver vulnerabilities exist Exploitable USB driver vulnerabilities will often circumvent them Some of the vulnerabilities we have discovered, when exploited will circumvent Endpoint Protection Software
Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
Conclusion • There are still plenty of USB vulnerabilities out there – many of which will be exploitable • Even though limited physical access is required, USB vulnerabilities still constitute a serious security risk • Endpoint Protection software is unlikely to protect you from many of these attacks • If you really don’t want people to exploit USB on your PCs, disable USB in the BIOS • For ultimate protection, fill the USB sockets with epoxy resin!
NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Questions? Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com

Recommended

Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slides
NCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
NCC Group
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatCNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
Sam Bowne
 
CNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsCNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection Systems
Sam Bowne
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012
Philip Polstra
 
9: OllyDbg
9: OllyDbg9: OllyDbg
9: OllyDbg
Sam Bowne
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOV
Eric Vanderburg
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
CODE BLUE
 

Recommended

Docking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slidesDocking stations andy_davis_ncc_group_slides
Docking stations andy_davis_ncc_group_slides
NCC Group
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
NCC Group
 
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden ThreatCNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
CNIT 123: Ch 9: Embedded Operating Systems: The Hidden Threat
Sam Bowne
 
CNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection SystemsCNIT 123: Ch 13: Network Protection Systems
CNIT 123: Ch 13: Network Protection Systems
Sam Bowne
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012
Philip Polstra
 
9: OllyDbg
9: OllyDbg9: OllyDbg
9: OllyDbg
Sam Bowne
 
Server Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOVServer Hardening Primer - Eric Vanderburg - JURINNOV
Server Hardening Primer - Eric Vanderburg - JURINNOV
Eric Vanderburg
 
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
[CB16] Air-Gap security: State-of-the-art Attacks, Analysis, and Mitigation b...
CODE BLUE
 
CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security Professionals
Sam Bowne
 
Course 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded SystemsCourse 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded Systems
Ahmed El-Arabawy
 
Course Syllabus
Course SyllabusCourse Syllabus
Course Syllabus
Amir Villas
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINAL
Martin Evans
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
Richmond Adebiaye
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARM
Sherif Mousa
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
edavid2685
 
Embedded system design challenges
Embedded system design challenges Embedded system design challenges
Embedded system design challenges
Aditya Kamble
 
1184 Quayle
1184 Quayle1184 Quayle
1184 Quayle
Stanley F. Quayle
 
Useful USB Gadgets on Linux
Useful USB Gadgets on LinuxUseful USB Gadgets on Linux
Useful USB Gadgets on Linux
Gary Bisson
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
enSilo
 
Design of Software for Embedded Systems
Design of Software for Embedded SystemsDesign of Software for Embedded Systems
Design of Software for Embedded Systems
Peter Tröger
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium Emulation
Raghav Nayak
 
Thotcon2013
Thotcon2013Thotcon2013
Thotcon2013
Philip Polstra
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
Sam Bowne
 
Installing driver
Installing driverInstalling driver
Installing driver
Online
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
The Linux Foundation
 
Embedded system
Embedded systemEmbedded system
Embedded system
mangal das
 
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
NCC Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
NCC Group
 

More Related Content

What's hot

System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINAL
Martin Evans
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Lyon Yang
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
The Linux Foundation
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
The Linux Foundation
 

What's hot (20)

CNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security ProfessionalsCNIT 123: Ch 7: Programming for Security Professionals
CNIT 123: Ch 7: Programming for Security Professionals
 
Course 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded SystemsCourse 101: Lecture 1: Introduction to Embedded Systems
Course 101: Lecture 1: Introduction to Embedded Systems
 
Course Syllabus
Course SyllabusCourse Syllabus
Course Syllabus
 
System Hardening Recommendations_FINAL
System Hardening Recommendations_FINALSystem Hardening Recommendations_FINAL
System Hardening Recommendations_FINAL
 
Securitytools
SecuritytoolsSecuritytools
Securitytools
 
Building Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARMBuilding Embedded Linux Full Tutorial for ARM
Building Embedded Linux Full Tutorial for ARM
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Embedded system design challenges
Embedded system design challenges Embedded system design challenges
Embedded system design challenges
 
1184 Quayle
1184 Quayle1184 Quayle
1184 Quayle
 
Useful USB Gadgets on Linux
Useful USB Gadgets on LinuxUseful USB Gadgets on Linux
Useful USB Gadgets on Linux
 
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit MitigationsCaptain Hook: Pirating AVs to Bypass Exploit Mitigations
Captain Hook: Pirating AVs to Bypass Exploit Mitigations
 
Design of Software for Embedded Systems
Design of Software for Embedded SystemsDesign of Software for Embedded Systems
Design of Software for Embedded Systems
 
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon YangPractical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
Practical IoT Exploitation (DEFCON23 IoTVillage) - Lyon Yang
 
Early Software Development through Palladium Emulation
Early Software Development through Palladium EmulationEarly Software Development through Palladium Emulation
Early Software Development through Palladium Emulation
 
Thotcon2013
Thotcon2013Thotcon2013
Thotcon2013
 
Ch 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social EngineeringCh 4: Footprinting and Social Engineering
Ch 4: Footprinting and Social Engineering
 
Installing driver
Installing driverInstalling driver
Installing driver
 
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
XPDDS19: How TrenchBoot is Enabling Measured Launch for Open-Source Platform ...
 
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
XPDS16: A Paravirtualized Interface for Socket Syscalls - Dimitri Stiliadis, ...
 
Embedded system
Embedded systemEmbedded system
Embedded system
 

Viewers also liked

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
NCC Group
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
NCC Group
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
NCC Group
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
NCC Group
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
NCC Group
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
NCC Group
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
NCC Group
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
NCC Group
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key Management
NCC Group
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security
NCC Group
 
Creating value through technology
Creating value through technologyCreating value through technology
Creating value through technology
Pavan Kumar Vijay
 

Viewers also liked (20)

2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 02013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
2013 07-12 ncc-group_data_anonymisation_technical_aspects_v1 0
 
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
2012 06-19 --ncc_group_-_iet_seminar_-_mobile_apps_and_secure_by_design
 
How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)How we breach small and medium enterprises (SMEs)
How we breach small and medium enterprises (SMEs)
 
Practical SME Security on a Shoestring
Practical SME Security on a ShoestringPractical SME Security on a Shoestring
Practical SME Security on a Shoestring
 
Pki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLsPki 202 Architechture Models and CRLs
Pki 202 Architechture Models and CRLs
 
Mobile App Security: Enterprise Checklist
Mobile App Security: Enterprise ChecklistMobile App Security: Enterprise Checklist
Mobile App Security: Enterprise Checklist
 
Exploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removedExploiting appliances presentation v1.1-vids-removed
Exploiting appliances presentation v1.1-vids-removed
 
NCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios appsNCC Group 44Con Workshop: How to assess and secure ios apps
NCC Group 44Con Workshop: How to assess and secure ios apps
 
Cryptography101
Cryptography101Cryptography101
Cryptography101
 
07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products07182013 Hacking Appliances: Ironic exploits in security products
07182013 Hacking Appliances: Ironic exploits in security products
 
Cryptography - 101
Cryptography - 101Cryptography - 101
Cryptography - 101
 
Current & Emerging Cyber Security Threats
Current & Emerging Cyber Security ThreatsCurrent & Emerging Cyber Security Threats
Current & Emerging Cyber Security Threats
 
2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room2012 12-04 --ncc_group_-_mobile_threat_war_room
2012 12-04 --ncc_group_-_mobile_threat_war_room
 
Pki 201 Key Management
Pki 201 Key ManagementPki 201 Key Management
Pki 201 Key Management
 
The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security The Mobile Internet of Things and Cyber Security
The Mobile Internet of Things and Cyber Security
 
Real World Application Threat Modelling By Example
Real World Application Threat Modelling By ExampleReal World Application Threat Modelling By Example
Real World Application Threat Modelling By Example
 
Creating value through technology
Creating value through technologyCreating value through technology
Creating value through technology
 
Etapas de la planificacion
Etapas de la planificacionEtapas de la planificacion
Etapas de la planificacion
 
NUESTROS ADULTOS SE MUEVEN
NUESTROS ADULTOS SE MUEVENNUESTROS ADULTOS SE MUEVEN
NUESTROS ADULTOS SE MUEVEN
 
Corporate Social Responsibility
Corporate Social ResponsibilityCorporate Social Responsibility
Corporate Social Responsibility
 

Similar to USB: Undermining Security Barriers

Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
Luis Grangeia
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systems
DTQ4
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"
DataArt
 
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
Edge AI and Vision Alliance
 
Choosing_(and_Implem..
Choosing_(and_Implem..Choosing_(and_Implem..
Choosing_(and_Implem..
webhostingguy
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 

Similar to USB: Undermining Security Barriers (20)

Adventures in USB land
Adventures in USB landAdventures in USB land
Adventures in USB land
 
Computer Fundamentals
Computer FundamentalsComputer Fundamentals
Computer Fundamentals
 
Computer fundamental
Computer fundamentalComputer fundamental
Computer fundamental
 
USB BASIC
USB BASICUSB BASIC
USB BASIC
 
Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1 Reverse Engineering the TomTom Runner pt. 1
Reverse Engineering the TomTom Runner pt. 1
 
BadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten NohlBadUSB — On accessories that turn evil by Karsten Nohl
BadUSB — On accessories that turn evil by Karsten Nohl
 
Chapter-6_2.ppt
Chapter-6_2.pptChapter-6_2.ppt
Chapter-6_2.ppt
 
Gnu linux for safety related systems
Gnu linux for safety related systemsGnu linux for safety related systems
Gnu linux for safety related systems
 
Chapter-05-IO (2).ppt
Chapter-05-IO (2).pptChapter-05-IO (2).ppt
Chapter-05-IO (2).ppt
 
Null mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmwareNull mumbai-reversing-IoT-firmware
Null mumbai-reversing-IoT-firmware
 
Mickey, threats inside your platform final
Mickey, threats inside your platform finalMickey, threats inside your platform final
Mickey, threats inside your platform final
 
Computer system organization
Computer system organizationComputer system organization
Computer system organization
 
A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"A. Sirota "Building an Automation Solution based on Appium"
A. Sirota "Building an Automation Solution based on Appium"
 
MCB_HL_v10.pdf
MCB_HL_v10.pdfMCB_HL_v10.pdf
MCB_HL_v10.pdf
 
BadUSB, and what you should do about it
BadUSB, and what you should do about itBadUSB, and what you should do about it
BadUSB, and what you should do about it
 
Nomura UCCSC 2009
Nomura UCCSC 2009Nomura UCCSC 2009
Nomura UCCSC 2009
 
Usb
UsbUsb
Usb
 
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
“Secure Hardware Architecture for Embedded Vision,” a Presentation from Neuro...
 
Choosing_(and_Implem..
Choosing_(and_Implem..Choosing_(and_Implem..
Choosing_(and_Implem..
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 

Recently uploaded

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 

USB: Undermining Security Barriers

  • 1. NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com 04/08/2011
  • 2. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 3. USB – it’s everywhere! • PCs • Tablets • Cameras • TVs • Cable / Satellite set-top-boxes • Telephones • Microwave ovens!
  • 4. USB Primer - Architecture • The aim of USB was to find a solution to the mixture of connection methods to the PC • Currently three speeds of data transfer (USB 2.0): • Low – 1.5Mbps (keyboard, mouse etc.) • Full – 12Mbps (originally for all other devices) • High – 480Mbps (developed in response to FireWire) • Architecture is a tiered star topology: • Single host controller and up to 127 slave devices • A device can be plugged into a hub, and that hub can be plugged into another hub and so on. The maximum number of tiers permitted is six  Host is Master - all communications on this bus are initiated by the host  Devices cannot communicate directly with other devices (except for USB On-The-Go protocol)
  • 5. USB Primer - Terminology • The USB bus • When the host is transmitting a packet of data, it is sent to every device connected to an enabled port. It travels downwards via each hub in the chain which resynchronises the data transitions as it relays it. Only one device, the addressed one, actually accepts the data • Endpoints • Each USB device has a number of endpoints. Each endpoint is a source or sink of data. A device can have up to 16 OUT and 16 IN endpoints. • OUT always means from host to device. • IN always means from device to host. • Endpoint 0 is a special case which is a combination of endpoint 0 OUT and endpoint 0 IN, and is used for controlling the device. • Pipe • A logical data connection between the host and a particular endpoint, in which we ignore the lower level mechanisms for actually achieving the data transfers.
  • 6. USB Primer – More Terminology • Configurations, Interfaces, and Endpoints • The device contains a number of descriptors (as shown to the right) which help to define the device’s capabilities • A device can have more than one configuration, though only one at a time, and to change configuration the whole device would have to stop functioning • A device can have one or more interfaces. Each interface can have a number of endpoints and represents a functional unit belonging to a particular class • Each endpoint is a source or sink of data
  • 7. USB Primer – plugging in a device • Pull-up resistor on data line – Indicates device was connected (reset device) • Get Device descriptor – what’s the max packet size? – address 0 • Reset then Set Address - for the rest of the communications use this address • Get Device descriptor – What are the device basic capabilities? • Get Configuration descriptor – What are the configuration details? • Interface descriptors • Endpoint descriptors • HID descriptors • Get String descriptors – Get string language + product name etc. • Set Configuration – Configuration is chosen – the device can be used • Class-specific communication - from this point onwards HCI Driver USB Bus Driver USB Device Driver
  • 8. USB Primer – Example descriptor A typical Device Descriptor
  • 9. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 10. Various approaches to interface fuzzing  Rafael Dominguez Vega used a number of different approaches including USB over IP, QEMU and a microcontroller to discover Linux- based USB vulnerabilities in String descriptors  David Dewey and Darrin Barrall used an SL811 USB controller to discover a heap overflow in Windows XP  Moritz Jodeit emulated USB devices in software and with a Netchip NET2280 peripheral controller  Tobias Mueller used virtualisation techniques with QEMU to identify USB vulnerabilities in a number of different operating systems  Jon Larimer investigated USB drive security and associated file system vulnerabilities in Windows and Linux
  • 11. Difficulties in testing USB • Black box Testing of drivers for interfaces on embedded systems can be tough: • No low-level view of the firmware • Hard to debug • Hard to hook into firmware • Testing some interfaces is tough using conventional approaches: • Getting a PC to pretend to be a USB device requires some serious driver development – need to turn the root hub into a USB device.
  • 12. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 13. USB vulnerability classes • Stack overflows • String descriptors in Linux and Windows XP • Solaris 11 Express hub-class descriptor • Integer and Heap overflows • Sony PS3 hub-class descriptors • Apple iPod Touch jailbreak “0xA1,1” USB control message • Xbox 360 image-class descriptors • Null-pointer dereference (exploitable) • Apple iPhone jailbreak “0x21,2” USB control message • Logic errors • Windows 7 HID report descriptors
  • 14. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 15. Phase one - FuzzBox • Arduino microcontroller • Fuzzer written in C++ • Only emulates USB HID devices • Only allows semi-automated fuzzing • Has found bugs in: • Windows 7 • Windows XP • OS X • Limitations – not really fast enough to emulate most USB devices
  • 16. FuzzBox details Simple circuit to interface with an Arduino: Driver code had already been written to emulate a HID device: http://code.google.com/p/vusb-for-arduino/
  • 17. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 18. Packet Master USB500 AG • Dedicated USB test equipment hardware • USB capture and playback • Emulates any USB host or device • Understands and analyses the different USB device classes • Uses a scripting language to generate USB traffic • Costs approx. US$1200 (plus specific class analysis options) • Limitations – doesn’t currently have a software API to control it
  • 19. GraphicUSB – Capture and Analysis
  • 21. So what can we fuzz? USB hosts: • The Device Descriptor (HCI driver) • String Descriptors (HCI driver / USB device drivers) • The Configuration Descriptor: Interface Descriptor (USB device driver) • The Configuration Descriptor: Endpoint Descriptor (USB device driver) • Class-specific descriptors e.g. HID Report Descriptor (USB device driver) • Class-specific communication (USB device driver and client software) USB devices: • Host -> device USB control messages
  • 22. Why the new approach is different Device and Platform Independent: • Previous approaches have mainly focussed on either testing or emulating specific devices or hosts • We don’t care (for the most part) what the host or device is • If we understand USB and where vulnerabilities may be present then we can use a black-box fuzzing approach • It certainly produces results…
  • 23. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 24. Frisbee – the USB fuzzer • GraphicUSB currently has no API for controlling it • Frisbee modifies the GraphicUSB generator script created from a capture • The generator script must be loaded, compiled then executed to generate USB traffic • Frisbee uses the SendKeys Python library to inject Windows events into GraphicUSB • Although this is slow, the HCI driver needs time to identify a device, which has ostensibly just been plugged in • The host under test is connected to the same Ethernet network as the host running Frisbee and is periodically pinged to identify if the host has crashed
  • 25. NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Demos
  • 26. What have we found so far? • HID class descriptor memory corruption in Windows 7 • Hub class descriptor stack overflow in Solaris 11Express • Printer class communication memory corruption in Solaris 11Express • Image class communication memory corruption in Solaris 11Express • Image class communication integer overflows in Microsoft Xbox 360 • Image class descriptor memory corruption in Apple OS X
  • 27. Why are USB vulnerabilities still prevalent? • Some vendors don’t seem to view USB vulnerabilities as a security issue Quote from vendor x: “Thank you for sending this to us. This is something that I will definitely pass on, however since this requires physical access its not something that we will fix in a security update” • The knowledge of how to emulate USB devices is not widespread Quote from vendor y: “We think we’ve fixed this issue, but we’ll need to get you to test it as we don’t have the ability to replicate your attack”
  • 28. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 29. The impact of exploiting USB Typical scenarios of exploiting USB vulnerabilities: • “Jailbreaking” embedded devices • Unlocking a locked workstation • Installing malware in seconds • Exfiltrating sensitive data in seconds • What about Endpoint Protection Systems?...
  • 30. Endpoint Protection software Endpoint protection software: • Lumension (formerly Sanctuary) - Device Control • CoSoSys – Endpoint Protector • DeviceLock - Endpoint DLP Suite They work higher up the USB stack than many USB driver vulnerabilities exist Exploitable USB driver vulnerabilities will often circumvent them Some of the vulnerabilities we have discovered, when exploited will circumvent Endpoint Protection Software
  • 31. Agenda • USB Primer • Previous work • USB vulnerability classes • Phase one – Fuzzbox • Phase two – Commercial test equipment • Phase three – Frisbee • Security impact • Conclusion
  • 32. Conclusion • There are still plenty of USB vulnerabilities out there – many of which will be exploitable • Even though limited physical access is required, USB vulnerabilities still constitute a serious security risk • Endpoint Protection software is unlikely to protect you from many of these attacks • If you really don’t want people to exploit USB on your PCs, disable USB in the BIOS • For ultimate protection, fill the USB sockets with epoxy resin!
  • 33. NCC Group Plc, Manchester Technology Centre, Oxford Road, Manchester M1 7EF www.nccgroup.com Questions? Andy Davis Research Director Telephone: +44 (0) 208 401 0070 e-mail: andy.davis@ngssecure.com