SlideShare uma empresa Scribd logo

BadUSB — On accessories that turn evil by Karsten Nohl

Priyanka Aash
Priyanka Aash

This talk introduces a new form of malware that operates from controller chips inside USB devices. Peripherals can be reprogrammed in order to take control of a computer, exfiltrate data, or spy on the user. We demonstrate a full system compromise from USB and a self-replicating USB virus not detectable with current defenses. Karsten Nohl is a cryptographer and security researcher

Tecnologia
1 de 29
SRLabs  Template  v12   BadUSB  —  On  accessories  that  turn  evil   Karsten  Nohl  <nohl@srlabs.de>     Sascha  Krißler  <sascha@srlabs.de>   Jakob  Lell  <jakob@srlabs.de>  
2   Demo  1  –  USB  s&ck  takes  over   Windows  machine  
Agenda   3   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aLack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
USB  devices  are  recognized  using  several  idenPfiers   4   USB  devices   Connectors  +  hubs   Host   Root   hub   Examples   USB  thumb  drive   8  –  Mass  Storage   AA627090820000000702   0  –  Control   1  –  Data  transfers   Interface  class   End  points   Iden&fier   a.  1      –  Audio   b.  14  –  Video   Webcam   Serial  number  (opPonal)   0258A350   0  –  Control   1  –  Video  transfers   6  –  Audio  transfers   7  –  Video  interrupts  
USB  devices  are  iniPalized  in  several  steps   5   Devices  can  have   several  iden&&es   §  A  device  indicates   its  capabiliPes   through  a   descriptor     §  A  device  can  have   several   descriptors  if  it   supports  mulPple   device  classes;  like   webcam  +   microphone   §  Device  can   deregister  and   register  again  as  a   different  device   Power-­‐on  +   Firmware  init   Load  driver   Register   Set  address   Send  descriptor   Set  configuraPon   Normal  operaPon   Register  again  …   OpPonal:  deregister   Load  another   driver   USB  device   USB  plug-­‐and-­‐play  
USB  devices  include  a  micro-­‐controller,  hidden  from  the  user   6   8051  CPU   Bootloader   USB  controller   Controller   firmware   Mass  storage   Flash   The  only  part     visible  to  the  user  
Agenda   7   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aLack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
Reversing  and  patching  USB  firmware  took  2  months     8   1.  Find  leaked  firmware  and   flash  tool  on  the  net   2.  Sniff  update  communicaPon   using  Wireshark   3.  Replay  custom  SCSI   commands  used  for  updates   4.  (Reset  bricked  devices   through  short-­‐circuiPng   Flash  pins)   Document  firmware     update  process   Patch  firmware  Reverse-­‐engineer  firmware   1.  Load  into  disassembler   (complicaPon:  MMU-­‐like   memory  banking)   2.  Apply  heurisPcs:   –  Count  how  olen  funcPon   starts  match  up  with   funcPon  calls  for  different   memory  locaPon  guesses;   the  most  matches  indicate   that  you  guessed  right     –  Find  known  USB  bit  fields   such  as  descriptors   3.  Apply  standard  solware   reversing  to  find  hooking   points   1.  Add  hooks  to  firmware  to   add/change  funcPonality   2.  Custom  linker  script  compiles   C  and  assembly  code  and   injects  it  into  unused  areas  of   original  firmware   Other  possible  targets   We  focused  on  USB  sPcks,   but  the  same  approach   should  work  for:   §  External  HDDs   §  Webcams,  keyboards   §  Probably  many  more  …   A   B   C  
Agenda   9   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aKack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
10   Demo  2  –  Windows  infects  USB   s&ck  which  then  takes  over   Linux  machine  
Keyboard  emulaPon  is  enough  for  infecPon  and  privilege  escalaPon     (w/o  need  for  solware  vulnerability)   11   Challenge  –  Linux  malware  runs  with  limited  user  privileges,  but  needs    root  privileges  to  infect  further  sPcks   Approach  –  Steal  sudo  password  in  screensaver   Restart  screensaver   (or  policykit)  with   password  stealer   added  via  an   LD_PRELOAD  library     §  User  enters  password  to   unlock  screen   §  Malware  intercepts   password  and  gains  root   privileges  using  sudo  
12   Demo  3  –  Android  phone  changes   DNS  sePngs  in  Windows  
Network  traffic  can  also  be  diverted  by  “DHCP  on  USB”   13   AKack  steps   1.  USB  sPck  spoofs   Ethernet  adapter   2.  Replies  to  DHCP  query   with  DNS  server  on  the   Internet,  but  without   default  gateway   Result   3.  Internet  traffic  is  sPll  routed   through  the  normal  Wi-­‐Fi   connecPon   4.  However,  DNS  queries  are  sent  to   the  USB-­‐supplied  server,  enabling   redirecPon  aLacks   DNS  assignment  in   DHCP  over  spoofed   USB-­‐Ethernet   adapter   All  DNS   queries  go  to   aLacker’s  DNS   server  
“Can  I  charge  my  phone  on  your  laptop?”  –     Android  phones  are  the  simplest  USB  aLack  plaworm   14   Prepara&on  –  Android  comes  with  an  Ethernet-­‐ over-­‐USB  emulaPon  needing  liLle  configuraPon   AKack  –  Phone  supplies  default  route  over  USB,   effecPvely  intercepPng  all  Internet  traffic   DHCP  overrides   default  gateway   over  USB-­‐Ethernet   Computer  sends  all   Internet  traffic   through  phone   Hacked  by  the  second  factor?   Using  keyboard  emulaPon,  a   virus-­‐infected  smartphone   could  hack  into  the  USB-­‐ connected  computer.   This  compromises  the   “second  factor”  security   model  of  online  banking.     Proof-­‐of-­‐concept   released  at:   srlabs.de/badusb  
Bonus:  Virtual  Machine  break-­‐out   15   Malicious   VM   Host   1.  VM  tenant  reprograms   USB  device  (e.g.,  using   SCSI  commands)   3.  USB  device  spoofs  key   strokes,  changes  DNS,  …   2.  USB  peripherals   spawns  a  second   device  that  gets   connected  to  the   VM  host  
Boot-­‐sector  virus,  USB  style   16   Hide  rootkit  from  OS/AV.   When  an  OS  accesses  the   sPck,  only  the  USB   content  is  shown   Infect  machine  when   boo&ng.   When  the  BIOS  accesses   the  sPck,  a  secret  Linux  is   shown,  booPng  a  root  kit,   infecPng  the  machine,   and  then  booPng  from   hard  disk   Fingerprint     OS/BIOS.   Patched  USB   sPck  firmware   can  disPnguish   Win,  Mac,   Linux,  and  the   BIOS  based  on   their  USB   behavior   USB  content,   for  example   Linux  install   image   Secret  Linux   image  
17   Demo  4  –  USB  thumb  drive  emulates   keyboard  and  second  drive  to  infect   computer  during  boot  
Family  of  possible  USB  aLacks  is  large   18   More  aKack  ideas   Effect   §  External  storage  can  choose  to  hide  files   instead  of  delePng  them   §  Viruses  can  be  added  to  files  added  to  storage   §  First  access  by  virus  scanner  sees  original  file,   later  access  sees  virus   §  Emulate  a  keyboard  during  boot  and  install  a   new  BIOS  from  a  file  in  a  secret  storage  area   on  a  USB  sPck   §  Emulate  a  USB  display  to  access  security   informaPon  such  as  Captchas  and  randomly   arranged  PIN  pads   AKacks  shown   Emulate   keyboard   Hide  data  on   s&ck  or  HDD   Rewrite  data   in-­‐flight   Update  PC   BIOS   Spoof  display   Spoof   network   card   “USB  boot-­‐   sector”  virus  
Agenda   19   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aLack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
We  analyzed  the  possible  reach  of  BadUSB  from  two  perspecPves   20   Top-­‐down  analysis   BoKom-­‐up  analysis   §  Start  from  largest  USB  controller   vendors   §  Find  their  chip  families  for   popular  use  cases   §  Analyze  datasheets  and  web   sites  for  whether  chips  can  be   reprogrammed   §  Start  from  actual  hardware   §  Open  device  to  find  which  chips   are  used   §  Determine  whether  bootloader   and  firmware  storage  (e.g.  SPI   flash)  are  available   §  Try  to  find  firmware  update     tools  for  their  chips   §  5  device  classes:  Host,  Hub,   Charger,  Storage,  Peripheral   §  From  top  8  chip  vendors   §  Totaling  52  chip  families  (not   every  vendor  serves  each  class)   §  Analyzed  33  devices  from  six   device  classes:   Hub,  Input/HID,  Webcam,  SD   adapter,  SATA  adapter   §  Results  released  at   opensource.srlabs.de  
Both  analyses  suggest  that  up  to  half  of   USB  chips  are  BadUSB-­‐vulnerable   21   4   6   1   4   8   2   4   4   5   5   4   4   1   Peripheral   Storage   Charger   Hub   Host   1   4   1   2   3   3   2   4   3   4   1   5   SATA  adapter   SD  adapter   Webcam   Input   Probably  vulnerable   Top-­‐down:  Perhaps  vulnerable,     depends  on  design  /  configuraPon;     BoLom-­‐up:  more  research  needed   Unlikely  vulnerable   Top-­‐down  analysis   BoKom-­‐up  analysis  
Small  hardware  design  differences  can  determine  BadUSB-­‐ vulnerability   22   These  USB  hubs  both   contain  the  same   controller  chip   Only  one  of  them   also  contains  an   SPI  flash  that  can   store  BadUSB   modificaPons  
Recent  trends  suggest  that  BabUSB-­‐exposure  is  further  growing   23   Some  device  types  appear  more  reprogrammable  /  BadUSB-­‐vulnerable:   §  The  early  devices  of  a  new  standard  (e.g.  the  first  available  USB  3  devices)   §  Peripherals  with  special  funcPonality  (e.g.  SATA  adapter  that  can  copy  disks)   §  High-­‐end  peripherals   §  Custom-­‐tailored  chips  in  high-­‐volume  devices  were  tradiPonally  less  likely  to   be  reprogrammable;  probably  because  mask  ROMs  are  cheaper  than  Flash   §  Many  such  use  cases  are  increasingly  served  with  reprogrammable  mulP-­‐ purpose  chips,  that  realize  economies  of  scale  by  combining  applicaPons   §  USB  controllers  found  not  to  be  reprogrammable  were  missing  an  essenPal   component  for  upgrades,  such  as  bootloader  or  Flash  to  store  the  update   §  All  those  controllers  that  bring  the  essenPals  seem  to  be  upgradable   §  ProtecPon  from  malicious  updates  is  very  rare:  Only  one  (large)  chip  family   brings  fuse  bits;  none  implement  firmware  signing     Trend  1  –   Newer  and   more  complex   devices  are   more   vulnerable   Trend  2  –  Chips   become  more   versa&le,  and   thereby  more   vulnerable   Trend  3  –  Most   controllers  that   can  be   programmed   are  vulnerable   Insight  
Agenda   24   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aLack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
No  effecPve  defenses  from  USB  aLacks  exist   25   Protec&on  idea   §  USB  devices  do  not  always  have  a  unique  serial  number   §  OS’s  don’t  (yet)  have  whitelist  mechanisms   Limita&on   §  The  firmware  of  a  USB  device  can  typically  only  be  read  back   with  the  help  of  that  firmware  (if  at  all):  A  malicious  firmware   can  spoof  a  legiPmate  one   Block  cri&cal  device   classes,  block  USB   completely     §  Obvious  usability  impact   §  Very  basic  device  classes  can  be  used  for  abuse;  not  much  is   lel  of  USB  when  these  are  blocked   §  ImplementaPon  errors  may  sPll  allow  installing  unauthorized   firmware  upgrades   §  Secure  cryptography  is  hard  to  implement  on  small   microcontrollers   §  Billions  of  exisPng  devices  stay  vulnerable   Whitelist  USB  devices   Scan  peripheral   firmware  for  malware   Use  code  signing  for   firmware  updates   Disable  firmware   updates  in  hardware   §  Simple  and  effec&ve  (but  mostly  limited  to  new  devices)  
        Responsibility  for  BadUSB  miPgaPon  is  unclear   26   BadUSB  malware   becomes  more  realis&c     Fixes  are  not  yet  in  sight   No  response   from  chip   vendors   §  Sample  exploit  code   for  Phison  USB  3   controllers  was   released  by  Adam   Caudill  and  Brandon   Wilson  at  Derbycon   in  September   §  Only  miPgaPon   aLempts  right  now   are  quick  fixes  such   as  GData’s  Keyboard   Guard   §  Phison,  the  mostly  discussed  vendor,   notes  that  they  are  already  offering   beLer  chips.  Their  customers  don’t  seem   to  chose  them  olen   §  Other  affected  vendors  have  stayed  quiet   No  response   from   peripheral   vendors   §  No  affected  vendor  offers  patches  or  a   threat  advisory   §  OS  implementers  do  not  appear  to  work   on  soluPon;  with  one  excepPon:  FreeBSD   adds  an  opPon  to  switch  off  USB   enumeraPon   No  OS   vendor   response   vs.  
§  Use  the   reprogrammable   chips  for  other   applicaPons  than  USB   storage   §  The  flowswitch  /   phison  project,  for   example,  aims  for  a   low-­‐cost  USB  3   interface  for  FPGAs   USB  peripherals  can  also  be  re-­‐programmed  for  construcPve   purposes   27   Idea  2  –  Repurpose   cheap  controller  chips   Idea  1  –  Speed  up  database  queries   §  Data  can  be  parsed  on  the  sPck  before  (or  instead  of)   sending  it  back  to  the  host   §  Our  original  moPvaPon  was  to  speed  up  of  A5/1  rainbow   table  lookups  
Take  aways   28   QuesPons?    usb@srlabs.de   §  USB  peripherals  provide  for  a  versaPle   infec&on  path   §  As  long  as  USB  controllers  are  re-­‐ programmable,  USB  peripherals  should   not  be  shared  with  others   §  Once  infected  –  through  USB  or  otherwise   –  malware  can  use  peripherals  as  a  hiding   place,  hindering  system  clean-­‐up  
Scope  of  top-­‐down  analysis   The  USB  microcontroller  market  is  split  among  many  vendors   29   Microchip  (SMSC)   10%   Cypress   8%   Alcor   7%   Renesas   6%   Genesys   5%   ASMedia   5%   Phison   5%  FTDI   4%   ST-­‐E   4%   JMicron   3%   TI   3%   Silicon  MoPon   3%   Silicon   Labs   3%   Exar   2%   Displaylink   2%   Fresco   1%   PLX   1%   Via  Labs   1%   Others   26%   Wired  USB  Market  Share   (2012  Cypress  Shareholders  MeePng)   Source:  goo.gl/NtN0cf  

Recomendados

Hacking cable modems the later years
Hacking cable modems the later yearsHacking cable modems the later years
Hacking cable modems the later yearsNullbyte Security Conference
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
Windows Server 2012 Hyper-V Networking Evolved
Windows Server 2012 Hyper-V Networking Evolved Windows Server 2012 Hyper-V Networking Evolved
Windows Server 2012 Hyper-V Networking Evolved Microsoft TechNet - Belgium and Luxembourg
 
IBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Sverige
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) Chris Gates
 
Sed Introduction
Sed IntroductionSed Introduction
Sed IntroductionAnthony Magee
 
Grupo 7 seguridad en S.O
Grupo 7 seguridad en S.OGrupo 7 seguridad en S.O
Grupo 7 seguridad en S.OAlumic S.A
 
Apresentação fortinet
Apresentação fortinetApresentação fortinet
Apresentação fortinetinternetbrasil
 

Recomendados

Hacking cable modems the later years
Hacking cable modems the later yearsHacking cable modems the later years
Hacking cable modems the later yearsNullbyte Security Conference
 
Csw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCsw2017 bazhaniuk exploring_yoursystemdeeper_updated
Csw2017 bazhaniuk exploring_yoursystemdeeper_updatedCanSecWest
 
Windows Server 2012 Hyper-V Networking Evolved
Windows Server 2012 Hyper-V Networking Evolved Windows Server 2012 Hyper-V Networking Evolved
Windows Server 2012 Hyper-V Networking Evolved Microsoft TechNet - Belgium and Luxembourg
 
IBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Security Identity and Access Management - Portfolio
IBM Security Identity and Access Management - PortfolioIBM Sverige
 
WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) WeirdAAL (AWS Attack Library)
WeirdAAL (AWS Attack Library) Chris Gates
 
Sed Introduction
Sed IntroductionSed Introduction
Sed IntroductionAnthony Magee
 
Grupo 7 seguridad en S.O
Grupo 7 seguridad en S.OGrupo 7 seguridad en S.O
Grupo 7 seguridad en S.OAlumic S.A
 
Apresentação fortinet
Apresentação fortinetApresentação fortinet
Apresentação fortinetinternetbrasil
 
BKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationBKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationLinaro
 
Openstack glance
Openstack glanceOpenstack glance
Openstack glanceSHAMEEM F
 
OpenFlow Overview
OpenFlow OverviewOpenFlow Overview
OpenFlow OverviewJuniper Developer Resources Cooney
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...Microsoft Technet France
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom BoardPatrick Bellasi
 
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...Benjamin Eggerstedt
 
Yocto: Training in English
Yocto: Training in EnglishYocto: Training in English
Yocto: Training in EnglishOtavio Salvador
 
BeagleBone Black Bootloaders
BeagleBone Black BootloadersBeagleBone Black Bootloaders
BeagleBone Black BootloadersSysPlay eLearning Academy for You
 
OpenStack Glance
OpenStack GlanceOpenStack Glance
OpenStack GlanceDeepti Ramakrishna
 
App check pro_표준제안서_z
App check pro_표준제안서_zApp check pro_표준제안서_z
App check pro_표준제안서_z시온시큐리티
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Embedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmbedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmertxe Information Technologies Pvt Ltd
 
NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationFIDO Alliance
 
Plan de Seguridad en un Centro de Cómputo
Plan de Seguridad en un Centro de CómputoPlan de Seguridad en un Centro de Cómputo
Plan de Seguridad en un Centro de Cómputossuserdd0f8d
 
VMware Advance Troubleshooting Workshop - Day 4
VMware Advance Troubleshooting Workshop - Day 4VMware Advance Troubleshooting Workshop - Day 4
VMware Advance Troubleshooting Workshop - Day 4Vepsun Technologies
 
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...Marco Cavallini
 
Portfolio y líneas de productos fortinet
Portfolio y líneas de productos fortinetPortfolio y líneas de productos fortinet
Portfolio y líneas de productos fortinetConectarnos Soluciones de Internet
 
Seguridad en Redes de comunicacion
Seguridad en Redes de comunicacionSeguridad en Redes de comunicacion
Seguridad en Redes de comunicacionWilliam Matamoros
 
Modelos de seguridad de la información
Modelos de seguridad de la informaciónModelos de seguridad de la información
Modelos de seguridad de la informaciónluisrobles17
 
DerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouDerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouAdam Caudill
 
BadUSB, and what you should do about it
BadUSB, and what you should do about itBadUSB, and what you should do about it
BadUSB, and what you should do about itrobertfisk
 

Mais conteúdo relacionado

Mais procurados

BKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationBKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationLinaro
 
Openstack glance
Openstack glanceOpenstack glance
Openstack glanceSHAMEEM F
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux SystemJian-Hong Pan
 
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...Microsoft Technet France
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom BoardPatrick Bellasi
 
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...Benjamin Eggerstedt
 
Yocto: Training in English
Yocto: Training in EnglishYocto: Training in English
Yocto: Training in EnglishOtavio Salvador
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationFIDO Alliance
 
Plan de Seguridad en un Centro de Cómputo
Plan de Seguridad en un Centro de CómputoPlan de Seguridad en un Centro de Cómputo
Plan de Seguridad en un Centro de Cómputossuserdd0f8d
 
VMware Advance Troubleshooting Workshop - Day 4
VMware Advance Troubleshooting Workshop - Day 4VMware Advance Troubleshooting Workshop - Day 4
VMware Advance Troubleshooting Workshop - Day 4Vepsun Technologies
 
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...Marco Cavallini
 
Seguridad en Redes de comunicacion
Seguridad en Redes de comunicacionSeguridad en Redes de comunicacion
Seguridad en Redes de comunicacionWilliam Matamoros
 
Modelos de seguridad de la información
Modelos de seguridad de la informaciónModelos de seguridad de la información
Modelos de seguridad de la informaciónluisrobles17
 

Mais procurados (20)

BKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 VirtualizationBKK16-504 Running Linux in EL2 Virtualization
BKK16-504 Running Linux in EL2 Virtualization
 
Openstack glance
Openstack glanceOpenstack glance
Openstack glance
 
OpenFlow Overview
OpenFlow OverviewOpenFlow Overview
OpenFlow Overview
 
Launch the First Process in Linux System
Launch the First Process in Linux SystemLaunch the First Process in Linux System
Launch the First Process in Linux System
 
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...
Tout sur les solutions de Haute Disponibilité et Disaster Recovery de SQL Ser...
 
Linux Porting to a Custom Board
Linux Porting to a Custom BoardLinux Porting to a Custom Board
Linux Porting to a Custom Board
 
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...
Alcatel-Lucent OmniSwitch 6860/E AOS 8.1.1 Access Guardian and BYOD configura...
 
Yocto: Training in English
Yocto: Training in EnglishYocto: Training in English
Yocto: Training in English
 
BeagleBone Black Bootloaders
BeagleBone Black BootloadersBeagleBone Black Bootloaders
BeagleBone Black Bootloaders
 
OpenStack Glance
OpenStack GlanceOpenStack Glance
OpenStack Glance
 
App check pro_표준제안서_z
App check pro_표준제안서_zApp check pro_표준제안서_z
App check pro_표준제안서_z
 
Container security
Container securityContainer security
Container security
 
Embedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernelEmbedded Linux Kernel - Build your custom kernel
Embedded Linux Kernel - Build your custom kernel
 
NIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO AuthenticationNIST 800-63 Guidance & FIDO Authentication
NIST 800-63 Guidance & FIDO Authentication
 
Plan de Seguridad en un Centro de Cómputo
Plan de Seguridad en un Centro de CómputoPlan de Seguridad en un Centro de Cómputo
Plan de Seguridad en un Centro de Cómputo
 
VMware Advance Troubleshooting Workshop - Day 4
VMware Advance Troubleshooting Workshop - Day 4VMware Advance Troubleshooting Workshop - Day 4
VMware Advance Troubleshooting Workshop - Day 4
 
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...
Marco Cavallini @ LinuxLab 2018 : Workshop Yocto Project, an automatic genera...
 
Portfolio y líneas de productos fortinet
Portfolio y líneas de productos fortinetPortfolio y líneas de productos fortinet
Portfolio y líneas de productos fortinet
 
Seguridad en Redes de comunicacion
Seguridad en Redes de comunicacionSeguridad en Redes de comunicacion
Seguridad en Redes de comunicacion
 
Modelos de seguridad de la información
Modelos de seguridad de la informaciónModelos de seguridad de la información
Modelos de seguridad de la información
 

Destaque

DerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouDerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouAdam Caudill
 
BadUSB, and what you should do about it
BadUSB, and what you should do about itBadUSB, and what you should do about it
BadUSB, and what you should do about itrobertfisk
 
ATP Technology Pillars
ATP Technology PillarsATP Technology Pillars
ATP Technology PillarsPriyanka Aash
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) Priyanka Aash
 
Keynote Session : The Non - Evolution of Security
Keynote Session : The Non - Evolution of SecurityKeynote Session : The Non - Evolution of Security
Keynote Session : The Non - Evolution of SecurityPriyanka Aash
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Priyanka Aash
 
Keynote Session : Emerging Healthcare Tech & Future Security Impact
Keynote Session : Emerging Healthcare Tech & Future Security ImpactKeynote Session : Emerging Healthcare Tech & Future Security Impact
Keynote Session : Emerging Healthcare Tech & Future Security ImpactPriyanka Aash
 
Workshop on Endpoint Memory Forensics
Workshop on Endpoint Memory ForensicsWorkshop on Endpoint Memory Forensics
Workshop on Endpoint Memory ForensicsPriyanka Aash
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCPriyanka Aash
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security ArchitecturePriyanka Aash
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Keynote Session : Internet Of Things (IOT) Security Taskforce
Keynote Session : Internet Of Things (IOT) Security TaskforceKeynote Session : Internet Of Things (IOT) Security Taskforce
Keynote Session : Internet Of Things (IOT) Security TaskforcePriyanka Aash
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security ArchitecturePriyanka Aash
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Priyanka Aash
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeSounil Yu
 
Keynote Session : Kill The Password
Keynote Session : Kill The PasswordKeynote Session : Kill The Password
Keynote Session : Kill The PasswordPriyanka Aash
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat ModelingPriyanka Aash
 

Destaque (20)

DerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For YouDerbyCon 2014 - Making BadUSB Work For You
DerbyCon 2014 - Making BadUSB Work For You
 
BadUSB, and what you should do about it
BadUSB, and what you should do about itBadUSB, and what you should do about it
BadUSB, and what you should do about it
 
SACON Orientation
SACON OrientationSACON Orientation
SACON Orientation
 
ATP Technology Pillars
ATP Technology PillarsATP Technology Pillars
ATP Technology Pillars
 
NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF) NIST Critical Security Framework (CSF)
NIST Critical Security Framework (CSF)
 
Keynote Session : The Non - Evolution of Security
Keynote Session : The Non - Evolution of SecurityKeynote Session : The Non - Evolution of Security
Keynote Session : The Non - Evolution of Security
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
 
Keynote Session : Emerging Healthcare Tech & Future Security Impact
Keynote Session : Emerging Healthcare Tech & Future Security ImpactKeynote Session : Emerging Healthcare Tech & Future Security Impact
Keynote Session : Emerging Healthcare Tech & Future Security Impact
 
Workshop on Endpoint Memory Forensics
Workshop on Endpoint Memory ForensicsWorkshop on Endpoint Memory Forensics
Workshop on Endpoint Memory Forensics
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
SOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
 
From Business Architecture to Security Architecture
From Business Architecture to Security ArchitectureFrom Business Architecture to Security Architecture
From Business Architecture to Security Architecture
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Keynote Session : Internet Of Things (IOT) Security Taskforce
Keynote Session : Internet Of Things (IOT) Security TaskforceKeynote Session : Internet Of Things (IOT) Security Taskforce
Keynote Session : Internet Of Things (IOT) Security Taskforce
 
Enterprise Security Architecture
Enterprise Security ArchitectureEnterprise Security Architecture
Enterprise Security Architecture
 
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
Understanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor LandscapeUnderstanding the Cyber Security Vendor Landscape
Understanding the Cyber Security Vendor Landscape
 
Keynote Session : Kill The Password
Keynote Session : Kill The PasswordKeynote Session : Kill The Password
Keynote Session : Kill The Password
 
Application Threat Modeling
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
 

Semelhante a BadUSB — On accessories that turn evil by Karsten Nohl

Алексей Мисник - USB устройства для пентеста
Алексей Мисник - USB устройства для пентестаАлексей Мисник - USB устройства для пентеста
Алексей Мисник - USB устройства для пентестаHackIT Ukraine
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)Michael Smith
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security BarriersNCC Group
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]RootedCON
 
Redteaming HID attacks
Redteaming HID attacksRedteaming HID attacks
Redteaming HID attacksJuan Espin
 
Starting Raspberry Pi
Starting Raspberry PiStarting Raspberry Pi
Starting Raspberry PiLloydMoore
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
computer archtecture lab, computer hardware , problem and solutons in computer
computer archtecture lab, computer hardware , problem and solutons in computercomputer archtecture lab, computer hardware , problem and solutons in computer
computer archtecture lab, computer hardware , problem and solutons in computerGS Kosta
 
Unix Security
Unix SecurityUnix Security
Unix Securityreplay21
 
Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 201244CON
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsShakacon
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisTamas K Lengyel
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsNCC Group
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
 

Semelhante a BadUSB — On accessories that turn evil by Karsten Nohl (20)

Алексей Мисник - USB устройства для пентеста
Алексей Мисник - USB устройства для пентестаАлексей Мисник - USB устройства для пентеста
Алексей Мисник - USB устройства для пентеста
 
BAD USB 2.0
BAD USB 2.0BAD USB 2.0
BAD USB 2.0
 
Presentación1
Presentación1Presentación1
Presentación1
 
DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)DefCon 2012 - Hardware Backdooring (Slides)
DefCon 2012 - Hardware Backdooring (Slides)
 
USB: Undermining Security Barriers
USB: Undermining Security BarriersUSB: Undermining Security Barriers
USB: Undermining Security Barriers
 
Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]Joxean Koret - Database Security Paradise [Rooted CON 2011]
Joxean Koret - Database Security Paradise [Rooted CON 2011]
 
Redteaming HID attacks
Redteaming HID attacksRedteaming HID attacks
Redteaming HID attacks
 
Starting Raspberry Pi
Starting Raspberry PiStarting Raspberry Pi
Starting Raspberry Pi
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
computer archtecture lab, computer hardware , problem and solutons in computer
computer archtecture lab, computer hardware , problem and solutons in computercomputer archtecture lab, computer hardware , problem and solutons in computer
computer archtecture lab, computer hardware , problem and solutons in computer
 
Notes for LX0-101 Linux
Notes for LX0-101 Linux Notes for LX0-101 Linux
Notes for LX0-101 Linux
 
Unix Security
Unix SecurityUnix Security
Unix Security
 
J+s
J+sJ+s
J+s
 
Polstra 44con2012
Polstra 44con2012Polstra 44con2012
Polstra 44con2012
 
Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012Hacking and Forensics on the Go - 44CON 2012
Hacking and Forensics on the Go - 44CON 2012
 
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan BalazsHacking Highly Secured Enterprise Environments by Zoltan Balazs
Hacking Highly Secured Enterprise Environments by Zoltan Balazs
 
Pitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysisPitfalls and limits of dynamic malware analysis
Pitfalls and limits of dynamic malware analysis
 
Beagle board101 esc-boston-2009b
Beagle board101 esc-boston-2009bBeagle board101 esc-boston-2009b
Beagle board101 esc-boston-2009b
 
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprintsAndy Davis' Black Hat USA Presentation Revealing embedded fingerprints
Andy Davis' Black Hat USA Presentation Revealing embedded fingerprints
 
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxLab-10 Malware Creation and Denial of Service (DoS) In t.docx
Lab-10 Malware Creation and Denial of Service (DoS) In t.docx
 

Mais de Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

Mais de Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Último

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfOverkill Security
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Orbitshub
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 

Último (20)

Cyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdfCyberprint. Dark Pink Apt Group [EN].pdf
Cyberprint. Dark Pink Apt Group [EN].pdf
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 

BadUSB — On accessories that turn evil by Karsten Nohl

  • 1. SRLabs  Template  v12   BadUSB  —  On  accessories  that  turn  evil   Karsten  Nohl  <nohl@srlabs.de>     Sascha  Krißler  <sascha@srlabs.de>   Jakob  Lell  <jakob@srlabs.de>  
  • 2. 2   Demo  1  –  USB  s&ck  takes  over   Windows  machine  
  • 3. Agenda   3   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aLack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
  • 4. USB  devices  are  recognized  using  several  idenPfiers   4   USB  devices   Connectors  +  hubs   Host   Root   hub   Examples   USB  thumb  drive   8  –  Mass  Storage   AA627090820000000702   0  –  Control   1  –  Data  transfers   Interface  class   End  points   Iden&fier   a.  1      –  Audio   b.  14  –  Video   Webcam   Serial  number  (opPonal)   0258A350   0  –  Control   1  –  Video  transfers   6  –  Audio  transfers   7  –  Video  interrupts  
  • 5. USB  devices  are  iniPalized  in  several  steps   5   Devices  can  have   several  iden&&es   §  A  device  indicates   its  capabiliPes   through  a   descriptor     §  A  device  can  have   several   descriptors  if  it   supports  mulPple   device  classes;  like   webcam  +   microphone   §  Device  can   deregister  and   register  again  as  a   different  device   Power-­‐on  +   Firmware  init   Load  driver   Register   Set  address   Send  descriptor   Set  configuraPon   Normal  operaPon   Register  again  …   OpPonal:  deregister   Load  another   driver   USB  device   USB  plug-­‐and-­‐play  
  • 6. USB  devices  include  a  micro-­‐controller,  hidden  from  the  user   6   8051  CPU   Bootloader   USB  controller   Controller   firmware   Mass  storage   Flash   The  only  part     visible  to  the  user  
  • 7. Agenda   7   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aLack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
  • 8. Reversing  and  patching  USB  firmware  took  2  months     8   1.  Find  leaked  firmware  and   flash  tool  on  the  net   2.  Sniff  update  communicaPon   using  Wireshark   3.  Replay  custom  SCSI   commands  used  for  updates   4.  (Reset  bricked  devices   through  short-­‐circuiPng   Flash  pins)   Document  firmware     update  process   Patch  firmware  Reverse-­‐engineer  firmware   1.  Load  into  disassembler   (complicaPon:  MMU-­‐like   memory  banking)   2.  Apply  heurisPcs:   –  Count  how  olen  funcPon   starts  match  up  with   funcPon  calls  for  different   memory  locaPon  guesses;   the  most  matches  indicate   that  you  guessed  right     –  Find  known  USB  bit  fields   such  as  descriptors   3.  Apply  standard  solware   reversing  to  find  hooking   points   1.  Add  hooks  to  firmware  to   add/change  funcPonality   2.  Custom  linker  script  compiles   C  and  assembly  code  and   injects  it  into  unused  areas  of   original  firmware   Other  possible  targets   We  focused  on  USB  sPcks,   but  the  same  approach   should  work  for:   §  External  HDDs   §  Webcams,  keyboards   §  Probably  many  more  …   A   B   C  
  • 9. Agenda   9   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aKack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
  • 10. 10   Demo  2  –  Windows  infects  USB   s&ck  which  then  takes  over   Linux  machine  
  • 11. Keyboard  emulaPon  is  enough  for  infecPon  and  privilege  escalaPon     (w/o  need  for  solware  vulnerability)   11   Challenge  –  Linux  malware  runs  with  limited  user  privileges,  but  needs    root  privileges  to  infect  further  sPcks   Approach  –  Steal  sudo  password  in  screensaver   Restart  screensaver   (or  policykit)  with   password  stealer   added  via  an   LD_PRELOAD  library     §  User  enters  password  to   unlock  screen   §  Malware  intercepts   password  and  gains  root   privileges  using  sudo  
  • 12. 12   Demo  3  –  Android  phone  changes   DNS  sePngs  in  Windows  
  • 13. Network  traffic  can  also  be  diverted  by  “DHCP  on  USB”   13   AKack  steps   1.  USB  sPck  spoofs   Ethernet  adapter   2.  Replies  to  DHCP  query   with  DNS  server  on  the   Internet,  but  without   default  gateway   Result   3.  Internet  traffic  is  sPll  routed   through  the  normal  Wi-­‐Fi   connecPon   4.  However,  DNS  queries  are  sent  to   the  USB-­‐supplied  server,  enabling   redirecPon  aLacks   DNS  assignment  in   DHCP  over  spoofed   USB-­‐Ethernet   adapter   All  DNS   queries  go  to   aLacker’s  DNS   server  
  • 14. “Can  I  charge  my  phone  on  your  laptop?”  –     Android  phones  are  the  simplest  USB  aLack  plaworm   14   Prepara&on  –  Android  comes  with  an  Ethernet-­‐ over-­‐USB  emulaPon  needing  liLle  configuraPon   AKack  –  Phone  supplies  default  route  over  USB,   effecPvely  intercepPng  all  Internet  traffic   DHCP  overrides   default  gateway   over  USB-­‐Ethernet   Computer  sends  all   Internet  traffic   through  phone   Hacked  by  the  second  factor?   Using  keyboard  emulaPon,  a   virus-­‐infected  smartphone   could  hack  into  the  USB-­‐ connected  computer.   This  compromises  the   “second  factor”  security   model  of  online  banking.     Proof-­‐of-­‐concept   released  at:   srlabs.de/badusb  
  • 15. Bonus:  Virtual  Machine  break-­‐out   15   Malicious   VM   Host   1.  VM  tenant  reprograms   USB  device  (e.g.,  using   SCSI  commands)   3.  USB  device  spoofs  key   strokes,  changes  DNS,  …   2.  USB  peripherals   spawns  a  second   device  that  gets   connected  to  the   VM  host  
  • 16. Boot-­‐sector  virus,  USB  style   16   Hide  rootkit  from  OS/AV.   When  an  OS  accesses  the   sPck,  only  the  USB   content  is  shown   Infect  machine  when   boo&ng.   When  the  BIOS  accesses   the  sPck,  a  secret  Linux  is   shown,  booPng  a  root  kit,   infecPng  the  machine,   and  then  booPng  from   hard  disk   Fingerprint     OS/BIOS.   Patched  USB   sPck  firmware   can  disPnguish   Win,  Mac,   Linux,  and  the   BIOS  based  on   their  USB   behavior   USB  content,   for  example   Linux  install   image   Secret  Linux   image  
  • 17. 17   Demo  4  –  USB  thumb  drive  emulates   keyboard  and  second  drive  to  infect   computer  during  boot  
  • 18. Family  of  possible  USB  aLacks  is  large   18   More  aKack  ideas   Effect   §  External  storage  can  choose  to  hide  files   instead  of  delePng  them   §  Viruses  can  be  added  to  files  added  to  storage   §  First  access  by  virus  scanner  sees  original  file,   later  access  sees  virus   §  Emulate  a  keyboard  during  boot  and  install  a   new  BIOS  from  a  file  in  a  secret  storage  area   on  a  USB  sPck   §  Emulate  a  USB  display  to  access  security   informaPon  such  as  Captchas  and  randomly   arranged  PIN  pads   AKacks  shown   Emulate   keyboard   Hide  data  on   s&ck  or  HDD   Rewrite  data   in-­‐flight   Update  PC   BIOS   Spoof  display   Spoof   network   card   “USB  boot-­‐   sector”  virus  
  • 19. Agenda   19   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aLack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
  • 20. We  analyzed  the  possible  reach  of  BadUSB  from  two  perspecPves   20   Top-­‐down  analysis   BoKom-­‐up  analysis   §  Start  from  largest  USB  controller   vendors   §  Find  their  chip  families  for   popular  use  cases   §  Analyze  datasheets  and  web   sites  for  whether  chips  can  be   reprogrammed   §  Start  from  actual  hardware   §  Open  device  to  find  which  chips   are  used   §  Determine  whether  bootloader   and  firmware  storage  (e.g.  SPI   flash)  are  available   §  Try  to  find  firmware  update     tools  for  their  chips   §  5  device  classes:  Host,  Hub,   Charger,  Storage,  Peripheral   §  From  top  8  chip  vendors   §  Totaling  52  chip  families  (not   every  vendor  serves  each  class)   §  Analyzed  33  devices  from  six   device  classes:   Hub,  Input/HID,  Webcam,  SD   adapter,  SATA  adapter   §  Results  released  at   opensource.srlabs.de  
  • 21. Both  analyses  suggest  that  up  to  half  of   USB  chips  are  BadUSB-­‐vulnerable   21   4   6   1   4   8   2   4   4   5   5   4   4   1   Peripheral   Storage   Charger   Hub   Host   1   4   1   2   3   3   2   4   3   4   1   5   SATA  adapter   SD  adapter   Webcam   Input   Probably  vulnerable   Top-­‐down:  Perhaps  vulnerable,     depends  on  design  /  configuraPon;     BoLom-­‐up:  more  research  needed   Unlikely  vulnerable   Top-­‐down  analysis   BoKom-­‐up  analysis  
  • 22. Small  hardware  design  differences  can  determine  BadUSB-­‐ vulnerability   22   These  USB  hubs  both   contain  the  same   controller  chip   Only  one  of  them   also  contains  an   SPI  flash  that  can   store  BadUSB   modificaPons  
  • 23. Recent  trends  suggest  that  BabUSB-­‐exposure  is  further  growing   23   Some  device  types  appear  more  reprogrammable  /  BadUSB-­‐vulnerable:   §  The  early  devices  of  a  new  standard  (e.g.  the  first  available  USB  3  devices)   §  Peripherals  with  special  funcPonality  (e.g.  SATA  adapter  that  can  copy  disks)   §  High-­‐end  peripherals   §  Custom-­‐tailored  chips  in  high-­‐volume  devices  were  tradiPonally  less  likely  to   be  reprogrammable;  probably  because  mask  ROMs  are  cheaper  than  Flash   §  Many  such  use  cases  are  increasingly  served  with  reprogrammable  mulP-­‐ purpose  chips,  that  realize  economies  of  scale  by  combining  applicaPons   §  USB  controllers  found  not  to  be  reprogrammable  were  missing  an  essenPal   component  for  upgrades,  such  as  bootloader  or  Flash  to  store  the  update   §  All  those  controllers  that  bring  the  essenPals  seem  to  be  upgradable   §  ProtecPon  from  malicious  updates  is  very  rare:  Only  one  (large)  chip  family   brings  fuse  bits;  none  implement  firmware  signing     Trend  1  –   Newer  and   more  complex   devices  are   more   vulnerable   Trend  2  –  Chips   become  more   versa&le,  and   thereby  more   vulnerable   Trend  3  –  Most   controllers  that   can  be   programmed   are  vulnerable   Insight  
  • 24. Agenda   24   §  USB  background   §  Reprogramming  peripherals   §  BadUSB  aLack  scenarios   §  BadUSB  exposure   §  Defenses  and  next  steps  
  • 25. No  effecPve  defenses  from  USB  aLacks  exist   25   Protec&on  idea   §  USB  devices  do  not  always  have  a  unique  serial  number   §  OS’s  don’t  (yet)  have  whitelist  mechanisms   Limita&on   §  The  firmware  of  a  USB  device  can  typically  only  be  read  back   with  the  help  of  that  firmware  (if  at  all):  A  malicious  firmware   can  spoof  a  legiPmate  one   Block  cri&cal  device   classes,  block  USB   completely     §  Obvious  usability  impact   §  Very  basic  device  classes  can  be  used  for  abuse;  not  much  is   lel  of  USB  when  these  are  blocked   §  ImplementaPon  errors  may  sPll  allow  installing  unauthorized   firmware  upgrades   §  Secure  cryptography  is  hard  to  implement  on  small   microcontrollers   §  Billions  of  exisPng  devices  stay  vulnerable   Whitelist  USB  devices   Scan  peripheral   firmware  for  malware   Use  code  signing  for   firmware  updates   Disable  firmware   updates  in  hardware   §  Simple  and  effec&ve  (but  mostly  limited  to  new  devices)  
  • 26.         Responsibility  for  BadUSB  miPgaPon  is  unclear   26   BadUSB  malware   becomes  more  realis&c     Fixes  are  not  yet  in  sight   No  response   from  chip   vendors   §  Sample  exploit  code   for  Phison  USB  3   controllers  was   released  by  Adam   Caudill  and  Brandon   Wilson  at  Derbycon   in  September   §  Only  miPgaPon   aLempts  right  now   are  quick  fixes  such   as  GData’s  Keyboard   Guard   §  Phison,  the  mostly  discussed  vendor,   notes  that  they  are  already  offering   beLer  chips.  Their  customers  don’t  seem   to  chose  them  olen   §  Other  affected  vendors  have  stayed  quiet   No  response   from   peripheral   vendors   §  No  affected  vendor  offers  patches  or  a   threat  advisory   §  OS  implementers  do  not  appear  to  work   on  soluPon;  with  one  excepPon:  FreeBSD   adds  an  opPon  to  switch  off  USB   enumeraPon   No  OS   vendor   response   vs.  
  • 27. §  Use  the   reprogrammable   chips  for  other   applicaPons  than  USB   storage   §  The  flowswitch  /   phison  project,  for   example,  aims  for  a   low-­‐cost  USB  3   interface  for  FPGAs   USB  peripherals  can  also  be  re-­‐programmed  for  construcPve   purposes   27   Idea  2  –  Repurpose   cheap  controller  chips   Idea  1  –  Speed  up  database  queries   §  Data  can  be  parsed  on  the  sPck  before  (or  instead  of)   sending  it  back  to  the  host   §  Our  original  moPvaPon  was  to  speed  up  of  A5/1  rainbow   table  lookups  
  • 28. Take  aways   28   QuesPons?    usb@srlabs.de   §  USB  peripherals  provide  for  a  versaPle   infec&on  path   §  As  long  as  USB  controllers  are  re-­‐ programmable,  USB  peripherals  should   not  be  shared  with  others   §  Once  infected  –  through  USB  or  otherwise   –  malware  can  use  peripherals  as  a  hiding   place,  hindering  system  clean-­‐up  
  • 29. Scope  of  top-­‐down  analysis   The  USB  microcontroller  market  is  split  among  many  vendors   29   Microchip  (SMSC)   10%   Cypress   8%   Alcor   7%   Renesas   6%   Genesys   5%   ASMedia   5%   Phison   5%  FTDI   4%   ST-­‐E   4%   JMicron   3%   TI   3%   Silicon  MoPon   3%   Silicon   Labs   3%   Exar   2%   Displaylink   2%   Fresco   1%   PLX   1%   Via  Labs   1%   Others   26%   Wired  USB  Market  Share   (2012  Cypress  Shareholders  MeePng)   Source:  goo.gl/NtN0cf