Turning USB peripherals into BadUSB (A confession…)

08 Aug

There is currently a ‘stink’ about this article:

Turning USB peripherals into BadUSB

These guys appear to have put quite an amount of research into this subject and attack vector.
However, I’m disappointed by how little research and how few citations of prior work they seem to have included; even where that prior work is not based around USB devices, it is still relevant.
Then there is the ‘case’ of the third-party, publicly available code to reprogram the SAME USB device, released BEFORE their presentation.

For Example:
On Hacking MicroSD Cards

There are of course the usual follow-up articles/comments from people claiming it is nonsense, or that it is not possible to reprogram ‘cheap’ embedded controllers in USB peripherals because of cost, or because they are based around ASIC technology.

There are also security companies attempting to mitigate the predicted fallout from their customer base, claiming that they can fully… mitigate the attacks, but that they “patiently await release of the hackers’ initial research at the conference…” (Corporate divination.)

Sorry but it IS possible, and it’s EASILY possible to reprogram MANY of these devices for nefarious purposes.

Past Projects
About six years ago we already had working systems for ‘subversion’ of USB devices, and I suspect we were not the only ones; we find it unlikely that other ‘groups’ did not pick up on these attack vectors.
During our research we looked specifically at ways to ‘mitigate’ forensic recovery on USB flash drives and FireWire devices.
We had a number of attack vectors. These included blocking or contaminating the data being read (we know how you forensic types just LOVE your checksums), or inhibiting forensic write-blocker functionality (yes, Mr Policeman, the drive was full until we attempted to forensically clone it, and then all the content disappeared). We even had a system that allowed a ‘key file’ to be on the device which opened up a ‘hidden’ section of the device; the ‘key’ file was hard-erased, and access remained until power was removed from the device.

Now before I get a load of emails and comments saying “prove it”, I will point you to this:

CY3686 EZ-USB NX2LP-Flex™ Development Kit User’s Guide
AN1267 Designing a USB Keyboard with the Cypress Semiconductor CY7C63413 USB Microcontroller

Also these tools:
Various developer tools for reprogramming NAND FLASH sticks

As early as 1997 Cypress had re-programmable USB controllers; later, with their ‘Flex’ technology, they introduced complete systems consisting of an embedded Nand-Flash controller that you could/can easily reprogram. (They were not the only ones to introduce re-programmable controllers; some controllers ‘look’ for a signature in block zero of the Nand-Flash… you know… in case the ‘Rockstar programmer’ makes a mistake and the company is left with a load of ‘hard’ programmed useless silicon. Better to have a backup plan to use the chips.)
From the Cypress white papers listed above we can see that our USB Nand-Flash storage device could be:

  • Nand-Flash storage
  • Keyboard controller
  • Any PID/UID block based device

And of course the obligatory:

  • Whatever you want USB malware kit
  • Anti-forensic storage
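The composite-device case above (a ‘storage’ stick that also enumerates as a keyboard) is visible to the host at enumeration time, in the configuration descriptor the device hands over. The following is an added example, not code from the post or from Cypress: it walks a USB configuration descriptor, lists the interface classes, and flags a device that presents both a mass-storage and a HID interface. The descriptor bytes are constructed for illustration, not captured from hardware.

```python
import struct
from collections import namedtuple

# Descriptor types (USB 2.0 spec, Table 9-5) and the interface class codes for
# the two roles the post says one stick can play: mass storage and HID keyboard.
DT_CONFIGURATION, DT_INTERFACE = 0x02, 0x04
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08

Interface = namedtuple("Interface", "number cls subclass protocol endpoints")

def parse_config_descriptor(blob: bytes) -> list:
    """Walk a GET_DESCRIPTOR(CONFIGURATION) reply and return its interface
    descriptors; endpoint, HID and vendor descriptors are skipped by bLength."""
    if len(blob) < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total_len = struct.unpack_from("<H", blob, 2)[0]
    if total_len > len(blob):
        raise ValueError("wTotalLength exceeds data received")
    interfaces, pos = [], 0
    while pos + 2 <= total_len:
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > total_len:
            raise ValueError(f"malformed descriptor at offset {pos}")
        if dtype == DT_INTERFACE and length >= 9:
            num, _alt, n_ep, cls, sub, proto = blob[pos + 2:pos + 8]
            interfaces.append(Interface(num, cls, sub, proto, n_ep))
        pos += length
    return interfaces

def is_storage_with_hid(interfaces) -> bool:
    """True when one device exposes both a mass-storage and a HID interface,
    the shape a reprogrammed 'storage' stick takes when it can also type."""
    classes = {i.cls for i in interfaces}
    return CLASS_MASS_STORAGE in classes and CLASS_HID in classes

# Constructed samples, not captured from hardware. BADUSB_CONFIG: interface 0 is
# mass storage (class 08, SCSI transparent, bulk-only) with two bulk endpoints;
# interface 1 is a HID boot keyboard (03/01/01) with HID descriptor + interrupt IN.
BADUSB_CONFIG = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32"  "09 04 00 00 02 08 06 50 00"
    "07 05 81 02 00 02 00"        "07 05 02 02 00 02 00"
    "09 04 01 00 01 03 01 01 00"  "09 21 11 01 00 01 22 3F 00"
    "07 05 83 03 08 00 0A")
# PLAIN_STICK_CONFIG: the same storage interface alone (wTotalLength 0x20).
PLAIN_STICK_CONFIG = bytes.fromhex(
    "09 02 20 00 01 01 00 80 32"  "09 04 00 00 02 08 06 50 00"
    "07 05 81 02 00 02 00"        "07 05 02 02 00 02 00")
```

On a real host the same bytes come from the kernel’s enumeration (e.g. sysfs on Linux), and a policy daemon would use this check to refuse the keyboard interface on a device the user plugged in as storage.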

Cypress EVEN supplied the FULL commented source code as well as pointers to the build environment, enabling the would-be designer to write malware ‘code’ for the system/device.
So here we have a complete malware ‘code’ development kit being sold by a major purveyor of USB controllers. (Thank goodness it’s only 2014, and it’s only taken 9 years for this to be discovered by the masses.) This still gives security consultants a good 10 years to exploit this with consultancy fees. (Surely if they were any good they would have seen this already… Ahh yes, that’s right, they don’t teach this ‘material’ on those ‘certification courses’.)

Being poor back in 2007/2008, I had to use an off-the-shelf $20 USD product for the development work (available from China).
These USB controllers came in either ROM-maskable or re-programmable format (as in: download from the storage media); even Apple extensively uses the Cypress re-programmable one. (I think there is a malware paper written sometime in 2011 targeting the Apple parts that are embedded in their mice and keyboards.) And yes, these systems can be re-programmed in the field without the need for expensive equipment.

The issue was of course that it required you to release your own USB Nand-Flash products… That is, unless some cheap-assed Chinese controller suppliers actually ‘borrowed’ the Cypress design and used it for their production models. (It is an established fact that such companies NEVER rip off IP.)

The coolest feature of the re-programmable controllers is that they actually allow the binary to be downloaded FROM the Nand-Flash chip and executed; they even allow overlay programming… Now how cool is that? A whole host of different ‘templates’ that can be slid into the controller when needed, with development tools so simple even a script kiddie can throw something together…

Ignorance is bliss
The amazing thing is how little research people actually do, especially with regard to what is already FREELY available in the market from the silicon suppliers.
Personally I just wish that FireWire had caught on as much as the USB standard, because FireWire really was a fantastic system and protocol to abuse.

Other interesting ‘caveats’ can be found in the startup sequences of these USB controllers: in many cases during the initial power-up sequence, or even when the USB master controller issues a ‘bus reset’ to the USB chain to ‘cycle’ the attached controllers.

Your ass is owned
The best, however… is yet to come!!! Yes, USB 3.0: good old USB 2.0 with a shitload of newly added security issues.

You may worry that you can be ‘owned’ with USB 2.0; some of us thought that USB 2.0 re-programmable products were a disaster.

Wait until you see what you can do with USB 3.0/3.1, almost as exciting as FireWire…
Don’t even get me started about OTG.

It’s a lie manufacturers don’t do stupid things with their silicon
For all the naysayers, these new USB 3.0/3.1 devices ARE re-programmable; we have ‘chip’ samples as well as off-the-shelf ‘USB Nand-Flash storage devices’ (devices from China) that can be exploited and re-programmed in the field.

Don’t worry, there are very few in the market
The market penetration of USB 3.0 Nand-Flash devices from our current supplier is claimed to be >50,000; I would say that this figure is a conservative estimate once you consider just how many suppliers are out there and how much crap is being dumped onto eBay and other online sellers.

I’m bored, can we talk about fun with embedded SSD controllers yet?
