The document introduces USBProxy, an open source USB man-in-the-middle tool. It discusses how USB functions as a computer network and the need for a MITM tool to investigate device vulnerabilities. USBProxy works by creating reader and writer threads to relay data between a host and device in both directions, but has limitations around speed and simulating complex devices. Other solutions like the Beagle USB480 analyzer or "Bad USB" attacks on NetHunter were also mentioned.
MitM on USB -- Introduction of USBProxy --
1. MitM on USB
Introduction of USBProxy
からぼ(kalab1998{e})
October 31, 2014, 22nd "Network Packet Reading Meetup (tentative)"
2014/10/31 (c) 2014 kiyotaka@ka-lab.jp 1
2. Self Introduction
• An engineer of a software company in Aizuwakamatsu (until next Feb., and will not update)
• I'm looking for a next job very hard.
• I will found an independent researcher "KA-LAB" (It's the second choice if no one employs me).
• I have no released open source software.
• I have two projects on GitHub as follows.
  - USBProxy is forked from dominicgs/USBProxy
  - kalas is a BLAS on GPGPU for Huge Matrix
3. Is USB a computer network?
YES!
USB is a computer network
4. Is USB a computer network?
Physically, USB is a tree-structured network.
[Diagram labels: Host computer, Hub, Hub]
5. Is USB a computer network?
Logically, USB is a set of one-to-one connections from the host to each device.
[Diagram label: Host computer]
6. How to communicate on USB?
Case:
Device to Host
7. How to communicate on USB?
Case:
Host to Device
8. Where is the host computer?
Nowadays, such connections are increasing.
Are there host computers?
☆Vector Graphics has copyright of
this navigation icon.
9. Which devices are the host?
host
host
☆Vector Graphics has copyright of
this navigation icon.
10. We have an important problem.
How do we investigate vulnerabilities of such devices without any laptop?
• Hack devices such as cameras, printers, navigators, smartphones and so on.
  → It's usually very difficult.
• Electrical tap on the USB cable.
  → Next slides.
• Develop a USB Man in the Middle device.
  → Main theme for this presentation.
11. Electrical tapping on USB
http://hackaday.com/2011/03/16/usb-man-in-the-middle-adapter/
12. Electrical tapping on USB
It's very easy, but it has some big problems.
• Conflicting signals
• Not enough electric power on the signal lines
• Very susceptible to electrical noise
• Does not run on USB 2.0, per that specification
13. dominicgs/USBProxy
• The device must have two USB ports.
  - One is for connecting a host.
  - Another is for connecting a device.
• Software relaying
• Connectable USB 2.0
• Sniffable / Filterable / Injectable
• Very cheap, BeagleBone Black is about $60.0
• https://github.com/dominicgs/USBProxy
15. How to relay?
• USBProxy runs 6 kinds of threads.
  - Reader for Input EP,
  - Reader for Output EP,
  - Writer for Input EP,
  - Writer for Output EP,
  - Injection,
  - Filter
17. Relay from device to host
• The Reader for the Input EP continuously requests data from the endpoint on the device.
• When it gets data, the Reader for the Input EP sends it to the Writer for the Input EP.
• The Writer for the Input EP sends the data to the host.
18. Relay from host to device
• The Reader for the Output EP always waits for a request and data from the host.
• When it gets data, the Reader for the Output EP sends it to the Writer for the Output EP.
• The Writer for the Output EP sends the data to the endpoint on the device.
That's it. Very rough.
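A minimal model of the reader/writer relay described on slides 17 and 18, added here as an example; it is not USBProxy code. The names `reader`, `writer`, `relay`, `max_len` and `SAMPLE_IN` are hypothetical, the endpoints are simulated in memory, and filtering runs inside the writer instead of in its own thread.

```python
# Added illustration, not USBProxy code; endpoints are simulated in memory.
import queue
import threading

STOP = object()  # sentinel: tells the writer that the reader has finished

def reader(endpoint_read, relay_q):
    """Reader thread: keep polling the source endpoint, queue each packet."""
    while True:
        pkt = endpoint_read()
        if pkt is None:  # constructed convention: None means source detached
            relay_q.put(STOP)
            return
        relay_q.put(pkt)

def writer(relay_q, filters, endpoint_write, log):
    """Writer thread: apply filters, record, then send to the far side."""
    while (pkt := relay_q.get()) is not STOP:
        for f in filters:
            pkt = f(pkt)
            if pkt is None:  # a filter dropped this packet
                break
        else:
            log.append(pkt)  # sniffing point: what actually crossed the proxy
            endpoint_write(pkt)

def relay(packets, filters=()):
    """Relay constructed packets in one direction; return (delivered, log)."""
    source, delivered, log = iter(packets), [], []
    q = queue.Queue(maxsize=16)  # bounded: a slow writer throttles the reader
    threads = [
        threading.Thread(target=reader, args=(lambda: next(source, None), q)),
        threading.Thread(target=writer, args=(q, filters, delivered.append, log)),
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return delivered, log

def max_len(limit):
    """Filter: drop packets longer than the endpoint's max packet size."""
    return lambda pkt: pkt if len(pkt) <= limit else None

# Constructed device-to-host traffic: two 8-byte reports, one oversized packet.
SAMPLE_IN = [bytes([0, 0, 0x04, 0, 0, 0, 0, 0]), bytes(12), bytes(8)]
```

Calling `relay(SAMPLE_IN, filters=[max_len(8)])` delivers the two 8-byte packets in order and drops the 12-byte one; the same function models the host-to-device direction when given host-side packets.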
19. Notification!
• USBProxy does not simulate the USB line.
• It only simulates the endpoints of one device.
20. We still have problems
• We want to simulate more devices.
• In many cases, it fails to simulate a device.
• It can't handle some complex devices yet.
• Linux sometimes loses endpoints on a device.
• It can't detect a reset signal from a device.
• Very slow.
  - Original speed is 30.7MB/s,
  - USBProxy relay speed is 1.9MB/s.
21. Other solutions
• If you just want to sniff USB, you can use a USB protocol analyzer such as the Beagle USB480 Power.
• If you are interested in the deep side, maybe you will fall into darkness.
22. Beagle USB480 Power
• Easy to use
• Very fast, 29.8MB/s
• Cheap, just $2250.0
• Another device supports USB 3.0, just $3600.0
23. Do you want to fall in darkness?
• Kali Linux NetHunter "Bad USB" MITM Attack
• http://vimeo.com/106065667