Bad USB - A Summary Review

Based on the work completed by [1], following is my summary and review on the USB style exploit. I completed these notes as part of work in Oxford University and towards GCHQ accreditation. All comments are my own.


This is a new class of attack associated with USB devices by looking at embedded devices and associating with computer security, and by asking the question how can these embedded devices be used in a malicious way? Rather than malware stored on the USB storage device and loading the malware onto a computer, the exploit focuses on the deployment method of the malware onto a host computer; e.g. with an infected USB device even if a user were to format the device and delete files from the USB device, the exploit still remains. This exploit allows for a new avenue of deployment, effectively an undetectable launch pad for malware. The result of this exploit can be classified as a game changer, in that the exploit is persistent in nature. It is not focused on exploiting vulnerabilities with the base OS (Microsoft Windows, Mac OS etc), instead this exploit is focused on the embedded micro controller chip, and, the concept is based on re-programming this chip in a malicious manner by re-purposing a USB device, e.g. turning a mass storage USB device into a USB keyboard device. The exploit is not focused on what malware can do once installed instead the focus is on deploying this malware, as mentioned this is a new deployment method. As noted previously the game changer and persistent nature; malware scanners are ineffective for such a type of attack; as the vulnerability is not focused on malware stored "on" the USB device, as malware scanners scan the files on a mass storage device, instead this exploit is related to the firmware files on the USB device, these firmware files are
not scanned by malware scanners. As part of the USB design, the USB embedded microcontrollers informs the host computer the functions / device class it offers, these functions can range from mass storage devices to webcams, keyboards, speakers etc. A USB device can present itself to the OS as ANY device as noted by [6]. As part of the design of these USB device microcontroller chips the USB device has the ability to reregister as an option, i.e. the USB device registers with the computer as a CDROM and then re-registers as a different type of device e.g. an example use case scenario where re-registering is utilized, is a 3G style modem, initially the device registers as a CD-ROM i.e. informs the computer it is a CD-ROM, allowing a device driver to be installed; once this driver is active, the device re-registers as the 3G
modem. This re-registering step can take place at any time. Furthermore a USB device can inform the host computer it is more than one type of device as is the case with a webcam e.g. audio and video. Effectively the design of the USB technology is designing flexibility and versatility and this flexibility becomes the platform to exploit.

The process of registering and re-registering looks as follows

Identifier

The function / device class the offered by the USB device e.g. mass storage device, keyboard, webcam, speaker etc. And, as noted not limited to any single function / class.

End Points

The method of communication akin to TCP style ports, again not limited to any one function. An end point is either a control or data end point. The data end points are used to transfer data. The negotiation and registration process
outlined previously occurs on end point '0' which is the control end point.

Serial Number

USB devices can be identified by a serial number, however no fixed length exists and some USB function types do not have a mandatory requirement for serial numbers. The net result being the USB design has no reliable unique identifier. It is very difficult for a computer to know how many physical devices are
connected, as a computer has several ports each of these ports can be mapped to USB hub(s), and as each USB device can identify as more than one function, this makes it difficult to determine how many physical devices are connected i.e. no one:one mapping exists.

This exploit focuses on taking these two concepts i.e. a computer does not know how many physical devices are attached and that a USB device can re-register at any point, and by leveraging these concepts the exploit attempts to re-purpose a device as a different function, if this is possible malicious activity may now be possible.

These two concepts coupled with the ability to reprogram the firmware leads to an ability for malicious activity, e.g. if its possible to take a commodity USB mass storage device and reprogram the firmware on the controller chip to have the ability to re-register as a USB keyboard device malicious activity may now be possible. The design of the USB technology has no protection in place if the micro controller chip can be reprogrammed to present itself as a different USB function. To realize and implement this concept, the following summarizes the steps taken Initially focused on the firmware update process, the authors reviewed the process for a firmware update, by using Wireshark to sniff the traffic during a firmware update between the USB device and the firmware update. By reviewing the Wireshark dump, authors where able to determine how the firmware update process works, this identified use of custom SCSI commands. This allowed authors the ability to replay the update and begin to reverse engineer the update process, leading to the ability write own firmware update. As part of the reverse engineering process, authors determined 8051 architecture is used but had a complication, files are bigger than the defined 64KB; leading authors to understand a memory management unit was being utilized. Before continuing with the reverse engineering authors had to understand the memory mapping process. Heuristics where used to determine known bit fields with particular focus on the field descriptors, once these fields can be determined they are used as hook points, and possible to 'inject' own code into the unused empty spaces in firmware files.

Some examples where this exploit has been implemented

  • A mass storage device repurposed as a keyboard, allowing the new keyboard device type commands as if the user entered, and therefore ability to download malware from a malicious site.

  • A mass storage device repurposed as a Ethernet card, allowing the adversary define their own DNS server, and therefore allowing redirecting traffic to malicious web sites.

[1] Bad USB Blackhat presentation