2. USB devices include a microcontroller, hidden from the user
[Diagram: USB stick internals. The controller chip holds an 8051 CPU, a bootloader, the USB controller and the controller firmware; the mass-storage flash is the only part visible to the user.]
3. USB devices are initialized in several steps
Power-on
Firmware init
Load driver
Register
Set address
Send descriptor
Set configuration
Normal operation
Optional: deregister, register again, load another driver
[Diagram labels: USB device; USB plug-and-play]
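The optional deregister/register-again step is what lets a device change identity after the host has already accepted it, for example coming back as a network adapter or keyboard. As an added example that is not part of the original slides, the Python below scans kernel-style USB log lines and reports any port that re-enumerates with a different product ID or binds a class driver the previous session did not. The log lines are constructed, and the message formats and driver names are assumptions modelled on Linux kernel output.

```python
import re
from collections import defaultdict

# Patterns modelled on Linux kernel USB messages (assumed formats; adjust for your logger)
DEVICE_FOUND = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})"
)
DRIVER_BIND = re.compile(r"^(?P<driver>[\w-]+) (?P<port>\d+-[\d.]+):\d+\.\d+\b")


def parse_sessions(log_text):
    """Group log lines into enumeration sessions per physical port.
    A 'New USB device found' line opens a session; driver-bind lines
    (e.g. 'usb-storage 1-1:1.0: ...') record which class driver the host loaded."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = DEVICE_FOUND.search(line)
        if m:
            sessions[m["port"]].append({"vid": m["vid"], "pid": m["pid"], "drivers": set()})
            continue
        m = DRIVER_BIND.match(line)
        if m and sessions.get(m["port"]):
            sessions[m["port"]][-1]["drivers"].add(m["driver"])
    return sessions


def find_reenumerations(log_text):
    """Return one finding per port whose later session changed identity
    (different idVendor/idProduct) or pulled in a driver the earlier session did not."""
    findings = []
    for port, sess in parse_sessions(log_text).items():
        for prev, cur in zip(sess, sess[1:]):
            new_drivers = sorted(cur["drivers"] - prev["drivers"])
            id_changed = (cur["vid"], cur["pid"]) != (prev["vid"], prev["pid"])
            if new_drivers or id_changed:
                findings.append({
                    "port": port,
                    "was": f"{prev['vid']}:{prev['pid']}",
                    "now": f"{cur['vid']}:{cur['pid']}",
                    "new_drivers": new_drivers,
                })
    return findings


# Constructed sample log (not a real capture): port 1-1 enumerates as mass storage,
# disconnects, then comes back with a different product ID as a CDC Ethernet adapter.
SAMPLE_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=1234, idProduct=0001, bcdDevice= 1.00
usb-storage 1-1:1.0: USB Mass Storage device detected
scsi host6: usb-storage 1-1:1.0
usb 1-1: USB disconnect, device number 4
usb 1-1: new high-speed USB device number 5 using xhci_hcd
usb 1-1: New USB device found, idVendor=1234, idProduct=0002, bcdDevice= 1.00
cdc_ether 1-1:1.0 usb0: register 'cdc_ether' at usb-0000:00:14.0-1, CDC Ethernet Device, 02:00:00:00:00:01
usb 2-3: New USB device found, idVendor=5678, idProduct=0001, bcdDevice= 1.00
usb-storage 2-3:1.0: USB Mass Storage device detected
"""

if __name__ == "__main__":
    for finding in find_reenumerations(SAMPLE_LOG):
        print(finding)
```

Keying on the physical port rather than the device number is the design choice that matters: a device that deregisters and re-registers gets a fresh device number every time, so only the port ties the two sessions together. On a real host, feed the output of `dmesg` or the kernel journal into `find_reenumerations`.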
4. Reversing and patching USB firmware
Find leaked firmware
Sniff update communication using Wireshark
Replay custom SCSI commands used for updates
5. Reverse-engineer firmware
Load into disassembler
Apply heuristics
Find known USB bit fields such as descriptors
Apply standard software reversing to find hooking points
6. Patch firmware
Find leaked firmware
Sniff update communication using Wireshark
Replay custom SCSI commands used for updates
7. Network traffic can be diverted by “DHCP on USB”
Attack steps
1. USB stick spoofs Ethernet adapter
2. Replies to DHCP query with DNS server on the Internet, but without default gateway
Result
3. Internet traffic is still routed through the normal Wi-Fi connection
4. However, DNS queries are sent to the USB-supplied server, enabling redirection attacks
[Diagram: DNS assignment in DHCP over spoofed USB-Ethernet adapter; all DNS queries go to the attacker's DNS server]
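The detectable property of this attack is in the DHCP offer itself: DNS servers are supplied while the router option is absent, so the host keeps its existing default route but switches resolvers. As an added example that is not part of the original slides, the Python below decodes the RFC 2132 option field of a DHCP offer, flags an offer on a USB-attached interface that carries DNS servers but no default gateway, and applies a simple policy that only accepts resolvers from the offer that also supplies the default route. The offers, the documentation-range addresses and the `attachment` label are constructed; the function names are this example's own.

```python
import ipaddress

# RFC 2132 option codes used below
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_SUBNET, OPT_ROUTER, OPT_DNS, OPT_MSG_TYPE, OPT_END = 0, 1, 3, 6, 53, 255
DHCPOFFER = 2


def parse_dhcp_options(blob):
    """Decode the TLV option field that follows the magic cookie in a DHCP message.
    Returns {code: [raw_value, ...]}; repeated codes are kept as separate chunks."""
    if not blob.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = len(MAGIC_COOKIE)
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = blob[i + 1]
        opts.setdefault(code, []).append(blob[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def ipv4_list(opts, code):
    """Turn an address-list option (router, DNS) into dotted-quad strings."""
    out = []
    for raw in opts.get(code, []):
        for k in range(0, len(raw) - len(raw) % 4, 4):
            out.append(str(ipaddress.IPv4Address(raw[k:k + 4])))
    return out


def build_offer_options(subnet, router=None, dns=()):
    """Constructed DHCPOFFER option field, used only to make the sample inputs below."""
    body = bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
    body += bytes([OPT_SUBNET, 4]) + ipaddress.IPv4Address(subnet).packed
    if router:
        body += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    if dns:
        body += bytes([OPT_DNS, 4 * len(dns)])
        body += b"".join(ipaddress.IPv4Address(d).packed for d in dns)
    return MAGIC_COOKIE + body + bytes([OPT_END])


def assess_offer(iface, attachment, blob):
    """Flag the 'DHCP on USB' pattern: a USB-attached interface offering DNS but no gateway.
    'attachment' ('usb' or 'pci') is assumed to be derived from the interface's sysfs device path."""
    opts = parse_dhcp_options(blob)
    routers = ipv4_list(opts, OPT_ROUTER)
    dns = ipv4_list(opts, OPT_DNS)
    return {
        "iface": iface,
        "routers": routers,
        "dns": dns,
        "dns_without_gateway": attachment == "usb" and bool(dns) and not routers,
    }


def trusted_dns(assessments):
    """Mitigation policy: only take DNS servers from an offer that also supplies the default route."""
    return {a["iface"]: a["dns"] for a in assessments if a["routers"] and a["dns"]}


# Constructed sample offers (documentation-range addresses, not real captures)
WIFI_OFFER = build_offer_options("255.255.255.0", router="192.0.2.1", dns=["192.0.2.1"])
USB_OFFER = build_offer_options("255.255.255.0", router=None, dns=["198.51.100.53"])

if __name__ == "__main__":
    results = [assess_offer("wlan0", "pci", WIFI_OFFER), assess_offer("usb0", "usb", USB_OFFER)]
    for r in results:
        print(r)
    print("accepted DNS:", trusted_dns(results))
```

The same policy can be enforced by the network manager instead of a script: NetworkManager, for example, lets a connection ignore DHCP-supplied resolvers via `ipv4.ignore-auto-dns`, which is the setting to apply to any USB network interface that should never become the system resolver.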
8. The range of possible USB attacks is large
Emulate keyboard
Spoof network card
USB boot-sector virus
Hide data on stick or HDD
Rewrite data in-flight
Update PC BIOS
Spoof display
9. No effective defenses against USB attacks exist
Scan peripheral firmware for malware
Disable firmware updates in hardware