All times are UTC - 5 hours [ DST ]




Post new topic Reply to topic  [ 10 posts ] 
Author Message
 Post subject: implications of "BadUSB"
PostPosted: August 21st, 2014, 9:28 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3165
Location: Adelaide, Australia
With all this hype at the moment of BadUSB... I wonder what the implications are for Data Recovery. The situation hasn't really changed, we have been playing with USB firmwares thanks to the usual .ru sites for years. I think it is just the right time for this to surface, and actually for the last 2 years there have been similar things that didn't really get the love they deserved. Such as Travis Goodspeeds Facedancer that allows you to rip the hell out of the drivers, many of which will never get patched or updated, and Monks NAND flash talk that I don't think people realise the seriousness of. We learnt that the NSA has actually had in their catalogue a BadUSB equivalent, and much more for 2 years at least.

Which brings me to my focus - if the world is now focussing on USB vendors, what steps are they going to take to stop this kind of thing? Mix, XOR and crappy NAND is hard enough, but what happens when they can no longer put out this firmware that is so easily modified?


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 15th, 2014, 10:52 
Offline
User avatar

Joined: August 13th, 2008, 13:10
Posts: 811
Location: World
are you speaking about this projet?

http://goodfet.sourceforge.net/hardware/facedancer21/


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 15th, 2014, 12:00 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3165
Location: Adelaide, Australia
I was talking about the general idea of BadUSB type attacks, of which there has been quite a few different researchers talking about.

The actual term "BadUSB" was at a Black Hat talk this year by Karsten Nohl & Jakob Lell , "BadUSB - On Accessories that Turn Evil":
https://www.youtube.com/watch?v=nuruzFqMgIw
https://srlabs.de/badusb/

And before that, Travis Goodspeed did the project you mention, slightly different idea, you write a device in python and it runs on the facedancer, then you can use it to research Vulns in the drivers of it.

There was bunnie and Xobs talk about SD Cards, basically was the same as Karstens talk but first, and for SD Cards, with them making hardware and sniffing USB with their own built laptop.

Another talk in the same vein was Black Hat 2013 "Hiding @ Depth - Exploring, Subverting and Breaking NAND Flash memory" by Josh 'm0nk' Thomas. Basically I believe it was about messing with NAND blocks and have them lying about their status.. say they were bad when they weren't, for example.

My point is that all of these attacks are very silent. We as users have NO WAY to easily tell if the firmware on our USBs have been tampered with. We have no way of verifying if our blocks are bad or if some malware has just told them they are bad. We have no anti-malware/AV to detect if a firmware on any USB device is malware infected. The current swathe of POS terminals that have been infected should scare the bejeezus out of everyone, but you only hear about it on InfoSec podcasts and InfoSec Blogs.

So it stands to reason that something needs to be done to lock down these devices.. and this is going to make it harder for us, I guess in similar ways the WD encryption has


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 16th, 2014, 12:51 
Offline
User avatar

Joined: August 13th, 2008, 13:10
Posts: 811
Location: World
Hi HaQue!

I untherstand, i am very interesed on this project, but wehre can we start?
you are very good on flash, can you think in point to start this project?


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 16th, 2014, 13:14 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3165
Location: Adelaide, Australia
Probably start by reading bunnie and Xobs docs, watching their presentation a few times and then looking at their code repo. Also flowswitch's Phison stuff is a huge help to understand the controller. Watch all the other presentations and follow the links/hints given in each. Then get familiar with 8051 programming, and as you go, each new bit you need to learn should present itself.. Also might want to learn USB a bit and setup ways to sniff it.

For fast results, look at flowswitch's code repo for Phison, install the required packages and play around with Phisons.


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 16th, 2014, 14:24 
Offline
User avatar

Joined: August 26th, 2012, 19:18
Posts: 284
Location: England
Nice post Mr H.
This really turns my cogs

Code:
We as users have NO WAY to easily tell if the firmware on our USBs have been tampered with


TL:DR Should we play Hide or Seek?

As with most things, we are at the mercy of the journalist/translator or his boss.
We only read what "truth" they decide to tell us.
We can't even bypass them as we neither have access to the truth as it is, nor the means to verify it should we see it directly.

This kinda harks back to wiping data/drives securely, forensics and bad blocks ...
so:

What's your proposition then, Mr Haque?

1: find some way to bypass the reporting system and seek the truth ourselves, ie what is ACTUALLY on nand rather than what the intermediary tells us? (hacking/forensics)
or
2: as Mr m0nk, we seek to break the system in order to prove the cracks exist and/or subvert it to further our own goals.?
(cracking/anti-forensics)

Essentially, should we play hiders or seekers?

Either way I'll take the red pill ;)

_________________
Когда хочется кушать – съешь всё.
Голод не тётка!


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 18th, 2014, 16:06 
Offline

Joined: May 16th, 2009, 9:32
Posts: 329
Location: UNited Kingdom
Another good read is https://www.blackhat.com/docs/us-14/mat ... enefit.pdf


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 18th, 2014, 18:39 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3165
Location: Adelaide, Australia
Kern: both your points are reliant on someone(us) learning as much about the system as the adversary. Look around you as you do your shopping... or more worrying, take notice of people employed as they talk to you. Do you really see any hope? For laughs watch the reaction as you tell the checkout operator that you are worried about POS terminals and mention that for example Target had the firmware replaced on theirs to steal credit card data... I did it yesterday and she justs half giggled and said oh that's not good. Maybe the niggling seed was planted and she subconsciously thinks about it for a bit, but how is she supposed to process an further.
No.. we are screwed!


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 18th, 2014, 19:32 
Offline
User avatar

Joined: August 26th, 2012, 19:18
Posts: 284
Location: England
Quote:
Kern: both your points are reliant on someone(us) learning as much about the system as the adversary.


Couldn't agree more mate.
Getting more like The Matrix every day. Gatekeepers and those who aren't ready to be unplugged.

screwed ? Royally so.

btw, Santa been yet ? (new toys)

_________________
Когда хочется кушать – съешь всё.
Голод не тётка!


Top
 Profile  
 
 Post subject: Re: implications of "BadUSB"
PostPosted: September 18th, 2014, 19:48 
Offline
User avatar

Joined: December 4th, 2012, 1:35
Posts: 3165
Location: Adelaide, Australia
digitalferret wrote:
Couldn't agree more mate.
Getting more like The Matrix every day. Gatekeepers and those who aren't ready to be unplugged.

Good analogy, unfortunately.

digitalferret wrote:
btw, Santa been yet ? (new toys)

Yes! :-) just activating and trying first case right now.


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 10 posts ] 

All times are UTC - 5 hours [ DST ]


Who is online

Users browsing this forum: No registered users and 3 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group