Exploiting Smart-Phone USB

Connectivity For Fun And Profit!

Angelos Stavrou & Zhaohui Wang!

Department of Computer Science !
George Mason University!
Talk Outline!

  Background  –  Why  USB  a2acks?  What’s  new  here?  

  New  a2ack  vectors,  different  from  simple  USB  storage    

  Phone-­‐to-­‐Computer  A2ack  

  Computer-­‐to-­‐Phone  A2ack  

  Phone-­‐to-­‐Phone  A2ack  

  Demo  &  Discussion  Points!

  Defenses  &  Future  Work  

USB is Pervasive in Gadgets !

  All Smart-Phone devices use USB!

  Google Android Devices (HTC, Motorola, …)!
  Apple iPhone!
  Blackberry!
  Others !
!

  Multi-purpose Usage!
  Charging the Device Battery!
  Data & Media Transfer!
  Control external Devices (new capability)!

!
USB-borne Threats only focused on Auto-Mounting !
USB-borne Threats are much more complex… !

  USB  protocol  can  be  (ab)used  to  connect  *any*  

device  to  a  compuLng  plaMorm  *without*  
authenLcaLon  
 Desktops,  Laptops,  phones,  kiosks,  tables  (ipad)  

  USB  Storage  is  just  the  Lp  of  the  iceberg  and  it  is  
usually  locked-­‐down  and  scanned  by  anL-­‐virus  
and  other  defenses  
  USB  Human  Interface  Devices  (HIDs)  are  one  
class  of  devices  that  are  *much*  more  appealing  
 Keyboard/Mouse/???  on  your  Android  Phone  

 Other  USB  devices?    

USB-borne Threats are much more complex… !

Many  other  devices:  

  Ethernet/Wireless  Network  Adapter  

 No  password,  man  in  the  middle  for  your  network  

traffic  installed  as  the  default  “gateway”  
  Printer  

 Capture  all  the  documents  printed  

  JoysLc(!)  

  Biometric  USB  Reader  

 Brute  force  your  way  into  a  protected  system(?)  

 
Phone-to-Computer Attacks!
•  Program the Phone with USB Gadget API for Linux
•  Pretend to be a USB Human Interface Driver,
  Dell USB keyboard, VendorID=413C,ProductID=2105!
  Touchpad or Mouse!

•  Pre-programmed key code.

 User-lever or System-level attacks
  Anything you would imagine

•  Transparent to Victim Machine

  No Human Input or approval

HIDs are recognized automatically…

Phone-to-Computer Attacks (Cont)!
•  Traditional autorun attacks are easy but easily detectable

•  Autorun and autoplay are default since Windows XP SP2

 (MS KB967715) tries to address that

•  Flash Autoplay Content exploitation by re-enumeration

 Exploit different content (PDF, HTML, DOC, MP3)
 ReMount/unmount MMC card controlled by device

• Exploit Autoplay feature of default Media Programs

  Selectively prepare attack payload, i.e. Malicious mp3 files
targeting MacOSX iTunes, pdf targeting unpatched Adobe Reader
  Highly robust exploit, works for for a variety of programs
Computer-to-Phone Attacks!
  Gaining Root Access to the Smart Phone Device!
  Official: simulate screen tap event to the oem unlock menu on
selected devices!
  Universal: linux local root exploit (CVE-2009-1185,
RLIMIT_NPROC exhaustion) send via USB!

  Insert malicious payload!

  Kernel-level: disassemble boot partition !
  Replace kernel zimage with your own!
  Replace Applications !
!
  Remove traces by un-rooting to avoid detection!
  We can quickly cleanup, not need for traces!
  Next reboot, not traces at all!
  Very very difficult to identify, it has to happen before next reboot!
Computer-to-Phone Attacks (Cont.)!

  Kernel manipulation!
  Rootkits!

  Traffic Redirection to a known proxy!

  Data Exfiltration!

  Native ARM ELF binary !

  bypasses Android framework permissions and checks !

  A complete phone provisioning process fully

automated with evil payload!
  No application-level traces!
Phone-to-Phone Attacks - OTG!
USB(Mini) OTG Connector

  USB OTG (On-the-Go) controller !

  Capability to switch the controller and become a host or a gadget!
!
  Smart Phones are shipped with such OTG capable chipset!
  Qualcomm QSD8250, Texas Instruments OMAP 3430!
!
  The 5th pin (ID) pin identifies the function of the controller
host or gadget !
  floating ID denotes gadget, grounded ID denotes host!
Smart Phone as a Host Controller!

  Specially shorted USB mini-B dongle to signal the OTG

controller behave as a host!

  USB transgender or USB micro-A to Standard-A Female

cable.( out-of-box cable is micro-B to Standard-A Male)!
Smart Phone as a Host Controller (Cont.)!

  Power hub, for additional power supply!

  Host side software stack, UHCI/EHCI HCD driver, device

driver, userland programs!
!
USB Hacking 101!

Crucial Steps for USB Hacking:!

  Understand the USB Background (coming up)!
  Low-level “USB Hubs” VS device driver!
  Good tools to help debugging (Demo !
  Some tools are helpful but have flaws as we will show!
  Combination of tools much better!
  (Some) Hardware hacking!
  Craft cables to put the phone in “Master” mode!
  Use the phone to connect and hack Other Phones!
  Patience!!
!
USB Reconnaissance !

OperaLng  System  FingerprinLng  using  USB:  

  Not  all  USB  implementaLons  are  the  same  

  Windows  vs  Linux  vs  Mac  OSX  

  Flavors  of  Windows  

  The  protocol  is  the  same  but  not  the  

implementaLon    
  USB  devices  in  “slave”/  gadget  mode  can  idenLfy  
the  OS  upon  connecLon  
  Smart  (i.e.  programmable  USB  devices)  can  do  so  
much  more  as  we  will  see.  
USB Reconnaissance !

Operating System
USB Gadget
Observations

Full function probe

Bare device w/o 6 12 1

configuration retries

Device alive probe

Single adb/umass
interface bus reset
USB Background: Hierarchical Topology!
USB: Series of Events (Overview)!
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
, The
The host send Get Device
d , V e ndorID l peripheral
Descriptor setup request Spee tID, Seria identifies
c
Produ nufacture itself
a
No., M
G et C The peripheral
The host setup kernel data onfigu supply the
ration
structures of the device configuration, can
descriptor SB be dynamically
-s to ra ge , U changed in smart
Mass her etc.
et gadget
G e t In
te
The host continues enumerate all Descr rface The peripheral
iptor
the interfaces specify interface
, information
fa c e Class
nte r ol
USB I ass, Protoc
Subc l
The host sets up endpoints for
every interface

USB data transfer starts

USB Host USB Peripheral

Standard USB Handshake

USB: Series of Events !
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
The
peripheral
identifies
itself

USB Host USB Peripheral

Standard USB Handshake

USB: Series of Events!
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
, The
The host send Get Device
d , V e ndorID l peripheral
Descriptor setup request Spee tID, Seria identifies
c
Produ nufacture itself
a
No., M

USB Host USB Peripheral

Standard USB Handshake

USB: Series of Events!
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
, The
The host send Get Device
d , V e ndorID l peripheral
Descriptor setup request Spee tID, Seria identifies
c
Produ nufacture itself
a
No., M
G et C The peripheral
onfigu supply the
ration
configuration, can
be dynamically
changed in smart
gadget

USB Host USB Peripheral

Standard USB Handshake

USB: Series of Events!
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
, The
The host send Get Device
d , V e ndorID l peripheral
Descriptor setup request Spee tID, Seria identifies
c
Produ nufacture itself
a
No., M
G et C The peripheral
The host setup kernel data onfigu supply the
ration
structures of the device configuration, can
descriptor SB be dynamically
-s to rage, U changed in smart
Mass her etc.
et gadget

USB Host USB Peripheral

Standard USB Handshake

USB: Series of Events!
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
, The
The host send Get Device
d , V e ndorID l peripheral
Descriptor setup request Spee tID, Seria identifies
c
Produ nufacture itself
a
No., M
G et C The peripheral
The host setup kernel data onfigu supply the
ration
structures of the device configuration, can
descriptor SB be dynamically
-s to rage, U changed in smart
Mass her etc.
et gadget
Get In
te
Descr rface The peripheral
iptor
specify interface
information

USB Host USB Peripheral

Standard USB Handshake

USB: Series of Events!
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
, The
The host send Get Device
d , V e ndorID l peripheral
Descriptor setup request Spee tID, Seria identifies
c
Produ nufacture itself
a
No., M
G et C The peripheral
The host setup kernel data onfigu supply the
ration
structures of the device configuration, can
descriptor SB be dynamically
-s to rage, U changed in smart
Mass her etc.
et gadget
Get In
te
The host continues enumerate all Descr rface The peripheral
iptor
the interfaces specify interface
, information
fa c e Class
nte r ol
USB I ass, Protoc
Subc l

USB Host USB Peripheral

Standard USB Handshake

USB: Series of Events!
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
, The
The host send Get Device
d , V e ndorID l peripheral
Descriptor setup request Spee tID, Seria identifies
c
Produ nufacture itself
a
No., M
G et C The peripheral
The host setup kernel data onfigu supply the
ration
structures of the device configuration, can
descriptor SB be dynamically
-s to rage, U changed in smart
Mass her etc.
et gadget
Get In
te
The host continues enumerate all Descr rface The peripheral
iptor
the interfaces specify interface
, information
fa c e Class
nte r ol
USB I ass, Protoc
Subc l
The host sets up endpoints for
every interface

USB Host USB Peripheral

Standard USB Handshake

USB: Series of Events (Overview)!
Interrupt notifying the host that a
device connected

G et D
e
Descr vice
iptor
, The
The host send Get Device
d , V e ndorID l peripheral
Descriptor setup request Spee tID, Seria identifies
c
Produ nufacture itself
a
No., M
G et C The peripheral
The host setup kernel data onfigu supply the
ration
structures of the device configuration, can
descriptor SB be dynamically
-s to ra ge , U changed in smart
Mass her etc.
et gadget
G e t In
te
The host continues enumerate all Descr rface The peripheral
iptor
the interfaces specify interface
, information
fa c e Class
nte r ol
USB I ass, Protoc
Subc l
The host sets up endpoints for
every interface

USB data transfer starts

USB Host USB Peripheral

Standard USB Handshake

Device Configuration Map!
USB Host Enumeration!

  Enumeration: How the host learns about devices!

  All USB devices must support (HW/SW) control
transfers, the standard requests, and endpoint zero.!
  Smart gadgets are often composite devices!
  Enumeration is transparent and automatic!
USB Enumeration Hierarchy!

  Device!
  Configuration!
Interface!
 

  Endpoint!

  Configuration changes the "

ProductID!
  USB debugging will Change N1 s
ProductID from 4e11 to 4e12)!
Demo Demo Demo!
•  Show Exploitation of Computer using the phone as
Keyboard!

• Android based "

!but *any* smart phone device with modern USB
!controller can perform the attack!

• *Any* operating system is vulnerable, core functionality not

just a hack!

• We can lunch, reboot, redirect, …!

Discussion!

•  USB connections are unprotected in current USB

1.1/2.0/3.0 protocol!

•  USB is the new venue for emerging exploits due to

trust in physical proximity !

•  Smart gadget can cause more damages than

traditional passive USB devices.!

• Mutual USB authentication!

• Revise the USB protocol for security features!

Phone-to-Computer Defenses!

Potential Defense Strategies

•  Disable autorun on USB storage device
 MS KB971029, non mandatory

•  Disable all USB storage devices from automatically

attaching
 MS KB823732

•  Validate the Autenticity of the USB Devices once upon

connect
  Bluetooth devices
  Does not prevent attacks from corrupted devices
Discussion – Defenses?!
•  Potential Defenses – Adding Device Authentication is :!
Discussion– Defenses?!

  Adding static token authentication is not enough!

  Guessable!

  Easy to bypass (wait for the USB device to get authenticated,

swap to another device)!

  Data Exfiltration!

  Mutual Dynamic Authentication is good but…!

  Passive and Dumb devices cannot cope with!

  Many devices support partially the protocols!

  Windows USB-Hub subsystem a problem…!

Discussion– Defenses?!

  Getting the Human in the loop!

  Bluetooth has tried that!

  It works but only to validate the device it cannot prevent a device

which is “approved” but compromized from corrupting and
taking over the other end.!

  The Solution requires Human to verify both Type of

Device and restrict its permissions!
  Very very difficult given the current user body!

  Can only be applied to enterprise settings!

  Disabling the USB not an option (Why? Recharging…)!