All right, welcome to the first talk in track one. We're gonna get started here in just a second. Again, one of the fortunate things about having track one is I get to introduce a lot of friends up here. I've got Kyle Temkin and Dominic, and despite the fact that his last name is abnormally short, he's no less of a man than I am. Dominic Spill is up here to present on Facedancer 2, so please welcome them to the stage.

Sorry for taking a few minutes to get set up there. It turns out you shouldn't run a bunch of updates like 20 minutes before you give a talk. So my X server doesn't work, so I can't show you any of the demos on my laptop. We're gonna try the best we can on ktemkin's laptop here. So these are our names, which has already been mentioned. So that one works. There we go. This is deep magic technology. All right. There we go. I hear myself.

So this is not at all a 100% original work. We are standing on the shoulders of a lot of people. The probably two biggest names on here in terms of this project are Travis Goodspeed and Sergey, who actually conceptualized this over a bottle of whiskey, as the legend goes. And then later the GoodFET project, which is the original home of Facedancer, became the intellectual property of Great Scott Gadgets via a transaction that, as I understand it, involved five dollars in beer and $5 cash, because Travis probably doesn't believe in other currencies, I don't know. And, as you can hear fairly vocally in the second row here, is Michael Ossmann. So let's not thank him. He designs it, he employs me. Thanks for that. But he designed this hardware, which we call GreatFET, which is a new generation version of the GoodFET. It also replaces Travis Goodspeed's Facedancer in many ways, and we'll come on to that in a little bit. Do you want to talk about... Yeah, so you will see a demo from my friend Micah, who goes by scanlime, who was one of the first users of the new Facedancer 2 platform, whether she liked it or not.
Then of course we have our employers, who actually paid us to do the work, and we won't talk about them. Yeah, we are employed by these people. So, like most people, ask us why we hack on USB, and it's because it's literally everywhere. I mean, it's the most common interface in... Thanks, Mike, for laughing at my joke. It's like the most common interface, it's everywhere. I've got more USB outlets in my house than I have power outlets. So some of them deliver power, some of them are data. They're hooked up to all sorts of weird embedded systems that you don't have any control over. Almost every single one of those embedded systems is running like a 10 to 15 year old Linux kernel. But that's cool, because there have never been any Linux bugs, as my laptop will show you.

And the other reason is, and I find myself quoting Josh Wright quite a lot, in fact he said it here a few years back, which is about why we need to build tools. One of the reasons that the two of us and Mike and various other people we work with build tools is that we can talk about flaws in code and we can talk about problems with hardware interfaces, but until we've got a way for someone to pick up a device, plug it into your laptop, and own your laptop, people are going to just ignore them and say that's no practical attack. And I think by building the tools to enable that, we allow people to get closer to, to have more leverage trying to solve those problems and have those arguments within organizations to solve those problems. And I've previously heard this described as, like, you know, it's not an attack until a script kiddie can just, you know, build something and run it, or run something that they downloaded from the internet. And I think that that's kind of, in 2017,
that's probably more like a journalist. So if you can go to a journalist and say, here's a device, plug it into a laptop and weird things will come up on the screen, then they're gonna pay attention and hopefully write articles about us. Right, so why do we want to hack on USB, other than the fact that everything down to our cars these days has USB ports? My car takes firmware updates over USB. You can imagine how secure that is. I haven't been able to find out, because my spouse will kill me if I break their car, but...

So the kind of classic use case for Facedancer was finding vulnerabilities in USB or driver stacks. So the actual USB stack running on your PC that runs USB, whatever embedded system that runs USB, or the drivers that are sitting on top of that stack. So if you have, like, a USB mass storage device, there's gonna be a USB-attached driver sitting on top of the actual USB stack. You can find vulnerabilities in either of those. But this has actually been used, especially the legacy Facedancer, in a lot of other ways, including building tools that work with existing software. If you want to prototype something really quickly, or trick a piece of software into working with a device that is not quite its security dongle, you can do that with Facedancer really quickly. My favorite new application for Facedancer, and one of the things that we're gonna be talking a lot about, is that it actually lets you get a foot in the door in terms of understanding embedded systems. So a lot of times you have an embedded system with a USB port, you know nothing else about it, and you'll probably wind up with a divorce if you take it apart, like my Nintendo Switch. But, yeah, so between us we own, like, three Nintendo Switches, because two are for playing with them, one is for hacking. Right, because... That's why they're scarce. Because of us. Yeah. Yeah, that's right. We've eaten the supply. There's also a point in this on the side about playing NSA, and I'm sorry,
were you not finished with the previous? But I was gonna say, like, it's just fun to play NSA, and, like, who in the room doesn't love pretending they're the NSA? I mean... I guess, well, yeah, like people who already work for the NSA, sure, right? Yeah, everyone who already works for the NSA, raise your hand. Not you, but everyone. Worth a try.

And one of the things I think you were saying about, I should stop stepping away from the microphone, about getting closer to analyzing black box systems is, an interesting thing that we can do with this system that we can't do with other devices necessarily is we can actually log a lot of interesting information and kind of metrics about systems that we're talking to. So if we spoof a USB mass storage dongle, like, if you take a dongle and you go plug it into a computer, maybe that system will read the files off there and maybe it'll automatically run your malware if you're lucky, or whatever. But for us, we can start doing things like profiling the system. So I can go up to a TV with our Facedancer code, I can plug in as a USB mass storage system, and I can look at how it reads the file system that I'm pretending to present to it. And at that stage we can start saying, well, okay, it reads this block like 50 times. It reads the first block of the file system 50 times repeatedly for no apparent reason, must be a Windows system. I think Windows XP reads a FAT file system's first block like a bunch of times for no apparent reason, back to back. And then Linux and BSD will do other, different things. So you can profile what the host is by the way they access the file system. And the same is going to go beyond even that: how they enumerate the device itself. So even if the device doesn't have mass storage, doesn't have any capability, I can plug in to, like, my rental car and see what operating system that rental car is likely running, usually down to
a rough approximation of a version. Like, if the first thing it does is set an address to the USB device, I know it's OS X, and I'm really freaked out because my rental car is running the same system that this presentation is. But yeah, exactly. And in fact I fixed a bug in a USB stack recently where Linux says, how big are your descriptors? How much data am I getting from you? Okay, I'm gonna request 32 bytes because that's what you tell me you've got. And Windows says, you've probably got less than 256 bytes, I'll just request 256 bytes. And the device is supposed to only send back 32 bytes, because that's all it's got. And there was a bug whereby we were not telling it we were done sending data, and things like that, and so the Windows system would be sat there waiting for more data. But from the device side I can tell what kind of device is enumerating me by how many bytes it requests, like, in the first transaction that it talks to me. Right, so, like, two weeks ago when we bricked Mike's projector, we know exactly how we bricked Mike's projector. Yeah, that's very true. And do we want to come on to that now, talk about that now, or come on to that later? Come on to it later. Okay. In general, don't lend us things that have USB ports.

So what are the slides? Really, in terms of how USB works, we've done a bunch of studying of USB, and probably for this kind of application we use about one percent of it. Like, so the USB spec is hundreds of pages long as of the 3.0 revision, and it's still hundreds of pages long as of 2.0. There's a 36-page chapter called chapter 9 which is almost everything you need to do USB hacking, and that is, like, really sparsely populated pages, probably about 10 pages of reading if you want to be able to do basic USB hacking, right? So isn't the Linux kernel header file for all the stuff you need called ch9.h?
I think so, like, yeah. So they named their header file after, like, the two chapters you care about from the USB spec. So go look at the header file names and just read those chapters. Done. So okay, we're gonna run through this relatively quickly because, well, one, we're running late, and two, it's USB and hopefully you either know about it or are willing to go and read those two chapters, because they explain it better than we do.

But largely, if you think back to the 90s, a simpler time, and, well, in terms of computer interfaces, a more complicated time, you'll see here a delightful picture I managed to find of serial ports and parallel ports and PS/2, and you needed to, like, remember how to set up the speed on your serial port and which mode your parallel port was running. And a smart engineer, who I should really know the name of, at Intel decided this was absolute rubbish and there should be one single interface that was able to support all these different devices that you want to plug into a PC, right? So if you ever used, like, a USB to serial adapter, one of the USB to legacy RS-232 style adapters, and tried to communicate with the device, if you're on Linux for example, you've probably seen the operating system running a program called ModemManager that just spams a bunch of things into the port, so your USB devices tend not to work the first time. Your USB to serial devices tend not to work the first time. And that's just because back when things were running off things like RS-232, there was no way to plug in a device and know what device that was. You had to kind of guess and check. So ModemManager sends a bunch of AT commands as soon as you plug anything that looks like a serial port into the computer, and it's trying to figure out whether there's a modem there. So USB, one of its major contributions, one of the major benefits of USB over something like RS-232, is that it allows you to plug in a device and you'll see immediately,
Windows, for example, will pop up and say, hey, you've plugged in a new device, identify it by name. It'll possibly tell you what type of device, and it'll start looking for a driver. And that's all because, as part of the standardization, in the effort to get this down to a single port, USB built a lot of standard protocol onto the regular bus transactions that enable it to do that self-identification, or enumeration, process, right? So the first thing, the USB... in fact, this is not the slide I thought it was. The first thing, the USB is just, it's just two wires. There's two wires for power and there's two wires for data in your standard USB 2.0. Yeah, yeah, a regular... you ignore SuperSpeed. We're ignoring everything; everything that you can hack right now is pretty much easily hackable on 2.0, with maybe a couple of exceptions, right? Right, and almost anything that supports USB SuperSpeed supports regular USB 2 anyway. So, like, let's attack that until we need to worry about the higher speed, and until someone designs hardware to attack it. Hint, Ossmann. So, but basically, you've got these things called endpoints. Largely you've got two wires; it's logically split into different endpoints.
I guess you could conceptually think of them a little bit like different ports on a network connection, like that. So, like, one of the goals of USB is to be able to have more than one logical kind of transaction going over the bus at the same time. In order to do that, they basically say, I have two wires, but conceptually I'm gonna pretend like I have more, like 16 channels that I can send data bidirectionally through. And that is just done by tagging every transaction that goes over USB with an endpoint number. So while you have two physical wires, you can think of it as being able to send up to 16 disparate communications at a time, and it will worry about sequencing them over the bus. This is another good example of why it's so much easier to worry about things kind of from our level of abstraction, because the device doesn't have to worry about any of that. It's all the host's job to figure out how things go over the bus, and the device just kind of conceptually demultiplexes it for you. Right, and these endpoints are kind of tied together in groups as interfaces, and those... No, no, I still know the slide. I think it is, it's okay. But they're tied together in, like, interfaces, which have kind of, potentially, like, functions associated with them. So you can have a device that says, hey, I'm a keyboard, I'm also a mouse, I'm also a network connection, I'm also a mass storage device, and it just has more and more endpoints to support those. And largely those are hardware limited by the controller you're using. And that's one of the reasons we like the chip that we're using on GreatFET, is that it allows us to be quite flexible about the number of devices we appear as and the type of devices we appear as, and things like that. Right, so a common example would be if you have a camera: usually those have a video device, an audio device, and something that's letting you, for example, press play/pause, communicated as a keyboard.
Yeah, right. And those kinds of devices, actually, even though they're conceptually one device, they have one function, they appear as multiple independent communication channels, actually, each with their own drivers. Those are just conceptually organized into a set of different endpoints. Right, so there's four kinds of endpoints that USB supports. Really, we will be talking about the first two. Yeah, also we have 36 minutes left, so I don't know how much anyone cares about the four different types of endpoints. They make different guarantees about how fast you get data, latency, throughput, that sort of thing. Again, as we mentioned, go and look at the USB spec. But if you look at the bottom left of this screen, it says this came from USB in a NutShell, which, if you Google that, is a website that basically paraphrases the chapters you need to know from the USB spec and adds nice diagrams. And honestly, that's the only resource; I've never read the USB spec. That's the resource I've used to implement USB devices and things. So any tweaks I've ever made to, like, HackRF or RFCat or Ubertooth or any of their USB stacks have come from that website, not from the USB spec, because it just explains it really, really nicely at a level that you need to care about. So that's worth looking at.

In addition to the three kind of high-speed endpoints listed here, there's control endpoints. They go in both directions, and that's kind of how you configure devices. They always exist, and the system requests descriptors about what the device is from there. So when you type lsusb on your laptop, that information has been received by the kernel using control endpoints and control requests. And they allow you to send data out to the device to configure it, to tell it, you know, tune to this frequency, or receive data from the device, say what frequency you're tuned to. But when we want to stream high data rate data on, say, our SDR platform HackRF,
you use bulk endpoints to get the higher throughput. And so they offer different guarantees. Kind of the important thing here is that every USB device has to support a standard set of requests. These control requests are used for enumeration; they're used for things like, when you plug in the device, the first thing it'll do is say, hey, what kind of device are you? Tell me a description of yourself, send me a device descriptor. And that device descriptor will say, here's my vendor ID, here's my product ID, here's everything you would theoretically need to load a driver for me. And being able to emulate all this standard stuff enables you to actually pretend to be a USB device. And one of the nice things that the Facedancer library actually provides for you is all the boilerplate for USB communications, so you can go and plug in a device and just emulate the limited amount that you want to in order to describe your particular device. It handles all the boilerplate, handles all the standard transactions. So Facedancer takes a lot of this burden away from you. So if you want to hack something using Facedancer, theoretically you don't even have to know how this kind of stuff works. Yeah, this is all abstracted away from you. We're just telling you now so you know that we did it for you.

Ah, this is the slide I've been waiting for, right: enumeration. When you plug in a device, the port on your laptop or other system says, oh, there's a device here, tells the kernel, and the kernel says, okay, I'm gonna send a control request: tell me what kind of device you are. At which point the device sends back some bytes. Obviously, with Facedancer we get to pick what those bytes are. When you plug in a mass storage device, it has it all hard-coded in there.
It's all stored in some kind of long-term storage on the device. And those, generally, as you just said, are used to determine which driver to load, and there are a couple of different ways that happens. So every device is supposed to have a vendor ID and a product ID. And the vendor ID says I was made by this company, and the product ID says I am this specific product. And sometimes these are important, because, for example, if you want to plug in... I'm failing to think of a single USB device now... if you want to plug in one of those FTDI USB to serial cables, the driver wants to know that it's FTDI, and it will go and load the FTDI driver into the kernel and give it the device. And then that kernel module will say, oh, I know this product ID, this thing has these different modes, it operates at this rate, I can control this. And that's one way to do it. But not everyone has the ability to get code for the device into the kernel, especially not on a wider array of operating systems. And so sometimes those things are made out to be a kind of standard class, right? So when the device describes itself, it can do one of two things: it can say I am this vendor ID and product ID and this is exactly the driver you need to load for me, or it can just say, hey, I'm a keyboard. The USB spec, in addition to defining the actual communications protocol, also defines a bunch of standard class drivers that can be used to say, if you're a keyboard, talk in a standard way, really increasing the number of machines you're likely to work with. That's why anyone could produce a keyboard. They don't have to go and work and get a driver into the Linux kernel and the Windows kernel, right? You could just plug in your keyboard or your flash drive or your printer, and, you know, depending on, you know, assuming I get a regular HP that was supported back when, then it'll just work out of the box, right? And as long as you're willing to make your device conform to a standard set of, like, a sort of
standard API, then you know that it's going to be supported by a huge number of target systems. So, for example, if you build a keyboard, really people want to type on your keyboard and the characters to appear on screen. You don't need fancy kind of multi-color backlights and things like that, and you can add them as an additional interface, or you can do things like that. But you want to know that if I take whatever keyboard I pick up from someone and go plug it into any system that supports USB keyboards, it'll just work. And that's because they use the Human Interface Device class. The other fun thing about the Human Interface Device spec, and that one is worth a read, is that a lot of their examples revolve around data gloves, because it was written in the late 90s, and somebody who wrote this spec thought data gloves were going to be the way we interacted with things. And so it's actually a really cool spec, because it was written back in the 90s, they were trying to anticipate theoretically everything that could happen, and they were able to come up with a spec that was constrained enough that you can do things like have a full touchscreen with five finger multi-touch, and that original spec was enough that those kinds of devices would work. It's been expanded since with a little bit more, but the spec itself was kind of comprehensive and general enough that it actually allowed these devices that are coming in the future to work, including, you know, data gloves, whenever those drop. Yeah, like, it's weirdly forward-thinking, but also it's 90s forward-thinking, which is, like, it's fun to go and look at the examples. But those things are there. Like, if someone wants to build a data glove, you can just read the spec and conform to the USB data glove spec, and Linux and Windows and Mac OS, I guess, will probably support it in whatever way it's supposed to work. I don't even know how it's supposed to work, but I really want it. I want to... I don't know. So the really cool
thing about this is Facedancer doesn't just give you a platform for hacking on USB. It gives you a platform for hacking on anything that rides atop USB. So some of the things that we've done include actually just taking advantage of the way devices interact with disks, and that was super easy for us to do. We just said, hey, I'm a flash drive, now I'm gonna be handled by your operating system's disk driver. We didn't have to do any kind of special hardware to emulate a disk. We just said, okay, I'm emulating the transport, and that enables all these kinds of applications. And these USB device classes are defined at an interface level there. So you have the device descriptors, which say, hey, I'm this product, I was made by this company and I'm this product. And then you have interfaces, and, like I was mentioning earlier, you can have multiple interfaces, so a single device can say I'm a network device, I'm an audio/video, I'm also a data glove, I'm real obsessed with data gloves, I'm a keyboard, you know, all these things. And it can define all of those, and your kernel will go off and load all those drivers and say, okay, here you go, these drivers can now communicate with this device. One of the reasons this becomes kind of interesting is we can specify which driver we want at two different levels, and those levels both happen, like, the kernel sees both of those things, and maybe it just picks one or the other. And one of the reasons this is really interesting is there is whitelisting software out there that will whitelist by device ID, because you only want this very specific keyboard to be hooked up. But I get to control that header, and then at the interface level I get to say, hey, guess what? I'm a network device. So I get to plug in, your whitelisting software goes, oh, you're the keyboard I expect, that's cool, and then I get to tell another part of the kernel,
hey, I'm a network device, and hey, here's a DHCP response, and here are some proxy settings. By the way, I'm all the websites on the internet. Which is the thing Rob Fuller, mubix, did last year, I think, where he plugged a USB networking device into a laptop and it went, oh, you're gigabit speed, cool, you take priority over my wireless network connection because it's slower. And he goes, hey, here's my IP address, I am every website on the internet, and you should just send me all your standard traffic that you want to communicate over my connection instead of the wireless connection. This thing was still locked, and he had a bunch of settings about, like, things that were already running on there, what was running updates. Like, you get this information out because of the network traffic that just happened while the machine was locked, which was kind of a fun little information leak. And we could do that even if USB networking devices were potentially not whitelisted. Now, this doesn't apply to all systems, because there are tools that will hash the entire USB descriptor and whitelist the hashes rather than whitelisting the IDs, but that's not all of them. Yeah, so... oh, yeah, we don't have... I don't know how to use a Mac. Sorry, all right.
Hopefully the font's large enough. Essentially, I have... this is a list of the devices that are plugged into my USB port right now. I actually have no physical USB devices plugged in. There's already two devices that talk via USB, a card reader and the Bluetooth USB host controller, that are just built into my system. If I plug in a real device you'll see basically the same thing. We can kind of look at the stuff that we were talking about. So you can see that this Bluetooth USB host controller actually has 10 endpoints that it uses, and we can go down and see the device descriptor. The device descriptor says, hey, I'm an Apple device, I was produced by Broadcom. So Apple's vendor ID, even though the manufacturer string reads Broadcom, which I guess makes sense if you're someone... There's the product string. These are all data that are communicated via the enumeration process, including a descriptor that describes how everything winds up being communicated with. And you can see that Bluetooth device actually provides two HID interfaces that say, yeah, I'm accessible at boot, provides five wireless controllers, we've got some vendor-specific devices that require a specific driver. All this enumeration is encapsulated in those standard packets. So without me even having to have a driver, my system is capable of knowing how this device looks, how it communicates, who made it, either Apple or Broadcom depending on who you believe. And it's not super relevant yet. You will admit...
I will admit. Make it larger if you can, talk about it. So we'll go into GVM in a second and then we'll actually show this off in the Facedancer context. All right, so before we get into the actual specifics and nitty-gritties of the demos, let's talk about what we've done. So far we've talked a lot about USB, kind of the interesting things about USB, some of the background. We're gonna get more into USB as we talk about what we've done and kind of the interesting trust problems with USB. But kind of the history of Facedancer, again, started, like all kind of Travis projects, over a bottle of whiskey. Yeah, I mean, like all Travis projects, it's an idea Sergey had, and then he outsourced it. So it's not a bus, it's a network. And so Travis goes, I'll build a thing, and then, like, three o'clock the next morning, wow, yeah, there we go, Facedancer exists. And this is a Travis Goodspeed GoodFET with a USB device chip on it. That's, like, our cursor. So, well, that's not... you describe it, I'll point, sure. So Travis already had his GoodFET at this point. The absolute left, if you've seen a GoodFET, that is literally the GoodFET design on the left hand of the board. The one chip on the right there, the one Dominic's pointing at now, is the USB controller that was added. So this thing is actually a really quick, pretty neat USB attack device, USB fuzzing device, that was built using all technology Travis already had, in not that long. And actually, as soon as he started using it, he started finding all kinds of things about his systems. Like, for example, in trying to get this to work, he repeatedly crashed his Windows and Linux machines, and that sounds familiar. Yeah. And, you know, fast forward, it's been what?
Five years, six years, and a lot of that... and now we're at the point where usually when we plug in Facedancer, things don't crash. I mean, now we're at the point where we can reliably crash a Linux machine. Yeah, but we have to work a little bit harder to crash things now. Yeah, in part thanks to the legacy of this Facedancer device, because before that it was one of those attacks that was, oh, it's a physical attack, someone needs access to your machine, why would you even care about that? Until someone built a proof of concept, and then, via what we're calling Wright's law, people actually said, okay, maybe I should care about that. Maybe the fact that you can write over arbitrary kernel memory just by pretending to be whatever USB device you want is not a good thing. Kernel memory is not important. Yeah, that's right. It's the least important memory in your system, right? Right, right. So the really neat thing about what this kind of demonstrated was that the trust boundary for USB is in the middle of nowhere. Right, so the device, which is just something you plug into your computer, that potentially you found on the sidewalk in the free USB bin, is a piece that is inherently sort of trusted by the system to behave correctly. The system assumes that your USB devices are going to behave correctly; the host controller acts accordingly. And then now we have this weird additional world where your browser can communicate with your USB device. So, like, there's actually a set of standards that let browsers talk to USB devices, and those can be used for all kinds of crazy things, like reprogramming the firmware on that USB device to now be malicious, and then next time you plug it into the host... It is limited, luckily, because there are certain origin policies that were sort of put into the WebUSB thing, and didn't really go all the way through. So when WebUSB starts becoming a thing, we're gonna start seeing some really interesting security properties of some of these devices.
So Travis's original Facedancer. Do you want to talk about the limitations? Yeah? No, I was gonna say, it's interesting, actually, you talk about the trust boundary, and this idea that, I think a lot of the time we hear people kind of freak out a bit about the idea that you have ports on the outside of your machine, like Thunderbolt ports, and people saying, well, obviously there are attack vectors, because you've got a PCI bus on the outside of the machine, it allows DMA, you can write straight to memory from a thing outside your machine. But, like, that trust boundary has been moving for years, because people seem to think USB is, like, slightly more careful about that stuff. And USB doesn't necessarily have direct memory access, but it does, via the fact that some of the operating systems we all run have, like, really bad USB drivers. And so, like, it might not be direct memory access, but it's pretty indirect memory access. Yeah, so I'm not gonna lie, Thunderbolt and PCI are way worse than USB. Oh, yeah, like, I'm not suggesting they're the same thing. I'm suggesting that, like, we're already really far down this road. Like, let's fix the way we think about these things rather than, like, being scared of PCI and Thunderbolt and stuff like that. I think to a certain extent, right, and you get Thunderbolt devices, you know, on Macs and some Intel laptops now; you get a USB port on pretty much everything. So, and everyone has their own custom USB stack now for their own embedded platform. They're not making sure that devices are behaving correctly, right? And that's how we get circumstances where, like, plugging in a USB flash drive with the wrong file on it will brick Mike's projector. It's not even the wrong file.
It's just a 128 meg file, and it went... not. And before it read it, it erased its own operating system. So to actually give you a story on that: this projector takes its firmware updates via USB, and one of the attacks that we will show you is actually a USB firmware update, USB stick emulation attack, and so we naturally decided to try it on Mike's projector, which is this adorable little four inch by four inch projector. Really cute, wouldn't want anything bad to happen to it. And so before we even get to that point, we look at the firmware image. It has two files; one says the full path on the flash drive to where the firmware image is going to load from should be. And before we even start that, I just said, okay, let's replace that file with a file that contains 128 megabytes of null characters and serve that. And a really cool thing about emulating this is I can see everything that's happening on the device. I can see exactly what it's doing, right? It's that instrumentation thing we were talking about: we can see exactly the access patterns. And so we can see that it never read the file. It just got to the point where it said, "Hey, let me look at what's in this directory. Oh, there's a file that I need to read. It's 128 megabytes long." It allocated a 128 megabyte buffer, and in the process of doing that, it smashed its own stack. And then the next thing we see is firmware updating. It never read a firmware file.
We didn't provide one, and it just goes through, rugby counts to a hundred, flashing all zeros over the main flash chip for the projector. So this is the kind of weird trust boundary that still exists in USB devices. And luckily there happen to be two computers inside that projector, one that drove the projector and one that drove the media functionality, and we only managed to kind of crash and destroy the media functionality PC. So Mike still has like 40 percent of a projector. So we have raised 60 percent destruction on that device. All right, we only have 20, or just shy of 20, minutes left and we want to get to some demos, so I just want to run through what's wrong with the original Facedancer. It's really slow. The beauty of adding a chip to a GoodFET meant that it was super flexible; the GoodFET libraries already existed, Travis didn't have to write a whole lot of code to just add the ability to talk over an SPI interface to this peripheral chip. But that SPI interface is really slow. It's actually not the SPI interface. Oh, everything goes through an FTDI chip. So if you look on the left, there's a USB to serial converter. The way the Facedancer worked is it took every packet it wants to send over USB, converted it down to 9.6 kBaud UART, sent the packet over to the microcontroller, which then talked SPI to the MAX USB controller chip. So everything winds up going through this horrible kind of bottleneck where it gets converted to serial, to UART, and then sent to a microcontroller, just because that was the way GoodFET worked. That was the way it was super cheap at that point to make these GoodFET devices, right? And to a certain extent that's good enough, because we want to play with the descriptors; we want to look at how the system loads things.
We don't actually care how fast it runs. Now, theoretically it'd be possible to build a host stack that detected that you're running at nine kilobits and... maybe. But yeah, I think you could potentially start saying, "Hey, you're taking a little bit longer to respond to these descriptor requests, and probably you're not a real USB device. Yeah, I don't believe that you're real. I'm just gonna kill the power to the port." Nothing does that, as far as we know, but it's feasible that you could build a host stack that did that. So the much more significant limitation, besides the fact that the original GoodFET-based Facedancer was really slow, was that the chip they used, the USB controller, had certain fixed-function endpoints. So certain endpoints could only be bulk INs or bulk OUTs, and that means that if you're trying to take a real USB device and emulate it with some minor modifications, or proxy it, which is one of our man-in-the-middle kind of attacks, you can't do that unless it happens to have exactly the right endpoint setup. So it was a pretty limited chip. It was a great proof of concept, but at this point the attack we were talking about, where you say, "I'm a keyboard, and I'm also a network device, and now I'm this other thing, and now I'm this other thing," doesn't work over the original Facedancer, because you just don't have the endpoints to be able to pretend to be weird things, necessarily, or multiple weird things. So then one of the main benefits of Facedancer 2... Facedancer 2 came about actually because the original Facedancer was too slow for something. So we wound up building one of these RaspDancers, saw that it was actually much faster when you take out that USB serial converter, but now I had this problem that I wanted to be able to support multiple target devices instead of just the original Facedancer, instead of just GoodFET Facedancers.
So Facedancer 2 kind of came out as a multi-platform version, a multi-target platform version of Facedancer, and since then we've written the support for GreatFET, which is pretty much our preferred platform because it has the most powerful USB controller on it. If anyone went to CCC Camp in 2015, which I know is unlikely for this group, but there was a badge there that was a modified design from HackRF that now supports Facedancer. So soon... it's no longer soon. It's no longer soon. Yeah, soon is now; as soon as last week. And potentially in the future, we're gonna possibly be able to support devices like single-board computers that already have a USB device interface, so like the BeagleBones, the small... the Raspberry Pi, some of those things. There's some Olimex, ODROID makes some, and things like that, and that's what my old USBProxy code works on, but you had to kind of SSH into the thing and run your script in a little terminal, and one of the things we like about the Facedancer 2 code right now is that I can use my laptop to do mean things to this laptop and it's all running in host code, Python. So it's like ten lines to modify the USB descriptor, if that; like maybe five. It's super simple, and you can plug and go. It's pretty quick. So some of the new features we've pretty much discussed. Yeah, we mostly discussed. We're able to do proxy things; we're able to man-in-the-middle these transactions. So I can plug a device into my laptop, I can then present myself as that device to this target laptop, and as the data flows through I can modify it, I can log it, I can look at how things are working. This has been used historically to reverse engineer drivers on systems. So if you have a Windows driver you want to reverse engineer, you can throw it into a virtual machine and you can just use usbmon on the host to monitor the USB transactions, but that's not the case if you can't virtualize the system.
So USBProxy has historically been used to reverse engineer drivers on three systems, and all of them are games consoles, because you can't virtualize a games console. So you plug in a little interposer board and look in the middle and reverse engineer them. So we were able to build a little piece of code that injected combo moves into an Xbox game so that a friend could prank his friends and suddenly perform some super combo or something in some fighting game. Because we're professionals, I think. So yeah, we've talked about this. We already talked about this, so let's go to demos. You want to do anything? Okay, part of our pitch here. We're not gonna get to the demo yet; first we're gonna show the code. Okay. Hold on. Do you speak into that one? Yeah. One of the more complicated demos, because I have to use Vim. Vim. It's gVim. It's MacVim. So let's quit them and start them again. This is a dialogue box. Okay, so all these demos and all this code are open on my laptop, but it just won't show on the projector. In fact, plugging in the adapter crashes my X server, just weird. I mean, that's what you get for using USB video adapters, I guess. But you're gonna want to make that text somewhat bigger or everyone's just gonna have to move a lot further forward. I'm just trying to figure out what font size probably works here. 96. If I knew how to use my own text editor, it'd probably go faster. Should I be saying anything now to distract people from the fact that you can't... I can't. No, I can hit control plus, apparently that works. Okay, awesome. So I've actually opened the USB serial device. Yep, and not the thing that just instantiates it. So this code is the entirety of an emulator that emulates USB serial converters, which is cool because, one, it's super simple, so it makes a really good demo. The USB serial device that we're using is actually called simple serial. All that it does is communicate over two endpoints.
So it needs to enumerate itself, say who it is, and basically take data in, spit data out. So if you look at this file, there's a minimum amount of boilerplate here that basically says, hey, this is how a USB device should look. There's two endpoints, one is IN, one is OUT. We have the actual USB interface that describes those endpoints, encapsulates those. This is all the USB standard required stuff, and then we have this handle data available function. This is actually, from line 79 to line 89, in those 10 lines, the entirety of the emulation. This code was, I think, originally written by Travis, and if you look at the way this has been written, most of this is just passing data from one variable to another. So really the actual emulation code itself is two lines. We have a replace, an upper, and then we have send on endpoint. So all this does as a device is you send it characters and it sends them back to you as uppercase characters. So it's like uppercase as a service. But it turns out this is enough. This is enough code just to get the Linux kernel to load a driver called the USB simple serial driver, and simple serial is kind of cool. There's a small handful of USB IDs that are assigned to being this very simple serial protocol. One of them is HP calculators. So if you pretend to be an HP calculator and talk to the Linux system, it will pop up as a USB serial device within the system and it will start sending you AT commands, right? Because it thinks you're a modem. Yeah, it'll still think you're a modem. Right, because it sees a serial device. I can't remember... ModemManager, it will actually start trying to talk to your emulated device. And so this will happen if the laptop's locked and you just plug in, and you can't... yeah, I'm a modem, why not? And so all you have to do is just fill out this function in Python and say how you want to respond to things.
How do you want to respond to AT commands? How do you want to talk to the host system? And do you want to plug this in and I will do things to your laptop? Sure, said no one ever. We have less than ten minutes left, so let's get on to the other demos. Okay. Are you running that? Yeah, what am I running? Yeah, no. Wow. So I'll run Facedancer. Let's switch this around, because I honestly thought it was plugged in the other way around. So top tip: plug in the USB cable the right way around. Wow. We practiced this talk, I swear. All right. So the main thing you're gonna see here is that suddenly I've got a new device. Let me see the output. We can see this crashed on my machine. Your machine is really not... my machine hates USB. So if you go back and look through either the GreatFET or the Facedancer repository, you'll see a commit from early August where I was sat in a field in the Netherlands hacking away. This is the SHA hacker camp, and there's just a commit that says something along the lines of, "Hey, this reliably crashes my Linux host stack. Investigate," and I pushed it to GitHub just in case anyone wants to investigate that. So go nuts. But yeah, it will reliably just kill my laptop, so my laptop no longer... you have to hard... So what you saw, which was super exciting, was basically a new USB device popped up. It said it was an HP calculator, because that was the product ID that we stole. If we wanted to do the full demo we could actually open it up; it's a serial port that you type into and it uppercases all your text. I think you can imagine what that looks like. So I think we'll go on to some of the more interesting things that we can do with this before we open up the questions. So my favorite application, and kind of the token application that Facedancer 2 enabled that I think is really cool, is what I call UMS double fetch. That's a USB mass storage double fetch, and it really is kind of summarized by these two bullet points.
So in practice most systems assume the disk contents do not change on their own, but when you're emulating the disk, they totally can. So if you have a device like any of the devices we've hacked so far, we've had projectors and copiers that have an embedded USB host that take their firmware update over USB. Usually they don't have a lot of memory, which means they can't take a firmware file that's stored in memory, run their checks to see that the signatures are okay, and then apply it. Most of the time, instead, they read the file once, they go procedurally through it, compute their checksums, or just make sure the signature matches, and then they have to reread it a second time. And what that means is that if we are sitting there pretending we're a USB device, we can do all kinds of things, like, say, serve up the correct firmware file the first time it's read, and then the second time, serve up whatever the heck we want. So the kind of practical version of this demo that we usually give when we're trying to show this off is just to take a file, serve it up, it shows up looking like a flash drive, and then we just compute its checksum twice. The second time it is completely right. I will happily show anyone this demo in the bar afterwards, but it only works against... well, apparently it's not working against your laptop right now, but I can do it to myself. And yeah, as long as you're on a host system, you have to drop the disk caches, because I have enough memory to read the file once and cache it, but on an embedded system you don't have that RAM. So you can show that you're just serving the same file twice and it perfectly works. And you have a working... if you go on GitHub right now,
there is a full working script on there. That's what's gonna say: you have a working attack against a full-size photocopier, but it's real hard to take one of those on a plane. So big old things from, well, the company you're thinking of. Plug in this device and you can serve it two firmware updates, and one will be signed and the other one will succeed, and you can do whatever you like to it. Yeah, so another cool demo that I'm not gonna show. Okay, here, we'll switch, considering I can't stand still. So one of the cool things that my friend Micah did: actually, if you've seen her PoC||GTFO article, she actually was able to steal the firmware from Wacom tablets by using glitching attacks on USB. Related, not driven by Facedancer right now, but totally cool, so you should check it out. Once she got those firmware images, she found that it was for an architecture that had basically no public tooling. The one thing she was able to find was a debugger that had a disassembler built in. So she had the program there that would do disassembly of these devices, but she would have had to patch the binary if she wanted to start feeding these things in. Instead, what she did was actually take Facedancer, and actually take GreatFET by itself, before Facedancer, and modify it so that it said, "Hey, I'm a debug dongle. This is what I suspect you're doing. This is what I suspect a real debug dongle will be doing. Here's the firmware image.
I have this; this is the current contents of the device memory. Would you disassemble it for me?" And by doing that she was able to actually get a program readout of everything she had stolen from those Wacom tablets, even though she had no vendor-supported tools; she didn't have the debug dongle itself, which was unobtainium. And by doing this she was able to actually go and complete that PoC||GTFO article, where she is able to take that Wacom tablet and use it as an RFID reader, which is super cool. Yep, so, all right, USBProxy. I, and some other people, wrote a tool called USBProxy a couple of years ago. It ran on BeagleBone Blacks or other little embedded boards. This is now running over anything that supports Facedancer 2, and it's gone from being a couple of thousand lines of C++ to being a couple hundred lines of Python, which is honestly the pro move. And it does things like log those packets as we're in the middle; it modifies them; it'll allow us to modify the descriptors; it allows us to inject packets. It doesn't currently work injecting packets, but it will do in the future. The idea is, like, I have a USB device and I want to explore how it handles me screwing around with things. Spoiler: it doesn't. Do you want to try doing the thing? You always try doing a quick proxy. No, you want to play... you want to plug in a HackRF? I'm the host. I think the output is... sure, whatever. I can figure out how to up the size on... yes, this is big enough. Okay, so I haven't run hackrf. Let's give it a run: hackrf_info. So what you can see here is hackrf_info tells you about what the HackRF is attached to. Wow, that was smooth. It tells you which... I'm gonna push it up the screen so people can look back and see. It just shows you which HackRF is attached to your system. It tells you information.
It gives you the firmware version Which in this case I have modified in like three lines of Python on my host system to say hey Hey, you guess you talk on attendee? Which I say I thought was really funny when I wrote it last night. Yeah, you had had a couple of drinks So yeah, you did say that at a time. You said that won't be funny tomorrow morning So what's actually happening here? I don't have a hacker. I've plugged into my machine at all I have there's a hacker up here plugged into Dominic's machine Which is the man in the middle target and then in between us linking our machines is this great fat So right now when I run hacker info, it's proxying all of those commands down to the hacker f One of those commands is hey, give me a string that describes your firmware When it does that it's receiving the actual string that says hey I'm the firmware that's been built from git and it's taking that string replacing it with Dominic's biting wit and Then displaying it on the screen So we've actually been able to both proxy packets back and forth and modify them on the fly which is really cool So we could do this with with any packets we could change the device ID So we could take a keyboard that's not white listed by your device and we could buy your host and we could change it So it is white listed by your so is one that's what this but this thing's now flashing at me because we've gone over time Wait, I can just reset it. There we go. We got 15 minutes I hope you didn't have lunch plans hacks So I don't know how to use a max. 
I don't know how to get back to the slide deck, but I think now I understand why people like these things. That is nice. Okay. So we could do that, obviously; it turns out HackRF is open source, so you could modify those things yourself. But we could do this to attack systems that we don't have control over, like any of these embedded systems. Or point of sale is a good one. There are a bunch of point of sale systems that have USB ports on them to have printers come out of them, and somewhere in the world there's a regulatory requirement to log that information, and I get an email about once every two weeks saying, "Hey, have you built something for us yet? We want to log what's being printed." And there was a bug in the original USBProxy that went haywire and crashed those systems, which I will happily tell people about later. So we've done a man-in-the-middle attack. All right, future work. We want to support anything that has a USB device port. I mean, obviously buy a GreatFET, but anything that has a USB device port would be nice to support. So, like, your phone being able to support Facedancer, your printer... you say anything, but anything based off the Linux device class. So we're not... I mean, we want to, but yeah, we're not necessarily gonna do it, but we want to. But I've got a printer that's got a host and a device port. It'll talk to my PC, but it'll also talk to my digital camera. So it supports host and device and probably runs Linux. I could probably make it... I mean, I don't know how I'm gonna use a giant printer as an attack vector, but it'd be fun. USB 3 would be nice, I guess, because that's the new hotness, or 3.1. USB-C power...
I mean, USB-C currently kills my laptop, so, like, tick, job done. And then the other thing is GreatFET itself has host and device ports on it, and so we can... it has On-The-Go ports that support both host and device mode, so we can use it to pretend to be a host to devices and start looking at weird things that happen with devices. What happens when we just send the device way too much data? So the original reason that there wasn't a host controller in the Facedancer project was because it's easy to do some things from your computer using libusb. So libusb is a great vector for doing some attacks against devices, but it relies on all of the reproducible behaviors of your host controller, which means that it's not good for doing things like precisely timed glitching attacks. It's not good for extracting side channel information, like how long did it take to respond to this particular request. All that kind of stuff can be done if you have complete control over the USB stack. So eventually, hopefully, we'll be doing a talk where we demonstrate the host support on that device and demonstrate a lot of things that enables you to do that you can't do on just a PC. So, right, enable things like the glitching attack that Micah did, which was capable of stealing firmware from a whole variety of USB devices, right? It's actually one of those scenarios where the OS host stacks are too compliant and work properly. Like, we spent all this time saying, hey, they're horrendous and they do bad things, and now what we're saying is actually they kind of get in our way, because they tell us, "Oh, you can't do that.
That's not within spec." So that's this one issue, and the other issue is just that it's really hard to get reproducible timing when you have, oh, you have 50 USB devices sitting on a... you know, just inside your machine. Yeah, and that bus is shared between all of them. So we're not gonna take questions now, because, I don't know, we're way over time. Who really knows? This clock stopped ages ago. We will take questions afterwards, but if you find us, if you walk up here, we'll take... my life, right. Yeah. And that's... is that the last slide? That's our last slide. We have no more slides. There you go. You're free to go. So enjoy your lunch. Thanks for coming, thanks for putting up with us, and those are our Twitter handles. If you tweet at us we always respond, asterisk; we almost always respond, asterisk. And yeah, so. Yep.
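Added example (editor's illustration, not code from the talk, from Facedancer or from GreatFET) of the USB mass storage double fetch the speakers describe: an emulated disk that serves one image the first time each sector is read and a different image on every later read, against an updater that verifies in one pass and flashes in a second. The `DoubleFetchDisk.read()` method is a stand-in for answering the host's SCSI READ commands; the firmware images, their sizes and the expected digest are constructed here for the demo, and the "staged" updater is the editor's suggested fix for RAM-constrained hosts (hash the bytes as they land in a staging slot and commit only on a match), not something the talk proposes.

```python
import hashlib

SECTOR = 512


def make_image(tag: bytes, sectors: int) -> bytes:
    """Constructed firmware image for the demo: `sectors` sectors of a repeated tag."""
    return (tag * (SECTOR * sectors // len(tag) + 1))[: SECTOR * sectors]


class DoubleFetchDisk:
    """Emulated block device whose contents change between reads of a sector.

    A Facedancer-style mass-storage emulation would answer SCSI READ(10)
    commands from the host; read() stands in for that here, keyed by LBA.
    """

    def __init__(self, first: bytes, later: bytes):
        assert len(first) == len(later) and len(first) % SECTOR == 0
        self.first, self.later = first, later
        self.read_count = {}  # lba -> how many times the host has read it

    @property
    def sectors(self) -> int:
        return len(self.first) // SECTOR

    def read(self, lba: int) -> bytes:
        n = self.read_count.get(lba, 0)
        self.read_count[lba] = n + 1
        image = self.first if n == 0 else self.later  # swap after the first fetch
        return image[lba * SECTOR:(lba + 1) * SECTOR]


def two_pass_update(disk: DoubleFetchDisk, expected_sha256: str):
    """Vulnerable updater: pass 1 hashes the file, pass 2 re-reads it to flash.
    Returns the bytes that reached flash, or None if the check failed."""
    h = hashlib.sha256()
    for lba in range(disk.sectors):          # pass 1: verify
        h.update(disk.read(lba))
    if h.hexdigest() != expected_sha256:
        return None
    flash = bytearray()
    for lba in range(disk.sectors):          # pass 2: re-read and flash
        flash += disk.read(lba)
    return bytes(flash)


def staged_update(disk: DoubleFetchDisk, expected_sha256: str):
    """Hardened updater for RAM-constrained hosts: stream the file once into a
    staging slot, hash exactly the bytes written there, commit only on a match."""
    staging = bytearray()
    h = hashlib.sha256()
    for lba in range(disk.sectors):
        chunk = disk.read(lba)               # the only read of this sector
        staging += chunk
        h.update(chunk)
    if h.hexdigest() != expected_sha256:
        return None                          # staging discarded, nothing committed
    return bytes(staging)


def run_demo() -> dict:
    good = make_image(b"GOOD-FW!", 8)
    evil = make_image(b"EVIL-FW!", 8)
    expected = hashlib.sha256(good).hexdigest()
    naive = two_pass_update(DoubleFetchDisk(good, evil), expected)
    staged = staged_update(DoubleFetchDisk(good, evil), expected)
    rejected = staged_update(DoubleFetchDisk(evil, good), expected)
    return {
        "naive_passed_check_but_flashed_evil": naive == evil,
        "staged_flashed_what_it_verified": staged == good,
        "staged_rejected_bad_image": rejected is None,
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The two-pass updater's check passes because every sector it hashed was the benign image, yet every sector it flashed came from the second fetch. The staged variant never re-reads the disk, so whatever it verified is exactly what it commits; on a real host this still requires that the verification cover the bytes in the staging slot rather than the bytes first seen on the bus, and that the OS page cache (which would otherwise mask the swap on a PC, as the speakers note) is not relied on as a defence.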