So, this is USB Tinkering for Hackers and Makers. My name is Dominic Spill and, as the slide says, my name is Dominic Spill. I work for an open-source software and hardware company, and we are mostly interested in building packet sniffers, things like that, Bluetooth devices. If anyone's heard of the Ubertooth, then that's us, sorry. And this is the HackRF One, which is a software-defined radio that we released on Kickstarter last year and finally delivered a year later. So some people in the room may have this. I don't know anything about this; if you've got questions about this, don't ask me, because I didn't work on the project and I'm not very good at radio. So we're working on a project called Daisho. You can't read the slides, right? We have a bunch of products for Bluetooth sniffing, various other things, and a couple of years ago we started a project called Daisho, which started out as a USB 2 packet sniffer and man-in-the-middle device and, through a series of emails between myself and my boss, escalated into a large project with US government funding that's currently, like every other government-funded project, running 18 months behind. But we wrote a USB 3 core for FPGAs, in Verilog, and we've open-sourced that; you can grab that from the Daisho project now if you are kind of at that end of the USB tinkering. It's pretty performant and compliant. In fact, we sent bug reports to the people who make the USB 3 compliance test equipment, because they thought we were failing tests that we were really passing, so we're more compliant than the compliance applications. So that's the USB 3 side, but I always wanted to attack USB 2 and things like that at a much cheaper level, and as you can tell, at EMF Camp I'm not going to come to you with a $2,000 piece of hardware or something.
I'm mostly using cheaper hardware. We were looking at this from a security standpoint, but I'm also talking about it from a building-interesting-devices standpoint. I should also note that I have cobbled together these slides and I can't entirely remember what order they come in, so I'm very sorry. Oh, and one more thing that I really, really, really like to pimp every time I talk: I've written a tiny little piece of code called fcc.io. It's a website; it's called fcc.io. If you're ever interested, and this group may be, in looking up internal photos of devices and things like that: they have FCC IDs on the back, and if you go to fcc.io/ followed by the FCC ID, it will bring up all of the internal photos and test documents and things like that. You've always been able to search on the FCC website, but it's almost impossible to find. If you go to the GitHub, there's also an archive-downloading script, which the FCC don't particularly like me for. You give it an FCC ID and it will just suck down everything, all the documents; if you give it an FCC vendor ID, I believe that currently it will suck down all of the documents for that vendor and hammer the FCC's website. So go nuts. Yeah, about 10 minutes? 10 minutes. So I'm on camera; I've got no blame. I should also note the FCC, while awkward to work with... recently I've been working with Ofcom on some radio stuff, and Ofcom are an absolutely lovely group of people. They are incredibly supportive of open-source software and hardware, and they allowed me to come in and screw around with Bluetooth and DAB in their office, under, I'm sure, some sort of licence. But today I'm talking about USB, and specifically... can I have a show of hands? Everyone knows what a USB device is, don't they? If you don't know what a USB device is, this talk might be slightly over your head. In 2008 they were selling two billion devices a year.
I'm pretty sure it's higher than that now; I've bought several thousand in the past couple of weeks doing this project. When I say most common device interface, I can't think of anything else that is more common on consumer hardware as an interface to plug in, except maybe mains power. Almost any device you buy that you want to communicate between a host and a device, or something like that, mobile phones, anything like that, has USB, because it's become the standard interface. 'Universal' in USB is pretty accurate. And it comes in a couple of flavours. Hmm. All right, yes, the 3.5 mm headphone jack is possibly more common, but it is not quite as useful for data transfer of, say, files, or it makes a pretty poor webcam, that sort of thing. So I want to see, yeah, five-gigabit data transfer over a 3.5 mm audio jack at the next EMF Camp, please. It comes in various different speed flavours: there's low speed, full speed, high speed, SuperSpeed and super-SuperSpeed. I think the new one is... what's it called? SuperSpeed Plus, that's it. And SuperSpeed is USB 3. Low and full are USB 1 and 1.1, and then USB 2, which is pretty much what everything supports these days, is 480 megabits per second, and that's what I'm going to be dealing with, but it's backwards compatible with everything below it. And I'm going to try and give a little demo with a keyboard, which are almost always USB 1.1 devices. Um, here we go. So has anyone ever built a USB device, written firmware for something, played around with Arduino? Was that one hand going up at the back? A few, okay.
I may have pitched this wrong. So you have these descriptors, which you can read from the device, and they tell the host operating system what kind of device it is. They give it an idea of which driver to use; they tell it, look, there's a device class. So for example a keyboard like this will act as a human interface device, and it will allow you to bypass any driver requirements on things like Windows and a Mac. I have some other things that I've completely lost. There is a USB storage stick over there that looks like a little man, because it's the only one my code works with. Um, I'm a professional. This is a USB Wi-Fi device, so that will turn up as a network interface, and yeah, it's a decapitated little man, that's right. And USB mass storage devices will appear as another device class, and so the kernel on Linux or any other operating system will know what to do with that device. The other thing they have in those descriptors is a series of IDs, so you can specifically identify: this device comes from this manufacturer, and it is device XYZ. The slide you can't see at the moment is about USB IDs, and it specifically says they're split into two parts: there's a vendor ID and a product ID. The vendor ID is unique to the vendor; the product ID is unique to the product. Hmm, in theory. In theory. And as makers, and people who want to build our own devices and maybe build open-source devices, we don't really have access to these, because it's incredibly expensive to get a vendor ID and be assigned a block of product IDs. So, thankfully, in recent years Openmoko went out of business, which is a shame, I should say, because there are probably some fans of it in here, but they were kind enough to keep hold of their vendor ID block and start giving away product IDs for free. So if you go and look on Google and find their wiki page about it.
They have this large list of product IDs, and so if you were to plug in a HackRF right now, it would show up as being an Openmoko device, because it's much cheaper for us to go and ask them very nicely if we can use one of their IDs, and they assign one to us, than it is for us to go to the USB Implementers Forum and pay them 40 grand to get a vendor ID. I believe it's a subscription fee as well, so you have to keep paying them to maintain it. I don't know how they take it away from you, because you've already sold devices, but... So if at some point you do decide to take some of my code and play around with things and build your own device, then as long as it's an open-source project, Openmoko will give you one of their IDs for free, which just makes it easier when it comes to doing things like updating firmware. Because until I started doing this, we and every other open-hardware developer were using vendor ID 0xFFFF and just kind of using 1, 2, 3, 4 and so on for different revisions of their hardware. So you'd plug in an early Ubertooth and you could update firmware on it for some completely different device, because we were overlapping USB IDs, so all the code signing and things we did for the firmware updates was completely pointless, because it didn't stop you flashing the wrong thing to the wrong device. There's a picture coming up in a minute which is kind of crucial, but we'll see what happens.

USBProxy, right. So this is the crux of the talk. I wanted to be able to do interesting things with USB packets without having custom hardware. Travis Goodspeed and Sergey Bratus give out these little circuit boards called Facedancers, and you have to (a) be able to solder and (b) wait the half hour it takes to do one USB transaction across the SPI bus, which runs at a ridiculously slow rate. So not only was it slow (and people have built fuzzers around it; it's got a nice Python interface and things), but not only was it slow, there were a lot of people who didn't really want to build the hardware, and it was kind of out of reach for people. And I like the idea that you might be able to build an interesting device without having to physically build the device. Because we all got into hardware in some way: some of us got into it through electronics, and some of us got into it because the device we wanted didn't exist and we said, well, what I really want is, like, this device connected to this device, but I've got to go and design a PCB and learn how to do that and stuff like that. Which is how the Ubertooth came about, and now we build this hardware, but it would be nice to be able to just hook a couple of devices up, write some code, and have it act as a USB device, at least as a prototype. So what USBProxy does is it takes a piece of hardware, which I have here, called the BeagleBone Black (feel free to ask me afterwards why it's so much better than the Raspberry Pi), and we take a piece of code called USBProxy that we wrote, which connects to the device USB port on there and connects to the host USB port and just passes the packets backwards and forwards between the two. It's written in C++ and it relies on something in the Linux kernel called GadgetFS, which exposes a USB device as a file system, which thankfully no one in this room ever needs to care about again, because we wrote USBProxy to wrap it, and it makes life a lot easier. It's quite hacky, and when we mailed the mailing list to tell them that we were using it, they said it wasn't necessarily a good idea. There are comments in the code that are dated, say, 2004, saying 'oh, must remember to come back and fix this' and stuff like that. So it's probably going away at some point, but it's incredibly useful and flexible for what we need. So we're relying on that, and then to talk to the host side we just use libusb. So it simplifies all the code, because I've just got these
two fairly straightforward APIs and I pass packets backwards and forwards between them. Something like this. I'm going to jump up on the stage and point to this slide. I'm sorry, no, I'll just wave. So this box that you can't see here says 'device'. Basically, we have a device on one side, USBProxy in the middle and a host on the other side, and we just have this relay in the middle that sends stuff between proxies on either side. Can anyone read this from the back? Excellent. Up here it says 'injector' and it says 'filter' here, and essentially what we can do is hook in filters to screw around with the USB packets as they go across the device, and the injector does a very similar thing, but instead of just fiddling with the packets that are there, it allows us to inject packets into the stream. There are some complexities to do with the fact that USB devices... how was it phrased? USB devices are like Victorian schoolchildren, in that they only speak when they're spoken to. You cannot just send data from a USB device to a host. You can with SuperSpeed, because it's got a separate pair in the cable for each direction, but for most of them the host has to ask for the data. But we get around that with message queues and things like that; again, nothing you should ever have to worry about, because we've written USBProxy. I'll use the BeagleBone Black, which I've already said. It's because it has On-The-Go hardware built in, so it has a device port on one side, it has a host port on the other, and we can just get it to proxy the traffic backwards and forwards. The reason I do this on the BeagleBone Black is because it's 35 pounds, something like that, and at the time that I started this it was really easy to get hold of. It's not so much any more, and we're investigating alternatives such as the Olimex OLinuXino board, which is a little board that does similar stuff, and I'm specifically trying to keep it to open-source hardware, because that's kind of my thing.

So this is me going to attempt to demo USBProxy doing something, and for this, if anyone in the front row wants to be a willing volunteer, they are welcome to be. But don't all rush up at once. Yeah, that's fine. It's going to take me a minute to read the screen and work out where my mouse is and suchlike. Okay, I also have to remember, because it's been a little while... I can't read my own command, I'm sorry. See, that doesn't say segfault, does it? All right, let's attempt... All right. That's not really what I wanted to do. If everyone could just keep chanting the word 'professional', I may begin to believe it. All right. Would you like to try typing something on the keyboard and seeing if you can vaguely see it come up on the screen? Excellent, so you can see the cursor moving now. Did you actually type anything? And so you know what you typed, right? Is that what you typed? Exactly. Anyway, so as my glamorous assistant has already identified, if I could possibly find my cursor to switch back between tabs... Come on. Let the sun go in for just a minute. Ready? Can someone see it? All right, if everyone could just... There it is, there it is, got it, got it, thank you. So, all right, what you can see is... unscrupulous? I hope it's not rude. Okay, what you can see on the screen is obviously the thing that came through from USBProxy, but if you see on here... I see what you did there. They wrote something on the keyboard. So what happened there is I took the BeagleBone Black, I plugged a keyboard into one side, and I plugged it into my PC on the other.
I'm just controlling it over SSH, but you don't really need the network connection. Not that any of you can see this if I don't hold it up, but we then proxied the keyboard traffic, and as it was going through I used a filter to dump the keystrokes to the screen here on the BeagleBone and then pass through a ROT13 version. And so what I was able to do, just with, like, 20 lines of code, I was able to screw around with the packets going across. I should mention there's absolutely no error checking in there, so if I were to now plug in, like, a USB mass storage device, it would attempt to ROT13 the 12th byte of every data packet that went across, and everything would just fall over and it would be confusing. But you're typing into the same window as the... yeah. But thank you for trying. I'm going to kill that now. Okay, thank you very much. All right. What time is it, sorry? Fun. Excellent, I've got a little bit more time. So obviously that's really useful, and everyone wants to ROT13 all their keyboard traffic and pay 35 pounds for the privilege, but it's just an example of a very simple thing we can do in between. And I could switch back to my slides now. Yeah, that's what I'll do. Where is my... Somewhere. Well, great. Thanks, OpenOffice.

All right, so I said I was playing around with mass storage devices, and mass storage devices on USB are essentially SCSI devices that get wrapped in a very simple protocol, and so again, with a couple of filters, I'm able to play around with the way they work. And I'm not sure I've got time to go into huge amounts of depth about this, but essentially the SCSI transaction is a three-stage transaction: the host sends a command saying what it wants to do, whether it's read, write, something like that, and then the data is transferred in the middle, depending on which direction the data should be going in for read or write or whatever, and then at the end the device sends a status message back. And so people were talking about the fact that... I don't know if anyone here works in the security industry and is on Twitter, but if you are you'll know the term badBIOS, which was the idea that there was this piece of malware that was propagating itself using all sorts of different methods, but one was that it was writing itself to USB mass storage devices as soon as they were plugged in, potentially without even the operating system's knowledge, so they were doing it at the control level. And we started thinking about how you could examine these writes and what's going on. You can go and buy a USB protocol analyser: there's a company called Total Phase that made one called the Beagle USB 5000. It's 5000 because it runs at SuperSpeed; it's also 5000 because that's about how much it costs. It is an excellent piece of kit and I would absolutely recommend anyone else who can get US government funding to go out and buy one, but other than that it's a bit out of everyone's price range. Well, my price range, and I think most of the people in this room. So how do we analyse those writes and how do we look at what's going on? So I wrote some filters that did interesting things with USB mass storage writes. Now I should say, (a) this is very experimental, (b) I got these working at 6 o'clock in the morning before my talk at a conference recently, so they're very hacky, and (c) for some reason they only work with FAT16 file systems. So as long as your USB stick is as old as this USB stick that my girlfriend lent me, then it's fine. But I had a real panic when I lost this, because none of my others worked, and until very recently I didn't know it was FAT16.
That was the problem, and the only reason I found out was because I reformatted this one and it went to FAT32 and everything stopped working, and that was an incredibly big moment of panic. So this little guy plugs in, and what we can do... let me see how many more slides I've got on this stuff. Oh, this is the three-stage: send a command, send data in one direction, send a status message. And this is what it looks like in Wireshark. It got into Wireshark because USBProxy will dump to Wireshark; I should have mentioned that earlier, sort of forgot. So if you want to analyse what your USB device is doing, you can dump pcap files, and if you want to stream them over SSH, you can take them straight into Wireshark. And we're currently working with the Wireshark developers to allow non-Wi-Fi devices to capture directly, and USBProxy will be one of them, Ubertooth will be one of them, the software-defined radio things will be one of them, as will Daisho. It's all our products, because we're writing the code for them, and other people will obviously be able to add theirs. But the idea is that Wireshark's not just about Wi-Fi any more; it's about anything that's packet-based, and network traffic and things like that. So again, you can see the three stages right there. So let's say we want to block these writes.
We want to stop this happening, we want to stop this malware propagating, but we want to be able to read our discs. So we could try a couple of things, and I've got to try to remember what they are, subtly reading my slides. We can block the entire transaction, but that's going to confuse the kernel on the host system, because it's never going to get a status message. So we can just drop all the packets in the middle, but it never gets the status message; it thinks the drive has crashed and it just resets the USB port. We can convert the write to a read. I'd forgotten that one. We can switch the write to a read, because the status messages are identical: switch the write to a read, have them both send data to the man in the middle, and compare the data. And this is a really fun thing to do, except for, going back to the thing about only speaking when they're spoken to, something needs to elicit the read from the USB device, and due to the fact that I chose to write USBProxy in C++ I wasn't able to mangle that in. But I came up with a better solution, don't worry. The other option was: read a block and just write exactly the same block back. And that's kind of where the code is at, and hopefully the demo is going to work and you'll see how that works. But generally the kernel, before it wants to write a block... it's very rare that your host system... you plug in a USB stick and it comes up and it lists all the files.
So it's read the file table, or, assuming we're all using FAT16, which we should be, it's read the file allocation table, and that data has gone across the bus. That means I've got that data on my USB device. The host is not going to try and write a block of data (it writes in 512-byte blocks, because that should be enough for anybody) and it's not going to try and write to a block if it doesn't know what's there. The only time it's going to try and do that is when it's formatting a drive, in which case my code will fail, or if it knows the drive is completely empty and is trying to write to a completely empty block. But if I ever see a write that I've not previously seen a read for, then I know it's writing to empty blocks, so I know there's no data there. So that's not really a problem either. So what I've done is I've written a piece of code that, as the reads come through, caches them on the BeagleBone Black, and then as the writes come in it compares them against the reads. It prints a diff out onto the screen to show you exactly what's changed, and then it drops the write and spoofs a status message back using one of those injectors. So what we're able to do is make the host think that the host read the USB disk without any problems, make the host write to the USB disk and believe the write happened, and then we're also able to analyse exactly the diff that was written. And hopefully this will work. Right, I need to remember what the command is, so give me just a minute. That didn't work; I clicked somewhere. I will try... Could anyone see my mouse pointer? Somebody must be able to see it. Oh, yeah. Thank you. I've got it, I've got it.
Okay. All right, now it scrolls past really, really quickly, but what you'll see is it's reading, because it says the word 'read' and then a large hex number here, and that's the block number that it's reading. Now I should clarify something: what I'm doing here is I'm caching those in RAM on the BeagleBone. For anyone familiar with the BeagleBone Black, it has 512 megs of RAM. So not only does my code only work with FAT16 file systems, it only works with FAT16 file systems that have less than 512 megs of data in them. It is incredibly hacked together, but if anyone in the room would like to modify it and fix it and make it work, you'd be more than welcome. So hopefully, again, if I could find my mouse... there it is. Hopefully we should see a one-gig volume here that has no data in it, because nothing crashed. And what I should be able to do now is, I should really hopefully be able to write a file to it, unplug the USB device, plug it back into my laptop, and you'll see the file never happened, the file write never happened, and we'll get a diff, and at that point I will consider it a successful demo and we can all go home happy. Empty file: 'EMF Camp'. Okay, now what the hell happened there? Right, so what I should also note is the diff only looks good if you use my font size, but hopefully there should be some somewhere up here... somewhere up here, somewhere, there should be a section that is coloured. Excellent, right. And what you can vaguely see, if you can see the blue on the background on the dark projector, is there is a red section and there is a blue section, and the red section is the old data from the read and the blue section is the new data, and you can see that I wrote a... No, no, if I stand in front of the projector you can't... The sun is not on my side. You may be able to see right here. It's not going to make much difference on this screen. Okay, all right. Yeah, I can't find my cursor now. All right. Oh, I'm going the wrong way.
Go the wrong way, wait, wait. Keep scrolling, keep scrolling. Is it there? Can anyone see the word 'EMF Camp' in there? Yes. Yes, thank you. Yes, so we have written a file called 'EMF Camp'. Now the next part is ejecting the... and finding my cursor again, there it is. Eject the drive, pull the drive out, and everybody cross your fingers. Any time it wants to pop up and tell me... Do I have a one-gig drive there? Bear with me. So for the next EMF Camp, it would be really nice if we did it in winter or inside. All right, there it is, there it is. I'm just going to bring it onto my monitor so that if the file is there I can delete it subtly. No, the file isn't there. It's a completely empty USB drive, which is obviously what I knew would happen. Thank you very much. I know some of that was pity applause, but... I will skip through my slides; I've got no idea what's going on.

Oh, so you want to get involved in USBProxy? This slide's really old, because I've written half this stuff already, but that's even better, because now it's much more advanced. You can get involved in other ways: USB 3, if we had USB 3 host and device hardware, say Daisho, maybe bug Great Scott Gadgets, then you might be able to build something on top of that to do this even faster, although we're going to do a lot of that in FPGAs and things like that. But there will be other hardware; I'd like to modify this to work on other hardware. I have made it a shared library and it does parse config files. I'd like some language bindings. It'd be really nice to be able to use all the code people have written for Facedancer with USBProxy, and I'm sure there are people in the room who've written Python language bindings before, so if you have, I'd really like to talk to you about the best way to do that; come and see me at the end. That would be great. Facedancer compatibility, because, you know, screw Travis. Thanks to some people. Am I running over time, or am I...? Brilliant, because there's a whole section of work I've done since I wrote these slides that actually might be interesting. So I should thank Adam Stasiak, and this is one of the great things about working on open-source projects: I push my code to GitHub and he happened to notice it and get in touch, and we've been working together on this project for coming up for a year now, and I've never met him, but we did send each other Christmas cards this year, which is kind of cool. Travis Goodspeed and Sergey Bratus, because they're really nice about the fact that I say mean things about Facedancer all the time. Michael Ossmann, because he's my boss. I also met him on the internet and now I work for him, and he paid me to do this sort of stuff when I should have been doing things that make us money. And I've completely forgotten who David Formby is... Oh, David Formby from Georgia Tech, who was working on USB mass storage stuff at the same time as I was, and we collaborated on trying to work out why the hell we both only had one USB stick that works, and in the end we managed to discover that it was FAT16 and we were both very happy. And he's using USBProxy to do nasty things with industrial control systems. So there's that. I have another demo that works, but it's just not going to work with this setup, so I'll happily demonstrate it to people offline in a minute. But basically, what I was trying to explain at the beginning, and have completely failed to do so, is what I wanted to build was a Wi-Fi card that works across multiple operating systems.
I know this doesn't reference any of the rest of my talk, but I wanted to build a Wi-Fi card that works across multiple operating systems, and I know Linux has pretty good Wi-Fi card support for doing raw frame injection and things like that. So I picked up a little Atheros USB card, and I can plug it into any Linux system and I can run Kismet or I can run Wireshark and I can analyse traffic, but I can't do that on, say, my Android phone or a tablet or a Windows box. And you would not believe how much of the traffic in the Kismet IRC channel is 'why doesn't Kismet work on Windows?' and various things. So we decided, rather than telling people to go away, quite often, on IRC, we would write some software to solve the problem. And so Mike Kershaw and I have been working on using USBProxy and a library called lorcon, which is the Loss Of Radio CONnectivity library, that abstracts away the differences between Wi-Fi chipsets, to create a generic Wi-Fi device based on the BeagleBone Black and any USB hardware that you can plug into it, and present one generic interface to Windows and OS X and Android. And so as of later this year, we should have Kismet and Wireshark both running on Android with generic devices, and the only thing you need is a 35-pound piece of hardware to adapt it. So hopefully... That demo always segfaults, so I will happily do that later if someone finds me in the bar; I will happily try and show people how that works and explain. And I would really love for people to be interested in getting involved. And if you think outside the box of 'I'd really love to be able to hook device X up to device Y', or do this interesting thing in the middle, or 'I'd love to be able to write a really generic USB device using some GPIO pins', which the BeagleBone Black has loads of, then come and talk to me, because it's really, really simple now and you can do it. You don't have to worry about writing firmware, you don't have to worry about making hardware; all of that stuff is just abstracted away from you, and I'd love for people to start using it. And that's it. I will open it up for questions, maybe. Questions? There you go.

Yeah, that looks really good. I was just wondering, if you just wanted to log data, what kind of throughput can you get with it?

I get asked that question every time I give a talk about USBProxy, and I've never tested it, and the reason I've never tested it is I'm not sure I'm going to like the results. But I would guess... my stock answer is a lot faster than Facedancer, a lot slower than professional hardware. I would say we're never going to get anywhere near line speed, so we're not going to get 480 megabits, but I would say that actually the big limit on this is I've only got 100-megabit Ethernet to dump the packets off. So you might be able to get a couple of seconds at close to 480 megabits, but you're going to fill up the RAM on the BeagleBone before you get there, and things like that. So I should test it, I'm aware, but I haven't yet.

So would the target device just slow down, or would it tend to just drop packets and then...?

I would guess it would slow down. That's a really interesting question. So there's a slightly strange thing with the way... because we're terminating both the USB connections.
We're actually turning one USB connection into two, so it won't time out even if you've got large latency, because we've already ACKed the packet from the other side. So we've got two separate connections and we're just proxying traffic in between. So there's some interesting... we get around a lot of problems that other people have with this. For example, Facedancer has to stall the connection every now and again and say 'I'm still working on it', and stall the host, whereas we don't have to do that, because the host has already got its answer, and then we just go back to it and say, actually, we've got more data for you, and things like that. So we could probably slow down the transaction in the middle if we were logging, because we'll just add latency into that; we'll add delay on the movement of the packet. So we'll probably just slow down the connection, but some devices would probably fall over if you tried to slow down their connection. USB mass storage doesn't... it doesn't care; it just goes at whatever speed you let it run at. I know, because my code got into infinite loops and it didn't crash. Any other questions? Excellent. Oh, there is one up the back.

There's another approach to debugging USB connections, also using Wireshark, but using a VM to capture the data. How does this compare?

This is a lot more complicated than using a VM to capture data, but isn't that why it's fun? In reality, yes, using a VM is a great example, and it's obviously a lot simpler and you don't have to buy hardware and things like that. But my counter-example would be, if you for example look at... I've completely forgotten his name now, but the guy who reverse-engineered the protocol for the Xbox Kinect: the only device he could connect it to was an Xbox. You can't run an Xbox in a VM and look at that traffic in between, so you need a hardware device to sit on the line in the middle.
So it's things like that. Also, USB and virtual machines are absolutely a nightmare in many cases, so things happen differently in the VM, using USB from the VM, than they would elsewhere, because it goes through two USB stacks and it gets really confusing. And we know from trying to support people using our hardware in a VM under Windows, for example, that actually things just go wrong that you can't necessarily predict. So I think it's less reliable. Having said that, this was written by me, so it's not got a high degree of reliability right now. Again, please submit bug reports and patches, and just take the project off my hands; that would be great. Any other questions? Anyone want to volunteer to just write code for me, please? Excellent. All right, thank you very much.
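The mass-storage filter described in the talk (cache the blocks the host reads, diff each write against that cache, drop the write and inject a forged status message) as an added worked example. This is not USBProxy's own code and does not use its C++ filter or injector API; it is stand-alone Python over packets constructed inline, written to show the logic of the three-stage transaction being intercepted. It assumes the USB Mass Storage Bulk-Only Transport framing (a 31-byte Command Block Wrapper starting "USBC", a 13-byte Command Status Wrapper starting "USBS") and the SCSI READ(10)/WRITE(10) command descriptor blocks; the 512-byte block size, the sample traffic, and the choice to treat a write to a never-read block as a write to all-zero empty space are assumptions taken from the talk's own reasoning.

```python
"""Added example (not USBProxy code): read-cache / write-diff / spoofed-CSW
filter for USB mass storage, over Bulk-Only Transport CBW/CSW framing."""
import struct

BLOCK_SIZE = 512                       # assumption: 512-byte logical blocks, as in the talk
CBW_SIG, CSW_SIG = b"USBC", b"USBS"    # Bulk-Only Transport wrapper signatures
SCSI_READ10, SCSI_WRITE10 = 0x28, 0x2A


def parse_cbw(pkt):
    """Decode a 31-byte Command Block Wrapper into (tag, data_len, cdb), or None."""
    if len(pkt) != 31 or pkt[:4] != CBW_SIG:
        return None
    _sig, tag, data_len, _flags, _lun, cb_len = struct.unpack("<4sIIBBB", pkt[:15])
    return tag, data_len, pkt[15:15 + (cb_len & 0x1F)]


def build_cbw(tag, data_len, device_to_host, cdb):
    """Host -> device command wrapper; bit 7 of the flags byte is the data direction."""
    flags = 0x80 if device_to_host else 0x00
    return struct.pack("<4sIIBBB", CBW_SIG, tag, data_len, flags, 0, len(cdb)) + cdb.ljust(16, b"\0")


def build_csw(tag, residue=0, status=0):
    """Device -> host status wrapper; status 0 means 'command passed'."""
    return struct.pack("<4sIIB", CSW_SIG, tag, residue, status)


def is_csw(pkt):
    return len(pkt) == 13 and pkt[:4] == CSW_SIG


def rw10_cdb(opcode, lba, nblocks):
    """READ(10)/WRITE(10) CDB: opcode, flags, 32-bit LBA, group, 16-bit length, control."""
    return struct.pack(">BBIBHB", opcode, 0, lba, 0, nblocks, 0)


def decode_rw10(cdb):
    _op, _flags, lba, _grp, nblocks, _ctl = struct.unpack(">BBIBHB", cdb[:10])
    return lba, nblocks


def opcode(cmd):
    return cmd[2][0] if cmd and cmd[2] else None


class WriteBlocker:
    """Man-in-the-middle filter: cache blocks the host reads, diff any write
    against the cache, never forward the write, and answer the host with a
    forged CSW (same tag, status 0) so it believes the write succeeded."""

    def __init__(self):
        self.cache = {}          # lba -> block data last read by the host
        self.cmd = None          # (tag, data_len, cdb) of the in-flight command
        self.buf = bytearray()   # data phase accumulated for that command
        self.diffs = []          # (lba, [(offset, old_byte, new_byte), ...]) per blocked write

    def from_host(self, pkt):
        """Host -> device. Returns (packet to forward, packet to inject back to the host)."""
        cbw = parse_cbw(pkt)
        if cbw is not None:
            self.cmd, self.buf = cbw, bytearray()
            if opcode(cbw) == SCSI_WRITE10:
                return None, None            # swallow the command; the device never sees it
            return pkt, None
        if opcode(self.cmd) == SCSI_WRITE10:
            self.buf += pkt                  # swallow the data phase as well
            if len(self.buf) >= self.cmd[1]:
                lba, n = decode_rw10(self.cmd[2])
                self._diff(lba, n, bytes(self.buf))
                tag, self.cmd = self.cmd[0], None
                return None, build_csw(tag)  # spoofed status completes the transaction
            return None, None
        return pkt, None

    def from_device(self, pkt):
        """Device -> host. Always forwarded; read data is committed to the cache at its CSW."""
        if opcode(self.cmd) == SCSI_READ10:
            if is_csw(pkt):
                lba, n = decode_rw10(self.cmd[2])
                for i in range(n):
                    self.cache[lba + i] = bytes(self.buf[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE])
                self.cmd = None
            else:
                self.buf += pkt
        elif is_csw(pkt):
            self.cmd = None
        return pkt

    def _diff(self, lba, n, data):
        for i in range(n):
            new = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            # Assumption from the talk: a write to a block never read targets empty space.
            old = self.cache.get(lba + i, b"\0" * BLOCK_SIZE)
            changed = [(o, old[o], new[o]) for o in range(min(len(old), len(new))) if old[o] != new[o]]
            if changed:
                self.diffs.append((lba + i, changed))


def demo():
    """Constructed traffic: the host reads LBA 0x20 (all zeros), then writes 'EMF Camp' to it."""
    f = WriteBlocker()
    f.from_host(build_cbw(1, BLOCK_SIZE, True, rw10_cdb(SCSI_READ10, 0x20, 1)))
    f.from_device(b"\0" * BLOCK_SIZE)
    f.from_device(build_csw(1))
    fwd_cbw, _ = f.from_host(build_cbw(2, BLOCK_SIZE, False, rw10_cdb(SCSI_WRITE10, 0x20, 1)))
    fwd_data, spoofed = f.from_host(b"EMF Camp".ljust(BLOCK_SIZE, b"\0"))
    return {"cache": f.cache, "write_cbw_forwarded": fwd_cbw,
            "write_data_forwarded": fwd_data, "spoofed_csw": spoofed, "diffs": f.diffs}


if __name__ == "__main__":
    for lba, changed in demo()["diffs"]:
        print(f"blocked write to LBA {lba:#x}: {len(changed)} byte(s) differ")
```

The point to notice is the ordering problem the talk raises: the device only speaks when spoken to, so once the WRITE(10) command is swallowed the host still pushes the data phase, which the proxy has to absorb before it can answer with the forged CSW; the tag in that CSW must match the swallowed CBW or the host-side stack will reset the port. As in the demo, the cache lives in RAM and grows by one block per read, and anything the host writes without a preceding read (formatting, for instance) is diffed against zeros, which is exactly the case the talk says the approach does not handle.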