Exploiting Smart-Phone USB Connectivity For Fun and Profit: Angelos Stavrou & Zhaohui Wang

This document discusses exploiting smart phone USB connectivity for attacks. It outlines several types of attacks that are possible via USB, including phone-to-computer attacks where the phone pretends to be a USB keyboard or mouse to target the computer. Computer-to-phone attacks involve gaining root access on the phone via USB to install malicious payloads. Phone-to-phone attacks are also possible using USB OTG (On-The-Go) connectors to connect two phones together. The document provides background on USB protocols and discusses tools and techniques for USB hacking and reconnaissance.

Uploaded by

Mailiia
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
100% found this document useful (1 vote)
203 views35 pages

Exploiting Smart-Phone USB Connectivity For Fun and Profit: Angelos Stavrou & Zhaohui Wang!

This document discusses exploiting smart phone USB connectivity for attacks. It outlines several types of attacks that are possible via USB, including phone-to-computer attacks where the phone pretends to be a USB keyboard or mouse to target the computer. Computer-to-phone attacks involve gaining root access on the phone via USB to install malicious payloads. Phone-to-phone attacks are also possible using USB OTG (On-The-Go) connectors to connect two phones together. The document provides background on USB protocols and discusses tools and techniques for USB hacking and reconnaissance.

Uploaded by

Mailiia
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 35

Exploiting Smart-Phone USB Connectivity For Fun And Profit

Angelos Stavrou & Zhaohui Wang

Department of Computer Science
George Mason University
Talk Outline

• Background – Why USB attacks? What's new here?
• New attack vectors, different from simple USB storage
• Phone-to-Computer Attack
• Computer-to-Phone Attack
• Phone-to-Phone Attack
• Demo & Discussion Points
• Defenses & Future Work

USB is Pervasive in Gadgets

• All Smart-Phone devices use USB
  – Google Android Devices (HTC, Motorola, …)
  – Apple iPhone
  – Blackberry
  – Others
• Multi-purpose Usage
  – Charging the Device Battery
  – Data & Media Transfer
  – Control external Devices (new capability)
USB-borne Threats only focused on Auto-Mounting
USB-borne Threats are much more complex…

• The USB protocol can be (ab)used to connect *any* device to a computing platform *without* authentication
  – Desktops, laptops, phones, kiosks, tablets (iPad)
• USB Storage is just the tip of the iceberg, and it is usually locked down and scanned by anti-virus and other defenses
• USB Human Interface Devices (HIDs) are one class of devices that are *much* more appealing
  – Keyboard/Mouse/??? on your Android Phone
  – Other USB devices?

USB-borne Threats are much more complex…

Many other devices:
• Ethernet/Wireless Network Adapter
  – No password; man in the middle for your network traffic, installed as the default "gateway"
• Printer
  – Capture all the documents printed
• Joystick(!)
• Biometric USB Reader
  – Brute force your way into a protected system(?)
Phone-to-Computer Attacks

• Program the Phone with the USB Gadget API for Linux
• Pretend to be a USB Human Interface Device
  – Dell USB keyboard, VendorID=413C, ProductID=2105
  – Touchpad or Mouse
• Pre-programmed key code
  – User-level or System-level attacks
  – Anything you would imagine
• Transparent to Victim Machine
  – No Human Input or approval
  – HIDs are recognized automatically…
Phone-to-Computer Attacks (Cont.)

• Traditional autorun attacks are easy but easily detectable
• Autorun and autoplay are on by default since Windows XP SP2
  – (MS KB967715) tries to address that
• Flash Autoplay content exploitation by re-enumeration
  – Exploit different content (PDF, HTML, DOC, MP3)
  – Remount/unmount the MMC card, controlled by the device
• Exploit the Autoplay feature of default media programs
  – Selectively prepare the attack payload, i.e. malicious MP3 files targeting Mac OS X iTunes, PDF targeting unpatched Adobe Reader
  – Highly robust exploit, works for a variety of programs
Computer-to-Phone Attacks

• Gaining Root Access to the Smart Phone Device
  – Official: simulate screen tap events to the OEM unlock menu on selected devices
  – Universal: Linux local root exploit (CVE-2009-1185, RLIMIT_NPROC exhaustion) sent via USB
• Insert malicious payload
  – Kernel-level: disassemble the boot partition
  – Replace the kernel zImage with your own
  – Replace Applications
• Remove traces by un-rooting to avoid detection
  – We can quickly clean up, no need for traces
  – After the next reboot, no traces at all
  – Very very difficult to identify; it has to happen before the next reboot
Computer-to-Phone Attacks (Cont.)

• Kernel manipulation
  – Rootkits
  – Traffic Redirection to a known proxy
  – Data Exfiltration
• Native ARM ELF binary
  – bypasses Android framework permissions and checks
• A complete phone provisioning process fully automated with evil payload
  – No application-level traces
Phone-to-Phone Attacks - OTG

USB (Mini) OTG Connector

• USB OTG (On-the-Go) controller
  – Capability to switch the controller and become a host or a gadget
• Smart Phones are shipped with such OTG-capable chipsets
  – Qualcomm QSD8250, Texas Instruments OMAP 3430
• The 5th pin (ID pin) identifies the function of the controller: host or gadget
  – floating ID denotes gadget, grounded ID denotes host
Smart Phone as a Host Controller

• Specially shorted USB mini-B dongle to signal the OTG controller to behave as a host
• USB transgender or USB micro-A to Standard-A Female cable (the out-of-box cable is micro-B to Standard-A Male)
Smart Phone as a Host Controller (Cont.)

• Power hub, for additional power supply
• Host side software stack: UHCI/EHCI HCD driver, device driver, userland programs
USB Hacking 101

Crucial Steps for USB Hacking:
• Understand the USB Background (coming up)
  – Low-level "USB Hubs" vs device driver
• Good tools to help debugging (Demo)
  – Some tools are helpful but have flaws, as we will show
  – A combination of tools is much better
• (Some) Hardware hacking
  – Craft cables to put the phone in "Master" mode
  – Use the phone to connect to and hack Other Phones
• Patience!
USB Reconnaissance

Operating System Fingerprinting using USB:
• Not all USB implementations are the same
  – Windows vs Linux vs Mac OS X
  – Flavors of Windows
• The protocol is the same but not the implementation
• USB devices in "slave"/gadget mode can identify the OS upon connection
• Smart (i.e. programmable) USB devices can do so much more, as we will see.
USB Reconnaissance

Host behaviour observed from the USB gadget side, one column per Operating System in the original table:

USB Gadget probe                                       Observations
Full function probe (bare device w/o configuration)    number of retries (6, 12 and 1 observed, one value per OS column)
Device alive probe (single adb/umass interface)        bus reset
USB Background: Hierarchical Topology

USB: Series of Events (Overview)

Standard USB Handshake between the USB Host and the USB Peripheral:
• Interrupt notifying the host that a device connected
• The host sends a Get Device Descriptor setup request; the peripheral identifies itself (Speed, VendorID, ProductID, Serial No., Manufacturer)
• Get Configuration Descriptor: the host sets up kernel data structures for the device descriptor; the peripheral supplies the configuration (Mass-storage, USB ether, etc.), which can be dynamically changed in a smart gadget
• Get Interface Descriptor: the host continues to enumerate all the interfaces; the peripheral specifies the interface information (USB Interface Class, Subclass, Protocol)
• The host sets up endpoints for every interface
• USB data transfer starts

Device Configuration Map

USB Host Enumeration

• Enumeration: How the host learns about devices
  – All USB devices must support (HW/SW) control transfers, the standard requests, and endpoint zero.
  – Smart gadgets are often composite devices
  – Enumeration is transparent and automatic
USB Enumeration Hierarchy

• Device
  – Configuration
    – Interface
      – Endpoint
• Configuration changes the ProductID
  – USB debugging will change the N1's ProductID from 4e11 to 4e12
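As an added example (not from the slides), a descriptor walker in Python that follows the enumeration sequence and hierarchy above: it parses the device descriptor the host requests first, walks the configuration descriptor by bLength down to interfaces and endpoints, and applies a defender's check for the composite shape the talk warns about (a boot-protocol HID keyboard beside mass storage on one device). The descriptor bytes are constructed for the example; only the Dell VendorID/ProductID come from the slides.

```python
import struct

DEVICE, CONFIG, INTERFACE, ENDPOINT = 0x01, 0x02, 0x04, 0x05
CLASS_NAMES = {0x03: "HID", 0x08: "Mass Storage", 0xFF: "Vendor-specific"}

def parse_device(desc: bytes) -> dict:
    """The 18-byte descriptor answering the host's first Get Device Descriptor request."""
    f = struct.unpack("<BBHBBBBHHHBBBB", desc[:18])
    if f[0] != 18 or f[1] != DEVICE:
        raise ValueError("not a device descriptor")
    return {"vendor_id": f[7], "product_id": f[8], "num_configs": f[13]}

def parse_config(blob: bytes) -> list:
    """Walk the configuration descriptor and the interface/endpoint descriptors behind it.
    Class-specific descriptors (the HID descriptor, type 0x21) are skipped by bLength."""
    blen, btype, total = struct.unpack_from("<BBH", blob, 0)
    if btype != CONFIG:
        raise ValueError("not a configuration descriptor")
    ifaces, off, end = [], blen, min(total, len(blob))
    while off + 2 <= end:
        dlen, dtype = blob[off], blob[off + 1]
        if dlen < 2 or off + dlen > end:
            raise ValueError("malformed descriptor length, refusing to walk further")
        if dtype == INTERFACE:
            num, _alt, _nep, cls, sub, proto, _name = struct.unpack_from("<7B", blob, off + 2)
            ifaces.append({"number": num, "class": cls, "subclass": sub,
                           "protocol": proto, "endpoints": []})
        elif dtype == ENDPOINT and ifaces:
            addr, attrs, mps, _ival = struct.unpack_from("<BBHB", blob, off + 2)
            ifaces[-1]["endpoints"].append((addr, attrs & 0x03, mps))  # (addr, xfer type, size)
        off += dlen
    return ifaces

def composite_warning(ifaces: list) -> list:
    """Defender's check: a boot-protocol keyboard/mouse (HID subclass 1) sharing a device
    with other functions is the composite shape the talk describes; return the class mix."""
    kinds = {CLASS_NAMES.get(i["class"], hex(i["class"])) for i in ifaces}
    boot_hid = any(i["class"] == 0x03 and i["subclass"] == 0x01 for i in ifaces)
    return sorted(kinds) if boot_hid and len(kinds) > 1 else []

# Constructed sample (not a capture): the Dell keyboard VID/PID from the slides on a
# device that also enumerates a mass-storage interface.
DEVICE_DESC = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0200, 0, 0, 0, 64,
                          0x413C, 0x2105, 0x0100, 1, 2, 3, 1)
_body = (struct.pack("<9B", 9, 4, 0, 0, 1, 3, 1, 1, 0)               # HID keyboard, boot protocol
         + struct.pack("<BBHBBBH", 9, 0x21, 0x0111, 0, 1, 0x22, 63)  # HID class descriptor
         + struct.pack("<BBBBHB", 7, 5, 0x81, 3, 8, 10)              # interrupt IN endpoint
         + struct.pack("<9B", 9, 4, 1, 0, 2, 8, 6, 0x50, 0)          # mass storage (SCSI, BOT)
         + struct.pack("<BBBBHB", 7, 5, 0x82, 2, 512, 0)             # bulk IN
         + struct.pack("<BBBBHB", 7, 5, 0x02, 2, 512, 0))            # bulk OUT
CONFIG_DESC = struct.pack("<BBHBBBBB", 9, 2, 9 + len(_body), 2, 1, 0, 0x80, 50) + _body
```

Run against bytes dumped by a USB debugging tool, the same walk shows which ProductID and interface set a gadget is presenting at the moment of connection.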
Demo Demo Demo

• Show exploitation of a computer using the phone as a keyboard
• Android based, but *any* smart phone device with a modern USB controller can perform the attack
• *Any* operating system is vulnerable: core functionality, not just a hack
• We can launch, reboot, redirect, …

Discussion

• USB connections are unprotected in the current USB 1.1/2.0/3.0 protocol
• USB is the new venue for emerging exploits due to trust in physical proximity
• Smart gadgets can cause more damage than traditional passive USB devices.
• Mutual USB authentication
• Revise the USB protocol for security features

Phone-to-Computer Defenses

Potential Defense Strategies

• Disable autorun on USB storage devices
  – MS KB971029, non-mandatory
• Disable all USB storage devices from automatically attaching
  – MS KB823732
• Validate the authenticity of the USB devices once upon connect
  – Bluetooth devices
  – Does not prevent attacks from corrupted devices
Discussion – Defenses?

• Potential Defenses – Adding Device Authentication is:
  – Adding static token authentication is not enough
    – Guessable
    – Easy to bypass (wait for the USB device to get authenticated, then swap to another device)
    – Data Exfiltration
  – Mutual Dynamic Authentication is good but…
    – Passive and dumb devices cannot cope with it
    – Many devices support the protocols only partially
    – The Windows USB-Hub subsystem is a problem…

Discussion – Defenses?

• Getting the Human in the loop
  – Bluetooth has tried that
  – It works, but only to validate the device; it cannot prevent a device which is "approved" but compromised from corrupting and taking over the other end.
• The solution requires a human to verify both the type of device and restrict its permissions
  – Very very difficult given the current user body
  – Can only be applied to enterprise settings
• Disabling USB is not an option (Why? Recharging…)
