Unbridled HIDIOcy - Hack In The Box Security...
Unbridled HIDIOcy
@stevelord, Raw Hex, https://hidiot.com/
This Guy
• @stevelord on Twitter and Mastodon
• Raw Hex, 44CON, HIDIOT
• I like breaking and building (the Internet of) things
What Is HIDIOT?
• Human Interface Device Input/Output Toolkit
• Tool To Teach Hardware Hacking Skills
• uC and host programming
• Circuit design and Soldering
• Bus interfaces and protocols
What Is HIDIOT?
• Specific focus: 11-16 year old kids
• Teach kids to: void warranties, do unspeakable things to microcontrollers, save the world
What is HIDIOT?
• Alternative focus: Hackers
• Originally built as a tool to explore USB protocols, HID devices for USB/Bluetooth
• Used to simulate USB devices and for rapid prototyping
Part 1
Using (and abusing) HIDIOT
What Does HIDIOT Have?
• USB interface to ATTiny85
• 8k SRAM, 512 bytes RAM, 512 bytes EEPROM
• Almost any bus type thanks to USI
• Soft UART, SPI, I2C, 1-wire buses, USB :)
HIDIOT Software Stack
• Arduino IDE with Digispark/Trinket capability
• AVR-GCC for those who like to go manual
• Micronucleus Bootloader
• V-USB for USB management
• Library support for lots of add-ons
Physical HIDIOT
• Temp Sensor
• Light sensing via LED
• 2x LEDs
• 2x Tact switches
• Breakout area
Host Comms With HIDIOT
• USB Generic HID Class/LibUSB
• CDC Serial*
• Keyboard/Mouse/Joystick/MIDI etc.
• Anything you can write reports for
Computer Add-on Projects (CAPs)
• Like Shields or HATs
• Interchangeable hardware add-ons
• Ideal for modular HID-based exfil
Rapid Prototyping With HIDIOT
• Use breakout to add parts
• Build CAP for components
• Take ATTiny85 off board and add to CAP
• Add Power Source
Part 2
A High Level Overview of USB 2.0
While I build a HIDIOT live
Electrical USB
• 4 Pins - VCC, GND, D-, D+
• Differential Encoding on D-/D+ for noise cancellation
• Pull-up/down resistors for different device/host/hub combinations
USB 2.0 Terms
• Transfers
• Transactions
• Packets/Phases
• PID
• CRC
USB 2.0 Comms
• All transfers/transactions are IN or OUT from the host's perspective.
• IN - Device to Host
• OUT - Host to Device
USB 2.0 Transfer Types
• Control
• Bulk
• Interrupt
• Isochronous
USB 2.0 Transactions
• Transfers consist of 1 or more transactions
• Each Transaction consists of two or three packets (stages/phases)
• Packets contain PIDs and other info
USB 2.0 Packets
• Token packet (all transactions, contains PID, endpoint and CRC)
• Data packet (contains PID, data and CRC)
• Handshake packet (contains PID)
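An added example, not from the slides: parsing a 3-byte OUT/IN/SETUP token packet as a bus capture would show it, checking the PID against its complement nibble and verifying the CRC5 over the address and endpoint bits. The function names, return codes and sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum { TOK_OK = 0, TOK_BAD_PID = -1, TOK_UNSUPPORTED = -2, TOK_BAD_CRC = -3 };
enum { PID_OUT = 0x1, PID_IN = 0x9, PID_SETUP = 0xD };

typedef struct { uint8_t pid, addr, endp; } usb_token;

/* CRC5 over the 11 address+endpoint bits: polynomial x^5+x^2+1, register
 * preset to all ones, bits fed in wire order (LSB first), result inverted.
 * The value is returned bit-reversed so it compares directly with the five
 * CRC bits as they sit in the captured little-endian token field. */
static uint8_t usb_crc5(uint16_t bits11) {
    uint8_t crc = 0x1F, rev = 0;
    for (int i = 0; i < 11; i++) {
        uint8_t fb = ((bits11 >> i) & 1) ^ ((crc >> 4) & 1);
        crc = (uint8_t)((crc << 1) & 0x1F);
        if (fb) crc ^= 0x05;
    }
    crc ^= 0x1F;
    for (int i = 0; i < 5; i++) rev |= (uint8_t)(((crc >> i) & 1) << (4 - i));
    return rev;
}

/* pkt[0] = PID byte, pkt[1..2] = 7-bit address, 4-bit endpoint, 5-bit CRC.
 * SOF tokens carry a frame number instead and are not handled here. */
static int parse_token(const uint8_t pkt[3], usb_token *out) {
    uint8_t pid = pkt[0] & 0x0F;
    if ((pkt[0] >> 4) != (uint8_t)(~pid & 0x0F)) return TOK_BAD_PID;
    if (pid != PID_OUT && pid != PID_IN && pid != PID_SETUP) return TOK_UNSUPPORTED;
    uint16_t field = (uint16_t)(pkt[1] | (pkt[2] << 8));
    if ((field >> 11) != usb_crc5(field & 0x07FF)) return TOK_BAD_CRC;
    out->pid = pid;
    out->addr = field & 0x7F;
    out->endp = (field >> 7) & 0x0F;
    return TOK_OK;
}

int main(void) {
    /* Constructed samples: SETUP to address 1, IN to address 0, and the
     * first packet again with one CRC bit flipped. */
    const uint8_t samples[3][3] = {
        {0x2D, 0x01, 0xE8}, {0x69, 0x00, 0x10}, {0x2D, 0x01, 0xE0}
    };
    for (int i = 0; i < 3; i++) {
        usb_token t;
        int rc = parse_token(samples[i], &t);
        if (rc == TOK_OK)
            printf("pid=0x%X addr=%u endp=%u\n", (unsigned)t.pid,
                   (unsigned)t.addr, (unsigned)t.endp);
        else
            printf("rejected (%d)\n", rc);
    }
    return 0;
}
```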
Other Packets
• PING packets
• PRE packets
Control Transfers
• 1 Setup stage transaction
• 0 or more data stage transactions
• 1 Status stage transaction (in opposite direction, IN if no data stage sent)
Control Transfers
• Each stage has 3 phases (packets)
• Token
• Data
• Handshake
Interrupt Transfers
• Low Speed Transfers
• 1 or more IN or OUT transaction
• Same 3 phases as before
Let's Get Out Of The Weeds
(Thank goodness)
USB Device Classes
• Lots of ‘em
• We’re focused on USB HID Device Class
• BONUS: USB HID === Bluetooth HID
Common USB HID Class Devices
• Keyboards
• Mice
• Game Controllers
• Generic HID Class*
Uncommon USB HID Class Devices
• UPSes
• Software Protection Dongles
• Medical Devices
USB Reports
• Each device communicates using reports
• Device describes report structure during enumeration
• IN interrupt transfer is minimum required for HID (e.g. keyboard press)
• OUT transfers are optional (e.g. to report keyboard LED status change)
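An added example, not from the slides: the report structure a device declares at enumeration is a byte stream of short items, and a host-side check can walk it to bound the report sizes before trusting them. The function name, return codes and the 64-byte limit are assumptions, and the sketch assumes a descriptor without Report ID items.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: the boot keyboard report descriptor from the USB HID
 * specification, as a keyboard would return it during enumeration. */
static const uint8_t KBD_DESC[] = {
    0x05,0x01, 0x09,0x06, 0xA1,0x01, 0x05,0x07, 0x19,0xE0, 0x29,0xE7,
    0x15,0x00, 0x25,0x01, 0x75,0x01, 0x95,0x08, 0x81,0x02, /* modifier bits */
    0x95,0x01, 0x75,0x08, 0x81,0x01,                       /* reserved byte */
    0x95,0x05, 0x75,0x01, 0x05,0x08, 0x19,0x01, 0x29,0x05, 0x91,0x02, /* LEDs */
    0x95,0x01, 0x75,0x03, 0x91,0x01,                       /* LED padding   */
    0x95,0x06, 0x75,0x08, 0x15,0x00, 0x25,0x65, 0x05,0x07, 0x19,0x00,
    0x29,0x65, 0x81,0x00, 0xC0                             /* 6 key codes   */
};

typedef struct { uint32_t in_bits, out_bits, feat_bits; } hid_sizes;
enum { HID_OK = 0, HID_TRUNCATED = -1, HID_UNBALANCED = -2, HID_TOO_BIG = -3 };
#define MAX_REPORT_BITS (64u * 8u) /* assumed policy limit, not from the spec */

/* Walk the items and sum Report Size * Report Count per Input/Output/Feature. */
static int hid_report_sizes(const uint8_t *d, size_t len, hid_sizes *out) {
    uint32_t size = 0, count = 0;
    int depth = 0;
    hid_sizes s = {0, 0, 0};
    for (size_t i = 0; i < len; ) {
        uint8_t p = d[i++];
        if (p == 0xFE) { /* long item: bDataSize, bLongItemTag, data */
            if (len - i < 2 || len - i - 2 < d[i]) return HID_TRUNCATED;
            i += 2u + d[i];
            continue;
        }
        size_t n = (p & 3) == 3 ? 4 : (size_t)(p & 3); /* size code 3 = 4 bytes */
        if (len - i < n) return HID_TRUNCATED;
        uint32_t v = 0;
        for (size_t k = 0; k < n; k++) v |= (uint32_t)d[i + k] << (8 * k);
        i += n;
        uint8_t type = (p >> 2) & 3, tag = p >> 4;
        if (type == 1 && tag == 0x7) size = v;        /* Global: Report Size  */
        else if (type == 1 && tag == 0x9) count = v;  /* Global: Report Count */
        else if (type == 0) {                         /* Main items           */
            if (tag == 0xA) depth++;                  /* Collection           */
            else if (tag == 0xC) { if (--depth < 0) return HID_UNBALANCED; }
            else if (tag == 0x8 || tag == 0x9 || tag == 0xB) {
                uint32_t *t = tag == 0x8 ? &s.in_bits
                            : tag == 0x9 ? &s.out_bits : &s.feat_bits;
                uint64_t total = (uint64_t)*t + (uint64_t)size * count;
                if (total > MAX_REPORT_BITS) return HID_TOO_BIG;
                *t = (uint32_t)total;
            }
        }
    }
    if (depth != 0) return HID_UNBALANCED;
    *out = s;
    return HID_OK;
}

int main(void) {
    hid_sizes s;
    int rc = hid_report_sizes(KBD_DESC, sizeof KBD_DESC, &s);
    if (rc == HID_OK)
        printf("IN %u bits, OUT %u bits\n", (unsigned)s.in_bits, (unsigned)s.out_bits);
    else
        printf("descriptor rejected (%d)\n", rc);
    return 0;
}
```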
How HID Works
• Host polls device’s interrupt IN endpoint
• If device has data it will send data in report format
• Common devices use reports compliant with USB-IF standards
• Custom devices require custom drivers
Part 3
Software Stack
Installation
• Install Arduino
• Add Digispark board
• Install Windows USB drivers (optional)
• You can play along.
Part 4
DEMOS!
#1: Morse Code Blinker
#2, #3 Keyboard Control
• Hello World
• A Bit More
#4 DuckyScript
#5 Improving DuckyScript
#6 Pi Shutdown
#7 Improved Pi Shutdown
#8 Randomness
#9 Better Randomness
#10 Entropy Through WDT Jitter
#11 Hardware SSH Key
DENIED!!!
#11 Interfacing With Hardware
#12 Something Different
Part 5
Expanding HIDIOT
Part 6
Things For You To Try
Some Ideas To Try
• USB Host Fuzzing
• USB Device Fuzzing
• Brute forcing PINs with USB Keyboard
• Visible Light Comms
• Software Defined IR
Some Ideas To Try
• Portable RF hacking projects
• USB Host power-based side channel attacks
• Fuzzing SPI devices
• Fuzzing I2C devices
• Abusing USB report structure trust
Some Ideas To Try
• USB Device change detection and alerting
• EFI/SPI/I2C integrity monitoring
• U2F Security Key
• USB RF Bug/Anomaly Detection