29C3: When USB memory sticks lie

USB memory sticks are thought to be among the less exciting hardware components – simple storage media that have many uses and function the same way in almost any hardware environment. That this isn't actually true was demonstrated by Pwnie-winning hacker Travis Goodspeed at the 29th Chaos Communication Congress (29C3) in Hamburg.

"We think of USB memory sticks as block devices, but in reality they are computers that use a network to talk to a host", said Goodspeed. "These devices can send any data they want." Once this perspective is adopted, whole new fields of application become possible, explained the researcher. For example, Goodspeed noted that USB device drivers are often poorly programmed and offer many access points, and that it is possible to modify files while a USB memory stick is connected.

Security researcher Collin Mulliner exploited the misplaced trust in these USB devices to install an unauthorised extension on a Samsung smart TV that allowed him to gain full access to the TV's system because the TV initially checks for authorised extensions on the USB memory stick. For the check, Mulliner presented the TV with an allegedly authorised plug-in. However, during the actual installation process, the researcher planted a totally different file in the system and used it to obtain telnet access. This allowed him to make arbitrary firmware changes, for instance in order to record content from a premium TV channel.

Apparently, this hack is only the beginning. Goodspeed has developed a board called Facedancer11 that can emulate arbitrary USB devices. "This is a development tool", emphasised the researcher. Goodspeed explained that it is, for example, possible to pretend that a smartphone has established a connection to the computer in order to initiate a firmware update. According to the researcher, the data that can be intercepted this way enables potential attackers to find out how exactly the update process works and allows them to save a firmware image for further analysis. Using the board to examine a computer's communications, an attacker can then build USB devices that target specific vulnerabilities in the host computer.

However, emulating a USB memory stick opens up other new possibilities. Through fingerprinting, the USB memory stick can quickly establish what kind of device is trying to communicate with it. For example, Windows PCs access the USB memory stick's MBR a total of nine times, while Linux distributions can be differentiated by their automounters. USB memory sticks can register such behavioural patterns and use them to return the data that the owner wishes to disclose. "When the MBR is read nine times, it's probably not my laptop", said Goodspeed. With the necessary programming, a USB memory stick can, therefore, return different content to a Windows PC than it does to a Linux computer.

Goodspeed says that he can also analyse the accessing user's intention. For example, the researcher explained that, when detecting a USB memory stick, Windows PCs write the access date to the storage device by default. However, if a PC neglects to do this, it is likely that the user is trying to duplicate the USB stick for forensic purposes – leaving a storage device unmodified is one of the top priorities when collecting evidence. Goodspeed said that he can program his USB memory stick in such a way that it will self-destruct when someone tries to create a copy for forensic purposes. "As long as a forensics expert doesn't know that he's dealing with a special USB memory stick, you've won", said the researcher.

(Torsten Kleinz / fab)