IRON-HID: Create your own bad USB
Seunghun Han
HITBSecConf 2016
Who am I?
- Security researcher at NSR (National Security Research Institute of South Korea)
- Operating system and firmware developer
- Author of the book series titled "64-bit multi-core OS principles and structure, Vol.1 & 2"
- a.k.a. kkamagui (crow or raven in English) - @kkamagui1
Contents
- Background and Architecture of IRON-HID
- Hacking a Portable Charger
- Testing a Vulnerability of a Smartphone
- Testing a Vulnerability of a POS System and a PC
- Bonus
Part 1: Background and Architecture of IRON-HID
IRON-HID Project? = Human Interface Device for making your tools
Features
- Custom device + firmware + test agent program + Android smartphone program
- Various types of systems can be targeted
  - POS (Point-of-Sale), PC, Android, etc.
- Lightweight, embedded-hardware based
  - "Arduino" and "Teensy"
- Open-source project!
  - https://github.com/kkamagui/IRON-HID
Arduino vs Teensy

                 Arduino (Arduino Mega)             Teensy (Teensy++ 2.0)
Size             Larger (palm size)                 Smaller (paper-clip size)
Flash            256KB (ATmega16U2 + ATmega2560)    128KB (AT90USB1286)
I/O pins         60                                 46

Arduino Sketch IDE is available!
Architecture

Components (the custom device firmware, the TA program and the Commander program are the IRON-HID components):
- Custom device (built into a proxy device): embedded, low-powered hardware plus a wireless module (WiFi, Bluetooth, Cellular, etc.), running the IRON-HID firmware (USB functions and a CD-ROM image)
- Test agent (TA) program: runs on the target after the firmware installs it
- IRON-HID commander program: runs on the security inspector's smartphone
- Targets: POS systems, PCs, smartphones; the custom device attaches to the target over USB

Data flow:
- Commander → custom device (wireless): sends commands and events; receives the status of the proxy device and the results of commands
- Custom device → target (USB): sends keyboard events and installs the test agent program
- TA program → Commander (through the device's tunnel): executes shell commands, captures screens, gets files, and returns the results (shell output, screens, files)
IRON-HID Firmware
- Emulates a keyboard and a mass-storage device
  - It has one interrupt-type endpoint for sending and logging keyboard events
  - It has two bulk-type endpoints for installing the TA program
- Makes a custom communication channel
  - It has one control-type endpoint for making a tunnel between the TA program and the Commander program
TA program and IRON-HID Commander
- The TA program processes requests of the Commander
  - Command executions, screen captures, file transfers
- The Commander is the pen-tester's interface
  - It has a control tab, a command tab and a key tab
  - The penetration tester uses each tab for testing security holes
Message formats between the Commander, the TA program and the firmware

Direction               Format                Description
Commander → TA program  C;<command>;          Commander requests that the TA program executes a command and sends the result to the Commander
Commander → TA program  G;<filename>;         Commander requests that the TA program sends a file to the Commander
Commander → TA program  S;;                   Commander requests that the TA program captures a screenshot and sends it to the Commander
TA program → Commander  F;;<64byte data>;     TA program sends results to the Commander
Commander → Firmware    <Magic string 1>      Commander changes the firmware's mode to command transfer mode
Commander → Firmware    <Magic string 2>      Commander changes the firmware's mode to keyboard event mode
Commander → Firmware    <Magic string 3>      Commander requests that the firmware installs the TA program into the host
Firmware → Commander    M;;<keyboard event>;  Firmware sends the user's keyboard inputs to the Commander
Firmware → Commander    D;;<debug message>;   Firmware sends debug messages to the Commander
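The framing in the table above, as an added example that is not code from the IRON-HID project: a Python parser that splits a captured Commander-channel stream into frames and counts what the tunnel carried, which is what I would reach for when reviewing such a capture after an engagement. It assumes that text fields contain no ';', that the fixed 64-byte F payload may contain any byte, and it leaves out the magic strings because the slides do not give them; the sample capture is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
RESULT_CHUNK = 64  # F;;<64byte data>; carries a fixed 64-byte chunk

# Sender of each frame type, as given in the slide table
SENDER = {b"C": "Commander->TA", b"G": "Commander->TA", b"S": "Commander->TA",
          b"F": "TA->Commander", b"M": "Firmware->Commander", b"D": "Firmware->Commander"}

@dataclass
class Frame:
    kind: str       # C, G, S, F, M or D
    sender: str
    payload: bytes

def parse_frame(buf: bytes) -> Optional[Tuple[Frame, int]]:
    """Parse one frame at the start of buf: (frame, bytes consumed), or None when
    buf ends inside a frame (wait for more data). ValueError on a malformed frame."""
    if len(buf) < 2:
        return None
    kind = buf[:1]
    if kind not in SENDER or buf[1:2] != b";":
        raise ValueError(f"unknown frame start {buf[:2]!r}")
    if kind == b"F":
        # Fixed-length frame: the 64-byte payload is binary and may itself contain
        # ';', so it is sliced by length and never delimiter-scanned.
        end = 3 + RESULT_CHUNK
        if len(buf) < end + 1:
            return None
        if buf[2:3] != b";" or buf[end:end + 1] != b";":
            raise ValueError("malformed F frame")
        return Frame("F", SENDER[kind], buf[3:end]), end + 1
    if kind == b"S":                      # S;; carries no payload at all
        if buf[2:3] != b";":
            raise ValueError("malformed S frame")
        return Frame("S", SENDER[kind], b""), 3
    # C;<x>; and G;<x>; put the field after the first ';', M;;<x>; and D;;<x>; after an empty field
    start = 2
    if kind in (b"M", b"D"):
        if buf[2:3] != b";":
            raise ValueError(f"malformed {kind.decode()} frame")
        start = 3
    end = buf.find(b";", start)
    if end < 0:
        return None
    return Frame(kind.decode(), SENDER[kind], buf[start:end]), end + 1

def parse_stream(buf: bytes) -> Tuple[List[Frame], bytes]:
    """Split a captured stream into frames; also return the trailing partial frame."""
    frames: List[Frame] = []
    while buf:
        parsed = parse_frame(buf)
        if parsed is None:
            break
        frames.append(parsed[0])
        buf = buf[parsed[1]:]
    return frames, buf

def activity_summary(frames: List[Frame]) -> Dict[str, int]:
    """Count what the tunnel carried: handy when reviewing a capture of the channel."""
    names = {"C": "commands", "G": "file_requests", "S": "screenshots",
             "F": "result_chunks", "M": "logged_keys", "D": "debug"}
    return {n: sum(f.kind == k for f in frames) for k, n in names.items()}

# Constructed sample capture (not from a real device): a command request, a logged keystroke,
# a 67-byte result containing ';' over two NUL-padded F chunks (padding is my assumption),
# a debug line, and a G frame still in flight.
RESULT = b"pos;terminal " * 5 + b"\r\n"
SAMPLE = (b"C;whoami;" + b"M;;KEY_A;"
          + b"".join(b"F;;" + RESULT[i:i + RESULT_CHUNK].ljust(RESULT_CHUNK, b"\x00") + b";"
                     for i in range(0, len(RESULT), RESULT_CHUNK))
          + b"D;;mode=cmd;" + b"G;sec")
```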
We are ready to launch!
Choose a target to attach it
We want a portable charger
- We use the smartphone everywhere!!
- We spend much time with the smartphone
- But, it doesn't have enough battery
- So, you should bring your charger or …
So many portable chargers…
So many battery rental services…
Hey, you totally believe your portable charger?
PowerShock!!
- It is a portable charger, but not a normal one
- It has IRON-HID inside it
- It can test Android smartphones
- It can test POS (Point-Of-Sale) systems
- It can test your PC
It is a perfect weapon for penetration testers
Part 2: Hacking a Portable Charger
Tools you need
Inside of the portable charger
- It has a very simple architecture
- A charger module and battery cells
- High capacity model → more battery cells!
Cutting off battery cells
- Make some space for IRON-HIDs
- Battery cells are connected in parallel
- Cut off the cell connector carefully
Pin layouts of the charger module
- USB connector for input (recharging): Micro type, pins No.1 to No.5 = VCC, Data-, Data+, ID, GND
- USB connector for output (smartphone): Type A, pins No.1 to No.4 = VCC, Data-, Data+, GND
USB Datasheet
(Figure: pin layouts of the Micro, Type A and Mini connectors with the VCC and GND pin positions marked)
Pin layouts of the IRON-HID
- Bluetooth serial module (RN-42 Silver) pins: VCC, GND, TX, RX, CTS, RTS
- Teensy pins used: D2 (RX), D3 (TX), GND, 5V OUT
- Wiring: Bluetooth TX → Teensy D2 (RX); Bluetooth RX → Teensy D3 (TX); Bluetooth GND → Teensy GND; Bluetooth VCC → Teensy 5V OUT
- Teensy USB side: VCC, Data-, Data+, GND, ID
You got the power!!
* Rebirth of the Portable Charger *
USB OTG (On-The-Go)
* The final piece of the puzzle *
- It activates the USB host function of smartphones
- You can connect various types of USB peripherals such as a keyboard, mass storage (a USB drive) or a mouse
(Figure: Smartphone – cables – PowerShock … ?! … THIS IS NOT WHAT I WANT. OH…)
Making a custom OTG cable
Connect the ID pin with the GND pin
Part 3: Testing a Vulnerability of the Smartphone
Well-known Smartphone Vulnerability

Do you use a pattern lock?
  No  → You are safe (maybe…)
  Yes → Do you set a backup PIN?
          No  → You are safe (maybe…)
          Yes → Can you type backup PINs unlimitedly?
                  No  → You are safe (maybe…)
                  Yes → You are in danger
Testing the vulnerability
- Connect PowerShock to a smartphone with the custom OTG cable and fire!!
- It is really hard to test the vulnerability by hand
- The PowerShock tests it instead of you
- It sends PINs quickly and automatically!!
If someone asks you to charge a phone, charge it with PowerShock!!
Demo
(Let's test the Android)
Part 4: Testing a Vulnerability of the POS System and the PC
Inside of the POS Systems
(Figure: a POS mainboard with a parallel port, a serial port, USB + LAN and PS/2 ports)
Many POS systems are PC-based!! (POS == PC)
If the PowerShock plugs into the POS?
If the POS system has a vulnerability, you can grab card numbers!!
(Figure: PowerShock plugged into the POS system's USB port to "recharge"; the POS screen shows Card Num: XXXX-XXXX, Date: XX/XX)
Demo
(Let’s test the POS system)
Part 5: Bonus
KeyboardShock
Attach IRON-HID onto USB keyboards and give them to your colleagues
Find the key matrix with a multimeter
An example of a keyboard matrix
ReaderShock
Attach IRON-HID onto card readers and give them to your colleagues as well
Then…
You will be the big brother for fun!!
- Logging and sending keys
- Receiving files and capturing screenshots
- Executing commands
C:> notepad no-mercy.txt
C:> format c: /q
Resources
- http://www.fourwalledcubicle.com
- http://cdemu.blogspot.com
- http://www.usb.org
- https://www.arduino.cc
- https://www.pjrc.com/teensy
I will be waiting for your email
@kkamagui1, hanseunghun@nsr.re.kr
Thank you !
