Міжнародная канферэнцыя распрацоўнікаў і карыстальнікаў свабодных праграм

USB attacks explained

Krzysztof Opasiak, Warsaw, Poland

LVEE 2017

USB is the most common external interface in the world. Even machines which, for security reasons, are disconnected from the Internet often offer USB connectivity. This creates a new attacks surface for skilled hackers. USB implementation may be exploited on various levels. To effectively protect against such attack, knowledge about already exploited vulnerabilities is required. This paper is a survey of state-of-the-art USB-related attacks.

On a very high level, USB is a communication protocol which allows to provide and use some abstract services (functionalities). Machine which provides some additional functionality is called a USB device and machine which uses this functionality is called a USB host. Typically USB host is a computer, DVD player etc. and USB device is a pendrive, web camera or sound card but it can also be a mobile phone or tablet!
One of very famous USB features is Plug&Play. It means that USB host is able to automatically detect new USB devices and discover functionalities offered by them. Together with automatic support provided by most of host operating systems it makes USB very user-friendly and easy to use. Unfortunately, the same automation may lead to new security threats. . .

USB attacks
Popularity and blind trust in USB security seem to be one of the major reasons why malware started spreading also using this attack vector. From the security perspective we can distinguish three types of attacks toward USB based on their main target:
USB host focused attacks,
USB traffic analysis, modification and injection attacks,
USB device focused attacks.

USB host focused attacks
This type of attacks aims at taking over the control of the USB host machine.
We can distinguish three subgroups of such attacks.
The first group of such attacks uses vulnerabilities in the high level system infrastructure related to support of given USB function. Very good examples of such attacks are Conficker 1 and Stuxnet 2, which used the vulnerabilities in external storage support.
The second group of USB host focused attacks tries to exploit vulnerabilities in USB stack and drivers implementation. This is mainly done by creating malicious devices which sends specially prepared payload to exploit some buffer overflow or other vulnerability. Very good repentant of such attacks is Plug & Root device presented during BlackHat Conference in Las Vegas back in 2005 3.
Thanks to dedicated fuzzers like facedancer 4 and umap 5 and increasing developers’ awareness USB stacks (esp. Linux stack) are getting more and more resistant to this group of attacks.
Finally, the third group of attacks abuses Plug & Play philosophy and blind user trust in harmlessness of USB devices. This group of attacks became famous in 2014 thanks to BlackHat USA presentation – BadUSB 6. This attack simply tries to trick user to connect device which offers different functionality than user may assume based on its physical outfit.

USB traffic analysis, modification and injection attacks
This type of attacks usually aims at discovering some secret information like passwords or at modification of USB traffic to abuse functionality expected by user.
First group of those attacks are passive listeners usually recording HID protocol which is used by for example keyboards. Those devices are relatively cheap and are being found from time to time in public places like libraries 7 or schools 8.
Second group involves not only listening but also modification of USB traffic and injection of additional messages. Recent example of such attacks may be BadUSB 2.0 introduced by David Kierznowski and described in 9.

USB device focused attacks
Third type of attacks is targeted at USB devices. Usually not those simple tiny device lie pendrive because people try to keep them safe but rather those more complicated like mobile phones and tablets. All those devices carry a lot of sensitive user data which can be accessed via USB. It’s worth to mention that the same USB port is often used for both data transfer and battery charging. Short battery life encourages user to connect mobile device to publicly available charging stations.
This leads to hazard of unauthorized access to private data like photos or contacts. More advanced attackers may event try to take over the control of device using for example ADB resource exhaustion attack 10.

USB is a extremely popular external interface. It has been adopted to various use case and incorporated by most devices on the market. Through being extremely usefully, USB should be also considered as a real security thread especially in high security environments.

1 M.Hypponen, “The conficker mystery,” in Black Hat, Las Vegas, NV, USA, July 2009. [Online]. Available: http://www.blackhat.com/presentations/bh-usa-09/HYPPONEN/BHUSA09-Hypponen-ConfickerMystery-PAPER.pdf

2 L. O. M. Nicolas Falliere and E. Chien, “W32.stuxnet dossier,” Feb. 2011. [Online]. Available: https://www.symantec.com/content/en/us/enterprise/media/security response/whitepapers/w32 stuxnet dossier.pdf

3 D. Barral and D. Dewey, “”plug and root,” the usb key to the kingdom,” in Black Hat, Las Vegas, NV, USA, July 2005. [Online]. Available: https://www.blackhat.com/presentations/bh-usa-05/BH US 05-Barrall-Dewey.pdf

4 “Facedancer21 (usb emulator/usb fuzzer).” [Online]. Available: https://int3.cc/products/facedancer21

5 “umap: The usb host security assessment tool.” [Online]. Available:

6 S. K. Karsten Nohl and J. Lell, “Badusb – on accessories that turn evil,” in Black Hat, Las Vegas, NV, USA, July 2014. [Online]. Available: https://srlabs.de/wp-content/uploads/2014/07/SRLabs-BadUSB-BlackHat-v1.pdf

7 “Hardware keyloggers discovered at public libraries.” [Online].
Available: https://nakedsecurity.sophos.com/2011/02/14/hardware-keyloggers-discovered-public-libraries/

8 “Us school expels pupils for using hardware keyloggers to change grades,”
Feb. 2004. [Online]. Available: http://www.techworld.com/news/security/us-school-expels-pupils-for-using-hardware-keyloggers-change-grades-3500558/

9 D. Kierznowski, “BadUSB 2.0: USB man in the middle attacks,” Royal
Holloway University of London, Tech. Rep., 04 2016.

10 T. Vidas, D. Votipka, and N. Christin, “All your droid are belong to
us: A survey of current android attacks,” in Proceedings of the 5th
USENIX Conference on Offensive Technologies, ser. WOOT ́11. Berkeley,
CA, USA: USENIX Association, 2011, pp. 10–10. [Online]. Available:

Abstract licensed under Creative Commons Attribution-ShareAlike 3.0 license