Forensics Impossible: Self-Destructing Thumb Drives BRANDON WILSON


What is a USB flash drive?
Answer: a computer
- Processor
- RAM
- Firmware
- I/O
  - USB controller
  - LED(s)
  - NAND flash chip
- USB is just the transport mechanism

How does a computer interact with a flash drive?
- USB Device Descriptor
  - Vendor and Product IDs
  - Device class, subclass, and protocol
- Configuration Descriptor
  - Interface Descriptor(s)
    - Device class, subclass, and protocol
    - Endpoint Descriptor(s): Control (0), Bulk, Interrupt, Isochronous

How does a computer interact with a flash drive?
- USB Mass Storage Device Class
- Bulk-Only Transport Protocol
  - One incoming bulk endpoint
  - One outgoing bulk endpoint
  - Command Block Wrapper (CBW)
  - Optionally, either incoming data or outgoing data
  - Command Status Wrapper (CSW)
- Each transfer: CBW, then optional incoming or outgoing data, then CSW

How does a computer interact with a flash drive?
- USB Floppy Interface (UFI) Protocol
- SCSI Command Set
  - Inquiry
  - Get Capabilities
  - Request Sense Data
  - Read Sector
  - Write Sector (*)
  - Vendor-Specific Commands (*)

How does the flash drive work? Phison controller:

Can we change the code that executes?
- Trigger some kind of buffer overflow with the commands?
- Find the firmware upgrade tools and study them

What do we have to work with?
- http://usbdev.ru/files/phison
- Chinese manufacturing/QA tools: MPALL, UPTool, GetInfo
- Patriot Memory firmware upgrade utility
- Firmware leaks

How do we see what the tools are doing?
- Software USB analyzer: HHD USB Monitor, USBSnoop, USBlyzer
- Fake the device using an Arduino or other USB peripheral
- Hardware USB analyzer

Analyze the upgrade process

Analyze the upgrade process
- Get Info: 05 00 05 I N F O
- Transfer Image
  - Send Header: B1 <byte1> 00 00 00 00 00 01 <data>
  - Get Response: B0 00 00 08
  - For each 512-byte chunk:
    - Send Body: B1 <byte2> AH AL 00 00 BH BL <data>
    - Get Response: B0 00 00 08
- Firmware Upgrade
  - Transfer Image (byte1 = 01, byte2 = 00)
  - Unknown: EE 01 00
  - Transfer Image (byte1 = 03, byte2 = 02)
  - Unknown: EE 01 01
  - Unknown: EE 00 00
  - Unknown: EE 00 01

What are the image blocks?
- Reconstruct from traffic logs into BIN files
- Fire up IDA Pro?
- Apparently an Intel 8051-compatible chip

Study the 8051 code images

Firmware image layout (diagram)
- Base Page (Page 0): 0x0000 - 0x3FFF
- Page 1, Page 2, Page 3 ... Page n (Page 10): each banked in at 0x4000 - 0xEFFF

Boot process
- Boot ROM swapped into address 0x0000
- 8051 code execution begins at address 0x0000
- Read firmware area of NAND
- Is firmware present?
  - Yes: load first 32KB from special area of NAND to RAM at address 0x0000 and pass control to it
  - No: sit and wait for firmware/flashing code to be sent for execution

Burner image
- Send command BF (jump to boot ROM)
- Send 32KB image (burner image)
- Send command B3 (jump to RAM)
- Send 241KB image (firmware image)
- Send command B3 (jump to RAM)
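The upgrade and burner sequences above, as an added example that is not code from the talk or from psychson: a labeller for the vendor command bytes exactly as the slides list them, plus a session audit that flags the BF / B1-header / B3 reflash signature a USB monitor on a workstation could alert on. The 8-byte CDB framing, the mapping of B1 subcodes (01/03 header, 00/02 body) and the sample capture are my assumptions drawn from the slides.

```python
# Added example: decoder for the Phison vendor command bytes listed on the slides
# (05 get info, B0 get response, B1 transfer image, B3 jump to RAM, BF jump to
# boot ROM, EE unknown). The 8-byte CDB framing is an assumption.
OPCODE_NAMES = {0x05: "get info", 0xB0: "get response", 0xB1: "transfer image",
                0xB3: "jump to RAM", 0xBF: "jump to boot ROM", 0xEE: "unknown upgrade step"}
# Second byte of B1 per the slides: byte1 (01, 03) introduces an image header,
# byte2 (00, 02) carries one 512-byte body chunk.
HEADER_SUBCODES = {0x01: "image 1", 0x03: "image 2"}
BODY_SUBCODES = {0x00: "image 1", 0x02: "image 2"}

def describe_cdb(cdb: bytes) -> str:
    """Label one command block; fields the slides only name (AH AL, BH BL) are shown raw."""
    op = cdb[0]
    name = OPCODE_NAMES.get(op)
    if name is None:
        return f"{op:02X}: not a vendor command from the talk"
    if op == 0xB1:
        sub = cdb[1]
        if sub in HEADER_SUBCODES:
            return f"B1 {sub:02X}: transfer image header ({HEADER_SUBCODES[sub]})"
        if sub in BODY_SUBCODES and len(cdb) >= 8:  # layout: B1 <byte2> AH AL 00 00 BH BL
            return (f"B1 {sub:02X}: transfer image body chunk ({BODY_SUBCODES[sub]}) "
                    f"A={cdb[2:4].hex()} B={cdb[6:8].hex()}")
        return f"B1 {sub:02X}: transfer image (unrecognised subcode)"
    if op == 0xEE:
        return f"EE {cdb[1]:02X} {cdb[2]:02X}: {name}"
    return f"{op:02X}: {name}"

def audit_session(cdbs: list) -> dict:
    """Summarise a captured command stream and flag the reflash signature
    (BF jump to boot ROM, B1 image header, B3 jump to RAM); ordinary
    mass-storage traffic issues none of these opcodes."""
    ops = [c[0] for c in cdbs]
    headers = any(c[0] == 0xB1 and c[1] in HEADER_SUBCODES for c in cdbs)
    return {"labels": [describe_cdb(c) for c in cdbs],
            "body_chunks": sum(1 for c in cdbs if c[0] == 0xB1 and c[1] in BODY_SUBCODES),
            "reflash_attempt": 0xBF in ops or 0xB3 in ops or headers}

# Constructed capture following the "Burner image" slide (two chunks per image).
SAMPLE_CAPTURE = [bytes.fromhex(h) for h in (
    "bf00000000000000",  # jump to boot ROM
    "b101000000000001",  # burner image header
    "b000000800000000",  # get response
    "b100000000000001", "b100000100000002",  # body chunks A=0000/0001
    "b300000000000000",  # jump to RAM: burner now executing
    "b103000000000001", "b102000000000001",  # firmware image header + chunk
    "b300000000000000",  # jump to RAM: new firmware executing
)]
```

Feeding `audit_session` the CDBs from a sniffer log separates a plain Read/Write session (no flag) from one that re-enters the boot ROM and pushes images.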

Writing new tools
- Drive communication implemented in Python
  - Windows, Linux, OS X
  - http://github.com/brandonlw/psychson
- Send the original firmware: Success!
- But can we modify it and send it? What should we modify?

Patch the firmware and try to flash it
- What could we change and easily see?
  - Hard-coded strings? Don't see any
  - Cripple functionality? Prevent one or more SCSI commands from working

Recovering from failed flash
- Read firmware area of NAND
- Is firmware present?
  - Yes: load first 32KB from special area of NAND to RAM at address 0x0000 and pass control to it
  - No: sit and wait for firmware/flashing code to be sent for execution

Recovering from failed flash
- Short the NAND data pins

Kinds of patches we can make
- Create hidden partitions
  - Expose only one half of drive at a time (manipulate LBAs sent to drive)
- Password protection bypass
- Send raw NAND chip commands ourselves
  - Get the chip ID
  - Erase blocks
- Hmm... maybe we can do some damage
- Self-destructing drive patch

Self-destructing drive patch
- Add concept of a locked vs. unlocked state
  - Drive starts in locked state
  - While locked, the drive reports no media inserted/present
    - No reads/writes/accesses to any data
  - Only special SCSI command can unlock drive
- When the drive is idle, increment a counter over and over (pseudo-timer)
  - Counter is only reset via special SCSI command
  - Script on PC sends this command over and over, enabling normal use
- When counter reaches maximum value (several seconds of inactivity):
  - Erase firmware area of NAND
  - Lock up
  - Evil laughter ensues

Self-destructing drive patch
- Steal some bytes from RAM (*)
  - Locked/unlocked flag
  - Timer counter
- Patch initialization routine
  - Reset unlocked flag
  - Reset counter to 0
- Patch infinite loop
  - If unlocked, increment counter
  - If counter hit threshold:
    - Disable all interrupts
    - Erase firmware area of NAND (*)
    - And anything else we can
- Patch to add commands:
  - Set unlocked flag
  - Reset counter to 0
- Patch request sense command: if locked, return no media present
- Patch read sector command: if locked, do nothing
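A host-side model of the locked/unlocked state and pseudo-timer the two slides above describe, added here as an example (not the talk's firmware patch) so an examiner can reason about what a powered drive does under different handling: the tick granularity, THRESHOLD and the method names are constructed stand-ins for "several seconds" and the special SCSI commands.

```python
# Added example: model of the self-destruct state machine from the slides.
# THRESHOLD (in idle ticks) and the command names are constructed; the real
# firmware counts in its idle loop for "several seconds".
NO_MEDIA = "no media present"   # what Request Sense reports while locked

class SelfDestructModel:
    THRESHOLD = 5

    def __init__(self):
        self.unlocked = False        # drive powers up locked every time
        self.counter = 0
        self.firmware_present = True

    # Special vendor commands the PC-side script sends
    def unlock(self):
        self.unlocked = True
        self.counter = 0

    def reset_counter(self):
        self.counter = 0

    # Standard SCSI commands as patched on the slides
    def request_sense(self):
        return "ok" if self.unlocked else NO_MEDIA

    def read_sector(self, lba, nand):
        if not (self.unlocked and self.firmware_present):
            return None              # patched read: do nothing while locked or dead
        return nand.get(lba)

    # One pass of the patched infinite loop
    def idle_tick(self):
        if self.unlocked:
            self.counter += 1
            if self.counter >= self.THRESHOLD:
                self.firmware_present = False   # firmware area erased, drive locks up
                self.unlocked = False
        return self.firmware_present

def scenario(keepalive_gap, total_ticks, unlocked=True):
    """Host resets the counter every keepalive_gap ticks (0 = host is gone).
    Returns whether the firmware survived the run."""
    d = SelfDestructModel()
    if unlocked:
        d.unlock()
    for t in range(1, total_ticks + 1):
        if keepalive_gap and t % keepalive_gap == 0:
            d.reset_counter()
        d.idle_tick()
    return d.firmware_present
```

The model makes the handling point concrete: a drive left powered and unlocked after its host script stops wipes itself within THRESHOLD ticks, while a locked drive hides its contents but keeps its firmware, which is why the safest examination starts with no power at all.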

Self-destructing drive patch: Stealing bytes from RAM
- We have no idea what RAM is in use by the firmware
- But we do know it doesn't modify itself
  - Page 0 runs from 0x0000 - 0x?
  - Other pages run from 0x4000 - 0xEFFF
- It'll probably be okay if we steal a little from ~0x3FF0

Self-destructing drive patch: Patching in calls to subroutines
- 8051 lcall instruction is 3 bytes: lcall opcode + 2-byte address
- Find a block of code at least 3 bytes long
- Replace with call to empty area at end of page, where we'll place code we want to run
  - Replace any extra bytes with NOPs
- In code we want to run, place the instruction(s) we originally replaced

Let's put on our FBI/attacker hat
- Proper drive behavior is now reliant on the computer script that sends the unlock and (continuous) counter-reset commands... yay!
- But what if the computer script gets leaked to the Police? FBI? CIA? Girlfriend? Bad people?
- Require a drive-specific passphrase in the counter-reset command, to be checked by the firmware?
  - Vulnerable to USB traffic sniffing, which can even be done in software

Let's put on our FBI/attacker hat
- What if we scramble the traffic between host and PC?
- Disney Infinity:
  - Console generated random seed, sent (scrambled) to USB portal
  - Portal descrambled and stored the random seed
  - Portal generated random number and sent (scrambled) back to console
  - Console generated same random number, and if it didn't match portal's, freak out and de-authenticate
- Prevents USB traffic sniffing
  - As long as peripheral is the only one that can descramble

Let's put on our FBI/attacker hat
- Okay, fine, we won't plug it in
  - Dump the NAND chip
  - Direct access to firmware and the data
- We'll patch the read/write commands to use encryption
  - The data's now protected, but what about the firmware?
- Calculate the key based on information sent to drive beforehand
  - Computer script can prompt for password, send that to drive, which then gets used to calculate the key
- This could go on forever

Demos

Links
- http://github.com/brandonlw/psychson
- http://usbdev.ru/files/phison
- http://github.com/brandonlw/drivecom
- http://bitbucket.org/flowswitch/phison

In conclusion
- If you want to preserve the state of a device:
  - Don't apply power to it
  - See what you can physically get access to first
  - Be careful

Email: brandonlw@gmail.com
Web: http://brandonw.net
Twitter: @brandonlwilson
YouTube: http://youtube.com/ti83programmer