FaceDancer board snatches USB firmware

By

USB protocol riddled with 'absurd design decisions'.

Security researcher Travis Goodspeed has detailed a device which emulates USB device firmware update (DFU) mode to help reverse engineer firmware and deliver exploits.

FaceDancer board snatches USB firmware
USBGeek

Speaking at the BreakPoint conference in Melbourne last week, Goodspeed also revealed plans for a mass storage device capable of evading forensic analysis.

He detailed how the FaceDancer device could be used to intercept USB firmware — its primary use during Goodspeed's work.

“By emulating the USB device firmware update protocol I can pretend to be any version of the device and then catch the update as it is installed,” Goodspeed said. 

FaceDancer. Credit: Goodspeed

“If you have the real hardware, you have one shot in which to sniff [firmware updates] because it will only send firmware across if it’s out of date.”

FaceDancer extended GoodSpeed's GoodFET framework to allow for fast prototyping and fuzzing of USB device drivers.

It also revealed a host of “ugly” bugs within USB protocols which were caused because USB protocols were never designed to withstand attacks.

“When you start interacting with these devices you [see] absurd design decisions because nothing malicious was ever meant to touch the USB," he said.

"These networks are everywhere: SCSI for Ethernet, Firewire, USB and SD card. All of these are great ways to attack the kernel." 

Goodspeed told delegates that looking at USB protocols provides access to an overlooked attack surface which is "a great way of finding mountains of zero-day [flaws]".

One side of FaceDancer allows a USB emulator to be written on a PC using Python and be connected via the opposite side to a target machine which would 'see' the USB device.

That it is written on a PC rather than on a virtualised machine or as a standalone device like previous efforts grants the user more RAM and code storage along with logging.

Goodspeed will also in December release a mass storage emulator which actively detects when it is being forensically analysed “and then fights back”.

“If you ever see a file being read before the metadata describing that data, then you’re being forensically analysed”.

FaceDancer could be purchased online but buyers are warned that Customs has a habit of seizing some shipments.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
breakpointreverse engineeringruxconsecurityusb

Sponsored Whitepapers

Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond

Events

Most Read Articles

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks
Home Affairs officer accessed data on "friends and associates"

Home Affairs officer accessed data on "friends and associates"
SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
Sportsbet recruits 'security champions' in shift-left strategy

Sportsbet recruits 'security champions' in shift-left strategy
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?