Materials for my USB hacking talk and a collection of related links

xairy/usb-hacking

USB Hacking

Materials for my "Introduction to USB hacking" talk (slides, video) and a collection of USB hacking–related links.

Snippets for demos shown during the talk are here.

Also see xairy/dma-attacks for my "Introduction to PCIe and DMA attacks" talk.

Hardware

Demonstrated during the talk.

USB Kill (90$)

Rubber Ducky (45$)

Bash Bunny (100$)

LAN Turtle (55$)

Digispark ATtiny85 (1.3$)

CJMCU BadUSB (10$)

Cactus WHID (16$)

Cactus Micro Rev2 (35$)

Teensy 3.2 (20$)

Facedancer21 (85$)

GreatFET One (110$)

Raspberry Pi Zero (5$)

Raspberry Pi Zero W (10$)

BeagleBone Black (70$)

Nexus 7 2013 (Wi-Fi) tablet (150$)

USB Armory (150$)

EC3380-AB (180$)

OpenVizsla (140$)

AirDrive Keylogger Max (100$)

Maltronics WiFi KeyLogger Internal (45$)

Agenda

Part 1: USB 101

Demos

  1. Looking at syslog (dmesg) when a new USB device is connected.
  2. Checking connected devices and their descriptors with lsusb.
  3. Sniffing and decoding USB packets with a logic analyzer.
  4. Sniffing USB via usbmon with Wireshark.

Part 2: USB attack surface

  • Device -> host: electrical, firmware, kernel, logical
  • Host -> device: firmware, Android, iOS
  • Host -> device -> host: original BadUSB
  • Remote: USB/IP, WebUSB, USBAnywhere

Part 3: Linux USB subsystem

  • Linux USB stack
  • USB sysfs, usbfs
  • libusb, pyusb

Part 4: BadUSB

  • BadUSB: consumer-ready vs self-designed
  • BadUSB: microcontroller-based vs Facedancer vs Linux-based

Demos

Consumer-ready:

  1. Rubber Ducky.
  2. Bash Bunny.
  3. LAN Turtle.

Microcontroller-based:

  1. Teensy 3.2.
  2. ATtiny85 board.
  3. CJMCU BadUSB.
  4. Cactus WHID.

Part 5: Facedancer

  • Facedancer software overview
  • Facedancer21 and GreatFET One

Demos

  1. Emulating USB keyboard with Facedancer.
  2. USB reconnaissance with Facedancer.

Part 6: Linux USB Gadget subsystem

  • Linux USB Gadget subsystem
  • Legacy Gadget Modules
  • USB Gadget ConfigFS
  • GadgetFS
  • Raw Gadget

Demos

  1. Emulating mass storage drive through g_mass_storage.ko on Raspberry Pi Zero.
  2. Emulating keyboard with ConfigFS on Raspberry Pi Zero.
  3. Emulating keyboard through GadgetFS on Raspberry Pi Zero.
  4. Emulating keyboard through Raw Gadget on Raspberry Pi Zero.
  5. Emulating keyboard from an Android device.

Part 7: USB fuzzing

  • Fuzzing, hardware vs virtual
  • vUSBf, QEMU and usbredir
  • syzkaller, Raw Gadget and dummy_hcd.ko

Demos

  1. Fuzzing USB with Facedancer.
  2. Fuzzing USB with vUSBf.
  3. Fuzzing USB with syzkaller.
  4. Crashing a Linux machine via a bug in a USB driver.
  5. Crashing a Windows machine via a bug in a USB driver.

Part 8: USB sniffing

  • Hardware vs software sniffers
  • "Low-level" vs "high-level" sniffers
  • Beagle analyzers
  • USBProxy, USBProxy 'Nouveau'
  • OpenVizsla
  • Hardware keyloggers (AirDrive, Maltronics)

Demos

  1. Sniffing with usbmon (already demoed in Part 1).
  2. Sniffing with a logic analyzer (already demoed in Part 1).
  3. Sniffing USB with USBProxy on BeagleBone Black.
  4. Sniffing USB with USBProxy 'Nouveau' with Facedancer.
  5. Sniffing USB with OpenVizsla.
  6. Sniffing keyboard via AirDrive Keylogger.
