USB Protocol
Introduction
The USB protocol is a cornerstone of modern computer communication, offering high flexibility and universal compatibility with a wide range of devices. However, this versatility comes with significant security risks. This document provides an overview of the USB protocol, highlighting its key features, such as composite device support and device enumeration. It also explores the associated security threats, including malware transmission, abuse of HID devices, and vulnerabilities due to unencrypted data transmission. By examining these aspects, the document sheds light on the balance between functionality and security in USB technology.
Protocol
The USB protocol is characterized by its high flexibility, particularly in its support for so-called composite devices. A composite device exposes several interfaces within a single configuration, and each interface functions as an independent unit that the host binds to its own driver. A typical example is a USB headset whose configuration includes four interfaces: a keyboard interface for volume control, a microphone, and two speakers. This flexibility enables various functions to be combined into a single physical USB device.
General Class Specifications
Since the introduction of USB 1.0, the concept of "Common Class Specifications" has been used to standardize various types of peripheral devices. A USB class is a group of one or more interfaces that together provide a defined functionality, so that the operating system can serve the device with a generic class driver instead of a vendor-specific one. One of the most well-known classes is the "Human Interface Device" (HID) class, which lets the host communicate with input devices such as keyboards and mice. Another significant class is the USB Mass Storage class, which defines how block data is transferred between the host and storage devices.
Composite devices combine multiple classes to provide more comprehensive functionality. For example, a USB headset can utilize both the HID class and the Audio class to support input and output functions. While this design principle has increased the flexibility of the USB protocol, it has also introduced security challenges.
USB Device Enumeration
When a USB device is connected to a host system, the host controller detects the presence of the device, and its speed, from the pull-up resistor the device places on one of the data lines (D+ for full speed, D- for low speed). This triggers the process known as enumeration, in which the host identifies and configures the device. The host resets the device and then issues a GET_DESCRIPTOR request for the device descriptor at the default address 0. The device descriptor carries the Vendor ID (VID), the Product ID (PID), the device class and the indices of the manufacturer, product and serial-number string descriptors; the strings themselves are fetched with further GET_DESCRIPTOR requests.
The host then resets the device once more and assigns it a bus address with a SET_ADDRESS request, which all further communication uses. This is followed by a GET_DESCRIPTOR request for each configuration descriptor. USB devices can have one or more configurations, but only one can be active at a time; the host selects it with SET_CONFIGURATION. Each configuration may include one or more interfaces. There is no separate request for interface descriptors: the configuration descriptor is returned as one block that contains the interface descriptors and, behind each interface, its endpoint and any class-specific descriptors, and the host walks this block to learn what the device offers. The interfaces are the functional units handled by different drivers within the operating system. After these steps, the operating system loads the appropriate class or vendor driver for each interface, and the device-specific subprotocols (e.g., HID, Mass Storage) become active.
Protocol Vulnerabilities
At Black Hat USA 2014, J. Lell and K. Nohl demonstrated how they reverse engineered and reprogrammed the controller firmware of USB mass storage devices, turning ordinary flash drives into "BadUSB" devices. In doing so they highlighted several properties inherent to the USB specification that allow a benign-looking device to turn into an attack tool:
- The host has no way of knowing how many physical devices are actually connected to it; it only sees what enumerates.
- A device is not limited to a single functional class.
- The USB standard allows a device to change its persona (the descriptors it presents) at any time.
- Endpoints are defined by the device; the standard does not tie a device to a fixed set or number of them.
- USB devices have no guaranteed unique identifier. They are identified by a serial number that is a free-form string of no fixed length, that many device classes do not even mandate, and that the device can report as any value it likes.
- A device can go through enumeration again at any point in time. A common benign use is a 3G modem that first enumerates as a CD-ROM drive from which the driver is installed and, once the driver is active, re-enumerates as what it actually is, a modem.
- Manufacturers generally do not implement firmware signing in the device controller, so the firmware can be rewritten and the host has no way to verify it.
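The enumeration steps above and the BadUSB properties just listed can be made concrete by walking the bytes a device returns for its configuration descriptor. The following is an added example written for this page; it is not code from the page, from Lell and Nohl, or from any USB stack. It parses a configuration descriptor into interfaces and endpoints, raises findings when a device claims more classes than expected, and keeps a per-port record so that a device which re-enumerates with a different persona is noticed. The two descriptor blobs, the class allow-list and the port path "1-2" are constructed for the example.

```python
"""Walk a USB configuration descriptor and report what a device claims to be.

Added illustration; not code from the page or from Lell and Nohl. Descriptor
layouts follow the USB 2.0 specification, chapter 9. The sample descriptors
below are constructed, not captured from real hardware.
"""
import struct
from typing import Optional

DT_CONFIGURATION, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08
CLASS_NAMES = {0x01: "Audio", 0x02: "CDC", 0x03: "HID", 0x08: "Mass Storage",
               0x09: "Hub", 0x0A: "CDC-Data", 0x0E: "Video", 0xFF: "Vendor"}


def parse_configuration(blob: bytes) -> dict:
    """Parse one GET_DESCRIPTOR(Configuration) reply into interfaces/endpoints.

    Interface and endpoint descriptors are not fetched separately: they are
    concatenated after the 9-byte configuration header, so the host walks the
    buffer using each descriptor's own bLength. The device authors every byte
    here, so length fields are bounds-checked before they are trusted.
    """
    if len(blob) < 9 or blob[1] != DT_CONFIGURATION:
        raise ValueError("not a configuration descriptor")
    total = struct.unpack_from("<H", blob, 2)[0]          # wTotalLength
    if total > len(blob):
        raise ValueError("wTotalLength exceeds the bytes delivered")
    cfg = {"num_interfaces": blob[4], "value": blob[5], "interfaces": []}
    pos = 9
    while pos + 2 <= total:
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > total:             # would loop or overrun
            raise ValueError(f"bad bLength {length} at offset {pos}")
        d = blob[pos:pos + length]
        if dtype == DT_INTERFACE and length >= 9:
            cfg["interfaces"].append({"number": d[2], "alt": d[3], "class": d[5],
                                      "subclass": d[6], "protocol": d[7],
                                      "endpoints": []})
        elif dtype == DT_ENDPOINT and length >= 7 and cfg["interfaces"]:
            cfg["interfaces"][-1]["endpoints"].append({
                "address": d[2],
                "direction": "IN" if d[2] & 0x80 else "OUT",
                "transfer": ("control", "isochronous", "bulk", "interrupt")[d[3] & 3],
                "max_packet": struct.unpack_from("<H", d, 4)[0]})
        # Class-specific descriptors (HID, audio, ...) are skipped by length.
        pos += length
    return cfg


def class_set(cfg: dict) -> frozenset:
    return frozenset(i["class"] for i in cfg["interfaces"])


def review(cfg: dict, expected_classes: set) -> list:
    """Findings a host-side policy could raise before any driver is bound."""
    findings = []
    unexpected = class_set(cfg) - set(expected_classes)
    if unexpected:
        names = ", ".join(CLASS_NAMES.get(c, hex(c)) for c in sorted(unexpected))
        findings.append("unexpected interface classes: " + names)
    for i in cfg["interfaces"]:
        if i["class"] == CLASS_HID and i["subclass"] == 1 and i["protocol"] in (1, 2):
            kind = "keyboard" if i["protocol"] == 1 else "mouse"
            findings.append(f"interface {i['number']} is a boot-protocol {kind}")
    if len(cfg["interfaces"]) != cfg["num_interfaces"]:
        findings.append("bNumInterfaces disagrees with the descriptors delivered")
    return findings


class PortMonitor:
    """Remember what each physical port presented and flag persona changes.

    Keyed by port path, not serial number: the serial string is optional, of
    arbitrary length and chosen by the device, so it cannot anchor identity.
    """
    def __init__(self):
        self.seen = {}

    def observe(self, port_path: str, cfg: dict) -> Optional[str]:
        now = class_set(cfg)
        before = self.seen.setdefault(port_path, now)
        if before == now:
            return None
        self.seen[port_path] = now
        return (f"{port_path}: re-enumerated with classes {sorted(now)}, "
                f"previously {sorted(before)}")


# Constructed: a plain flash drive (one mass storage interface, bulk-only SCSI).
IFACE_STORAGE = ("09 04 00 00 02 08 06 50 00"      # interface 0, class 8
                 "07 05 01 02 00 02 00"            # bulk OUT, 512 bytes
                 "07 05 81 02 00 02 00")           # bulk IN, 512 bytes
STORAGE_ONLY = bytes.fromhex("09 02 20 00 01 01 00 80 32" + IFACE_STORAGE)
# Constructed: the same drive after reprogramming, now also a HID boot keyboard.
STORAGE_PLUS_KEYBOARD = bytes.fromhex(
    "09 02 39 00 02 01 00 80 32" + IFACE_STORAGE +
    "09 04 01 00 01 03 01 01 00"                   # interface 1: HID, boot, keyboard
    "09 21 11 01 00 01 22 3f 00"                   # HID class descriptor (skipped)
    "07 05 82 03 08 00 0a")                        # interrupt IN, 8 bytes, 10 ms


if __name__ == "__main__":
    mon = PortMonitor()
    for blob in (STORAGE_ONLY, STORAGE_PLUS_KEYBOARD):
        cfg = parse_configuration(blob)
        for i in cfg["interfaces"]:
            name = CLASS_NAMES.get(i["class"], hex(i["class"]))
            print(f"interface {i['number']}: {name}, {len(i['endpoints'])} endpoints")
        print("findings:", review(cfg, {CLASS_MASS_STORAGE}))
        print("monitor:", mon.observe("1-2", cfg))
```

On a real host the same bytes come from a GET_DESCRIPTOR(Configuration) control request (with pyusb, dev.ctrl_transfer(0x80, 0x06, 0x0200, 0, 512), not run here). The parser deliberately rejects a wTotalLength larger than the buffer and a bLength that would not advance, because descriptor parsers in host stacks are fed entirely by the device.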
Security Threats
USB devices pose a significant security risk because, despite their widespread use, they offer little built-in security. A particular risk is USB sticks, which are often used as carriers for malware such as viruses, worms, and Trojans. Such malware spreads easily because sticks are quickly exchanged between computers. A well-known example is the AutoRun feature in older versions of Windows, especially Windows XP, which let removable media start a program automatically as soon as the device was connected. While this was often used to install drivers, it was also exploited to execute malware unnoticed. Beginning with Windows 7 (and through an update for Windows XP and Vista), AutoRun was restricted to optical media, which closed this automatic execution path for USB sticks.
Another serious risk with USB devices is the abuse of HID (Human Interface Device) devices. HID devices are treated as trustworthy input sources and are never authenticated, so they make an easy attack vector. A manipulated USB device can impersonate a keyboard and type malicious input unnoticed to steal data or install malware. Such attacks, like those carried out with the O.MG Cable, exploit the fact that most operating systems bind any device declaring the HID keyboard class to the generic keyboard driver and accept its reports exactly like keystrokes from the logged-in user, with that user's privileges. This lets adversaries execute commands undetected and gain access to sensitive data, posing significant security and privacy risks.
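One host-side check for the keystroke-injection attack described above, added here as an example rather than taken from the page or from the O.MG Cable project: injected payloads are typed far faster and more regularly than a person can type, so the peak key rate over a short window is a usable, if evadable, signal. The event streams, the 12-key window and the 30 keys-per-second threshold are constructed assumptions, not measured values.

```python
"""Flag keyboard input that arrives faster than a human can type.

Added illustration; not code from the page, the O.MG Cable project or the
cited papers. A keystroke-injecting device delivers a whole command line as
a burst of HID reports with millisecond gaps, so the sustained key rate over
a short window is one usable host-side signal. Event streams and the 30 Hz
threshold below are constructed/assumed, not measured.
"""


def peak_key_rate(times, window=12):
    """Highest sustained rate (keys/s) over any `window` consecutive key-down events.

    Returns (rate_hz, index of the first event of that window), or (0.0, None)
    when fewer than `window` events are available.
    """
    times = sorted(times)
    best, best_start = 0.0, None
    for i in range(len(times) - window + 1):
        span = times[i + window - 1] - times[i]
        rate = (window - 1) / span if span > 0 else float("inf")
        if rate > best:
            best, best_start = rate, i
    return best, best_start


def assess(events, window=12, max_rate_hz=30.0):
    """events: (timestamp_seconds, keycode) key-down events from one keyboard."""
    rate, start = peak_key_rate([t for t, _ in events], window)
    return {"peak_rate_hz": rate, "burst_start": start,
            "suspicious": rate > max_rate_hz}


def _stream(gaps, count, keycode=0x04):
    """Constructed key-down events: repeat a gap pattern `count` times."""
    t, out = 0.0, []
    for n in range(count):
        out.append((t, keycode))
        t += gaps[n % len(gaps)]
    return out


# Constructed: a person typing at roughly 7 keys/s with natural jitter ...
HUMAN = _stream([0.12, 0.18, 0.09, 0.25, 0.15], 30)
# ... an injected payload at one key every 4 ms (250 keys/s) ...
INJECTED = _stream([0.004], 40)
# ... and an injector that paces itself at 50 ms per key (20 keys/s).
PACED = _stream([0.050], 40)

if __name__ == "__main__":
    for name, ev in (("human", HUMAN), ("injected", INJECTED), ("paced", PACED)):
        print(name, assess(ev))
```

The paced stream shows the limitation: an injector that inserts a delay between keys stays below the threshold, so rate is a heuristic to combine with device-level policy (which devices may present a keyboard at all), not a complete defence.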
Another major problem with USB technology is the lack of encryption on the bus. Data transferred between USB devices and the host is sent in plaintext, so it is vulnerable to passive eavesdropping. Anything placed inline on the cable or in the hub path, such as a hardware bus analyzer, sees the traffic, and so does capture software on a compromised host (Linux usbmon, Windows USBPcap). Since a keyboard's reports travel from device to host, an eavesdropper needs to sit on that path rather than merely be attached to the same bus. Keyboards are particularly vulnerable since they are often used to enter sensitive data such as passwords.
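To see what the plaintext traffic above actually exposes, the following added example (not from the page or its references) decodes the 8-byte boot-protocol keyboard reports that a sniffer captures from a USB keyboard back into the typed text, handling shifted characters, overlapping key presses and backspace. The report stream is constructed for the example; on Linux the same payloads can be read from usbmon as the interrupt IN transfers of the keyboard's endpoint.

```python
"""Turn sniffed USB boot-keyboard reports back into typed text.

Added illustration; not code from the page or its references. Each report is
the 8-byte interrupt IN payload defined by the HID boot protocol: modifier
bits, a reserved byte, then up to six usage IDs of keys currently held. An
inline bus analyzer, or a capture tool on the host such as Linux usbmon,
sees exactly these bytes. The report stream below is constructed, not a
real capture.
"""
SHIFT_MASK = 0x02 | 0x20          # left shift (bit 1) or right shift (bit 5)
ERROR_ROLLOVER, BACKSPACE = 0x01, 0x2A

# Usage IDs from the Keyboard/Keypad page (0x07), US layout: (plain, shifted).
KEYMAP = {}
for i, c in enumerate("abcdefghijklmnopqrstuvwxyz"):
    KEYMAP[0x04 + i] = (c, c.upper())
for i, (c, s) in enumerate(zip("1234567890", "!@#$%^&*()")):
    KEYMAP[0x1E + i] = (c, s)
KEYMAP.update({0x28: ("\n", "\n"), 0x2B: ("\t", "\t"), 0x2C: (" ", " "),
               0x2D: ("-", "_"), 0x2E: ("=", "+"), 0x2F: ("[", "{"),
               0x30: ("]", "}"), 0x31: ("\\", "|"), 0x33: (";", ":"),
               0x34: ("'", '"'), 0x35: ("`", "~"), 0x36: (",", "<"),
               0x37: (".", ">"), 0x38: ("/", "?")})


def decode_reports(reports):
    """Reconstruct keystrokes from boot keyboard reports in capture order."""
    text = []
    held = set()                       # keys listed as down in the previous report
    for rep in reports:
        if len(rep) != 8:
            raise ValueError("boot keyboard reports are exactly 8 bytes")
        shifted = bool(rep[0] & SHIFT_MASK)
        keys = [k for k in rep[2:8] if k]          # 0x00 marks an empty slot
        if ERROR_ROLLOVER in keys:                 # too many keys held; no data
            continue
        # A key is typed when it first appears; a key present in consecutive
        # reports is merely still held (this is how overlapping presses and
        # key repeat look on the wire).
        for k in keys:
            if k in held:
                continue
            if k == BACKSPACE:
                if text:
                    text.pop()
            elif k in KEYMAP:
                text.append(KEYMAP[k][1 if shifted else 0])
            else:
                text.append(f"<{k:#04x}>")          # keep unmapped usages visible
        held = set(keys)
    return "".join(text)


# Constructed stream for typing  P a $ s 1 Enter  with natural overlaps:
SAMPLE_REPORTS = [bytes.fromhex(h) for h in (
    "02 00 00 00 00 00 00 00",   # left shift down
    "02 00 13 00 00 00 00 00",   # shift + p  -> 'P'
    "02 00 00 00 00 00 00 00",   # p released, shift still held
    "00 00 00 00 00 00 00 00",   # shift released
    "00 00 04 00 00 00 00 00",   # a
    "00 00 00 00 00 00 00 00",
    "02 00 00 00 00 00 00 00",   # shift down
    "02 00 21 00 00 00 00 00",   # shift + 4  -> '$'
    "02 00 00 00 00 00 00 00",
    "00 00 00 00 00 00 00 00",
    "00 00 16 00 00 00 00 00",   # s
    "00 00 16 1e 00 00 00 00",   # s still held while 1 is pressed -> only '1'
    "00 00 00 00 00 00 00 00",
    "00 00 28 00 00 00 00 00",   # Enter
    "00 00 00 00 00 00 00 00",
)]

if __name__ == "__main__":
    print(repr(decode_reports(SAMPLE_REPORTS)))
```

The decoder diffs each report against the previous one instead of emitting every listed key, which is what distinguishes a held key from a repeated press; a sniffer that ignores this prints doubled characters for every overlap.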
References
- Jing Tian, Nolen Scaife, Deepak Kumar, Michael Bailey, Adam Bates, and Kevin Butler. SoK: "Plug & Pray" Today – Understanding USB Insecurity in Versions 1 Through C. In 2018 IEEE Symposium on Security and Privacy (SP), pages 1032–1047, 2018.
- Chengzhi Sun, Jiyu Lu, and Yunqing Liu. Analysis and Prevention of Information Security of USB. In 2021 International Conference on Electronic Information Engineering and Computer Science (EIECS), pages 25–32, 2021.
- Jakob Lell and Karsten Nohl. BadUSB – On Accessories that Turn Evil. Black Hat USA, 2014. https://www.youtube.com/watch?v=nuruzFqMgIw, accessed on 11 Nov 2024.
- Nongmeikapam Thoiba Singh, Aditya Shukla, Ajay Nagar, Kartavya Arya, Ashwani Tiwari, and Yash Varun. Keylogger Development: Technical Aspects, Ethical Considerations, and Mitigation Strategies. In 2023 International Conference on Energy, Materials and Communication Engineering (ICEMCE), pages 1–5, 2023.
- Daniel Noyes, Hong Liu, and Paul Fortier. Security Analysis and Improvement of USB Technology. In 2016 IEEE Symposium on Technologies for Homeland Security (HST), pages 1–3, 2016.
- Kyungroul Lee, Wansoo Kim, Kwangjin Bae, and Kangbin Yim. A Solution to Protecting USB Keyboard Data. In 2010 International Conference on Broadband, Wireless Computing, Communication and Applications, pages 108–111, 2010.
