FaceDancer 2.0: easy USB hacking, sniffing, and spoofing

Presented at Still Hacking Anyway (SHA2017), Aug. 8, 2017, 11:10 a.m. (60 minutes)

USB connectivity has become ubiquitous. The sheer variety of USB-connected devices, ranging from computers and game consoles to resource-constrained embedded systems, has resulted in a wide variety of vendor-specific protocols and custom USB software stacks. Being able to fuzz, monitor, MITM, or emulate USB can often be a foot in the door for working with black-box systems, whether your goal is to build tools that work with existing hardware and software, find vendor interfaces or vulnerabilities to execute custom code, or to play NSA. We introduce FaceDancer 2.0, with more supported hardware, higher speeds, and advanced capabilities for monitoring and MITMing USB connections.

#DeviceSecurity

Travis Goodspeed [et al.] changed the USB hacking landscape with the introduction of the original FaceDancer, an inexpensive, Python-controlled device capable of emulating low- and full-speed USB devices and providing a platform for low-level fuzzing of USB hosts. While the FaceDancer provided the community with revolutionary USB capabilities, it had restrictions which do not apply to real-world devices, so its ability to emulate them is often limited to the most common device classes. FaceDancer 2 extends this into a generalized solution for USB hacking, supporting a wide range of both off-the-shelf and purpose-built custom hardware to add features like high-speed (USB 2.0) emulation, passive monitoring, and USBProxy-style MITMing. The sheer variety of devices that use USB means that there is a huge number of vendor-specific protocols, many of which are supported by proprietary software stacks. We will give live demonstrations of FaceDancer 2 running on the GreatFET platform, emulating or attacking [insert cool piece of hardware here].

Presenters:

  • ktemkin
    Kyle J. Temkin leads the low-level Computer Architectures group at Assured Information Security, researching a variety of hardware hacking and architectural security topics. Kyle maintains and contributes to a variety of open-source projects, and probably spends way too much time reverse engineering and collecting electronic lab equipment.
  • Dominic Spill
    Dominic Spill is senior security researcher for Great Scott Gadgets. The US government recently labelled him as "extraordinary". This has gone to his head.