29C3 Chaos Communication Congress.What do USB memory sticks say?

Pierluigi Paganini January 01, 2013

The Chaos Communication Congress is an annual meeting of international hackers organized by the Chaos Computer Club (CCC), one of the world’s biggest hackers organizations.

The CCC group, that describes itself as

“a galactic community of life forms, independent of age, sex, race or societal orientation, which strives across borders for freedom of information….”,

is known for its effort in the fight for transparency in government operate, freedom of information, and the human right to communication, recognizing a free access to computers and technological infrastructure all over the world.

The congress is always an interesting event, the occasion to meet in person the most eclectic and talented hackers that discuss on technical and political issues.

After this brief introduction, let’s dive into the fray, during this year edition of the congress 29C3, the 29th, the hacker Travis Goodspeed has demonstrated how much powerful could be USB memory sticks, wrongly considered passive devices harmless and dangerous only as a vehicle of infection for malware. Travis is a well know hacker, at last Black Hat information security conference in Las Vegas he won one of the Pwnie Awards, the equivalent of the Oscars for security sector.

Many experts consider these devices simple storage media and are convinced to know everything on their real capabilities, but Travis Goodspeed has demonstrated the contrary.

The hacker explained that USB devices represent an open door in our systems and if opportunely managed they could allow a huge quantity of applications to access to the principal functions of any device, for example it is possible to access to file stored in the host drives while the USB stick is connected.

“We think of USB memory sticks as block devices, but in reality they are computers that use a network to talk to a host”, “These devices can send any data they want.” Goodspeed said.

Goodspeed has designed a development board dubbed Facedancer11 that can be used to emulate any USB device, the author provided the following description:


“The Facedancer11 is the fifteenth hardware revision of the GoodFET, owing its heritage to the GoodFET41 and Facedancer10. Unlike the general-purpose GoodFET boards, the only purpose of this board is to allow USB devices to be written in host-side Python, so that one workstation can fuzz-test the USB device drivers of another host. The board is functionally identical to the Facedancer10, correcting only minor errata.”

An USB memory stick can be used for fingerprinting purpose discovering the category of device is connected and exploiting related vulnerabilities, the researcher reminds that various OSs access with different mode to the USB memory stick’s MBR. An USB memory sticks can be instructed to analyze this way to access to the MBR providing information on OS version to the attacker.

“When the MBR is read nine times [typical behavior for Windows OSs], it’s probably not my laptop”, said Goodspeed.

The board is a precious tool to examine a computer’s communications on USB, an attacker can then build USB devices that target specific vulnerabilities in the host computer.

With the necessary programming, a USB memory stick can, therefore, return different content to a Windows PC than it does to a Linux computer. A further evolution is to program the USB to return different content depending on the OS of host machine, a possibility very useful in hacking context. Let’s image to an USB device that is able to recognize our machine in a meeting and when is passed to another individual’s pc it could retrieve a malware that exploit a zero day vulnerability … cool!

Goodspeed also added that it is able to understand “user’s intention” during the USB connection, the hacker explained that when detecting a USB memory stick, Windows OSs write the access date to the storage device by default. If the PC doesn’t write the access date, it is possible that user’s is trying to duplicate USB memory for forensics purposes, in this cases in fact it’s crucial to leave unmodified the devices storage.

In this specific case, according Goodspeed, it is possible to program an USB memory stick in such a way that it will self-destruct when someone tries to copy it for forensic purposes.

“As long as a forensics expert doesn’t know that he’s dealing with a special USB memory stick, you’ve won”

I’ve found very interesting the observation of the hackers, every object that surround us has infinite potentiality that could be explored and that could be used to discover or to adapt their behaviours in various circumstances.
That’s why I always remind the importance of hacker‘s role in today private business and cyber warfare contexts.

Pierluigi Paganini

you might also like

leave a comment