A little over 5 months ago I took what I think was one of the most interesting classes I’ve ever taken: Cybersecurity. In that one semester I learned how to examine the fine details of everything computer-related and then find ways to exploit them. We covered how real-world hackers do what they do and developed a strong intuition for the steps required to attack an arbitrary computer system. In the end I think it all boiled down to pragmatic information gathering, careful attention to detail, destructive creativity, and finally persistence. The class has changed how I program and how I think about computer systems in general. Needless to say, I got really into the final project.
For this project, I took on the challenge of following the steps taken by the BadUSB team to reverse engineer and reflash a USB drive’s controller. Their claim was that computers place an inherent trust in USB device manufacturers, which makes preventing attacks from this vector impossible. That trust becomes exploitable because the commodity USB controllers plugged into your computer are reprogrammable. My goal was to investigate a number of USB flash drives, select a target, and reverse engineer it so that I could reprogram it. During my investigation, I acquired 16 flash drives and found that many of them used one of a small number of commodity USB flash controllers, as the BadUSB team had highlighted. Their work focused on Phison, but I had a number of SMI controllers to experiment with, so I worked with those. You can read about the details in my group’s writeup. Anything I was going to write about here is already written there.
TL;DR: I was able to find leaked manufacturer USB firmware tools, sniff the custom SCSI commands they issue, replay them with new data, and reflash the USB controller’s VID and PID. This in effect shows that whitelisting or blacklisting USB devices by VID and PID, whatever the technique, is useless as a mitigation for BadUSB attacks, because the identifiers being checked are under the device’s own control.
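To illustrate the sniffing step above, here is an added example (not code from the original post or its GitHub repository): a parser for the USB mass storage Command Block Wrapper that walks a captured stream of CBWs and flags any CDB whose opcode falls in the SCSI vendor-specific range, which is where a controller’s custom firmware commands sit among the ordinary INQUIRY, READ and WRITE traffic. The sample capture, including the 0xF0 command, is a constructed placeholder and not any real controller’s command set.

```python
import struct

# USB mass storage (Bulk-Only Transport) carries each SCSI command in a
# 31-byte Command Block Wrapper whose last 16 bytes hold the CDB.
CBW_SIGNATURE = b"USBC"
CBW_LEN = 31

# Standard opcodes a flash drive normally receives (subset of SPC/SBC).
KNOWN_OPCODES = {0x00: "TEST UNIT READY", 0x03: "REQUEST SENSE",
                 0x12: "INQUIRY", 0x1A: "MODE SENSE(6)", 0x25: "READ CAPACITY(10)",
                 0x28: "READ(10)", 0x2A: "WRITE(10)"}

def parse_cbw(raw):
    """Parse one CBW into its fields; raises ValueError if malformed."""
    if len(raw) != CBW_LEN or raw[:4] != CBW_SIGNATURE:
        raise ValueError("not a CBW")
    tag, xfer_len, flags, lun, cb_len = struct.unpack_from("<IIBBB", raw, 4)
    cb_len &= 0x1F                      # bCBWCBLength uses the low 5 bits
    if not 1 <= cb_len <= 16:
        raise ValueError("invalid CDB length %d" % cb_len)
    return {"tag": tag, "xfer_len": xfer_len, "lun": lun & 0x0F,
            "direction": "IN" if flags & 0x80 else "OUT",
            "cdb": raw[15:15 + cb_len]}

def classify(cdb):
    """Name a CDB by opcode; 0xC0-0xFF are vendor specific per SPC."""
    if cdb[0] >= 0xC0:
        return "VENDOR-SPECIFIC"
    return KNOWN_OPCODES.get(cdb[0], "UNKNOWN")

def find_vendor_commands(stream):
    """Walk a concatenated stream of CBWs and return the vendor-specific ones."""
    hits = []
    for off in range(0, len(stream), CBW_LEN):
        cbw = parse_cbw(stream[off:off + CBW_LEN])
        if classify(cbw["cdb"]) == "VENDOR-SPECIFIC":
            hits.append((cbw["tag"], cbw["direction"], cbw["xfer_len"], cbw["cdb"].hex()))
    return hits

def build_cbw(tag, xfer_len, direction_in, cdb):
    """Assemble a CBW; used here only to construct the sample capture."""
    header = struct.pack("<IIBBB", tag, xfer_len, 0x80 if direction_in else 0, 0, len(cdb))
    return CBW_SIGNATURE + header + cdb.ljust(16, b"\x00")

# Constructed sample capture: INQUIRY, READ(10), then a vendor opcode.
# The 0xF0 CDB is a made-up placeholder, not any real controller's command.
SAMPLE_STREAM = (build_cbw(1, 36, True, bytes.fromhex("120000002400")) +
                build_cbw(2, 512, True, bytes.fromhex("28000000000000000100")) +
                build_cbw(3, 512, False, bytes.fromhex("f0010203040506070809")))
```

Running find_vendor_commands over a real capture (for example the payloads of the bulk OUT endpoint exported from a USB sniffer) isolates the handful of vendor CDBs a flashing tool sends, which is exactly the traffic a defender would want to recognise and a device owner would want to understand.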
GitHub repository for my proof of concept.