Hubs
Overview
Hubs are in principle a viable target for BadUSB-style attacks. The specification requires them to have EP0 (control) and EP1 (interrupt).
The majority of controllers found in web searches appear not to feature firmware-upgradable microcontrollers. This, together with the fact that hubs are not terribly mobile USB devices in general, makes this whole category relatively unexciting for BadUSB.
One interesting point about hubs, however, is that many main boards (and notebooks) contain a USB hub. If the hub is reprogrammable (which is often the case for USB3.0 hubs), this allows persistent infection of the main board even if the BIOS/UEFI is protected against unauthorized/unsigned upgrades.
Disassembled Hubs
ASMedia ASM1074 USB3 hub
- Product page: http://www.asmedia.com.tw/eng/e_show_products.php?item=128&cate_index=97
- "8bit risc processor"
- Windows firmware updater .exe blob; does not do much without the hardware attached
- Integrated 8-bit RISC microprocessor => Probably not 8051
- SPI flash support for customized firmware
- Uploadable Firmware & configuration via upstream port: http://www.station-drivers.com/index.php/forum/news/262-firmware-asmedia-asm107x-fw-v130319-033715
- Sometimes used on main boards (e.g. this one), so a persistent infection of a computer may be possible
- Exe file contains an area with a valid device descriptor, two valid USB configuration descriptors and various string descriptors.
=> Most likely vulnerable.
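
Added example, not part of the original page or of any vendor tool: a Python triage scan for the structures mentioned above (a device descriptor and configuration descriptors) inside an updater or firmware blob, which indicates that the hub's firmware is shipped as replaceable data. The sample blob and its VID/PID 0x1234/0x5678 are constructed placeholders.

```python
import struct

BCD_USB = {0x0110, 0x0200, 0x0210, 0x0300, 0x0310, 0x0320}  # plausible bcdUSB values

def find_device_descriptors(blob):
    """Offsets and fields of plausible 18-byte USB device descriptors."""
    hits = []
    for off in range(len(blob) - 17):
        if blob[off] != 18 or blob[off + 1] != 0x01:  # bLength, bDescriptorType=DEVICE
            continue
        (bcd, cls, _sub, _proto, mps0, vid, pid,
         _dev, _im, _ip, _is, ncfg) = struct.unpack_from("<HBBBBHHHBBBB", blob, off + 2)
        # USB 2.x allows 8/16/32/64 for bMaxPacketSize0; USB 3.x encodes 512 as 9
        mps_ok = mps0 == 9 if bcd >= 0x0300 else mps0 in (8, 16, 32, 64)
        if bcd in BCD_USB and mps_ok and 1 <= ncfg <= 8:
            hits.append({"offset": off, "bcdUSB": bcd, "vid": vid, "pid": pid,
                         "is_hub": cls == 0x09, "num_configs": ncfg})
    return hits

def find_config_descriptors(blob):
    """Offsets of 9-byte configuration descriptors followed by an interface descriptor."""
    hits = []
    for off in range(len(blob) - 8):
        if blob[off] != 9 or blob[off + 1] != 0x02:  # bLength, bDescriptorType=CONFIGURATION
            continue
        total, nif = struct.unpack_from("<HB", blob, off + 2)
        # wTotalLength must cover at least one interface descriptor and fit in the file
        fits = 18 <= total <= len(blob) - off
        if nif >= 1 and fits and blob[off + 9] == 9 and blob[off + 10] == 0x04:
            hits.append(off)
    return hits

def sample_blob():
    """Constructed input: fake executable header, then USB3 hub descriptors."""
    dev = struct.pack("<BBHBBBBHHHBBBB", 18, 1, 0x0300, 9, 0, 3, 9,
                      0x1234, 0x5678, 0x0100, 1, 2, 0, 1)
    cfg = struct.pack("<BBHBBBBB", 9, 2, 25, 1, 1, 0, 0xE0, 0)
    intf = struct.pack("<BBBBBBBBB", 9, 4, 0, 0, 1, 9, 0, 0, 0)
    ep = struct.pack("<BBBBHB", 7, 5, 0x81, 0x03, 2, 8)  # EP1 IN, interrupt
    return b"MZ" + b"\x00" * 62 + dev + b"\xff" * 14 + cfg + intf + ep
```

Short byte patterns like these can match by chance in large binaries, so a hit is only meaningful when the device and configuration descriptors appear close together and decode to sensible values.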
VIA Labs VL811 USB3 hub
- Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp
- File Usb3HubFWUpgrade_Setup_V0.46_VL811_0972.exe is a Windows installer; installation results in a 16 KiB firmware file, which contains 8051 code and USB descriptors
=> Most likely vulnerable
7 Port noname USB2 Hub [Genesys Logic GL850G 4 Port USB2 hub]
- Device built from two GL850G hubs, no external Flash/EEPROM chips present
- 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not reprogrammable, very few resources for programming an attack
- External EEPROM for configuration data possible
=> Not vulnerable
GL3520 HUB (No physical device available, found while searching for USB Hub firmwares)
- Firmware upgrade tools leaked
- Often used on Motherboards, may allow persistent infection of board even if BIOS/UEFI only accepts signed upgrades
- On-chip 8-bit micro-processor
- RISC-like architecture
- With 256-byte RAM, 16K-byte internal ROM & 16K-byte SRAM
- Support full in-system programming firmware upgrade by SPI-flash
=> Most likely vulnerable, but practical attacks may be difficult due to unknown instruction set
LogiLink UA0091 4-Port USB 3.0 Hub
- VIA Labs VL810 with Pm25LD512 SPI Flash (512 Kbit / 64 KiB): http://via-labs.com/en/products/vl810/index.jsp
- "The VIA VL810 from VIA Labs is the industry's first fully integrated single chip solution" => Very early USB3 hub
- Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp
- File Usb3HubFWUpgrade_Setup_V0.41_VL810_0960.exe looks like it is an installer
- Installation of update utility results in 20 KiB firmware file, contains 8051 code and USB descriptors
=> Most likely vulnerable
GetDigital 7 Port USB2.0 Hub with switches
- Chip label: FE2.1 USB 2.0 HUB LD3E762A2352
- No external flash/eeprom
- Chip: Terminus FE2.1
- Supports configuration data on external EEPROM
=> Most likely not reprogrammable
13 Port USB Hub in lab
- Built of 2 7-port HUB chips
- Chip Label: FE2.1 USB 2.0 HUB ... => Terminus FE2.1
- No external flash/eeprom, but footprint available on PCB
- Chip: Terminus FE2.1
- Supports configuration data on external EEPROM
=> Most likely not reprogrammable
Noname 4 Port Wire USB Hub
- Chip: Terminus FE1.1s USB 2.0 Hub, no external flash/eeprom
=> Most likely not reprogrammable
Noname 7 Port Wire USB Hub
- Chip: Terminus FE2.1 without external flash
=> Most likely not reprogrammable
Cheap 4-Port USB2.0 hub [Genesys Logic GL850G 4 Port USB2 Hub]
- No external Flash/EEPROM chips present
- 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not reprogrammable, very few resources for programming an attack
- External EEPROM for configuration data possible
=> Not vulnerable
D-Link DUB-H7
- 2x GL850Z
- STM8S103 K3T6C => "STM8S103/105 Access line is our standard line of multi-purpose 8-bit microcontrollers" => Probably used for charging ports
- 2x Pm25LD512 SPI Flash (64 KiB), wired to GL850Z
- No information about GL850Z found. Other GL850 variants are not reprogrammable, but this one has the 64 KiB flash chip => Could be reprogrammable
- Dexter has read out SPI Flash chip contents, looks like 8051 code
=> Most likely vulnerable