Hubs » History » Version 1
Karsten, 11/11/2014 03:26 PM
| 1 | 1 | Karsten | h1. Hubs |
|---|---|---|---|
| 2 | 1 | Karsten | |
| 3 | 1 | Karsten | h2. Overview |
| 4 | 1 | Karsten | |
| 5 | 1 | Karsten | Hubs are in principle a viable target for BadUSB style attacks. They are required by specification to have EP0/ctrl and EP1/int. |
| 6 | 1 | Karsten | |
| 7 | 1 | Karsten | The majority of controllers found in web searches appear *not* to feature firmware upgradable microcontrollers. This -- and the fact that hubs are not terribly mobile usb devices in general -- make this whole category relatively unexciting for BadUSB. |
| 8 | 1 | Karsten | |
| 9 | 1 | Karsten | One interesting point about hubs, however, is that many main boards (and Notebooks) contain a USB hub. If the hub is reprogrammable (which is often the case for USB3.0 hubs), this allows persistent infection of the main board even if the BIOS/UEFI is protected against unauthorized/unsigned upgrades. |
| 10 | 1 | Karsten | |
| 11 | 1 | Karsten | h2. Disassembled Hubs |
| 12 | 1 | Karsten | |
| 13 | 1 | Karsten | h3. ASMedia ASM1074 usb3 hub |
| 14 | 1 | Karsten | |
| 15 | 1 | Karsten | * Product page: http://www.asmedia.com.tw/eng/e_show_products.php?item=128&cate_index=97 |
| 16 | 1 | Karsten | * "8bit risc processor" |
| 17 | 1 | Karsten | * Windows firmware updater .exe blob. does not do much without hardware |
| 18 | 1 | Karsten | * Integrated 8-bit RISC microprocessor => Probably not 8051 |
| 19 | 1 | Karsten | * SPI flash support for customized firmware |
| 20 | 1 | Karsten | * Uploadable Firmware & configuration via upstream port: http://www.station-drivers.com/index.php/forum/news/262-firmware-asmedia-asm107x-fw-v130319-033715 |
| 21 | 1 | Karsten | * Sometimes used on main boards (e.g. "this one":http://www.hardwareluxx.com/index.php/reviews/hardware/motherboards/26443-test-asus-z87-deluxe.html?start=2), so a persistent infection of a computer, may be possible |
| 22 | 1 | Karsten | * Exe file contains an area with a valid device descriptor, two valid USB configuration descriptors and various string descriptors. |
| 23 | 1 | Karsten | => %{color:red}Most likely vulnerable%. |
| 24 | 1 | Karsten | |
| 25 | 1 | Karsten | h3. VIA Labs VL811 usb3 hub |
| 26 | 1 | Karsten | |
| 27 | 1 | Karsten | * Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp |
| 28 | 1 | Karsten | * File Usb3HubFWUpgrade_Setup_V0.46_VL811_0972.exe is a windows installer, installation results in a 16 KiB firmware file, which contains 8051 code and USB descriptors |
| 29 | 1 | Karsten | => %{color:red}Most likely vulnerable% |
| 30 | 1 | Karsten | |
| 31 | 1 | Karsten | h3. 7 Port noname USB2 Hub [Genesys Logic GL850G 4 Port USB2 hub] |
| 32 | 1 | Karsten | |
| 33 | 1 | Karsten | * Device built from two GL850G hubs, no external Flash/EEPROM chips present |
| 34 | 1 | Karsten | * 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not reprogrammable, very few resources for programming an attack |
| 35 | 1 | Karsten | * External EEPROM for configuration data possible |
| 36 | 1 | Karsten | => %{color:green}Not vulnerable% |
| 37 | 1 | Karsten | |
| 38 | 1 | Karsten | |
| 39 | 1 | Karsten | h3. GL3520 HUB (No physical device available, found while searching for USB Hub firmwares) |
| 40 | 1 | Karsten | |
| 41 | 1 | Karsten | * Firmware upgrade tools leaked |
| 42 | 1 | Karsten | * Often used on Motherboards, may allow persistent infection of board even if BIOS/UEFI only accepts signed upgrades |
| 43 | 1 | Karsten | * On-chip 8-bit micro-processor |
| 44 | 1 | Karsten | * RISC-like architecture |
| 45 | 1 | Karsten | * With 256-byte RAM, 16K-byte internal ROM & 16K-byte SRAM |
| 46 | 1 | Karsten | * Support full in-system programming firmware upgrade by SPI-flash |
| 47 | 1 | Karsten | => %{color:red}Most likely vulnerable%, but practical attacks may be difficult due to unknown instruction set |
| 48 | 1 | Karsten | |
| 49 | 1 | Karsten | |
| 50 | 1 | Karsten | h3. LogiLink UA0091 4-Port USB 3.0 Hub |
| 51 | 1 | Karsten | |
| 52 | 1 | Karsten | * VIA Labs VL810 with Pm25LD512 SPI Flash (512 Kbit / 64 KiB): http://via-labs.com/en/products/vl810/index.jsp |
| 53 | 1 | Karsten | * The VIA VL810 from VIA Labs is the industry's first fully integrated single chip solution => Very early USB3 hub |
| 54 | 1 | Karsten | * Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp |
| 55 | 1 | Karsten | * File Usb3HubFWUpgrade_Setup_V0.41_VL810_0960.exe looks like it is an installer |
| 56 | 1 | Karsten | * Installation of update utility results in 20 KiB firmware file, contains 8051 code and USB descriptors |
| 57 | 1 | Karsten | => %{color:red}Most likely vulnerable% |
| 58 | 1 | Karsten | |
| 59 | 1 | Karsten | h3. GetDigital 7 Port USB2.0 Hub with switches |
| 60 | 1 | Karsten | |
| 61 | 1 | Karsten | * Chip label: FE2.1 USB 2.0 HUB LD3E762A2352 |
| 62 | 1 | Karsten | * No external flash/eeprom |
| 63 | 1 | Karsten | * Chip: Terminus FE2.1 |
| 64 | 1 | Karsten | * Supports configuration data on external EEPROM |
| 65 | 1 | Karsten | => %{color:green}Most likely not reprogrammable% |
| 66 | 1 | Karsten | |
| 67 | 1 | Karsten | |
| 68 | 1 | Karsten | h3. 13 Port USB Hub in lab |
| 69 | 1 | Karsten | |
| 70 | 1 | Karsten | * Built of 2 7-port HUB chips |
| 71 | 1 | Karsten | * Chip Label: FE2.1 USB 2.0 HUB ... => Terminus FE2.1 |
| 72 | 1 | Karsten | * No external flash/eeprom, but footprint available on PCB |
| 73 | 1 | Karsten | * Chip: Terminus FE2.1 |
| 74 | 1 | Karsten | * Supports configuration data on external EEPROM |
| 75 | 1 | Karsten | => %{color:green}Most likely not reprogrammable% |
| 76 | 1 | Karsten | |
| 77 | 1 | Karsten | |
| 78 | 1 | Karsten | h3. Noname 4 Port Wire USB Hub |
| 79 | 1 | Karsten | |
| 80 | 1 | Karsten | * Chip: Terminus FE1.1s USB 2.0 Hub, no external flash/eeprom |
| 81 | 1 | Karsten | => %{color:green}Most likely not reprogrammable% |
| 82 | 1 | Karsten | |
| 83 | 1 | Karsten | |
| 84 | 1 | Karsten | h3. Noname 7 Port Wire USB Hub |
| 85 | 1 | Karsten | |
| 86 | 1 | Karsten | * Chip: Terminus FE2.1 without external flash |
| 87 | 1 | Karsten | => %{color:green}Most likely not reprogrammable% |
| 88 | 1 | Karsten | |
| 89 | 1 | Karsten | |
| 90 | 1 | Karsten | h3. Cheap 4-Port USB2.0 hub [Genesys Logic GL850G 4 Port USB2 Hub] |
| 91 | 1 | Karsten | |
| 92 | 1 | Karsten | * , no external Flash/EEPROM chips present |
| 93 | 1 | Karsten | * 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not repgrogrammable, very little resources for programming an attack |
| 94 | 1 | Karsten | * External EEPROM for configuration data possible |
| 95 | 1 | Karsten | => %{color:green}Not vulnerable% |
| 96 | 1 | Karsten | |
| 97 | 1 | Karsten | h3. D-Link DUB-H7 |
| 98 | 1 | Karsten | |
| 99 | 1 | Karsten | * 2x GL850Z |
| 100 | 1 | Karsten | * STM8S103\nK3T6C => STM8S103/105 Access line is our standard line of multi-purpose 8-bit microcontrollers => Probably used for charging ports |
| 101 | 1 | Karsten | * 2x Pm25LD512 SPI Flash (64 KiB), wired to GL850Z |
| 102 | 1 | Karsten | * => No information about GL850Z found, other GL850 variants are not reprogrammable, but this one has the 64 KiB flash chip => Could be reprogrammable |
| 103 | 1 | Karsten | * Dexter has read out SPI Flash chip contents, looks like 8051 code |
| 104 | 1 | Karsten | * => %{color:red}Most likely vulnerable% |