Actions
Hubs¶
Overview¶
Hubs are in principle a viable target for BadUSB style attacks. They are required by specification to have EP0/ctrl and EP1/int.
The majority of controllers found in web searches appear not to feature firmware upgradable microcontrollers. This -- and the fact that hubs are not terribly mobile usb devices in general -- make this whole category relatively unexciting for BadUSB.
One interesting point about hubs, however, is that many main boards (and Notebooks) contain a USB hub. If the hub is reprogrammable (which is often the case for USB3.0 hubs), this allows persistent infection of the main board even if the BIOS/UEFI is protected against unauthorized/unsigned upgrades.
Disassembled Hubs¶
ASMedia ASM1074 usb3 hub¶
- Product page: http://www.asmedia.com.tw/eng/e_show_products.php?item=128&cate_index=97
- "8bit risc processor"
- Windows firmware updater .exe blob. does not do much without hardware
- Integrated 8-bit RISC microprocessor => Probably not 8051
- SPI flash support for customized firmware
- Uploadable Firmware & configuration via upstream port: http://www.station-drivers.com/index.php/forum/news/262-firmware-asmedia-asm107x-fw-v130319-033715
- Sometimes used on main boards (e.g. this one), so a persistent infection of a computer, may be possible
- Exe file contains an area with a valid device descriptor, two valid USB configuration descriptors and various string descriptors.
=> Most likely vulnerable.
VIA Labs VL811 usb3 hub¶
- Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp
- File Usb3HubFWUpgrade_Setup_V0.46_VL811_0972.exe is a windows installer, installation results in a 16 KiB firmware file, which contains 8051 code and USB descriptors
=> Most likely vulnerable
7 Port noname USB2 Hub [Genesys Logic GL850G 4 Port USB2 hub]¶
- Device built from two GL850G hubs, no external Flash/EEPROM chips present
- 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not reprogrammable, very few resources for programming an attack
- External EEPROM for configuration data possible
=> Not vulnerable
GL3520 HUB (No physical device available, found while searching for USB Hub firmwares)¶
- Firmware upgrade tools leaked
- Often used on Motherboards, may allow persistent infection of board even if BIOS/UEFI only accepts signed upgrades
- On-chip 8-bit micro-processor
- RISC-like architecture
- With 256-byte RAM, 16K-byte internal ROM & 16K-byte SRAM
- Support full in-system programming firmware upgrade by SPI-flash
=> Most likely vulnerable, but practical attacks may be difficult due to unknown instruction set
LogiLink UA0091 4-Port USB 3.0 Hub¶
- VIA Labs VL810 with Pm25LD512 SPI Flash (512 Kbit / 64 KiB): http://via-labs.com/en/products/vl810/index.jsp
- The VIA VL810 from VIA Labs is the industry's first fully integrated single chip solution => Very early USB3 hub
- Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp
- File Usb3HubFWUpgrade_Setup_V0.41_VL810_0960.exe looks like it is an installer
- Installation of update utility results in 20 KiB firmware file, contains 8051 code and USB descriptors
=> Most likely vulnerable
GetDigital 7 Port USB2.0 Hub with switches¶
- Chip label: FE2.1 USB 2.0 HUB LD3E762A2352
- No external flash/eeprom
- Chip: Terminus FE2.1
- Supports configuration data on external EEPROM
=> Most likely not reprogrammable
13 Port USB Hub in lab¶
- Built of 2 7-port HUB chips
- Chip Label: FE2.1 USB 2.0 HUB ... => Terminus FE2.1
- No external flash/eeprom, but footprint available on PCB
- Chip: Terminus FE2.1
- Supports configuration data on external EEPROM
=> Most likely not reprogrammable
Noname 4 Port Wire USB Hub¶
- Chip: Terminus FE1.1s USB 2.0 Hub, no external flash/eeprom
=> Most likely not reprogrammable
Noname 7 Port Wire USB Hub¶
- Chip: Terminus FE2.1 without external flash
=> Most likely not reprogrammable
Cheap 4-Port USB2.0 hub [Genesys Logic GL850G 4 Port USB2 Hub]¶
- , no external Flash/EEPROM chips present
- 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not repgrogrammable, very little resources for programming an attack
- External EEPROM for configuration data possible
=> Not vulnerable
D-Link DUB-H7¶
- 2x GL850Z
- STM8S103\nK3T6C => STM8S103/105 Access line is our standard line of multi-purpose 8-bit microcontrollers => Probably used for charging ports
- 2x Pm25LD512 SPI Flash (64 KiB), wired to GL850Z
- => No information about GL850Z found, other GL850 variants are not reprogrammable, but this one has the 64 KiB flash chip => Could be reprogrammable
- Dexter has read out SPI Flash chip contents, looks like 8051 code
- => Most likely vulnerable
Updated by Karsten almost 10 years ago · 1 revisions