Hubs

Overview

Hubs are in principle a viable target for BadUSB-style attacks. They are required by the specification to have a control endpoint (EP0/ctrl) and an interrupt endpoint (EP1/int).

The majority of controllers found in web searches appear not to feature firmware-upgradable microcontrollers. This, and the fact that hubs are not terribly mobile USB devices in general, makes this whole category relatively unexciting for BadUSB.

One interesting point about hubs, however, is that many mainboards (and notebooks) contain a USB hub. If the hub is reprogrammable (which is often the case for USB 3.0 hubs), this allows persistent infection of the mainboard even if the BIOS/UEFI is protected against unauthorized/unsigned upgrades.

Disassembled Hubs

ASMedia ASM1074 usb3 hub

VIA Labs VL811 usb3 hub

  • Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp
  • File Usb3HubFWUpgrade_Setup_V0.46_VL811_0972.exe is a Windows installer; installation results in a 16 KiB firmware file, which contains 8051 code and USB descriptors
    => Most likely vulnerable

7 Port noname USB2 Hub [Genesys Logic GL850G 4 Port USB2 hub]

  • Device built from two GL850G hubs, no external Flash/EEPROM chips present
  • 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not reprogrammable, very few resources for programming an attack
  • External EEPROM for configuration data possible
    => Not vulnerable

GL3520 HUB (No physical device available, found while searching for USB Hub firmwares)

  • Firmware upgrade tools leaked
  • Often used on Motherboards, may allow persistent infection of board even if BIOS/UEFI only accepts signed upgrades
  • On-chip 8-bit micro-processor
  • RISC-like architecture
  • With 256-byte RAM, 16K-byte internal ROM & 16K-byte SRAM
  • Support full in-system programming firmware upgrade by SPI-flash
    => Most likely vulnerable, but practical attacks may be difficult due to unknown instruction set

LogiLink UA0091 4-Port USB 3.0 Hub

  • VIA Labs VL810 with Pm25LD512 SPI Flash (512 Kbit / 64 KiB): http://via-labs.com/en/products/vl810/index.jsp
  • The VIA VL810 from VIA Labs is the industry's first fully integrated single chip solution => Very early USB3 hub
  • Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp
  • File Usb3HubFWUpgrade_Setup_V0.41_VL810_0960.exe looks like it is an installer
  • Installation of update utility results in 20 KiB firmware file, contains 8051 code and USB descriptors
    => Most likely vulnerable

GetDigital 7 Port USB2.0 Hub with switches

  • Chip label: FE2.1 USB 2.0 HUB LD3E762A2352
  • No external flash/eeprom
  • Chip: Terminus FE2.1
  • Supports configuration data on external EEPROM
    => Most likely not reprogrammable

13 Port USB Hub in lab

  • Built of 2 7-port HUB chips
  • Chip Label: FE2.1 USB 2.0 HUB ... => Terminus FE2.1
  • No external flash/eeprom, but footprint available on PCB
  • Chip: Terminus FE2.1
  • Supports configuration data on external EEPROM
    => Most likely not reprogrammable

Noname 4 Port Wire USB Hub

  • Chip: Terminus FE1.1s USB 2.0 Hub, no external flash/eeprom
    => Most likely not reprogrammable

Noname 7 Port Wire USB Hub

  • Chip: Terminus FE2.1 without external flash
    => Most likely not reprogrammable

Cheap 4-Port USB2.0 hub [Genesys Logic GL850G 4 Port USB2 Hub]

  • No external Flash/EEPROM chips present
  • 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not reprogrammable, very few resources for programming an attack
  • External EEPROM for configuration data possible
    => Not vulnerable

D-Link DUB-H7

  • 2x GL850Z
  • STM8S103 K3T6C (chip marking) => "STM8S103/105 Access line is our standard line of multi-purpose 8-bit microcontrollers" => Probably used for charging ports
  • 2x Pm25LD512 SPI Flash (64 KiB), wired to GL850Z
  • No information about GL850Z found; other GL850 variants are not reprogrammable, but this one has the 64 KiB flash chip => Could be reprogrammable
  • Dexter has read out SPI Flash chip contents, looks like 8051 code
    => Most likely vulnerable
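
Added example (not part of the original wiki page or of any vendor tool): a triage check for the observation above that the VL810/VL811 firmware files and the DUB-H7 flash dump contain 8051 code and USB descriptors. It scans an image for USB device descriptors of class 0x09 (hub); the sample image, its offsets and the VID/PID values are constructed placeholders.

```python
import struct

# USB device descriptor: 18 bytes, little-endian (USB 2.0 spec, chapter 9).
DEVICE_DESC = struct.Struct("<BBHBBBBHHHBBBB")
HUB_CLASS = 0x09                      # bDeviceClass for hubs
VALID_MPS0 = {8, 16, 32, 64, 9}       # 9 = 2**9 exponent used by USB 3.x


def find_hub_device_descriptors(blob):
    """Return plausible hub device descriptors found anywhere in a firmware image."""
    hits = []
    for off in range(len(blob) - DEVICE_DESC.size + 1):
        # bLength must be 18 and bDescriptorType 1 (DEVICE).
        if blob[off] != 0x12 or blob[off + 1] != 0x01:
            continue
        (_, _, bcd_usb, dev_class, _, proto, mps0,
         vid, pid, _, _, _, _, n_cfg) = DEVICE_DESC.unpack_from(blob, off)
        # 0x12 is also the 8051 LCALL opcode, so "12 01 xx" shows up in code;
        # the remaining field checks filter those false positives out.
        if dev_class != HUB_CLASS or (bcd_usb >> 8) not in (1, 2, 3):
            continue
        if mps0 not in VALID_MPS0 or n_cfg == 0:
            continue
        hits.append({"offset": off, "bcdUSB": bcd_usb, "bDeviceProtocol": proto,
                     "bMaxPacketSize0": mps0, "idVendor": vid, "idProduct": pid})
    return hits


def build_sample_image():
    """Constructed 16 KiB image: erased-flash filler, 8051-like decoy, two descriptors."""
    img = bytearray(b"\xff" * (16 * 1024))
    img[0x0100:0x0107] = bytes.fromhex("12013412015622")   # LCALL 0x0134; LCALL 0x0156; RET
    # VID 0x1234 and the PIDs are placeholders, not real device IDs.
    img[0x3000:0x3012] = DEVICE_DESC.pack(0x12, 1, 0x0210, 9, 0, 1, 64,
                                          0x1234, 0x0002, 0x0100, 1, 2, 0, 1)
    img[0x3040:0x3052] = DEVICE_DESC.pack(0x12, 1, 0x0300, 9, 0, 3, 9,
                                          0x1234, 0x0003, 0x0100, 1, 2, 0, 1)
    return bytes(img)


if __name__ == "__main__":
    for hit in find_hub_device_descriptors(build_sample_image()):
        print(f"0x{hit['offset']:04x}: USB {hit['bcdUSB']:#06x} "
              f"VID {hit['idVendor']:04x} PID {hit['idProduct']:04x}")
```

A hit only shows that the image carries hub descriptors; whether the controller actually accepts modified firmware still has to be established per device, as in the entries above.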

Updated by Karsten almost 10 years ago · 1 revisions