Karsten, 11/11/2014 03:26 PM

h1. Hubs

h2. Overview

Hubs are in principle a viable target for BadUSB-style attacks. The specification requires them to have EP0/ctrl and EP1/int.

The majority of controllers found in web searches appear *not* to feature firmware-upgradable microcontrollers. This, together with the fact that hubs are generally not very mobile USB devices, makes this whole category relatively unexciting for BadUSB.

One interesting point about hubs, however, is that many main boards (and notebooks) contain a USB hub. If the hub is reprogrammable (which is often the case for USB 3.0 hubs), this allows persistent infection of the main board even if the BIOS/UEFI is protected against unauthorized/unsigned upgrades.

h2. Disassembled Hubs

h3. ASMedia ASM1074 USB3 hub

* Product page: http://www.asmedia.com.tw/eng/e_show_products.php?item=128&cate_index=97
* "8bit risc processor"
* The Windows firmware updater is an .exe blob; it does not do much without the hardware
* Integrated 8-bit RISC microprocessor => Probably not 8051
* SPI flash support for customized firmware
* Firmware and configuration can be uploaded via the upstream port: http://www.station-drivers.com/index.php/forum/news/262-firmware-asmedia-asm107x-fw-v130319-033715
* Sometimes used on main boards (e.g. "this one":http://www.hardwareluxx.com/index.php/reviews/hardware/motherboards/26443-test-asus-z87-deluxe.html?start=2), so a persistent infection of a computer may be possible
* The .exe file contains an area with a valid device descriptor, two valid USB configuration descriptors and various string descriptors.
=> %{color:red}Most likely vulnerable%

h3. VIA Labs VL811 USB3 hub

* Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp
* File Usb3HubFWUpgrade_Setup_V0.46_VL811_0972.exe is a Windows installer; installation yields a 16 KiB firmware file that contains 8051 code and USB descriptors
=> %{color:red}Most likely vulnerable%

h3. 7 Port noname USB2 Hub [Genesys Logic GL850G 4 Port USB2 hub]

* Device built from two GL850G hubs, no external Flash/EEPROM chips present
* 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not reprogrammable, very few resources for programming an attack
* External EEPROM for configuration data possible
=> %{color:green}Not vulnerable%

h3. GL3520 HUB (No physical device available, found while searching for USB Hub firmwares)

* Firmware upgrade tools leaked
* Often used on motherboards, may allow persistent infection of the board even if BIOS/UEFI only accepts signed upgrades
* On-chip 8-bit microprocessor
* RISC-like architecture
* With 256-byte RAM, 16K-byte internal ROM & 16K-byte SRAM
* Supports full in-system programming firmware upgrade by SPI flash
=> %{color:red}Most likely vulnerable%, but practical attacks may be difficult due to the unknown instruction set

h3. LogiLink UA0091 4-Port USB 3.0 Hub

* VIA Labs VL810 with Pm25LD512 SPI Flash (512 Kbit / 64 KiB): http://via-labs.com/en/products/vl810/index.jsp
* "The VIA VL810 from VIA Labs is the industry's first fully integrated single chip solution" => Very early USB3 hub
* Official firmware upgrade tools available from VIA: http://via-labs.com/en/support/downloads.jsp
* File Usb3HubFWUpgrade_Setup_V0.41_VL810_0960.exe appears to be an installer
* Installing the update utility yields a 20 KiB firmware file that contains 8051 code and USB descriptors
=> %{color:red}Most likely vulnerable%

h3. GetDigital 7 Port USB2.0 Hub with switches

* Chip label: FE2.1 USB 2.0 HUB LD3E762A2352
* No external flash/EEPROM
* Chip: Terminus FE2.1
* Supports configuration data on external EEPROM
=> %{color:green}Most likely not reprogrammable%

h3. 13 Port USB Hub in lab

* Built from two 7-port hub chips
* Chip label: FE2.1 USB 2.0 HUB ... => Terminus FE2.1
* No external flash/EEPROM, but footprint available on PCB
* Chip: Terminus FE2.1
* Supports configuration data on external EEPROM
=> %{color:green}Most likely not reprogrammable%

h3. Noname 4 Port Wire USB Hub

* Chip: Terminus FE1.1s USB 2.0 Hub, no external flash/EEPROM
=> %{color:green}Most likely not reprogrammable%

h3. Noname 7 Port Wire USB Hub

* Chip: Terminus FE2.1 without external flash
=> %{color:green}Most likely not reprogrammable%

h3. Cheap 4-Port USB2.0 hub [Genesys Logic GL850G 4 Port USB2 Hub]

* No external Flash/EEPROM chips present
* 8-bit RISC processor with 2K ROM and 64 bytes RAM => Not reprogrammable, very few resources for programming an attack
* External EEPROM for configuration data possible
=> %{color:green}Not vulnerable%

h3. D-Link DUB-H7

* 2x GL850Z
* STM8S103 K3T6C => "STM8S103/105 Access line is our standard line of multi-purpose 8-bit microcontrollers" => Probably used for charging ports
* 2x Pm25LD512 SPI Flash (64 KiB), wired to GL850Z
* => No information about GL850Z found; other GL850 variants are not reprogrammable, but this one has the 64 KiB flash chip => Could be reprogrammable
* Dexter has read out the SPI Flash chip contents; they look like 8051 code
* => %{color:red}Most likely vulnerable%
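Several assessments above (ASM1074, VL811, VL810) rest on finding USB descriptors inside an updater or firmware file. The following is an added example, not part of the original wiki page or any vendor tool, of how to check a firmware image for structurally valid device and configuration descriptors when judging whether a hub is field-updatable. The function names, the sanity bounds and the sample image are constructed for illustration.

```python
import struct

HUB_CLASS = 0x09
VALID_BCD_USB = {0x0100, 0x0110, 0x0200, 0x0210, 0x0300, 0x0310, 0x0320}

def find_device_descriptors(blob):
    """Yield (offset, fields) for each plausible 18-byte USB device descriptor."""
    pos = blob.find(b"\x12\x01")            # bLength=18, bDescriptorType=DEVICE
    while pos != -1:
        if pos + 18 <= len(blob):
            (bcd_usb, dev_class, _, _, mps0, vid, pid,
             _, _, _, _, n_cfg) = struct.unpack_from("<HBBBBHHHBBBB", blob, pos + 2)
            # bMaxPacketSize0: 8..64 bytes for USB 1.x/2.0, exponent 9 for USB 3.x
            if bcd_usb in VALID_BCD_USB and mps0 in (8, 9, 16, 32, 64) and 1 <= n_cfg <= 8:
                yield pos, {"bcdUSB": bcd_usb, "class": dev_class, "vid": vid, "pid": pid}
        pos = blob.find(b"\x12\x01", pos + 1)

def find_config_descriptors(blob):
    """Yield (offset, wTotalLength, endpoint_count) for configuration descriptors
    whose chain of sub-descriptors adds up exactly to wTotalLength."""
    pos = blob.find(b"\x09\x02")            # bLength=9, bDescriptorType=CONFIGURATION
    while pos != -1:
        if pos + 9 <= len(blob):
            total, n_if, _, _, attrs, _ = struct.unpack_from("<HBBBBB", blob, pos + 2)
            # bmAttributes: bit 7 is always set, bits 0..4 are reserved and zero
            if 9 <= total <= len(blob) - pos and n_if >= 1 and attrs & 0x9F == 0x80:
                cur, endpoints = pos, 0
                while cur + 2 <= pos + total and blob[cur] >= 2:
                    endpoints += blob[cur + 1] == 0x05   # ENDPOINT descriptor
                    cur += blob[cur]                     # advance by bLength
                if cur == pos + total:
                    yield pos, total, endpoints
        pos = blob.find(b"\x09\x02", pos + 1)

def triage(blob):
    """Summarise descriptor hits; flag images that look like hub firmware."""
    devs, cfgs = list(find_device_descriptors(blob)), list(find_config_descriptors(blob))
    is_hub = any(f["class"] == HUB_CLASS for _, f in devs) and bool(cfgs)
    return {"device": devs, "config": cfgs, "hub_firmware_candidate": is_hub}

# Constructed sample image (not a real firmware): filler, hub device descriptor,
# then one configuration with one interface and one interrupt IN endpoint (EP1).
DEVICE = bytes.fromhex("12 01 0002 09 00 01 40 3412 7856 0001 01 02 00 01")
CONFIG = bytes.fromhex("09 02 1900 01 01 00 E0 32  09 04 00 00 01 09 00 00 00  07 05 81 03 0100 0C")
SAMPLE_IMAGE = b"\x02\x00\x30" + b"\x00" * 61 + DEVICE + b"\xff" * 14 + CONFIG + b"\xff" * 32

if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))
```

Byte-pattern hits alone are weak evidence; the length-chain check on the configuration descriptor is what separates a real descriptor table from a coincidental `09 02` in code.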