Hardware Trojan Horse Device based on Unintended USB Channels (2009)
Venue: presented at the 3rd International Conference on Network & System Security, NSS’09, Gold
Citations: 2 (1 self)
Citations
52 | Keyboards and covert channels. - Shah, Molina, et al. - 2006
Citation Context ... Meta-Device in that it does not require the presence of a vulnerable driver on the network endpoint. There are risks associated with the consented use of USB [10] where legitimate users allow a foreign USB device to connect to the network endpoint, either voluntarily or because they have been duped [2]. In fact, Endpoint Security Solutions have been developed to mitigate this risk. Our approach differs in that it can still be used in the presence of Endpoint Security Solutions, as those generally do not regulate Human Interface Devices. The idea of a Keyboard Jitterbug was introduced in 2006 [11]. Such a device can be inserted between a keyboard and a network endpoint and act as a keylogger. This work is interesting in that it demonstrates that a device that provides keyboard functionality can also be used to exfiltrate data from a network endpoint. However, it is different from our approach because it requires that the network endpoint maintain an interactive session through the Internet. Our Hardware Trojan Horse device is able to exfiltrate information from a network endpoint without having to rely on the network. Finally, while there is no known research into unintended USB channe...
7 | The reality of risks from consented use of USB devices - AlZarouni - 2006
Citation Context ... unintended USB channels, but the following bear some relevance on our research. Because the USB protocol relies on devices to properly identify themselves during enumeration, a USB Meta-Device could be programmed to identify itself as any USB device [9]. In this way, the USB Meta-Device could be configured to represent itself as a device associated with a vulnerable driver loaded on the network endpoint. Our approach differs from the USB Meta-Device in that it does not require the presence of a vulnerable driver on the network endpoint. There are risks associated with the consented use of USB [10] where legitimate users allow a foreign USB device to connect to the network endpoint, either voluntarily or because they have been duped [2]. In fact, Endpoint Security Solutions have been developed to mitigate this risk. Our approach differs in that it can still be used in the presence of Endpoint Security Solutions, as those generally do not regulate Human Interface Devices. The idea of a Keyboard Jitterbug was introduced in 2006 [11]. Such a device can be inserted between a keyboard and a network endpoint and act as a keylogger. This work is interesting in that it demonstrates that a devic...
6 | Social engineering, the USB way, - Stasiukonis - 2006
Citation Context ...identiality, as is the case when using USB storage devices to exfiltrate large amounts of data from a network endpoint. However, USB can also affect the integrity of information on the network endpoint. Attackers have exploited Plug and Play, USB Flash Drives and other usability features (such as AutoRun and AutoPlay) to inject Software Trojan Horses in network endpoints [2], [3]. Endpoint Security Solutions have been introduced to help protect contemporary computer systems from the risks of such intended USB communication. Endpoint Security Solutions work by extending an access control list to certain classes of devices such as mass storage devices, imaging devices, PDAs, printers and communication ports. The Endpoint Security Solutions examined in this research did not generally regulate Human Interface Devices such as mice, keyboards and speakers [4], [5], [6], [7]. Our work demonstrates that an attacker can make use of certain USB devices, not controlled by E... [Footnote 1: We use the term network endpoint to refer to production workstations attached to the corporate LAN. The USB specifications describe a similar term, device endpoint, which refers to the source or sink of data on a USB device.]
5 | Predictable design of network-based covert communication systems, - Smith, Knight - 2008
2 | Pointsec protector homepage, - CheckPointSoftware - 2009
Citation Context ...e. usability features (such as AutoRun and AutoPlay) to inject Software Trojan Horses in network endpoints [2], [3]. Endpoint Security Solutions have been introduced to help protect contemporary computer systems from the risks of such intended USB communication. Endpoint Security Solutions work by extending an access control list to certain classes of devices such as mass storage devices, imaging devices, PDAs, printers and communication ports. The Endpoint Security Solutions examined in this research did not generally regulate Human Interface Devices such as mice, keyboards and speakers [4], [5], [6], [7]. Our work demonstrates that an attacker can make use of certain USB devices, not controlled by Endpoint Security Solutions, to create a Hardware Trojan Horse device. The Hardware Trojan Horse device can be attached to a target network endpoint as a replacement for the existing keyboard. Providing keyboard functionality allows the Hardware Trojan Horse to keylog user credentials as well as to upload and cause the execution of arbitrary code. Such arbitrary code leaves the network endpoint vulnerable to a wide range of known malicious attacks. More importantly, the ability to execute ...
2 | Devicelock homepage, - DeviceLockInc - 2009
1 | Implementers Forum - 2001
Citation Context ...ndpoint. The work was validated through the design and implementation of a proof of concept Hardware Trojan Horse device that uses two such unintended USB channels to successfully interact with a target network endpoint to compromise and exfiltrate data from it. 1. Introduction The USB protocol is ubiquitous on modern computer systems such as servers and network endpoints¹. USB peripherals offer network endpoints a wide variety of functionality, from storage to Human Interface Devices. The USB Specification defines a single physical interface and base protocol to be used for all USB devices [1]. USB devices are Plug and Play, meaning that a contemporary computer system contains the driver software necessary to configure a newly attached USB device without user or system administrator intervention. The very properties that make USB attractive to users (dynamic attachment, automatic configuration and the use of a single bus for a wide range of devices) can also turn USB into a viable attack vector into a network endpoint. Even when used as intended, USB can pose significant risks to confidentiality, as is the case when using USB storage devices to exfiltrate large amounts of data from...
1 | Devicewall home page, - CentenialSoftware - 2009
1 | An examination of endpoint security methods to regulate USB flash drives use, - Clark - 2007
1 | Common Criteria Recognition Agreement, “Common criteria for information technology security evaluation, version 2.3,” - 2005
Citation Context ... a network endpoint. However, it is different from our approach because it requires that the network endpoint maintain an interactive session through the Internet. Our Hardware Trojan Horse device is able to exfiltrate information from a network endpoint without having to rely on the network. Finally, while there is no known research into unintended USB channels, there is extant covert channel research. A covert channel can be defined as “an enforced, illicit signalling channel that allows a user to surreptitiously contravene the security policy and unobservability requirements of the system” [12]. As our unintended USB channels can be used to exfiltrate data from the network endpoint, they are similar to covert channels, even if we do not stress their unobservability. We use throughput to characterize the seriousness of the risk associated with unintended USB channels, because it is a recognized characteristic of such channels. The remainder of this document is separated in three main sections. Section 2 will discuss two unintended USB channels, models of their throughput and the experiments we conducted to verify those models. Section 3 will discuss the validation of our research aim...
1 | Implementers Forum, “Device Class Definition for Human Interface Devices,” - 2001
Citation Context ...ting system. 2.1. Keyboard LED Channel USB keyboards are Low-Speed Human Interface Devices that use two intended USB channels to communicate with a network endpoint: one based on Interrupt Transfers and one based on Control Transfers. The Interrupt Transfer endpoint is unidirectional, with data flowing into the network endpoint, whereas the Control Transfer endpoint is bidirectional, making it a good candidate for the exfiltration of data from a network endpoint to a device identifying as a USB keyboard. The USB Specification [1] and the USB Device Class Definition for Human Interface Devices [14] describe the format of data packets used for Control Transfers between a network endpoint and a USB keyboard. In particular, a Keyboard Output Report is described, which allows the manipulation of 3 bits mapped to the state of the Caps Lock, Scroll Lock and Num Lock modifiers. A Keyboard Output Report is generated by a network endpoint every time a keyboard transmits that a modifier key such as the Caps Lock, Scroll Lock or Num Lock key has been pressed. The network endpoint toggles the appropriate bit(s) in the Keyboard Output Report to represent the change, and transmits the report to all attach...
1 | USB Monitor Professional Homepage, - HHDSoftware - 2009
Citation Context ...ient to allow us to precisely compute the throughput for the Keyboard LED Channel. Therefore, a series of experiments were designed and conducted to determine a representative response time for a device to handle Control Transfers with a Data Stage. We created a VBScript file containing key press information to generate Keyboard Output Reports while imposing a delay between report generation. The imposed delay varied between 25 msec and 150 msec for each trial. The VBScript was executed on a target network endpoint and Keyboard Output Reports were observed using HHD’s USB Monitor Professional [15]. The results of these initial experiments allowed us to determine that a delay of 109.5 msec between the generation of Keyboard Output Reports allowed for successful reception by the USB keyboard interface. When the delay was less than 109.5 msec, some of the Keyboard Output Reports were not received by the USB interface, a situation we called deletion error. The frequency of deletion errors increased as the delay between Keyboard Output Reports was shortened. We also observed another condition where Keyboard Output Reports that were not generated by the network endpoint were observed at the ...
1 | Implementers Forum, “USB Device Class Definition for Audio Devices 2.0,” - 2006
Citation Context ...e a stream of data from a network endpoint. The Isochronous Endpoint is unidirectional, with data flowing out from the network endpoint. The USB Specification describes the maximum Isochronous Transfer data packet size for a Full-Speed device as 1023 bytes. It also specifies that a Full-Speed device, using Isochronous Transfers to communicate, can receive a data packet every frame, or every 1 msec. An unintended USB channel based on Isochronous Transfers of 1023 bytes every 1 msec yields a Theoretical Throughput of 1023 kilobytes/sec. The USB Device Class Definition for Audio Devices 2.0 [16] generally describes how a network endpoint marshals data to be sent to an audio device into structured blocks. The size of the block, BSize, is the product of the audio file’s coded sample resolution, in bytes/sample, and of the number of channels: $BSize = \text{Number of Channels} \times \text{Sample Resolution}$ (2). The WAVEFORMATEXTENSIBLE [17] audio format was chosen for this work, allowing for sample resolutions of 3 bytes/sample and four channels. This provided a BSize of 12 bytes. The number of blocks (NumBlocks) that are inserted into one Isochronous Transfer data packet also depends on the Sample Rate...
1 | Windows Media: WAVEFORMATEXTENSIBLE, - Microsoft - 2008
Citation Context ...rs to communicate, can receive a data packet every frame, or every 1 msec. An unintended USB channel based on Isochronous Transfers of 1023 bytes every 1 msec yields a Theoretical Throughput of 1023 kilobytes/sec. The USB Device Class Definition for Audio Devices 2.0 [16] generally describes how a network endpoint marshals data to be sent to an audio device into structured blocks. The size of the block, BSize, is the product of the audio file’s coded sample resolution, in bytes/sample, and of the number of channels: $BSize = \text{Number of Channels} \times \text{Sample Resolution}$ (2). The WAVEFORMATEXTENSIBLE [17] audio format was chosen for this work, allowing for sample resolutions of 3 bytes/sample and four channels. This provided a BSize of 12 bytes. The number of blocks (NumBlocks) that are inserted into one Isochronous Transfer data packet also depends on the Sample Rate of the audio file. The WAVEFORMATEXTENSIBLE audio format allowed for a Sample Rate of 85 000 samples/sec for each channel, or 85 blocks of BSize per data packet transmitted every 1 msec. Thus, using the characteristics for the audio file described above, we obtained a data packet size of: $\text{Audio Data Packet} = 85 \times 12$ (3) = 10...
1 | Driver Kit: Audio Devices WaveCyclic Latency, - 2009
Citation Context ... Monitor Professional. Two observations were made following these experiments: there was more data transmitted than was expected and there was some variability in the data transmitted. The additional data observed was digital silence (0x00 or 0xFF) appended to the end of the data stream representing the encoded audio file. The size of the additional data was between 30 and 40 full packets. The variability in the amount of additional data, termed End Stuffing, was determined to be due to the network endpoint’s operating system’s buffering policy for audio data, used to prevent device starvation [18]. An expression was developed to express End Stuffing in terms of packets: $\text{End Stuffing [packets]} = 30 + 10 \times \left( \left\lceil \frac{NumBlocks}{850} \right\rceil - \frac{NumBlocks}{850} \right)$ (5). The data encoded in the audio file was occasionally modified in transmission, where the characters received were 0x01 less than the encoded hexadecimal value in the audio file’s Data SubChunk. We observed that this variability occurred infrequently, but we made no attempts to analyze its source, or its frequency of occurrence. Because of the end stuffing of digital silence and the variability in the data transmitted, we chose a coding scheme that saw upp...