The USB interface: that small, useful, hard-to-protect multifunctional port in your PC, phone, digibox (set-top box) and other devices.
In this article I am not trying to crash the system or get into the OS; I just want to protect my Linux devices against unwanted USB devices. This post is divided into three parts:
- Limit the types of devices that can be connected to the box.
- Reject all devices that were not connected to the box at boot time.
- A combination of both.
This method is tested on Debian and RedHat/CentOS setups; there is a small difference between the two distributions.
First, you need the Facedancer21 USB device emulator hardware (you can order it here: https://store.hackaday.com/products/facedancer21).
Second, you need Linux (or Mac OS X; I use both) with Python 3 installed.
Third, download NCC Group's umap USB host security assessment tools. I recommend using both:
Original umap: https://github.com/nccgroup/umap
Version 2 umap: https://github.com/nccgroup/umap2
What I have noticed is that they work in different scenarios: version 2 is still limited (e.g. it lacks printer and OS detection support), but it is more accurate when you are testing audio-based USB devices. Version 1 has a feature called "Start network server", but it does not work for me.
Fourth, you need a target. In this picture it is a Raspberry Pi running Raspbian (OK, I had too much time in the hotel room).
Facedancer21 setup. Laptop, facedancer21 and target.
You can use the -h option when starting the umap.py script; it shows the umap help.
NCC umap.py options.
As you can see there are lots of options, including fuzzing, but that is another story.
Connect the Facedancer21 to the victim's USB port and run "sudo python3 umap.py -P /dev/tty.usbserial-AH039TWN -O". Check your system log (dmesg) for the correct serial device; mine was tty.usbserial-AH039TWN. Option -O probes the target and gives a best guess of its operating system.
It may not recognise every embedded device (TVs etc.), but it is still a useful feature when you do not know which OS your target is running.
Next we need to find out which USB device classes the target supports. Run "sudo python3 umap.py -P /dev/tty.usbserial-AH039TWN -i". Option -i probes the target and lists all supported USB device classes. Do the same with umap2: run "umap2scan -P fd:/dev/ttyUSB0" (on my Kali box the Facedancer21 shows up as /dev/ttyUSB0).
Scan made by umap.
As you can see, lots of USB device classes are supported in the default configuration.
Scan made by umap2.
The NCC umap2 output looks nicer, but it finds the same devices.
Next we do some hardening to limit the device types that can be connected to the USB port. Run "lsmod" after the first scan to see which kernel modules got loaded.
Output for lsmod.
As you can see, a lot of modules got loaded.
Go to the /etc/modprobe.d directory and create a new file (give it a .conf suffix). On Debian-based systems the values are written slightly differently; on RedHat/CentOS put this line
install usb-storage /bin/true
in that file. You can also use "lsusb -t" to see which driver is bound to each connected device. After this, reboot the system and run the umap scan again.
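The following shell script is an added example, not a file from the original post: it generates the modprobe deny rule for a list of USB class drivers and checks the result. The file name usb-hardening.conf, the CONF_DIR override and the module list (usb-storage, snd-usb-audio) are my assumptions; do not add usbhid unless you can live without a USB keyboard. It uses "install <module> /bin/false" instead of "blacklist", because blacklist only stops alias-based autoloading and an explicit modprobe (or a dependency pull-in) still loads the module; the install directive is honoured by modprobe on both Debian and RedHat families. /bin/false makes a load attempt fail visibly, whereas /bin/true (as in the post) blocks the load but reports success.

```shell
#!/bin/sh
# Added example, not the post's own file: generate a modprobe deny rule for
# USB class drivers and check it. CONF_DIR, the file name usb-hardening.conf
# and the module list are assumptions for illustration.
CONF_DIR="${CONF_DIR:-/etc/modprobe.d}"
CONF_FILE="usb-hardening.conf"

# deny_modules DIR MODULE... : writes one "install MODULE /bin/false" line per
# module into DIR/usb-hardening.conf and prints the path of the file.
# "install" beats "blacklist": blacklist only stops alias-based autoloading,
# while an explicit "modprobe usb-storage" (or a dependency) still loads it.
# /bin/false makes the load attempt fail visibly; /bin/true (as in the post)
# also blocks the load but reports success.
deny_modules() {
    dir="$1"; shift
    mkdir -p "$dir"
    out="$dir/$CONF_FILE"
    : > "$out"
    for mod in "$@"; do
        printf 'install %s /bin/false\n' "$mod" >> "$out"
    done
    echo "$out"
}

# is_denied DIR MODULE : succeeds if the generated file denies MODULE.
is_denied() {
    grep -q "^install $2 /bin/false\$" "$1/$CONF_FILE" 2>/dev/null
}

# Usage (as root): sh usb-hardening.sh apply
# Then verify without rebooting:
#   modprobe -n -v usb-storage                  # dry run prints the install line
#   rmmod usb-storage && modprobe usb-storage   # must now fail
# The rule only stops future loads; a module already in the running kernel
# stays active, so reboot as the post does.
case "${1:-}" in
    apply) f=$(deny_modules "$CONF_DIR" usb-storage snd-usb-audio); echo "wrote $f" ;;
esac
```

Save it as usb-hardening.sh and run "sh usb-hardening.sh apply" as root; with no argument it only defines the functions, so you can source it from other scripts.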
Scan for original umap.
Scan for umap2.
As you can see, the original umap reports that audio is still supported while umap2 says it is not. The OS can no longer load the matching class driver, but the device is still enumerated (its descriptors are read), so the host detects that someone is trying to connect a headset to the USB port.
Now we know how to filter USB device classes. What if we need to block all devices? This is quite easy, but there is a downside: whenever you need to connect a new device to the USB port you have to reboot with it attached.
On Debian-based distributions open /etc/rc.local and put the line "echo 0 > /sys/bus/usb/devices/usb1/authorized_default" before the "exit 0" line (on recent Debian releases /etc/rc.local must exist and be executable for rc-local.service to run it). You can check how many USB root hubs your system has with "ls -l" in the /sys/bus/usb/devices/ directory; they appear as usb1, usb2 and so on.
On RedHat/CentOS-based systems create a file called e.g. lockusb.sh in the /etc directory and put this in it (one line per root hub on your machine):
#!/bin/sh
# USB lock
# Ville Leinonen/Atea Finland
echo 0 > /sys/bus/usb/devices/usb1/authorized_default
echo 0 > /sys/bus/usb/devices/usb2/authorized_default
echo 0 > /sys/bus/usb/devices/usb3/authorized_default
echo 0 > /sys/bus/usb/devices/usb4/authorized_default
Remember to check the directory: the number of root hubs (usb1, usb2, ...) varies from machine to machine. Make the script executable (chmod +x /etc/lockusb.sh). Now create a systemd unit called e.g. lockusb.service in the /etc/systemd/system/ directory (the unit file itself does not need to be executable) with this content:
# Location /etc/systemd/system/lockusb.service, Ville Leinonen/Atea Finland Oy
[Unit]
Description=Lock USB in the boot
[Service]
Type=oneshot
ExecStart=/etc/lockusb.sh
[Install]
WantedBy=multi-user.target
Remember to enable the unit so that it runs when the system starts: "systemctl enable lockusb.service".
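The script below is an added example, not the post's own lockusb.sh: it locks every root hub it finds instead of hard-coding usb1..usb4, and it shows the per-device "authorized" attribute, which lets you allow one already-plugged device by hand instead of rebooting with it attached. The SYSFS override, the file name lockusb.sh and the "lock"/"auth" sub-commands are my assumptions. Two caveats a practitioner should know: authorized_default=0 only affects devices enumerated after the write, so anything present when the script runs stays authorized (that is what makes the "connected at boot" whitelist work), and the kernel parameter usbcore.authorized_default=0 applies the same policy from the very start of boot, in which case even boot-time devices need explicit authorization.

```shell
#!/bin/sh
# Added example, not the post's own lockusb.sh: lock every USB root hub instead
# of hard-coding usb1..usb4, and re-authorize a single device by hand.
# SYSFS defaults to /sys and can be pointed at a fake tree for testing.
SYSFS="${SYSFS:-/sys}"

# lock_root_hubs : write 0 to authorized_default on every root hub (usbN).
# Devices already enumerated keep their authorization; anything plugged in
# later is enumerated but never configured, so no class driver binds to it.
# Prints how many hubs were locked.
lock_root_hubs() {
    n=0
    for f in "$SYSFS"/bus/usb/devices/usb[0-9]*/authorized_default; do
        [ -e "$f" ] || continue
        echo 0 > "$f"
        n=$((n + 1))
    done
    echo "$n"
}

# hub_state usbN : print the current authorized_default value of one root hub.
hub_state() {
    cat "$SYSFS/bus/usb/devices/$1/authorized_default"
}

# authorize_device NAME : authorize one device that is already plugged in
# (NAME as listed in /sys/bus/usb/devices, e.g. 1-1.3) instead of rebooting
# with it attached. The per-device "authorized" flag lasts until it is unplugged.
authorize_device() {
    dev="$SYSFS/bus/usb/devices/$1"
    [ -e "$dev/authorized" ] || return 1
    echo 1 > "$dev/authorized"
}

# Usage (as root): sh lockusb.sh lock         at boot, from rc.local or a unit
#                  sh lockusb.sh auth 1-1.3   allow one device right now
case "${1:-}" in
    lock) echo "locked $(lock_root_hubs) root hub(s)" ;;
    auth) authorize_device "${2:-}" || { echo "no such device: ${2:-}" >&2; exit 1; } ;;
esac
```

Point ExecStart (or the rc.local line) at "sh /etc/lockusb.sh lock"; with no argument the script only defines its functions.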
Now remove all the devices and reboot the system and scan it again.
Original umap scan.
umap2 scan.
Now you can see that no USB device classes are supported any more.
Now let us connect e.g. a memory stick to the device. Insert the USB memory stick in the port and run "lsusb -t".
Command lsusb -t output.
As you can see, there is no mass-storage device in the list. Now reboot the device with the stick still attached.
Command lsusb -t output.
After the boot you can see that the usb-storage driver is loaded. If you now run the umap scan, mass storage is still reported as not supported, because the Facedancer itself was plugged in after boot and is therefore unauthorized.
Scan after mass-storage insert and boot.
If you now remove the memory stick and insert it again, it will not work either, so you are still protected against unwanted USB devices.
If you need to scan only one specific USB class, use the -c option, e.g. "sudo python3 umap.py -P /dev/tty.usbserial-AH039TWN -c 08:06:50" (class:subclass:protocol); this scans only the mass-storage class.
That's all for this time. See you next month.