Unbridled HIDIOcy
@stevelord, Raw Hex, https://hidiot.com/
This Guy
• @stevelord on Twitter and Mastodon
• Raw Hex, 44CON, HIDIOT
• I like breaking and building (the Internet of) things
What Is HIDIOT?
• Human Interface Device Input/Output Toolkit
• Tool To Teach Hardware Hacking Skills
• uC and host programming
• Circuit design and Soldering
• Bus interfaces and protocols
What Is HIDIOT?
• Specific focus: 11-16 year old kids
• Teach kids to: void warranties, do unspeakable things to microcontrollers, save the world
What is HIDIOT?
• Alternative focus: Hackers
• Originally built as a tool to explore USB protocols, HID devices for USB/Bluetooth
• Used to simulate USB devices and for rapid prototyping
Part 1: Using (and abusing) HIDIOT
What Does HIDIOT Have?
• USB interface to ATTiny85
• 8k Flash, 512 bytes SRAM, 512 bytes EEPROM
• Almost any bus type thanks to USI
• Soft UART, SPI, I2C, 1-wire buses, USB :)
HIDIOT Software Stack
• Arduino IDE with Digispark/Trinket capability
• AVR-GCC for those who like to go manual
• Micronucleus Bootloader
• V-USB for USB management
• Library support for lots of add-ons
Physical HIDIOT
• Temp Sensor
• Light sensing via LED
• 2x LEDs
• 2x Tact switches
• Breakout area
Host Comms With HIDIOT
• USB Generic HID Class/LibUSB
• CDC Serial*
• Keyboard/Mouse/Joystick/MIDI etc.
• Anything you can write reports for
Computer Add-on Projects (CAPs)
• Like Shields or HATs
• Interchangeable hardware add-ons
• Ideal for modular HID-based exfil
Rapid Prototyping With HIDIOT
• Use breakout to add parts
• Build CAP for components
• Take ATTiny85 off board and add to CAP
• Add Power Source
Part 2: A High Level Overview of USB 2.0
While I build a HIDIOT live
Electrical USB
• 4 Pins - VCC, GND, D-, D+
• Differential Encoding on D-/D+ for noise cancellation
• Pull-up/down resistors for different device/host/hub combinations
USB 2.0 Terms
• Transfers
• Transactions
• Packets/Phases
• PID
• CRC
USB 2.0 Comms
• All transfers/transactions are IN or OUT from the host's perspective.
• IN - Device to Host
• OUT - Host to Device
USB 2.0 Transfer Types
• Control
• Bulk
• Interrupt
• Isochronous
USB 2.0 Transactions
• Transfers consist of 1 or more transactions
• Each Transaction consists of two or three packets (stages/phases)
• Packets contain PIDs and other info
USB 2.0 Packets
• Token packet (all transactions, contains PID, endpoint and CRC)
• Data packet (contains PID, data and CRC)
• Handshake packet (contains PID)
Other Packets
• PING packets
• PRE packets
Control Transfers
• 1 Setup stage transaction
• 0 or more data stage transactions
• 1 Status stage transaction (in opposite direction, IN if no data stage sent)
Control Transfers
• Each stage has 3 phases (packets)
• Token
• Data
• Handshake
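The packet layout described in the slides above (token = PID + address/endpoint + CRC5, data = PID + payload + CRC16, handshake = PID byte only) and the three-packet setup stage of a control transfer can be built and checked in a few lines. The Python below is an added example written for this page, not code from the HIDIOT project: the PID values, CRC polynomials and field layout are taken from the USB 2.0 specification, the 8-byte payload in the demo is a constructed GET_DESCRIPTOR request to the default address, and the function names are my own.

```python
"""Build and verify USB 2.0 token, data and handshake packets (added example, not HIDIOT code)."""

# 4-bit PID values from the USB 2.0 spec. On the wire the PID byte is
# PID | (~PID << 4): the upper nibble is the bit-inverted check field.
PID_OUT, PID_IN, PID_SETUP = 0x1, 0x9, 0xD
PID_DATA0, PID_DATA1 = 0x3, 0xB
PID_ACK, PID_NAK, PID_STALL = 0x2, 0xA, 0xE

TOKEN_PIDS = {PID_OUT: "OUT", PID_IN: "IN", PID_SETUP: "SETUP"}
DATA_PIDS = {PID_DATA0: "DATA0", PID_DATA1: "DATA1"}
HANDSHAKE_PIDS = {PID_ACK: "ACK", PID_NAK: "NAK", PID_STALL: "STALL"}


def pid_byte(pid: int) -> int:
    """Encode a 4-bit PID together with its inverted check nibble."""
    return (pid & 0xF) | ((~pid & 0xF) << 4)


def check_pid_byte(b: int) -> int:
    """Return the 4-bit PID, or raise if the check nibble does not match."""
    pid, check = b & 0xF, (b >> 4) & 0xF
    if check != (~pid & 0xF):
        raise ValueError(f"PID check nibble mismatch in 0x{b:02X}")
    return pid


def _crc_lsb_first(value: int, nbits: int, width: int, poly_reflected: int, init: int) -> int:
    """Bit-serial CRC fed LSB first (USB wire order). The register is kept in
    reflected orientation so the result packs straight into little-endian bytes.
    USB transmits the bit-inverted final register value."""
    crc = init
    for i in range(nbits):
        bit = (value >> i) & 1
        if (crc ^ bit) & 1:
            crc = (crc >> 1) ^ poly_reflected
        else:
            crc >>= 1
    return (~crc) & ((1 << width) - 1)


def crc5_token(addr: int, endp: int) -> int:
    """CRC5, polynomial x^5 + x^2 + 1, over the 11-bit ADDR||ENDP field."""
    field = (addr & 0x7F) | ((endp & 0xF) << 7)
    return _crc_lsb_first(field, 11, 5, 0x14, 0x1F)


def crc16_data(payload: bytes) -> int:
    """CRC16, polynomial x^16 + x^15 + x^2 + 1, over a data packet payload."""
    return _crc_lsb_first(int.from_bytes(payload, "little"), 8 * len(payload), 16, 0xA001, 0xFFFF)


def build_token(pid: int, addr: int, endp: int) -> bytes:
    """Token packet: PID byte, then ADDR(7) | ENDP(4) | CRC5(5) as two little-endian bytes."""
    if pid not in TOKEN_PIDS:
        raise ValueError("not a token PID")
    field = (addr & 0x7F) | ((endp & 0xF) << 7) | (crc5_token(addr, endp) << 11)
    return bytes([pid_byte(pid)]) + field.to_bytes(2, "little")


def build_data(pid: int, payload: bytes) -> bytes:
    """Data packet: PID byte, payload, CRC16 as two little-endian bytes."""
    if pid not in DATA_PIDS:
        raise ValueError("not a data PID")
    return bytes([pid_byte(pid)]) + payload + crc16_data(payload).to_bytes(2, "little")


def build_handshake(pid: int) -> bytes:
    """Handshake packet: PID byte only."""
    if pid not in HANDSHAKE_PIDS:
        raise ValueError("not a handshake PID")
    return bytes([pid_byte(pid)])


def parse_packet(pkt: bytes) -> dict:
    """Decode one packet, rejecting bad PID check nibbles, lengths and CRCs."""
    pid = check_pid_byte(pkt[0])
    if pid in TOKEN_PIDS:
        if len(pkt) != 3:
            raise ValueError("token packet must be 3 bytes")
        field = int.from_bytes(pkt[1:3], "little")
        addr, endp, crc = field & 0x7F, (field >> 7) & 0xF, field >> 11
        if crc != crc5_token(addr, endp):
            raise ValueError("CRC5 mismatch")
        return {"type": TOKEN_PIDS[pid], "addr": addr, "endp": endp}
    if pid in DATA_PIDS:
        if len(pkt) < 3:
            raise ValueError("data packet needs a PID byte and a CRC16")
        payload, crc = pkt[1:-2], int.from_bytes(pkt[-2:], "little")
        if crc != crc16_data(payload):
            raise ValueError("CRC16 mismatch")
        return {"type": DATA_PIDS[pid], "payload": payload}
    if pid in HANDSHAKE_PIDS:
        if len(pkt) != 1:
            raise ValueError("handshake packet is a single byte")
        return {"type": HANDSHAKE_PIDS[pid]}
    raise ValueError(f"unsupported PID 0x{pid:X}")


def setup_stage(addr: int, setup_payload: bytes) -> list:
    """The three packets (token, data, handshake) of a control transfer's setup
    stage: SETUP token, DATA0 carrying the 8-byte request, ACK from the device."""
    if len(setup_payload) != 8:
        raise ValueError("a setup payload is always 8 bytes")
    return [build_token(PID_SETUP, addr, 0), build_data(PID_DATA0, setup_payload), build_handshake(PID_ACK)]


if __name__ == "__main__":
    # Constructed sample: GET_DESCRIPTOR(device) to the default address 0.
    get_descriptor = bytes.fromhex("8006000100004000")
    for pkt in setup_stage(0, get_descriptor):
        print(pkt.hex(" "), parse_packet(pkt))
```

The SETUP token to address 0, endpoint 0 comes out as `2D 00 10` and a zero-length DATA1 packet as `4B 00 00`, which is handy for reading raw captures from a USB analyser or a V-USB debug trace.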
Interrupt Transfers
• Low Speed Transfers
• 1 or more IN or OUT transaction
• Same 3 phases as before
Let's Get Out Of The Weeds (Thank goodness)
USB Device Classes
• Lots of ‘em
• We’re focused on USB HID Device Class
• BONUS: USB HID === Bluetooth HID
Common USB HID Class Devices
• Keyboards
• Mice
• Game Controllers
• Generic HID Class*
Uncommon USB HID Class Devices
• UPSes
• Software Protection Dongles
• Medical Devices
USB Reports
• Each device communicates using reports
• Device describes report structure during enumeration
• IN interrupt transfer is minimum required for HID (e.g. keyboard press)
• OUT transfers are optional (e.g. to report keyboard LED status change)
How HID Works
• Host polls device's interrupt IN endpoint
• If device has data it will send data in report format
• Common devices use reports compliant with USB-IF standards
• Custom devices require custom drivers
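Boot-protocol keyboards are the most common case of "reports compliant with USB-IF standards": every interrupt IN report is 8 bytes, a modifier bitmap, a reserved byte and up to six key usage codes, and the host polls for them as described above. The decoder below is an added example written for this page, not HIDIOT code. The report layout and the usage codes for letters, digits, Enter, Tab and Space come from the HID Usage Tables; the shifted-digit mapping assumes a US layout; the sample reports, the `reports_to_text`/`keys_per_second`/`looks_scripted` names and the `max_keys_per_second` threshold are constructed for illustration.

```python
"""Decode HID boot-protocol keyboard reports (added example, not HIDIOT code)."""

# Modifier byte, bit 0 to bit 7, as defined by the HID boot protocol.
MODIFIER_BITS = ["LCtrl", "LShift", "LAlt", "LGUI", "RCtrl", "RShift", "RAlt", "RGUI"]

# Key usage codes from the HID Usage Tables, Keyboard/Keypad page (0x07).
KEYCODE_TO_CHAR = {0x04 + i: c for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
KEYCODE_TO_CHAR.update({0x1E + i: c for i, c in enumerate("1234567890")})
KEYCODE_TO_CHAR.update({0x28: "\n", 0x2B: "\t", 0x2C: " "})
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))  # assumes a US layout
ERROR_ROLLOVER = 0x01  # every key slot set to 0x01 means "too many keys held"


def decode_boot_report(report: bytes) -> dict:
    """Split one 8-byte boot keyboard report into modifiers and key codes."""
    if len(report) != 8:
        raise ValueError("a boot keyboard report is 8 bytes")
    modifiers = [name for i, name in enumerate(MODIFIER_BITS) if (report[0] >> i) & 1]
    slots = list(report[2:8])  # report[1] is reserved
    rollover = all(k == ERROR_ROLLOVER for k in slots)
    keycodes = [] if rollover else [k for k in slots if k]
    return {"modifiers": modifiers, "keycodes": keycodes, "rollover": rollover}


def reports_to_text(reports) -> str:
    """Turn a report sequence into the text it types. A key counts as pressed when
    it appears in a report and was absent from the previous one, so a key held
    across consecutive reports is emitted once."""
    out, previous = [], set()
    for report in reports:
        d = decode_boot_report(report)
        shift = "LShift" in d["modifiers"] or "RShift" in d["modifiers"]
        for k in d["keycodes"]:
            if k in previous:
                continue
            ch = KEYCODE_TO_CHAR.get(k)
            if ch is None:
                out.append(f"<0x{k:02X}>")  # usage code outside the small table above
            elif shift:
                out.append(SHIFTED_DIGITS.get(ch, ch.upper()))
            else:
                out.append(ch)
        previous = set(d["keycodes"])
    return "".join(out)


def keys_per_second(timestamped_reports) -> float:
    """Average key-press rate over (seconds, report) pairs, using the same press
    detection as reports_to_text. Returns 0.0 for fewer than two presses."""
    presses, previous = [], set()
    for t, report in timestamped_reports:
        keycodes = decode_boot_report(report)["keycodes"]
        presses.extend(t for k in keycodes if k not in previous)
        previous = set(keycodes)
    if len(presses) < 2:
        return 0.0
    span = presses[-1] - presses[0]
    return float("inf") if span == 0 else (len(presses) - 1) / span


def looks_scripted(timestamped_reports, max_keys_per_second: float = 20.0) -> bool:
    """Simple host-side heuristic: a "keyboard" that types faster than any human
    plausibly could is worth alerting on. The threshold is an assumed value."""
    return keys_per_second(timestamped_reports) > max_keys_per_second


if __name__ == "__main__":
    # Constructed reports: press h, release, press i, release, Shift+1, release.
    press = lambda key, mod=0: bytes([mod, 0, key, 0, 0, 0, 0, 0])
    release = bytes(8)
    sample = [press(0x0B), release, press(0x0C), release, press(0x1E, 0x02), release]
    print(repr(reports_to_text(sample)))
```

The rate heuristic is deliberately crude (it cannot tell a macro pad from an injector), but it is the kind of check a host can run on the polled reports without any cooperation from the device.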
Part 3: Software Stack
Installation
• Install Arduino
• Add Digispark board
• Install Windows USB drivers (optional)
• You can play along.
Part 4: DEMOS!
#1: Morse Code Blinker
#2, #3 Keyboard Control
• Hello World
• A Bit More
#4 DuckyScript
#5 Improving DuckyScript
#6 Pi Shutdown
#7 Improved Pi Shutdown
#8 Randomness
#9 Better Randomness
#10 Entropy Through WDT Jitter
#11 Hardware SSH Key
DENIED!!!
#11 Interfacing With Hardware
#12 Something Different
Part 5: Expanding HIDIOT
Part 6: Things For You To Try
Some Ideas To Try
• USB Host Fuzzing
• USB Device Fuzzing
• Brute forcing PINs with USB Keyboard
• Visible Light Comms
• Software Defined IR
Some Ideas To Try
• Portable RF hacking projects
• USB Host power-based side channel attacks
• Fuzzing SPI devices
• Fuzzing I2C devices
• Abusing USB report structure trust
Some Ideas To Try
• USB Device change detection and alerting
• EFI/SPI/I2C integrity monitoring
• U2F Security Key
• USB RF Bug/Anomaly Detection