pts2024

Thiébaud Fuchs (R&D engineer, Quarkslab)

I'm a security researcher at Quarkslab.


Sessions

07-04
15:25
35min
Hydradancer, using USB3 to improve USB hacking with Facedancer
Thiébaud Fuchs (R&D engineer, Quarkslab)

USB (Universal Serial Bus) is the current standard for connecting peripherals to devices. USB is used to connect keyboards, mice, printers, musical instruments, storage, cameras and pretty much everything else to a device. This makes it the perfect target for security researchers with physical access to a USB port. A small USB primer at the start of this talk should give you a broad idea of how USB2 works and of some improvements USB3 brings.

While exchanging data with USB peripherals can be done in Python with PyUSB [1] on any PC, creating custom USB peripherals for security assessment and testing (e.g., attack surface analysis, scanning, fuzzing) of USB hosts can be more challenging, as it requires specific hardware. That's where Facedancer [2] came in 12 years ago: Facedancer is a Python library from Great Scott Gadgets that interacts with dedicated hardware capable of creating USB devices, allowing you to create and modify a USB2 peripheral in seconds.

However, the flexibility of Facedancer comes at a cost: data has to go from the target host to the controlling PC, then back to the target host, using a much longer path than a regular USB device would use. The current implementation of Facedancer is based on backends, which support different hardware: Facedancer21 [3]/Raspdancer [4]/BeagleDancer [5], GreatFET One [6] and the Moondancer backend for the upcoming Cynthion board [7]. While Moondancer should bring USB2 High-speed support (480Mb/s), Facedancer is currently stuck at USB2 Full-speed (1.5Mb/s) with instability issues.

With the open-source project Hydradancer [8], we bring a USB2 High-speed backend to Facedancer using the USB3 capabilities of HydraUSB3, a platform based on the RISC-V WCH569 chip. While emulating USB3 peripherals is still out of the question with the current delays, Hydradancer brings improved speeds and stability for USB2 peripheral emulation. As the WCH569 lacks documentation for USB3 and a proper SDK, a lot of testing was required to get the USB3 connection working. We will present the different challenges that we encountered while making wch-ch56x-lib, a support library for WCH569 with tested USB2, USB3, HSPI (High-speed Parallel Interface) and SerDes (Serializer/Deserializer) drivers.

As we needed to measure the improvements of Hydradancer over existing backends, we will present our benchmarks that compare Hydradancer with the existing Facedancer21 and GreatFET boards. Our results showed 447 times faster average write transfers for USB2 Full-speed transmission compared with Facedancer21 and 10 times faster compared with GreatFET One.

Then, we will demonstrate the use of Facedancer for security research and compare Hydradancer with the existing Facedancer21 and GreatFET One boards for this usage.

As Facedancer is not the only option when it comes to creating USB peripherals, we will compare it with raw-gadget [9], a low-level interface for the Linux Gadget USB subsystem, and learn how Hydradancer and raw-gadget can complement each other.

Finally, we will talk about the current limitations of USB emulation and what the future might look like, especially for USB3 peripheral creation.

NOTE: In April 2024, we will release wch-ch56x-lib (a support library for the WCH569 chip) and the code used for our benchmarks, along with the firmware and backend for Hydradancer. Benjamin Vernoux, the creator of HydraUSB3, is currently working on making the Hydradancer hardware available to the public, and it should be ready for the talk or soon after. We started by working on a dual HydraUSB3 setup; Hydradancer will be a single smaller board, and the talk will be based on a development version of this new board.

Hardware & low level
Amphitheater