Attacking Via the USB Port

By Peter-Michael Ziegler  |  Posted 2002-06-03

Taking account of security concerns is not a forte of the protocol of the USB, the Universal Serial Bus. It allows users to swap devices hooked up to a computer while the computer is running, thereby giving potential assailants something of a break: they can exchange the biometric scanner for a deceptive device of their own and play back to the computer data gathered while eavesdropping on a login event.

The simplest eavesdropping tool is a filter driver like USB Snoop for Windows. USB Snoop interposes itself between the driver of the USB adapter and the actual device driver. Windows presents it with all the data exchanged between the USB adapter driver and the device driver, and USB Snoop writes these into a log file of its own, which the snooping party can then analyze at its leisure. Filter drivers are quite easy to detect, though, and in addition require administrator rights to be installed under Windows 2000 and Windows XP. Nevertheless, they would permit a biometric scanner of the same kind as the one to be tricked to be studied on one's own PC.

The workings of a hardware analyzer like the USB Agent by Hitex (see page 69), on the other hand, which eavesdrops on the USB cable directly, are virtually invisible. A USB Agent latched onto the cable records all transmitted data and transfers it to a foreign PC. With the aid of the software that comes with the device, an assailant can then analyze on the foreign PC the protocols used by the target PC and filter out the relevant data packets. After exporting the data to a text file it is then possible to generate from it the data required to accomplish a login.
With regard to the ID Mouse by Siemens we were able with the aid of USB data packets and a few lines of Perl script to reconstruct the image of a fingerprint. All one requires to replay the data gathered by eavesdropping is a micro controller with USB support and some storage capacity. Together these then constitute a device capable of impersonating towards the target PC the previously removed biometric scanner. The firmware required to do so is fairly easy to program: The device, upon configuration requests, simply needs to respond with answers identical to those of the actual scanner and then at the right moment play back the stored biometric data.
The way to foil attacks of this kind with certainty would be to use so-called challenge-response procedures in the course of which the biometric scanner and the application mutually authenticate one another and thereafter communicate with one another exclusively in an encrypted fashion. (hes) Translated by Robert W. Smith
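The challenge-response procedure the article names as the countermeasure, worked through as an added example that is not code from the c't article, from Siemens or from Hitex. It assumes a symmetric key provisioned into both the scanner firmware and the host application at enrolment; the classes `Scanner`, `Host` and `BusTap`, the `demo` function and the HMAC-derived keystream are all constructions of this example. The host challenges the scanner with a fresh nonce, the scanner answers with its own nonce and a keyed tag, the host proves itself the same way, and only then is the fingerprint image sent over an encrypted, authenticated channel. `BusTap` plays the role of the cable analyzer plus the microcontroller from the article: it records one genuine session and replays it, and the replay fails because the recorded tag was computed over an old host nonce.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 32  # bytes in an HMAC-SHA256 tag


def mac(key, *parts):
    # HMAC-SHA256 over the concatenation of parts; the first part is a domain label.
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


def keystream_xor(key, data):
    """Counter-mode encryption with an HMAC-derived keystream. Illustrative only:
    a production device would use a standard AEAD such as AES-GCM."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), TAG_LEN)):
        ks = mac(key, b"keystream", block.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[off:off + TAG_LEN], ks))
    return bytes(out)


class Scanner:
    """Genuine scanner firmware: shares a key with the host and holds the live image."""

    def __init__(self, key, live_image):
        self.key, self.live_image = key, live_image
        self.host_nonce = self.dev_nonce = b""

    def challenge_response(self, host_nonce):
        # Fresh device nonce per session; the tag binds both nonces to the key.
        self.host_nonce, self.dev_nonce = host_nonce, secrets.token_bytes(16)
        return self.dev_nonce, mac(self.key, b"scanner", host_nonce, self.dev_nonce)

    def deliver_image(self, host_tag):
        # Mutual authentication: no biometric data for a host that lacks the key.
        expected = mac(self.key, b"host", self.host_nonce, self.dev_nonce)
        if not hmac.compare_digest(expected, host_tag):
            raise PermissionError("host failed to authenticate")
        session = mac(self.key, b"session", self.host_nonce, self.dev_nonce)
        ct = keystream_xor(session, self.live_image)
        return ct + mac(session, b"ct", ct)


class Host:
    """Host application holding the enrolled template."""

    def __init__(self, key, enrolled_image):
        self.key, self.enrolled_image = key, enrolled_image

    def login(self, device):
        host_nonce = secrets.token_bytes(16)
        dev_nonce, dev_tag = device.challenge_response(host_nonce)
        # A replayed tag was computed over an old host nonce, so this check fails.
        expected = mac(self.key, b"scanner", host_nonce, dev_nonce)
        if not hmac.compare_digest(expected, dev_tag):
            return False
        try:
            blob = device.deliver_image(mac(self.key, b"host", host_nonce, dev_nonce))
        except PermissionError:
            return False
        session = mac(self.key, b"session", host_nonce, dev_nonce)
        ct, ct_tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(mac(session, b"ct", ct), ct_tag):
            return False
        # Real matchers compare fuzzily; exact equality is enough for this demo.
        return keystream_xor(session, ct) == self.enrolled_image


class BusTap:
    """Records what the genuine scanner puts on the bus, then replays it: the
    cable analyzer and the replaying microcontroller from the article in one object."""

    def __init__(self, device):
        self.device, self.log, self.replaying = device, [], None

    def start_replay(self):
        self.replaying = iter(self.log)

    def _call(self, name, arg):
        if self.replaying is not None:
            return next(self.replaying)  # ignore the host's input, answer from the recording
        reply = getattr(self.device, name)(arg)
        self.log.append(reply)
        return reply

    def challenge_response(self, host_nonce):
        return self._call("challenge_response", host_nonce)

    def deliver_image(self, host_tag):
        return self._call("deliver_image", host_tag)


def demo():
    """Returns (genuine login result, replayed login result)."""
    key = secrets.token_bytes(32)          # constructed: provisioned at enrolment
    fingerprint = bytes(range(256)) * 4    # constructed stand-in for a scanner image
    host, tap = Host(key, fingerprint), BusTap(Scanner(key, fingerprint))
    genuine_ok = host.login(tap)           # the eavesdropper records this session
    tap.start_replay()
    return genuine_ok, host.login(tap)     # expected: (True, False)
```

Calling `demo()` runs one genuine login followed by a replay of its recording. The design point is that every tag and the session key depend on a nonce the host chooses fresh each time, so captured bus traffic has no value in a later session; the key never crosses the bus, and the image only crosses it encrypted under the per-session key.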