USB is the most prevalent peripheral interface in modern computer systems and
its inherent insecurities make it an appealing attack vector. A well-known
limitation of USB is that traffic is not encrypted. This allows on-path
adversaries to trivially perform man-in-the-middle attacks. Off-path attacks
that compromise the confidentiality of communications have also been shown to
be possible. However, so far no off-path attacks that breach USB communications
integrity have been demonstrated.
In this work we show that the integrity of USB communications is not
guaranteed even against off-path attackers.Specifically, we design and build
malicious devices that, even when placed outside of the path between a victim
device and the host, can inject data to that path. Using our developed
injectors we can falsify the provenance of data input as interpreted by a host
computer system. By injecting on behalf of trusted victim devices we can
circumvent any software-based authorisation policy defences that computer
systems employ against common USB attacks. We demonstrate two concrete attacks.
The first injects keystrokes allowing an attacker to execute commands. The
second demonstrates file-contents replacement including during system install
from a USB disk. We test the attacks on 29 USB 2.0 and USB 3.x hubs and find 14
of them to be vulnerable.Comment: To appear in USENIX Security 202