int3.cc

A few years back at a conference in Singapore that we were both speaking at, I talked to Travis Goodspeed about his GoodFET and a bit about his future plans for a device that would become the FaceDancer. At the time I'd done very little hardware work (other than some consulting one-offs, like kernel vulnerability research on a popular game console).

Fast-forward a few years and I'd found myself focusing more and more on "hardware enhanced" attack vectors against software having now done this work for a number of manufacturers. I'd also taken to designing my own hardware product on the side.

If I'd told my past self that this would be the case, I'd have laughed it off as an impossibility. But the fact that I (a not particularly astounding reverser, coder, or exploitation guy) have been able to learn so much in so little time is a testament to how easily our skills as even average reverse engineers, exploit developers, and coders lend themselves to hardware and how fruitful a few hardware tricks can be. (I talked a little bit about this a few years back when I was just getting started messing around with hardware.) Now that things are shifting to mobile and embedded devices, this is even more so. (We discuss this in great detail in the upcoming Android Hacker's Handbook.)

Travis Goodspeed and Dr. Sergey Bratus's work had always been an inspiration to me (amid all its eccentricity ;-), especially when I was "looking for something new" and fascinating to play with. About a year ago while consulting with a large "Point of Sale" software/hardware manufacturer, the opportunity to poke deeply into USB implementations arose. We (at Xipiter) bought up a bunch of the TotalPhase hardware devices, some indispensable books, and got up to date on all the "USB hacking" prior art out on the web. We were amazed at how complex USB implementations could be, and again surprised at how some simple hardware tricks coupled with software reverse engineering and exploitation could yield amazing results.

The FaceDancer (at the time) required assembly. So we built a few by hand to accompany our research. After a few months of reversing and exploit development (which dovetailed nicely with our ARM exploitation work), the customer was so impressed with our capability that they asked us to build some for their engineers to perform future security research with. It was then that we decided to use the factory that was helping us with our other side project to sell fully assembled FaceDancer21s to the broader security research community (basically at cost to us).

How could we not do this for such an awesome and unique tool that clearly filled a tools gap?

Fast forward about half a year and we've sold hundreds of these all over the world... people are releasing complete software packages for it, building 3D-printed enclosures, and realizing that the FaceDancer21 is a completely unique USB analysis tool. They are realizing the fragility of USB implementations as they accidentally stumble upon 0-day...

This morning I realized (as I looked at 3D-printed cases much better than my poorly designed ones) that amid all the divisiveness, competition, and drama in the InfoSec community, the FaceDancer21 is a simple example of how we as security researchers still really feed off of one another in positive ways.

Many of us were eager to ostentatiously add "researcher" to our titles to legitimize what began (for most of us) as a silly hobby... but our community really does have an ever-evolving set of capabilities, techniques, and skills, much like any other field of research.

No matter how ridiculous you may think it is, our community really does maintain its own "body of knowledge," with capabilities and core competencies scattered throughout this weird little cottage industry. The FaceDancer21, no matter how niche, kinda exemplifies this. How?

  1. Travis Goodspeed designed the FaceDancer11 and the FaceDancer20 and completely open-sourced them.
  2. Ryan Speers improved it, and his input became the FaceDancer21.
  3. I was amazed that nothing like the FaceDancer already existed and started manufacturing it (at cost to me, no profit).
  4. NCC Group's Andy Davis (a veteran of USB research) released a fully functional tool for it.
  5. People are designing cases for it and realizing that this thing accidentally stumbles upon potentially useful bugs.

This (to me) is the infosec research community at its best. The best folks in our community often can't and don't share techniques publicly (and for good reason). But amid all that, the FaceDancer21 is (to me) a cute example of a simple tool that shows that even though we are all growing up and have companies to run, bills to pay, families to feed, and IP to protect, we still all have a little bit of that original spark in us... So to me it's kinda a testament to the cool stuff we can still accomplish collaboratively by just shaving a few hours a week off our schedules.

Written by Stephen Ridley — November 11, 2013
