Debunking fake USB flash drives

Debunking fake USB flash drives By Renaud Lifchitz (@nono2357) PlopSec
– May 2020

Renaud Lifchitz - Debunking fake USB flash drives 2 What
is advertised Nice and slim USB flash drive, very large capacity, very cheap price, latest USB 3 technology...

Renaud Lifchitz - Debunking fake USB flash drives 3 Inserting
the flash drive… (1/2) $ dmesg [616145.561710] usb 3-9: new high-speed USB device number 32 using xhci_hcd [616145.587871] usb 3-9: New USB device found, idVendor=048d, idProduct=1234, bcdDevice= 2.00 [616145.587875] usb 3-9: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [616145.587878] usb 3-9: Product: Disk 3.0 [616145.587880] usb 3-9: Manufacturer: USB [616145.587881] usb 3-9: SerialNumber: 7431301101907252614 [616145.588512] usb-storage 3-9:1.0: USB Mass Storage device detected [616145.588706] scsi host10: usb-storage 3-9:1.0 [616146.606295] scsi 10:0:0:0: Direct-Access VendorCo ProductCode 2.00 PQ: 0 ANSI: 4 [616146.606779] sd 10:0:0:0: Attached scsi generic sg2 type 0 [616146.606958] sd 10:0:0:0: [sdc] 4095997952 512-byte logical blocks: (2.10 TB/1.91 TiB) [616146.607080] sd 10:0:0:0: [sdc] Write Protect is off [616146.607083] sd 10:0:0:0: [sdc] Mode Sense: 03 00 00 00 [616146.607213] sd 10:0:0:0: [sdc] No Caching mode page found [616146.607218] sd 10:0:0:0: [sdc] Assuming drive cache: write through [616146.609090] sdc: sdc1 [616146.610656] sd 10:0:0:0: [sdc] Attached SCSI removable disk Ok, large capacity advertised to the OS

Renaud Lifchitz - Debunking fake USB flash drives 4 Inserting
the flash drive… (2/2) $ dmesg [616145.561710] usb 3-9: new high-speed USB device number 32 using xhci_hcd [616145.587871] usb 3-9: New USB device found, idVendor=048d, idProduct=1234, bcdDevice= 2.00 [616145.587875] usb 3-9: New USB device strings: Mfr=1, Product=2, SerialNumber=3 [616145.587878] usb 3-9: Product: Disk 3.0 [616145.587880] usb 3-9: Manufacturer: USB [616145.587881] usb 3-9: SerialNumber: 7431301101907252614 [616145.588512] usb-storage 3-9:1.0: USB Mass Storage device detected [616145.588706] scsi host10: usb-storage 3-9:1.0 [616146.606295] scsi 10:0:0:0: Direct-Access VendorCo ProductCode 2.00 PQ: 0 ANSI: 4 [616146.606779] sd 10:0:0:0: Attached scsi generic sg2 type 0 [616146.606958] sd 10:0:0:0: [sdc] 4095997952 512-byte logical blocks: (2.10 TB/1.91 TiB) [616146.607080] sd 10:0:0:0: [sdc] Write Protect is off [616146.607083] sd 10:0:0:0: [sdc] Mode Sense: 03 00 00 00 [616146.607213] sd 10:0:0:0: [sdc] No Caching mode page found [616146.607218] sd 10:0:0:0: [sdc] Assuming drive cache: write through [616146.609090] sdc: sdc1 [616146.610656] sd 10:0:0:0: [sdc] Attached SCSI removable disk … but strange USB Product ID (another model has idVendor=0000, idProduct=7777)

Renaud Lifchitz - Debunking fake USB flash drives 5 Testing
USB 3 claims Flash drive is already formatted in exFAT, let’s test its speed by writing « zeroed » files: $ for i in `seq 1 40`; do echo $i; dd if=/dev/zero of=f$i bs=1M count=1024; done 1 1024+0 records in 1024+0 records out 1073741824 bytes (1.1 GB, 1.0 GiB) copied, 1.34213 s, 800 MB/s 2 1024+0 records in 1024+0 records out 1073741824 bytes (1.1 GB, 1.0 GiB) copied, 3.06786 s, 350 MB/s 3 1024+0 records in 1024+0 records out 1073741824 bytes (1.1 GB, 1.0 GiB) copied, 98.9574 s, 10.9 MB/s 4 1024+0 records in 1024+0 records out 1073741824 bytes (1.1 GB, 1.0 GiB) copied, 119.99 s, 8.9 MB/s Write speed quickly drops to ~9 MB/s, USB 3 really?

storage capacity claim (1/2) A bit more difficult, have a look at our files headers: $ for i in `seq 1 2048`; do file f$i; done f1: data f2: data f3: data f4: data (...) f29: data f30: data f31: ISO-8859 text, with very long lines, with no line terminators f32: ISO-8859 text, with very long lines, with no line terminators f33: ISO-8859 text, with very long lines, with no line terminators f34: ISO-8859 text, with very long lines, with no line terminators f35: ISO-8859 text, with very long lines, with no line terminators (...) Curiously, something happens between f30 and f31...

storage capacity claim (2/2) $ xxd f30 | head 00000000: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000020: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000030: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000040: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000050: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000060: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000070: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000080: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................ $ xxd f31 | head 00000000: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000010: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000020: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000030: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000040: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000050: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000060: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000070: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000080: ffff ffff ffff ffff ffff ffff ffff ffff ................ 00000090: ffff ffff ffff ffff ffff ffff ffff ffff ................ f30 is filled with zeros as expected, but not the following files, do you start to understand?

Renaud Lifchitz - Debunking fake USB flash drives 8 Fake
USB flash drives storage layout Real capacity (30 GB here) Emulated storage layout that supports writing but always returns « FF» bytes (nearly 2 TB) 0

Renaud Lifchitz - Debunking fake USB flash drives 9 Experimenting
with EXT4 Results with EXT2 & EXT3 are similar Positions are big, these filesystems will likely fail $ dd if=/dev/zero of=zero.bin bs=4096 count=100k 2>/dev/null && sudo mkfs.ext4 /dev/loop59 && ./findlastbyte.py mke2fs 1.44.1 (24-Mar-2018) Discarding device blocks: done Creating filesystem with 409100 1k blocks and 102400 inodes Filesystem UUID: 4c0959db-c3a8-4f8e-9617-ddf30b97b236 Superblock backups stored on blocks: 8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409 Allocating group tables: done Writing inode tables: done Creating journal (8192 blocks): done Writing superblocks and filesystem accounting information: done Last non-null byte position: 411047033 0x18801479

Renaud Lifchitz - Debunking fake USB flash drives 10 Experimenting
with FAT & exFAT Positions are small, these filesystems will likely work! $ dd if=/dev/zero of=zero.bin bs=4096 count=100k 2>/dev/null && sudo mkfs.vfat /dev/loop59 & & ./findlastbyte.py mkfs.fat 4.1 (2017-01-24) Last non-null byte position: 114691 0x1c003 dd if=/dev/zero of=zero.bin bs=4096 count=100k 2>/dev/null && sudo mkfs.exfat /dev/loop59 && ./findlastbyte.py mkexfatfs 1.2.8 Creating... done. Flushing... done. File system created successfully. Last non-null byte position: 196697 0x30059

Renaud Lifchitz - Debunking fake USB flash drives 11 Consequences
on filesystems • On fake USB flash drives: – FAT and exFAT are well supported – EXT2/EXT3/EXT4: default formatting use superblock backups across all storage layout, these filesystems will be detected as corrupted

Renaud Lifchitz - Debunking fake USB flash drives 12 What
finally happened with my last purchase... • I made a complaint through Paypal • Vendor denied and asked for proofs, that’s why I writed this presentation  • Was refunded because of no answer from the seller after my full report to Paypal

Renaud Lifchitz - Debunking fake USB flash drives 13 How
to avoid buying a fake one • Avoid chinese websites • Look for real/fake reviews • Used USB cases are always the same four or five ones! Train yourself to recognize them... • Prefer buying with Paypal who offers to reimburse you if the product doesn’t comply with its description • In case of doubt, test your key using my procedure!

Renaud Lifchitz - Debunking fake USB flash drives 14 Questions?
Follow me on Twitter: @nono2357

Debunking fake USB flash drives

Debunking fake USB flash drives

Renaud Lifchitz

More Decks by Renaud Lifchitz

Other Decks in Research

Featured

Transcript

Debunking fake USB flash drives By Renaud Lifchitz (@nono2357) PlopSec

Renaud Lifchitz - Debunking fake USB flash drives 2 What

Renaud Lifchitz - Debunking fake USB flash drives 3 Inserting

Renaud Lifchitz - Debunking fake USB flash drives 4 Inserting

Renaud Lifchitz - Debunking fake USB flash drives 5 Testing

Renaud Lifchitz - Debunking fake USB flash drives 6 Testing

Renaud Lifchitz - Debunking fake USB flash drives 7 Testing

Renaud Lifchitz - Debunking fake USB flash drives 8 Fake

Renaud Lifchitz - Debunking fake USB flash drives 9 Experimenting

Renaud Lifchitz - Debunking fake USB flash drives 10 Experimenting

Renaud Lifchitz - Debunking fake USB flash drives 11 Consequences

Renaud Lifchitz - Debunking fake USB flash drives 12 What

Renaud Lifchitz - Debunking fake USB flash drives 13 How

Renaud Lifchitz - Debunking fake USB flash drives 14 Questions?