
Debunking fake USB flash drives

Renaud Lifchitz

May 01, 2020

Transcript

  1. Renaud Lifchitz - Debunking fake USB flash drives

     What is advertised

     Nice and slim USB flash drive, very large capacity, very cheap price, latest USB 3 technology...
  2. Inserting the flash drive… (1/2)

     $ dmesg
     [616145.561710] usb 3-9: new high-speed USB device number 32 using xhci_hcd
     [616145.587871] usb 3-9: New USB device found, idVendor=048d, idProduct=1234, bcdDevice= 2.00
     [616145.587875] usb 3-9: New USB device strings: Mfr=1, Product=2, SerialNumber=3
     [616145.587878] usb 3-9: Product: Disk 3.0
     [616145.587880] usb 3-9: Manufacturer: USB
     [616145.587881] usb 3-9: SerialNumber: 7431301101907252614
     [616145.588512] usb-storage 3-9:1.0: USB Mass Storage device detected
     [616145.588706] scsi host10: usb-storage 3-9:1.0
     [616146.606295] scsi 10:0:0:0: Direct-Access VendorCo ProductCode 2.00 PQ: 0 ANSI: 4
     [616146.606779] sd 10:0:0:0: Attached scsi generic sg2 type 0
     [616146.606958] sd 10:0:0:0: [sdc] 4095997952 512-byte logical blocks: (2.10 TB/1.91 TiB)
     [616146.607080] sd 10:0:0:0: [sdc] Write Protect is off
     [616146.607083] sd 10:0:0:0: [sdc] Mode Sense: 03 00 00 00
     [616146.607213] sd 10:0:0:0: [sdc] No Caching mode page found
     [616146.607218] sd 10:0:0:0: [sdc] Assuming drive cache: write through
     [616146.609090] sdc: sdc1
     [616146.610656] sd 10:0:0:0: [sdc] Attached SCSI removable disk

     Ok, large capacity advertised to the OS
  3. Inserting the flash drive… (2/2)

     Same dmesg output as on the previous slide, this time looking at the device identification line:

     [616145.587871] usb 3-9: New USB device found, idVendor=048d, idProduct=1234, bcdDevice= 2.00

     … but strange USB Product ID (another model has idVendor=0000, idProduct=7777)
  4. Testing USB 3 claims

     Flash drive is already formatted in exFAT, let’s test its speed by writing « zeroed » files:

     $ for i in `seq 1 40`; do echo $i; dd if=/dev/zero of=f$i bs=1M count=1024; done
     1
     1024+0 records in
     1024+0 records out
     1073741824 bytes (1.1 GB, 1.0 GiB) copied, 1.34213 s, 800 MB/s
     2
     1024+0 records in
     1024+0 records out
     1073741824 bytes (1.1 GB, 1.0 GiB) copied, 3.06786 s, 350 MB/s
     3
     1024+0 records in
     1024+0 records out
     1073741824 bytes (1.1 GB, 1.0 GiB) copied, 98.9574 s, 10.9 MB/s
     4
     1024+0 records in
     1024+0 records out
     1073741824 bytes (1.1 GB, 1.0 GiB) copied, 119.99 s, 8.9 MB/s

     Write speed quickly drops to ~9 MB/s, USB 3 really?
  5. Testing storage capacity claim (1/2)

     A bit more difficult: have a look at our files’ headers:

     $ for i in `seq 1 2048`; do file f$i; done
     f1: data
     f2: data
     f3: data
     f4: data
     (...)
     f29: data
     f30: data
     f31: ISO-8859 text, with very long lines, with no line terminators
     f32: ISO-8859 text, with very long lines, with no line terminators
     f33: ISO-8859 text, with very long lines, with no line terminators
     f34: ISO-8859 text, with very long lines, with no line terminators
     f35: ISO-8859 text, with very long lines, with no line terminators
     (...)

     Curiously, something happens between f30 and f31...
  6. Testing storage capacity claim (2/2)

     $ xxd f30 | head
     00000000: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000010: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000020: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000030: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000040: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000050: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000060: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000070: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000080: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     00000090: 0000 0000 0000 0000 0000 0000 0000 0000  ................
     $ xxd f31 | head
     00000000: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000010: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000020: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000030: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000040: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000050: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000060: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000070: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000080: ffff ffff ffff ffff ffff ffff ffff ffff  ................
     00000090: ffff ffff ffff ffff ffff ffff ffff ffff  ................

     f30 is filled with zeros as expected, but not the following files. Do you start to understand?
  7. Fake USB flash drives storage layout

     [Diagram: the address space starting at offset 0 is split into the real capacity (30 GB here), followed by an emulated storage layout that supports writing but always returns « FF » bytes (nearly 2 TB)]
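     One way to measure where the real flash ends, as an added example rather than code from the deck: FakeDrive is a constructed model of the layout on this slide (real storage, then an emulated region that accepts writes but reads back 0xFF), and probe_real_capacity() binary-searches the boundary by writing a marker block and reading it back. The probe only needs seek/read/write, so a file object opened on a block device would also fit, but it overwrites blocks and so destroys whatever is on the device.

```python
"""Probe the real capacity behind a fake drive's advertised size.
Added example, not the deck's code. FakeDrive is a constructed model of
the layout above (real flash, then emulated space that takes writes but
reads back 0xFF); probe_real_capacity() binary-searches the boundary by
writing a marker block and reading it back. The probe overwrites blocks
and therefore destroys data on the device it is pointed at."""

BLOCK = 512  # logical block size reported by dmesg on the slide

class FakeDrive:
    """Constructed stand-in: real_bytes of true storage, advertised_bytes
    total; anything past the real region always reads as FF bytes."""
    def __init__(self, real_bytes, advertised_bytes):
        self.real = bytearray(real_bytes)
        self.advertised, self.pos = advertised_bytes, 0
    def seek(self, offset):
        self.pos = offset
    def write(self, data):
        # Inside the real region the data is stored; beyond it the write
        # is accepted and silently discarded, like on the fake drive.
        n = min(len(data), max(0, len(self.real) - self.pos))
        self.real[self.pos:self.pos + n] = data[:n]
        self.pos += len(data)
        return len(data)
    def read(self, n):
        if self.pos + n <= len(self.real):
            out = bytes(self.real[self.pos:self.pos + n])
        else:
            out = b"\xff" * n  # emulated region, like file f31 above
        self.pos += n
        return out

def block_is_real(dev, index):
    """Write an index-specific marker to one block; real flash returns it."""
    marker = index.to_bytes(8, "big") * (BLOCK // 8)
    dev.seek(index * BLOCK)
    dev.write(marker)
    dev.seek(index * BLOCK)
    return dev.read(BLOCK) == marker

def probe_real_capacity(dev, advertised_bytes):
    """Binary search: blocks below lo are known real, at/above hi fake."""
    lo, hi = 0, advertised_bytes // BLOCK
    while lo < hi:
        mid = (lo + hi) // 2
        if block_is_real(dev, mid):
            lo = mid + 1
        else:
            hi = mid
    return lo * BLOCK  # e.g. ~30 GB real behind a ~2 TB advertisement
```

     On the fake drive from the slides the search needs about 32 probes (log2 of the block count), far fewer than filling 2 TB with dd.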
  8. Experimenting with EXT4

     Results with EXT2 & EXT3 are similar. Positions are big, so these filesystems will likely fail on a fake drive.

     $ dd if=/dev/zero of=zero.bin bs=4096 count=100k 2>/dev/null && sudo mkfs.ext4 /dev/loop59 && ./findlastbyte.py
     mke2fs 1.44.1 (24-Mar-2018)
     Discarding device blocks: done
     Creating filesystem with 409100 1k blocks and 102400 inodes
     Filesystem UUID: 4c0959db-c3a8-4f8e-9617-ddf30b97b236
     Superblock backups stored on blocks:
             8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

     Allocating group tables: done
     Writing inode tables: done
     Creating journal (8192 blocks): done
     Writing superblocks and filesystem accounting information: done

     Last non-null byte position: 411047033 0x18801479
  9. Experimenting with FAT & exFAT

     Positions are small, so these filesystems will likely work!

     $ dd if=/dev/zero of=zero.bin bs=4096 count=100k 2>/dev/null && sudo mkfs.vfat /dev/loop59 && ./findlastbyte.py
     mkfs.fat 4.1 (2017-01-24)
     Last non-null byte position: 114691 0x1c003

     $ dd if=/dev/zero of=zero.bin bs=4096 count=100k 2>/dev/null && sudo mkfs.exfat /dev/loop59 && ./findlastbyte.py
     mkexfatfs 1.2.8
     Creating... done.
     Flushing... done.
     File system created successfully.
     Last non-null byte position: 196697 0x30059
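     The findlastbyte.py script run on these two slides is not reproduced on the page; the following added stand-in (not the author's script) does the same job: it reports the highest non-zero offset of a filesystem image so it can be compared with the drive's real capacity, and it scans backwards from the end so a mostly empty multi-GB image is answered quickly. constructed_image() builds a sparse test image standing in for zero.bin after mkfs.

```python
"""Locate the last non-zero byte of a filesystem image.
Added stand-in for the deck's findlastbyte.py, which is not reproduced
on the page (this is not the author's script). After mkfs on an
all-zero image, compare the result with the drive's real capacity: any
metadata placed beyond it lands in the emulated FF region and the
filesystem will show up as corrupted."""
import os
import tempfile

CHUNK = 1 << 20  # bytes read per step

def last_nonnull_byte(path, chunk=CHUNK):
    """Offset of the highest non-zero byte in the file, or -1 if all zero."""
    with open(path, "rb") as f:
        end = f.seek(0, os.SEEK_END)
        while end > 0:  # walk backwards, one chunk at a time
            start = max(0, end - chunk)
            f.seek(start)
            buf = f.read(end - start)
            # rstrip() removes trailing zeros; whatever is left ends at
            # the last non-zero byte of this chunk.
            stripped = buf.rstrip(b"\x00")
            if stripped:
                return start + len(stripped) - 1
            end = start
    return -1

def fits_real_capacity(path, real_bytes):
    """True when every non-zero byte of the image lies inside real flash."""
    return last_nonnull_byte(path) < real_bytes

def constructed_image(size, nonzero_offsets):
    """Constructed test input: a sparse all-zero image with 0xEB written
    at the given offsets, standing in for zero.bin after mkfs."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.truncate(size)
        for off in nonzero_offsets:
            f.seek(off)
            f.write(b"\xeb")
    return path

if __name__ == "__main__":
    img = constructed_image(1 << 20, [114691])  # FAT position from the slide
    pos = last_nonnull_byte(img)
    print(f"Last non-null byte position: {pos} {pos:#x}")
    print("fits 30 GB real capacity:", fits_real_capacity(img, 30 * 10**9))
    os.remove(img)
```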
  10. Consequences on filesystems

     • On fake USB flash drives:
       – FAT and exFAT are well supported
       – EXT2/EXT3/EXT4: default formatting places superblock backups across the whole storage layout, so these filesystems will be detected as corrupted
  11. What finally happened with my last purchase...

     • I made a complaint through PayPal
     • Vendor denied and asked for proofs, that’s why I wrote this presentation
     • Was refunded because of no answer from the seller after my full report to PayPal
  12. How to avoid buying a fake one

     • Avoid Chinese websites
     • Look for real/fake reviews
     • Used USB cases are always the same four or five ones! Train yourself to recognize them...
     • Prefer buying with PayPal, which offers to reimburse you if the product doesn’t comply with its description
     • In case of doubt, test your key using my procedure!