2

It is probably common enough knowledge now that you should not plug into your computer any device that an attacker has had physical access to. Especially USB devices.

Thanks to the many tutorials on how to make your own RubberDucky/BadUSB, it is very easy and simple for any malicious actor to make one, especially using an Arduino Leonardo-based board.

Consider the case of ordering an Arduino Leonardo online. If, before delivery, it should get compromised evil-maid style, or be intercepted during delivery, is there any way to detect it? Are there any telltale signs I can look for in the output of dmesg?

If I were reasonably sure that the device is 100% an Arduino Leonardo that may simply have been compromised, would clearing it by uploading a new sketch from a Live OS be enough to make it safe for use?

To be clear, the threat model I'm assuming is an adversary that can execute an evil-maid level attack but not one that can probably manufacture their own Arduino clones.

user942937
  • 983
  • 8
  • 14
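The question asks what a telltale sign in dmesg would look like. The following is an added example, not part of the original question or answer: a small Python triage script that parses the kernel's USB enumeration lines, records each device's VID:PID, product string and the interfaces the kernel bound (CDC-ACM serial, HID keyboard/mouse, mass storage), and flags anything a plain Leonardo running a serial sketch has no reason to present. The dmesg lines are constructed samples in the kernel's usual format, and the expected IDs (0x2341:0x8036 for a sketch, 0x2341:0x0036 for the Caterina bootloader) are an assumption for an Arduino-branded board; clones use other vendor IDs, so adjust the set to the board you actually ordered. One caveat: an Arduino core legitimately exposes a HID keyboard or mouse interface when the sketch uses the Keyboard/Mouse library, so a HID finding is a prompt to inspect the sketch, not proof of compromise.

```python
"""Triage dmesg output for a USB device that is supposed to be a plain
Arduino Leonardo (CDC-ACM serial) but may expose more than that.
Added example; the log lines below are constructed, not real captures."""
import re

# Assumption: IDs of an Arduino-branded Leonardo (sketch, Caterina bootloader).
EXPECTED_IDS = {("2341", "8036"), ("2341", "0036")}

SAMPLE_CLEAN = """\
[  100.001] usb 1-1.2: new full-speed USB device number 5 using xhci_hcd
[  100.120] usb 1-1.2: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00
[  100.121] usb 1-1.2: Product: Arduino Leonardo
[  100.130] cdc_acm 1-1.2:1.0: ttyACM0: USB ACM device
"""

SAMPLE_SUSPECT = """\
[  200.001] usb 1-1.3: new full-speed USB device number 6 using xhci_hcd
[  200.120] usb 1-1.3: New USB device found, idVendor=2341, idProduct=8036, bcdDevice= 1.00
[  200.121] usb 1-1.3: Product: Arduino Leonardo
[  200.130] cdc_acm 1-1.3:1.0: ttyACM1: USB ACM device
[  200.140] input: Arduino LLC Arduino Leonardo as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1.3/1-1.3:1.2/0003:2341:8036.0005/input/input13
[  200.141] hid-generic 0003:2341:8036.0005: input,hidraw2: USB HID v1.01 Keyboard [Arduino LLC Arduino Leonardo] on usb-0000:00:14.0-1.3/input2
[  200.150] usb-storage 1-1.3:1.3: USB Mass Storage device detected
"""

DEVICE_RE = re.compile(
    r"usb (?P<port>\d+-[\d.]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})")
PRODUCT_RE = re.compile(r"usb (?P<port>\d+-[\d.]+): Product: (?P<name>.+?)\s*$")
# Interface drivers log "<driver> <port>:<config>.<interface>:"
IFACE_RE = re.compile(r"(?:^|\s)(?P<driver>cdc_acm|usb-storage) (?P<port>\d+-[\d.]+):\d+\.\d+:")
# hid-generic logs the bus:VID:PID.instance rather than the port
HID_RE = re.compile(
    r"hid-generic 0003:(?P<vid>[0-9a-fA-F]{4}):(?P<pid>[0-9a-fA-F]{4})\.[0-9a-fA-F]+: "
    r".*?USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device)")


def parse_dmesg(text):
    """Return {port: {"vid", "pid", "product", "interfaces"}} from dmesg text."""
    devices = {}
    for line in text.splitlines():
        m = DEVICE_RE.search(line)
        if m:
            devices[m["port"]] = {"vid": m["vid"].lower(), "pid": m["pid"].lower(),
                                  "product": "", "interfaces": set()}
            continue
        m = PRODUCT_RE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["product"] = m["name"]
            continue
        m = IFACE_RE.search(line)
        if m and m["port"] in devices:
            devices[m["port"]]["interfaces"].add(m["driver"])
            continue
        m = HID_RE.search(line)
        if m:
            # No port on this line, so attribute the HID interface by VID:PID.
            for dev in devices.values():
                if (dev["vid"], dev["pid"]) == (m["vid"].lower(), m["pid"].lower()):
                    dev["interfaces"].add("hid:" + m["kind"].lower())
    return devices


def triage(text, expected_ids=EXPECTED_IDS):
    """Map each device port to a list of findings; an empty list means nothing unexpected."""
    report = {}
    for port, dev in parse_dmesg(text).items():
        findings = []
        if (dev["vid"], dev["pid"]) not in expected_ids:
            findings.append(f"unexpected VID:PID {dev['vid']}:{dev['pid']}")
        if "cdc_acm" not in dev["interfaces"]:
            findings.append("no CDC-ACM serial interface (a Leonardo sketch normally exposes one)")
        for iface in sorted(dev["interfaces"]):
            if iface.startswith("hid:"):
                findings.append(f"exposes a HID {iface[4:]} interface; check whether the sketch needs it")
            elif iface == "usb-storage":
                findings.append("exposes a mass-storage interface; a Leonardo sketch has no reason to")
        report[port] = findings
    return report


if __name__ == "__main__":
    for sample in (SAMPLE_CLEAN, SAMPLE_SUSPECT):
        for port, findings in triage(sample).items():
            print(port, findings or "nothing unexpected")
```

Run it against `dmesg` output captured from a machine you do not mind sacrificing (a Live OS on a throwaway box, as the question suggests), not from your main system; by the time the kernel prints these lines the device has already been allowed to enumerate.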

1 Answer

4

The USB driver code in an Arduino Leonardo just lives in the writable area of the ATmega32U4. If you're worried it's been compromised, you can reflash it via ISP (in-system programming):

[this] happens thanks to a special piece of code that is executed at every reset of the microcontroller and that looks for a sketch to be uploaded from the serial/USB port using a specific protocol and speed. If no connection is detected, the execution is passed to the code of your sketch.

You will need another known good Arduino for that. You flash the good one with the programmer, and use it to program the unknown Arduino. Unlike uploading a sketch normally, this doesn't require connecting the Arduino directly to your USB port, is unaffected by the (possibly malicious) bootloader, and results in a known-good bootloader being installed. If the Arduino were compromised and you plugged it in via USB anyway, it would appear with extra VID/PIDs in dmesg, but by then it may be too late to avoid taking over your system.

ThoriumBR
  • 50,648
  • 13
  • 127
  • 142
  • Hi. Thanks for answering. What's the difference between reflashing via ISP and uploading a Sketch? – user942937 Sep 24 '19 at 04:42
  • @user942937 Answer updated to explain that. – Joseph Sible-Reinstate Monica Sep 24 '19 at 12:16
  • Does reflashing via ISP simply clear out any sketches uploaded? – user942937 Sep 25 '19 at 00:34
  • 1
    @user942937 ISP supports erasing the whole chip, but I'm not sure whether Arduino's bootloader flash routine does that or not. If you're concerned, you should use something like `avrdude` to erase everything first (make sure you don't mess up the fuses though!), then reflash the bootloader. – Joseph Sible-Reinstate Monica Sep 25 '19 at 01:07
  • @ThoriumBR The quote you provided, despite being from a page about ISP, was actually describing the "normal" way to upload a new sketch, which is exactly what the OP *doesn't* want to use. – Joseph Sible-Reinstate Monica Sep 25 '21 at 05:55
  • @JosephSible-ReinstateMonica it may look like this, but the page explains how to use an Arduino to flash another Arduino. OP will need a known good Arduino first, flash it with the programmer, and then use his Arduino to flash the unknown one. – ThoriumBR Sep 26 '21 at 00:39
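The answer and the comment thread describe the procedure (a known-good Arduino running the ArduinoISP sketch, wired to the suspect board's ICSP header, then `avrdude` to erase everything and rewrite the bootloader without touching the fuses) but not the commands. The following is an added example, not from the answer's author or the Arduino project: a Python driver that builds the ordered `avrdude` invocations, prints them for review, and only executes them when asked. It first dumps whatever is on the chip for later analysis, then erases and sets fuses, writes the bootloader and lock bits, and finally verifies the fuses and flash. Assumptions: the fuse values (low 0xFF, high 0xD8, extended 0xCB, unlock 0x3F, lock 0x2F), the image name `Caterina-Leonardo.hex` and the `stk500v1` at 19200 baud programmer settings are what I recall the Arduino IDE using for a Leonardo; check them against your own core's `boards.txt` before running with `execute=True`, and note that `-P` is the port of the good board acting as programmer, not the suspect one.

```python
"""Rebuild a Leonardo's bootloader over ISP with a known-good Arduino running
ArduinoISP, driving avrdude from Python. Added example; the board constants are
assumptions to be checked against your Arduino core's boards.txt."""
import shlex
import subprocess
from pathlib import Path

LEONARDO = {
    "mcu": "atmega32u4",
    "fuses": {"lfuse": "0xFF", "hfuse": "0xD8", "efuse": "0xCB"},  # assumed
    "unlock": "0x3F",  # assumed
    "lock": "0x2F",    # assumed: protects the bootloader section from SPM
}


def U(spec):
    """Build one avrdude -U memory operation as argv fragments."""
    return ["-U", spec]


def avrdude_plan(programmer_port, bootloader_hex, evidence_dir="suspect-dump",
                 board=LEONARDO, avrdude="avrdude"):
    """Ordered avrdude invocations (argv lists) for an ISP bootloader rebuild."""
    base = [avrdude, "-p", board["mcu"], "-c", "stk500v1",
            "-P", programmer_port, "-b", "19200"]
    fuses = board["fuses"]
    dump = Path(evidence_dir)

    # 1. Preserve evidence. avrdude checks the device signature first, so a
    #    chip that is not an ATmega32U4 fails here before anything is touched.
    #    If an attacker set the lock bits to block reads, the flash reads back
    #    as 0xFF; only the chip erase in step 2 clears that.
    step_dump = (base
                 + U(f"flash:r:{dump / 'flash.hex'}:i")
                 + U(f"eeprom:r:{dump / 'eeprom.hex'}:i")
                 + U(f"lfuse:r:{dump / 'lfuse.txt'}:h")
                 + U(f"hfuse:r:{dump / 'hfuse.txt'}:h")
                 + U(f"efuse:r:{dump / 'efuse.txt'}:h")
                 + U(f"lock:r:{dump / 'lock.txt'}:h"))

    # 2. Erase the whole chip (-e), unlock, and write the fuses the board
    #    expects. Writing the fuses explicitly is what keeps a tampered or
    #    mistyped fuse from bricking the part or disabling the bootloader reset.
    step_erase_fuses = (base + ["-e"]
                        + U(f"lock:w:{board['unlock']}:m")
                        + U(f"efuse:w:{fuses['efuse']}:m")
                        + U(f"hfuse:w:{fuses['hfuse']}:m")
                        + U(f"lfuse:w:{fuses['lfuse']}:m"))

    # 3. Write the known-good bootloader image and re-lock the boot section.
    step_flash = (base
                  + U(f"flash:w:{bootloader_hex}:i")
                  + U(f"lock:w:{board['lock']}:m"))

    # 4. Independent read-back verification of flash and fuses.
    step_verify = (base
                   + U(f"flash:v:{bootloader_hex}:i")
                   + U(f"lfuse:v:{fuses['lfuse']}:m")
                   + U(f"hfuse:v:{fuses['hfuse']}:m")
                   + U(f"efuse:v:{fuses['efuse']}:m"))

    return [step_dump, step_erase_fuses, step_flash, step_verify]


def run_plan(plan, evidence_dir="suspect-dump", execute=False):
    """Print each step; with execute=True run them in order, stopping at the first failure.
    Returns the list of avrdude return codes (empty on a dry run)."""
    results = []
    if execute:
        Path(evidence_dir).mkdir(parents=True, exist_ok=True)
    for argv in plan:
        print(shlex.join(argv))
        if execute:
            rc = subprocess.run(argv).returncode
            results.append(rc)
            if rc != 0:
                break
    return results


if __name__ == "__main__":
    # Dry run: review the commands before pointing them at real hardware.
    run_plan(avrdude_plan("/dev/ttyACM0", "Caterina-Leonardo.hex"))
```

Because the suspect board is only ever connected to the programmer over the six ICSP pins, its possibly malicious USB stack never gets to talk to your host, which is the whole point of the answer's ISP route.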