Extracting data with USB HID
Recently, while working on a project, I had the task of configuring a USB device using software on a client machine. The problem was that the USB device was basically nothing more than a USB HID keyboard. The configuration required sending, at a minimum, several hundred bytes from the PC to the device.
In my research I found two methods to make it work. The first method uses a Morse-code-style, bit-level flashing of the Caps Lock, Scroll Lock and Num Lock LEDs. Since any keyboard attached to the PC can see the LED output reports the PC generates, this is one way of sending data out to a keyboard, as covered in the article ‘Leaking data using DIY USB HID device’. The title of that article accurately describes how quickly data can be moved this way: approximately “1.24 effective bytes per second”, which equates to about 1024 bytes in a little under 14 minutes.
The second method uses a USB HID device’s feature reports to transfer bytes directly over the HID protocol. Thomas Cannon spoke about this method in 2010 in his article ‘Data Leak Prevention Bypass’. While this second method would be much faster than the first, Thomas never actually released any software or proof of concept. In the end the decision was easy: I went with the second method. After getting it working so that I could quickly and easily update my device, it occurred to me that what I had learned could just as easily be adapted to transfer data off a secured PC without so much as raising an eyebrow.
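A defender's counterpart to the feature-report channel, as an added example that is not part of the original post or of Thomas Cannon's work: a small walker for USB HID report descriptors that totals the bits each Input, Output and Feature report declares, so a keyboard-class device that also exposes a sizeable Feature report can be flagged for review. Both descriptors below are constructed for the example; the first follows the standard boot-keyboard layout, the second adds a vendor-page Feature report to it.

```python
# HID report descriptor walker (added example, not from the original post).
# Assumes short items only, which is all a boot keyboard descriptor uses.
MAIN_INPUT, MAIN_OUTPUT, MAIN_FEATURE = 0x8, 0x9, 0xB        # bTag of main items
GLOBAL_REPORT_SIZE, GLOBAL_REPORT_ID, GLOBAL_REPORT_COUNT = 0x7, 0x8, 0x9
KIND = {MAIN_INPUT: "input", MAIN_OUTPUT: "output", MAIN_FEATURE: "feature"}

def parse_report_sizes(desc: bytes) -> dict:
    """Return {(kind, report_id): total_bits} for every declared report."""
    sizes = {}
    report_size = report_count = report_id = 0
    i = 0
    while i < len(desc):
        prefix = desc[i]
        data_len = (0, 1, 2, 4)[prefix & 0x03]      # bSize: 0, 1, 2 or 4 data bytes
        item_type = (prefix >> 2) & 0x03             # 0 main, 1 global, 2 local
        tag = prefix >> 4
        data = int.from_bytes(desc[i + 1:i + 1 + data_len], "little")
        i += 1 + data_len
        if item_type == 1:                           # global items carry state forward
            if tag == GLOBAL_REPORT_SIZE:
                report_size = data
            elif tag == GLOBAL_REPORT_COUNT:
                report_count = data
            elif tag == GLOBAL_REPORT_ID:
                report_id = data
        elif item_type == 0 and tag in KIND:         # main item: fields of one report
            key = (KIND[tag], report_id)
            sizes[key] = sizes.get(key, 0) + report_size * report_count
    return sizes

def largest_feature_report_bytes(desc: bytes) -> int:
    """Size in bytes of the biggest Feature report, 0 if none is declared."""
    bits = [b for (kind, _), b in parse_report_sizes(desc).items() if kind == "feature"]
    return (max(bits, default=0) + 7) // 8

# Constructed sample: a standard USB boot keyboard descriptor (8-byte input
# report, 1-byte LED output report, no Feature report).
BOOT_KEYBOARD = bytes.fromhex(
    "05010906a101050719e029e715002501750195088102950175088101"
    "95057501050819012905910295017503910195067508150025650507"
    "190029658100c0")
# Constructed sample: the same keyboard plus a 64-byte vendor-page Feature
# report (Usage Page 0xFF00, Report Size 8, Report Count 64, Feature item 0xB1).
KEYBOARD_WITH_FEATURE = BOOT_KEYBOARD[:-1] + bytes.fromhex("0600ff090175089540b102c0")

if __name__ == "__main__":
    for name, desc in (("boot keyboard", BOOT_KEYBOARD), ("with feature", KEYBOARD_WITH_FEATURE)):
        n = largest_feature_report_bytes(desc)
        print(f"{name}: {parse_report_sizes(desc)} -> largest feature report {n} bytes")
```

Many legitimate keyboards declare small vendor Feature reports for firmware or lighting control, so treat a hit as a review trigger rather than a verdict.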