Electronic – “Wireless” USB cable, via RF / 3G


I'm looking into the feasibility of a project to develop a USB-over-RF device for physical penetration testing engagements. The idea is that our tester could connect a device to a USB port on a machine within the test environment, then leave the building and plug in arbitrary USB devices remotely.

Diagram of project

The requirements are as follows:

  • USB 1.1 support at minimum, but USB 2.0 support would be greatly beneficial even if speed is heavily degraded.
  • Ability to plug in arbitrary devices is mandatory. Keyboard, mouse and USB storage are our primary goals.
  • Cannot load any form of special software or driver onto the target machine. Client transceiver has to work "out of the box" on a system we've got no access to.
  • Host transceiver would preferably be nothing more than a box full of electronics that we plug a USB hub into.
  • Enough speed and integrity to run a USB VGA adapter would be amazing, but we're realistic about this being potentially impossible.
  • Can be powered from a socket if necessary, but running from host power would be better.
  • Needs a strong enough signal to go through at least one external wall.

I have a few ideas in my head about what kinds of technologies could be used, e.g. Arduino Mega + USB host shield + XBee for the host transceiver, and a similar setup (with USB client rather than host) for the client transceiver. We also considered TCP/IP over 3G as a potential transmission medium, though I fear it may be too latent / slow.

Do you think this could be achieved with the kind of technology I've mentioned? What issues am I likely to run into with sending USB over a latent connection like this? Is there an easier solution that I've missed?

To clarify, consider our task equivalent to sneaking into a building and installing a device into a computer, similar to the scene at the start of Sneakers. The restriction is due to the fact that the machine will likely be locked or shut down, so we cannot expect to have any interaction with the system beyond plugging in a USB device. We'll often have less than 30 seconds alone with the machine, too. This rules out installing drivers / software, Bluetooth pairing, etc.

Best Answer

Having looked at this, I think it's worth looking at Wireless USB "wire adapters": http://www.usb.org/developers/wusb/docs/presentations/2006/Taipei06_RI_Wire_Adapter_Model.pdf (lots of detail)

However, I don't think those are transparent. If you can't find a transparent one, and it's an absolute requirement, I think you'll have to settle for proxying. Plug in a device on one side, have a "host" read its descriptor and pass it over the wireless, have the proxy present that descriptor on the other side. Store and forward requests; do link-level acknowledgement on the proxy. This should work for HID devices and you can probably make it work for mass storage devices. You will probably have to do special interpretation of some types of message, so build that into your software from the start. This is basically Anindo's solution. I'd estimate it as a good few weeks of software development; once you have the basic XBee devices working you might get better answers on the software stackexchange.

Normal USB hubs are non-buffering and have a very small latency limit of a few 12 MHz ticks.
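
The descriptor hand-off described in the answer, as an added example that is not part of the original post: the host side decodes the standard 18-byte USB device descriptor, wraps it in a link frame, and the proxy side checks the frame and re-validates the descriptor before presenting it. The frame layout (sequence byte, length, CRC-32), the function names and the sample descriptor are assumptions made for illustration.

```python
import struct
import zlib

# Standard USB device descriptor: 18 bytes, little-endian fields.
DEVICE_DESC = struct.Struct("<BBHBBBBHHHBBBB")
FIELDS = ("bLength", "bDescriptorType", "bcdUSB", "bDeviceClass",
          "bDeviceSubClass", "bDeviceProtocol", "bMaxPacketSize0",
          "idVendor", "idProduct", "bcdDevice", "iManufacturer",
          "iProduct", "iSerialNumber", "bNumConfigurations")

def parse_device_descriptor(raw):
    """Validate and decode the descriptor the host side read from the device."""
    if len(raw) != DEVICE_DESC.size:
        raise ValueError("device descriptor must be exactly 18 bytes")
    desc = dict(zip(FIELDS, DEVICE_DESC.unpack(raw)))
    if desc["bLength"] != 18 or desc["bDescriptorType"] != 0x01:
        raise ValueError("not a standard device descriptor")
    return desc

def frame(seq, payload):
    """Assumed link frame: seq (1 byte), length (2 bytes), payload, CRC-32."""
    body = struct.pack("<BH", seq & 0xFF, len(payload)) + payload
    return body + struct.pack("<I", zlib.crc32(body))

def unframe(data):
    """Return (seq, payload); reject truncated or corrupted frames."""
    if len(data) < 7:
        raise ValueError("frame too short")
    seq, length = struct.unpack_from("<BH", data)
    if len(data) != 3 + length + 4:
        raise ValueError("length field does not match frame size")
    body = data[:-4]
    (crc,) = struct.unpack("<I", data[-4:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch, request retransmission")
    return seq, body[3:]

def relay(raw, seq=0):
    """Host side frames the descriptor; proxy side unframes and re-validates it."""
    rx_seq, payload = unframe(frame(seq, raw))
    return rx_seq, payload, parse_device_descriptor(payload)

# Constructed sample descriptor (made-up vendor/product IDs), not a captured device.
SAMPLE = bytes([0x12, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x08, 0x34, 0x12,
                0x78, 0x56, 0x00, 0x01, 0x01, 0x02, 0x00, 0x01])

if __name__ == "__main__":
    seq, payload, desc = relay(SAMPLE, seq=7)
    print(seq, payload == SAMPLE, hex(desc["idVendor"]), hex(desc["idProduct"]))
```

The CRC and sequence number are what let the proxy acknowledge or request a resend on the radio link independently of USB's own timing, which is the store-and-forward behaviour the answer calls for.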