Several security experts have built a malicious version of a USB charging cable, one that can compromise a computer in just a few seconds. Once plugged in, it turns into a peripheral device capable of typing and launching commands.
USBHarpoon, as its makers call it, relies on the BadUSB research from Karsten Nohl and his team at Security Research Labs. Their work showed that an attacker can reprogram the controller chip of a USB drive and make it appear to the computer as a human interface device (HID).
The type of HID can be anything from an input device like a keyboard that issues a rapid succession of commands, to a network card that modifies the system’s DNS settings to redirect traffic.
With USBHarpoon, security experts replaced the USB drive with a charging cable, something just as ubiquitous, but which users are less likely to be cautious about.
The cable comes with modified connectors that allow both data and power to pass through, so it fulfills the expected function. This allows it to accompany any type of device that is powered through USB (fans, dongles distributed at conferences) without raising suspicion when the cable is plugged in.
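From the defender's side, a device that presents itself as an HID has to declare that in its USB interface descriptors, so those can be audited before the device is trusted. The following is an added example, not code from the article or from the researchers; the function names and the sample descriptor bytes are constructed for illustration.

```python
import struct

HID, MASS_STORAGE, CDC = 0x03, 0x08, 0x02     # USB-IF interface class codes
BOOT_PROTOCOLS = {1: "keyboard", 2: "mouse"}  # meaningful when HID subclass is 1

def parse_interfaces(blob):
    """Walk a raw configuration descriptor and return its interface descriptors."""
    interfaces, i = [], 0
    while i + 2 <= len(blob):
        length, dtype = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError(f"malformed descriptor at offset {i}")
        if dtype == 0x04 and length >= 9:      # INTERFACE descriptor
            num, _alt, _eps, cls, sub, proto = struct.unpack_from("6B", blob, i + 2)
            interfaces.append({"number": num, "class": cls,
                               "subclass": sub, "protocol": proto})
        i += length
    return interfaces

def audit(blob, expected_classes):
    """Return (interface number, description) for every undeclared function."""
    findings = []
    for itf in parse_interfaces(blob):
        if itf["class"] in expected_classes:
            continue
        if itf["class"] == HID:
            role = BOOT_PROTOCOLS.get(itf["protocol"]) if itf["subclass"] == 1 else None
            kind = f"HID {role or 'device'}"
        elif itf["class"] == CDC:
            kind = "communications/network adapter"
        else:
            kind = f"class 0x{itf['class']:02x}"
        findings.append((itf["number"], kind))
    return findings

# Constructed sample descriptors (not captured from any real device).
THUMB_DRIVE = bytes.fromhex(
    "090220000101008032" "090400000208065000" "07058102000200" "07050202000200")
CABLE_WITH_KEYBOARD = bytes.fromhex(
    "090222000101008032" "090400000103010100" "092111010001223f00" "0705810308000a")

if __name__ == "__main__":
    print(audit(THUMB_DRIVE, {MASS_STORAGE}))   # storage device, storage only
    print(audit(CABLE_WITH_KEYBOARD, set()))    # a bare cable should declare nothing
```

With nothing attached to its far end, a passive cable should not enumerate as a device at all, which is why the expected set for the cable is empty. On Linux, the raw bytes for an attached device can be read from its `descriptors` file under `/sys/bus/usb/devices/`.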
Idea has been implemented before
Behind the USBHarpoon project are Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of SYON Security, and Kevin Mitnick, who catalyzed the entire collaboration.
Yiu, who works on the design and weaponization of the cable, says that he talked to multiple fellow researchers from different labs who tried to build a project like USBHarpoon, but they “were not able to make the cable charge for whatever reason.”
“My team of friends has managed to weaponize this capability to make a fully working USB cable also a compatible HID device,” he added in a blog post.
It turns out that a weaponized charging USB cable already existed and was developed by a security researcher using the Twitter handle MG. As shown in the two videos below from January 2018, MG was able to create USB cables that could perform HID attacks when plugged into a computer's USB port.
HID attacks via USB drives have become too suspicious. What about embedding the attack inside a USB cable?
— MG (@_MG_) January 1, 2018
Just a quick test for a few things I'm hoping to make over the next month. pic.twitter.com/3iNjLqXloW
BadUSB Cable #2. HID attack through an Apple MacBook USB-C charger. Great for shared workspaces!
— MG (@_MG_) January 6, 2018
Build info coming this month. Still working out some things. These cables work on just about any device with a USB port (Mac/Win/Linux, phones too) pic.twitter.com/b6254FvpLY
MG also showed that the attack, which he calls BadUSB cable, would work with a USB-C connector, used in MacBook chargers, noting that the cables “work on just about any device with a USB port,” including phones.
Mitnick told Bleeping Computer that he asked MG to build a cable for him to use in a keynote speech to demonstrate new attack methods, but he did not receive it in time for the presentation. For the cable to function as intended, it needed a payload, which MG told BleepingComputer that he did not get from Mitnick soon enough to complete the project. In a Twitter thread on the matter, Mitnick said that the reason for not providing the code was his busy schedule.
After not receiving the cable, Mitnick says that he did not give up on the idea of having a malicious USB cable and contacted Dennis Goh with the proposition to build one. Goh accepted the challenge and together with Olaf Tan finished the job in a few days as a favor for Mitnick, but the value for the security sector, especially in penetration testing, is huge.
After seeing USBHarpoon, MG commented that the cable looked very similar to, if not the same as, the one he created for his videos, internal images of which he had shared with Mitnick.
Heh, looks like the same boots I showed Kevin earlier this year, but with tape holding together? Just use some potting compound to seal it!
— MG (@_MG_) August 20, 2018
Hey @vysecurity did you do anything besides adding 2 resistors for charge pass through? That seems to work fine. Data passthrough though... pic.twitter.com/69slNg2U0O
Yiu said he had never heard of MG's research when working on USBHarpoon, but credited the original work from MG once he learned about it.
Hiding the attack, defending against it
The USBHarpoon / BadUSB cable attack is successful on unlocked machines, where it can launch commands that download and execute a payload. On Windows, the commands can run directly from the Run prompt; on Mac and Linux it could launch a terminal and work from there.
This activity is visible on the screen, so the attacker has to come up with a method to hide it. Yiu says the team is currently exploring methods to trigger the attack when the victim is not around.
Delaying the action is one avenue they study, but there are other channels they consider for getting the desired response. Bluetooth and radio signals could be part of the solution.
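Because a BadUSB-style keyboard issues its commands in rapid succession, the spacing between key events is one signal a host can monitor, whenever the cable chooses to fire. The following is an added example, not code from the article or from any named tool; the thresholds, function names and sample events are assumptions constructed for illustration.

```python
def find_injection_bursts(events, max_gap=0.020, min_run=8):
    """events: (timestamp_seconds, key) tuples in arrival order.

    Returns (start, end, text) for each run of at least min_run keys whose
    consecutive gaps are all <= max_gap. Both thresholds are assumptions
    and need tuning against real typing on the monitored host.
    """
    bursts, run = [], []
    for ts, key in events:
        if run and ts - run[-1][0] > max_gap:
            if len(run) >= min_run:
                bursts.append(run)
            run = []
        run.append((ts, key))
    if len(run) >= min_run:
        bursts.append(run)
    return [(r[0][0], r[-1][0], "".join(k for _, k in r)) for r in bursts]

def constructed_events():
    """Constructed sample: a person typing, an idle period, then a device typing."""
    events, t = [], 10.0
    for key, gap in zip("hello", (0.00, 0.18, 0.14, 0.21, 0.16)):
        t += gap                   # human-scale gaps between keys
        events.append((t, key))
    t += 3.0                       # idle period
    for key in "dir C:\\Users":
        t += 0.005                 # 5 ms between keys
        events.append((t, key))
    return events

if __name__ == "__main__":
    for start, end, text in find_injection_bursts(constructed_events()):
        print(f"burst {start:.3f}-{end:.3f}s: {text!r}")
```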
Protecting against attacks that rely on a USB connection is not easy. A potential answer is to use a data-blocking device, also known as USB condom. An electronic accessory like this blocks the data pins on a USB cable and allows only power to go through.
But MG makes a valid point in a video where he shows that USB condoms can be infected just as well, and that you cannot trust them unless you have a way to audit them before use.
#3 - BadUSB Cables wouldn't be complete without BadUSB Condoms.
— MG (@_MG_) January 13, 2018
Tempted to get a run of these made for the vendor area at the next security con. pic.twitter.com/Iq8HHSV7qG
“The problems behind BadUSB were never addressed. This research is a timely reminder that anything USB can be turned malicious, even a simple charging cable,” Karsten Nohl, the original BadUSB researcher, told Bleeping Computer.
Although the idea behind USBHarpoon is not new, it may have the advantage of having been refined by several security experts. Mitnick said that the cable his team built was indistinguishable from what you see on the shelf. Even if there are differences, it is very likely that the victim does not notice them.
To demonstrate the functionality of USBHarpoon, Yiu published a short video where a drone connects to a Windows PC and sends it commands to list content in a folder on the system drive.
Updated 8/21/18: 3:50 PM EST: Added new information from MG to reflect the reason Kevin Mitnick did not receive the cable in time for presentation. MG's original BadUSB cable from January 2018 could already trigger a payload while charging.
Comments
the_moss_666 - 5 years ago
“The problems behind BadUSB were never addressed..." Well, the problem behind it is the letter "U" - universal. Only defence I can think of is USB condom built into OS or hardware (although both can be exploitable) and carefully choosing cable manufacturer and seller.
rp88 - 5 years ago
Would there be an operating system setting that one could change to prevent this? Could a fix at the operating system level be developed? Or is this something that can sneak under any OS and must be fixed at the hardware level?
JohnnyJammer - 5 years ago
You sort of can by only allowing drivers to be installed by their GUID. A GPO with Computer\admin template\System\Driver installation\, then you can use the option to allow non admins to install drivers for printers etc.
Here are some of mine I have listed.
EricDKnapp - 5 years ago
Wow - I've been preaching about USB security for a while now and I'm excited to see the topic is going mainstream.
I'm part of a team that's been working towards making USB safe again, and there is hope. There's a blog about it at https://www.linkedin.com/pulse/dont-worry-usb-happy-eric-knapp/ but the short version is that there is work being done to solve this problem.
PS - I'd love to get my hands on a USB harpoon cable to see it in action... if anyone is interested in contributing/collaborating just let me know
Bahaa_Noseir - 5 years ago
everything in this digital war-led hurts my mind ,, your mobile phone receive and send its data on carrier frequency with full needed data to determine every thing just encoded data and it re-transfer it several times and it just need brainy guys to decode its built-in info as an example but nor all " digital signatures for nearest transferable three or more antennas , imei for each sim card , time, pre signal strength test to determine average time for send and receive plus additional supposed moving factors , encoded transferable data , balance encoded symbols , average location or distance to save power for the next supposed antennas ,, many factors but need a cracked head programmer or programmers or even dictator gov to intercept ,,, there is no security in this war-led ,, just one of three things ,,, you are not needed right now for them ,,they did not detect you yet but willing to do ,, or you dig them and got your own way to hide for just period of time no longer than their efforts .. sorry I could not comment in positive way help the issue sender ,, you can just imagine about other things you may ignored ,, no way ,,
Cough - 5 years ago
Or just lock the screen with something like penteract's keyboard detector...
jamiezoe - 4 years ago
This is why we need experts like Kevin Mitnick in the industry!