Pages:
Author

Topic: anyone make their own USB cables from scratch? (Read 633 times)

staff
Activity: 3304
Merit: 4115
Absolutely! State-level stuff can just have malicious USB sockets installed by the contractors when the facility is built / renovated. That way there's not much risk involved. You can argue that they might also simply use those acquired USB exploits by plugging in your device when you pass the x-ray.

However, this 'juice jacking' [1] attack is pretty well researched and there have been warnings by the FBI [2], but I'm not aware of research about the deployments 'in the field'.
I do agree, you're speaking to someone who has degoogled their phone, uses Qubes OS, and is generally very paranoid Tongue. I've never had to use a USB socket at an airport, I tend to go for phones with bigger batteries.

Although, as much as we try to avoid it, if they go to this extent, they've probably already infiltrated most of the phone manufacturers themselves. It's generally why it's said that you can't really escape state level spying, whereas you can at least keep your privacy intact from non state level spying.

I'll take a look at the juice jacking in a bit more detail. I'm quite fascinated, since I knew of USB exploits being plugged into a computer (hence why I like the idea of a disposable sys-usb on Qubes OS), and obviously phones, but I never really considered it with the USB sockets themselves.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Yeah, wouldn't this be more state level spying rather than independent malicious actors? First, to tamper with a USB socket in plain sight in public seems rather high risk, for relatively low reward?
Absolutely! State-level stuff can just have malicious USB sockets installed by the contractors when the facility is built / renovated. That way there's not much risk involved. You can argue that they might also simply use those acquired USB exploits by plugging in your device when you pass the x-ray.

However, this 'juice jacking' [1] attack is pretty well researched and there have been warnings by the FBI [2], but I'm not aware of research about the deployments 'in the field'.

Size limits: Lithium metal (non-rechargeable) batteries are limited to 2 grams of lithium per battery. Lithium ion (rechargeable) batteries are limited to a rating of 100 watt hours (Wh) per battery. These limits allow for nearly all types of lithium batteries used by the average person in their electronic devices.
So, it's not specifically the volume of the battery pack, but the rating of watt hours per battery, then you're limited to two. I know I've looked this up before due to going off the grid for a few weeks. For example, when going to Nepal I had to enquire, and see if I could get written permission for boarding with a higher value, which they never got back to me. So, I ended up bringing two around the 24/26kmah.

Though, from what I checked this rule of thumb (100 watt hours) is generally universal in the aviation industry.
That's good to know!

On the other hand, if you have the capacity and remember to bring a voltage checker, why don't you just bring a 5V brick?
Depends on the length of travel. At some point that brick is going to need charging.
I mean just a 5V charger / transformer from 110 / 220V.

[1] https://en.wikipedia.org/wiki/Juice_jacking
[2] https://news.softpedia.com/news/fbi-warns-against-wireless-keystroke-loggers-disguised-as-usb-chargers-504435.shtml
staff
Activity: 3304
Merit: 4115
From both my gut feeling, news stories and professional experience, I can say that USB exploits are not uncommon, but pretty sought after by companies in the exploit buying / selling business, as well as the people and organizations they sell them to. In my opinion, the highest risk of finding malicious USB ports will be in airports / border controls. There are known cases of some countries' border patrol (hidden or even openly - if I recall correctly) jailbreaking / rooting people's phones to track and spy on them. I expect this risk to be much lower in generic hotel room equipment.
Yeah, wouldn't this be more state level spying rather than independent malicious actors? First, to tamper with a USB socket in plain sight in public seems rather high risk, for relatively low reward? At least, you don't hear of it too often. I mean, there's plenty of better places to do it than a airport with all the cameras, and security walking about. However, you typical cheap hotel probably isn't going to have this sophisticated attacks, they'd be much more likely to do identity theft with the documents you provide or alternatively run off with your credit card.

I'm not sure about that, but I've definitely lived off a single (large) power bank for a 7-day week and I believe that was still plane legal.
I have a 50,000mah one which I know wasn't allowed, which I admit is significantly larger than your usual power bank. I believe the limit is in the 20kmah mark, and you're allowed two of them, which have to be carried in your hand luggage due to risk of the lithium battery catching fire.

Here you go:

On the other hand, if you have the capacity and remember to bring a voltage checker, why don't you just bring a 5V brick?
Depends on the length of travel. At some point that brick is going to need charging.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
Fair play, I thought I was security conscious, but I'll be honest I've never even thought about the possibility of a socket being compromised. I mean, even now that I've been made more aware that these things do happen, I imagine they're slim chanced. Would be interested seeing when, and where this happened, and to what extent they gained access to someone's device. I do use Qubes OS with a sys-usb for unknown usb devices, but never really thought about it with charging the phone. Although, my Bitcoin hasn't ever touched my phone, so not that I have to worry about that.
From both my gut feeling, news stories and professional experience, I can say that USB exploits are not uncommon, but pretty sought after by companies in the exploit buying / selling business, as well as the people and organizations they sell them to. In my opinion, the highest risk of finding malicious USB ports will be in airports / border controls. There are known cases of some countries' border patrol (hidden or even openly - if I recall correctly) jailbreaking / rooting people's phones to track and spy on them. I expect this risk to be much lower in generic hotel room equipment.

Aren't you limited by what you can carry with battery banks anyhow. I always thought there was a maximum of two at a certain volume. Otherwise, I'd be bringing more of them on my travels.
I'm not sure about that, but I've definitely lived off a single (large) power bank for a 7-day week and I believe that was still plane legal.

For that you could bring a voltage checker. They're cheap, and if you've done any electricity work in the house you've probably already got one.
On the other hand, if you have the capacity and remember to bring a voltage checker, why don't you just bring a 5V brick?
staff
Activity: 3304
Merit: 4115
thats why when i travel i never use usb charge sockets in airports and hotel rooms. i bring several usb battery banks for my phones and ebook reader for on the go recharging. in hotel rooms i always bring my own powered hubs.. like the ones that plug into conventional wall power and can charge 10+ usb items and such. plus spare hubs and cables so when one craps out i have spares. no need to by crap stuff cuz youre out.
Fair play, I thought I was security conscious, but I'll be honest I've never even thought about the possibility of a socket being compromised. I mean, even now that I've been made more aware that these things do happen, I imagine they're slim chanced. Would be interested seeing when, and where this happened, and to what extent they gained access to someone's device. I do use Qubes OS with a sys-usb for unknown usb devices, but never really thought about it with charging the phone. Although, my Bitcoin hasn't ever touched my phone, so not that I have to worry about that.

Aren't you limited by what you can carry with battery banks anyhow. I always thought there was a maximum of two at a certain volume. Otherwise, I'd be bringing more of them on my travels.

another thing i worry about in hotels that have those usb sockets mounted in multipurpose wall sockets (ie 2 x 120/240v outlets and 2+ usb sockets) and found in stuff like nightstand etc with built in usb plugs is you have no idea how good the power supply in them is. while some may be fine as far as voltage regulation etc im sure there is some absolute trash electronics in some of them that supplying lord knows what as far as the powers purity. sure in theory there may be some protection (?)  on the device  but why chance it.

much prefer to plug my $1k plus phones etc into a known good usb supply that i bring.
For that you could bring a voltage checker. They're cheap, and if you've done any electricity work in the house you've probably already got one.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
Connecting your device to a standard electricity wall socket via your own cable and adapter plug is fine. Connecting your device directly to USB socket on the wall via your own cable is not (unless the cable is power only) - you have absolutely no idea what could be hiding on the other side of that USB socket. The risk of doing this is akin to the risk of picking up a random USB drive you find lying in the street and plugging it in to your device.

another thing i worry about in hotels that have those usb sockets mounted in multipurpose wall sockets (ie 2 x 120/240v outlets and 2+ usb sockets) and found in stuff like nightstand etc with built in usb plugs is you have no idea how good the power supply in them is. while some may be fine as far as voltage regulation etc im sure there is some absolute trash electronics in some of them that supplying lord knows what as far as the powers purity. sure in theory there may be some protection (?)  on the device  but why chance it.

much prefer to plug my $1k plus phones etc into a known good usb supply that i bring.

so a couple good reason to never trust strange usb sockets in the wild.

legendary
Activity: 2268
Merit: 18711
Why not strip the wire instead and cut the two lines the data+(green wire) and the data-(White wire) then two negative(Black) and positive(Red) should remain then use heat shrink to cover it back.
You don't even need to strip it - a pair of needle nosed pliers and you can reach in there and just yank out the two middle pins. Not the most high tech solution, but it does the job.

I don't see the problem in connecting devices for charging in wall power socket, you can always bring adapter with you, but it's different thing connecting it with other devices.
Connecting your device to a standard electricity wall socket via your own cable and adapter plug is fine. Connecting your device directly to USB socket on the wall via your own cable is not (unless the cable is power only) - you have absolutely no idea what could be hiding on the other side of that USB socket. The risk of doing this is akin to the risk of picking up a random USB drive you find lying in the street and plugging it in to your device.
JL0
full member
Activity: 817
Merit: 158
Bitcoin the Digital Gold
How about PortaPow?




legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
Another search term for these devices would be 'USB sock' or 'USB condom'. They even exist for USB-C (since we talked about it before). Downside is that they're easy to lose.

That's why I currently only use QR codes (like @dkbit98 mentioned) - don't have to worry about all this nonsense anymore at all.

[1] https://github.com/trezor/trezor-firmware/search?q=key+agreement
[2] https://www.adafruit.com/product/708
[3] https://github.com/matlo/serialusb

nice. thanks for the links. will check into them.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
But if hardware wallets encrypt all data being transmitted from the device to the PC with an AES key [hardcoded in both hardware device and software library], then wouldn't a malicious cable only be able to read gibberish anyway?
A malicious cable could still inject and run arbitrary code on the computer you are connecting the hardware wallet to, and steal your unencrypted public keys or addresses from there. So although a good hardware wallet should protect you from any direct security risks associated with a malicious cable, as n0nce says there is still a privacy risk.
I believe interception would be much easier to do and it would work across operating systems and OS versions, so it's much more likely. Also I don't know how you would set up shared symmetric keys between device and software, without the key being leaked. It should be trivial to extract it from the binaries, so a hardcoded key is out of the question. There would need to be a key agreement setup phase the first time you connect the wallet to the software, which I've never heard of being used in hardware wallet software.
A quick GitHub search on Trezor's firmware repo [1] yields nothing regarding key agreement or public keys to protect the USB connection, but it might be worth analyzing the traffic - especially on closed-source devices - using a device such as Adafruit Beagle USB 12 [2]. Low-cost DIY solutions also exist which may be enough for hardware wallet USB communication [3].
Anything such a USB hardware sniffer can extract, can also be extracted by a malicious cable and either stored locally[on the cable] to later be extracted by the attacker, sent over WiFi or maybe by injecting a process on the host which has network connectivity.

thats why when i travel i never use usb charge sockets in airports and hotel rooms.
~snip~
You can also buy small adapters which connect to regular USB cables and only attach to the power pins, leaving the data pins disconnected - search for USB defender or USB blocker.
Another search term for these devices would be 'USB sock' or 'USB condom'. They even exist for USB-C (since we talked about it before). Downside is that they're easy to lose.

this is another very good way. except. im lazy af  Grin
That's why I currently only use QR codes (like @dkbit98 mentioned) - don't have to worry about all this nonsense anymore at all.

[1] https://github.com/trezor/trezor-firmware/search?q=key+agreement
[2] https://www.adafruit.com/product/708
[3] https://github.com/matlo/serialusb
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
You can also buy small adapters which connect to regular USB cables and only attach to the power pins, leaving the data pins disconnected - search for USB defender or USB blocker.

sweet. gonna grab me some pronto.

Why not strip the wire instead and cut the two lines the data+(green wire) and the data-(White wire) then two negative(Black) and positive(Red) should remain then use heat shrink to cover it back. If you need the cable for other things to transfer data make sure it's not related to your wallet or any important data then you can strip it again and connect those two cut lines.

Or buy an adapter like this below then put a tape on the two pins in the middle



this is another very good way. except. im lazy af  Grin

once i took a dremel with a diamond bit and ground out the two data traces in the plug on a couple cables i had. works but messy.. i just sprayed the crap out with contact cleaner after.

@dkbit98  at this point in this timeline i have a baseball cap with silver foil liner. that  way i get the sunviser too.
legendary
Activity: 2212
Merit: 7064
thats why when i travel i never use usb charge sockets in airports and hotel rooms. i bring several usb battery banks for my phones and ebook reader for on the go recharging. in hotel rooms i always bring my own powered hubs.. like the ones that plug into conventional wall power and can charge 10+ usb items and such. plus spare hubs and cables so when one craps out i have spares. no need to by crap stuff cuz youre out.


Are you always bringing tin foil hat with you on your travels? Cheesy
I don't see the problem in connecting devices for charging in wall power socket, you can always bring adapter with you, but it's different thing connecting it with other devices.
Best thing about airgapped hardware wallets is the fact they don't need any cables for connection with computer and other devices, and they are even safer if they don't have bluetooth and wireless conenction.
legendary
Activity: 3374
Merit: 3095
Playbet.io - Crypto Casino and Sportsbook
You can also buy small adapters which connect to regular USB cables and only attach to the power pins, leaving the data pins disconnected - search for USB defender or USB blocker.

sweet. gonna grab me some pronto.

Why not strip the wire instead and cut the two lines the data+(green wire) and the data-(White wire) then two negative(Black) and positive(Red) should remain then use heat shrink to cover it back. If you need the cable for other things to transfer data make sure it's not related to your wallet or any important data then you can strip it again and connect those two cut lines.

Or buy an adapter like this below then put a tape on the two pins in the middle

legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
You can also buy small adapters which connect to regular USB cables and only attach to the power pins, leaving the data pins disconnected - search for USB defender or USB blocker.

sweet. gonna grab me some pronto.
legendary
Activity: 2268
Merit: 18711
But if hardware wallets encrypt all data being transmitted from the device to the PC with an AES key [hardcoded in both hardware device and software library], then wouldn't a malicious cable only be able to read gibberish anyway?
A malicious cable could still inject and run arbitrary code on the computer you are connecting the hardware wallet to, and steal your unencrypted public keys or addresses from there. So although a good hardware wallet should protect you from any direct security risks associated with a malicious cable, as n0nce says there is still a privacy risk.

thats why when i travel i never use usb charge sockets in airports and hotel rooms. i bring several usb battery banks for my phones and ebook reader for on the go recharging. in hotel rooms i always bring my own powered hubs.. like the ones that plug into conventional wall power and can charge 10+ usb items and such. plus spare hubs and cables so when one craps out i have spares. no need to by crap stuff cuz youre out.
Go one step further, and make sure all the cables you are carrying with you are power only cables (except maybe one data cable if you need to connect up your hardware wallet/phone/tablet/laptop to each other). That way, you can use public charging points or hotel charging points without risk of transmitting any data to or from your devices. You can buy such cables or make them yourself as I described above. You can also buy small adapters which connect to regular USB cables and only attach to the power pins, leaving the data pins disconnected - search for USB defender or USB blocker.

legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
But if hardware wallets encrypt all data being transmitted from the device to the PC with an AES key [hardcoded in both hardware device and software library], then wouldn't a malicious cable only be able to read gibberish anyway?

After all, it's not like they can get an Ethernet interface or WiFi interface inside it and relay the gibberish to some remote server to attempt to brute-force the key. Or try to do it themselves by putting a mini-ASIC of some sort.
legendary
Activity: 4354
Merit: 3614
what is this "brake pedal" you speak of?
USB attacks in the wild also happen in airports or other public places where there are free phone charging spots. You connect the phone to a bad USB socket or cable and get infected with some malware / virus / tracker. Speaking of airports: border security of some nations intentionally infects devices of visitors to spy on them.

thats why when i travel i never use usb charge sockets in airports and hotel rooms. i bring several usb battery banks for my phones and ebook reader for on the go recharging. in hotel rooms i always bring my own powered hubs.. like the ones that plug into conventional wall power and can charge 10+ usb items and such. plus spare hubs and cables so when one craps out i have spares. no need to by crap stuff cuz youre out.
hero member
Activity: 882
Merit: 5834
not your keys, not your coins!
The most that a compromised cable could do would be to change the transaction between you clicking to sign it on your computer and it showing up on the screen of your hardware device.
I think it would also be possible for a badUSB cable to intercept the xpub or individual public keys that are sent from device to host and then send those to a server for deanonymization, wouldn't it?

Any cases where there is malware/virus from buying cables on ebay or amazon?
Should be highly unlikely since the cables in question are much more expensive than regular USB cables so they cannot be sold for like $10 without taking a loss. They are just used for targeted attacks. For instance, someone handing you such a cable, or distributing them in the office.

USB attacks in the wild also happen in airports or other public places where there are free phone charging spots. You connect the phone to a bad USB socket or cable and get infected with some malware / virus / tracker. Speaking of airports: border security of some nations intentionally infects devices of visitors to spy on them.
legendary
Activity: 2730
Merit: 7065
Any cases where there is malware/virus from buying cables on ebay or amazon?
I cant remember a particular case where i have read of an infected series of cables being distributed over Ebay/Amazon but it is possible, why not. A malicious person could infect at least a few devices before negative comments start to flow in. After that the users would become cautious and ebay/amazon could delete the sales threads.
full member
Activity: 1750
Merit: 186
Any cases where there is malware/virus from buying cables on ebay or amazon?
Pages:
Jump to: