Pages:
Author

Topic: USBHarpoon - a charging cable that can hack your computer - page 2. (Read 648 times)

legendary
Activity: 2730
Merit: 7065
New business model. USB cables with clear plastic so you can see everything inside.
Sure, why not. If you know how the inside of a standard USB cable should look like. Many people don't and those people who fall victims to phishing sites aren't cautious enough and wouldn't notice anything wrong with their cable.   
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.

It's a bit more worrying for the "captive audience" type. Get them into the hotel gift shop or cruise ship or the store at the train station and you know more or less where many of your victims will be.

New business model. USB cables with clear plastic so you can see everything inside.

-Dave
legendary
Activity: 2730
Merit: 7065
The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.
copper member
Activity: 2940
Merit: 1280
https://linktr.ee/crwthopia
An Update.

Recently came across this article: https://www.vice.com/en_us/article/3kx5nk/fake-apple-lightning-cable-hacks-your-computer-omg-cable-mass-produced-sold

It's said there that it's going to be mass-produced and a factory has accepted it also, further Quality Analysis and Testing will be done on the product. Pretty much the same with the articles above but I think knowing that it is possible that it's on-going production already, you can encounter this kind of device. Better safe than sorry, make sure to have a legitimate and certified product.
legendary
Activity: 1624
Merit: 2481
And I can expect that the cables for data transfer between PC and Android will try to infect only the PC?

No, it can compromise any device which is connected to it.
Obviously it has to be configured to do so. The device (mobile/desktop) and the OS doesn't play a huge role. It just has to be configured to infect that specific device/OS.



I go by the initial assumption that one has such a cable at home. If he uses it as data cable he will enable data transfer. Will Android run that if I don't install it? I hope not.

It depends on your settings.
I believe that the standard settings are to not accept input devices via USB. But you can turn this on/off in your settings, allowing you to use a keyboard/mouse on your mobile.

If your device restricts keyboard/mouse via USB, nothing will happen.
copper member
Activity: 2940
Merit: 1280
https://linktr.ee/crwthopia
Because most devices have a single multi purpose port now. Any USB cable with data pins, even if you think it is just for charging, can send or receive data from your device too. You don't know what's inside the charging adapter. It could quite easily be hiding a few microchips ready to send malware to any device which connects.
This article by the verge is quite recent and it's a good read too. This shows that a cable looks and functions like a normal lightning cable but it has an additional feature where it has a wireless point (additional hardware) making it a remote hacking device. It's definitely a scary place we live in now, everything can be remotely hijacked. And guess what, it says "it's nothing new". It has been going around and I have no idea until recently.  Huh

Good. Paranoid is good. Yoy shouldn't be plugging any unknown USB cables, drives, or devices in to your device.
Or never borrow from someone you don't know. #neveragain #officialproductsonly LOL.

Absolutely. There is a public charging station at my nearest airport with about 20 cables of various sizes. Every time I am there, they are almost all being used. That's hundreds of devices each day.
It's better to use a normal socket using your charging cable and adapter instead. This is what I usually do in an airport.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
And I can expect that the cables for data transfer between PC and Android will try to infect only the PC?

I go by the initial assumption that one has such a cable at home. If he uses it as data cable he will enable data transfer. Will Android run that if I don't install it? I hope not.
legendary
Activity: 2268
Merit: 18771
However, more important, since I am completely newbie on that field: are Android devices safe from such attacks? (With or without AV)
For several versions now, devices running Android software treat any connected USB as a charger only and display a prompt on the device before enabling data capabilities. As long as you have a recent version, and don't accept the prompt, then you are theoretically safe. There is always the possibility somebody finds a new method, hack, vulnerability, or similar, which allows them to bypass this prompt and transmit data. The safest method remains to not use public charging ports, or at least bring your own power-only USB cable with the data pins removed. There are also many tiny adapters on the market for a few bucks which you can connect between your phone and the USB cable which block all data transfer.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
antivirus normally don't question or block user's input from HID (keyboard, mouse, etc.). But Antivirus might block the downloaded malware or malicious script from the USB cable.

That's what I would also expect on Windows. And, interestingly, there are still many people around here that question the use of antivirus software...
However, more important, since I am completely newbie on that field: are Android devices safe from such attacks? (With or without AV)
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
This story makes me paranoid and makes me want my files to be secure.
Good. Paranoid is good. Yoy shouldn't be plugging any unknown USB cables, drives, or devices in to your device.

OK, but antiviruses and such don't "see" this threat? I mean, those cables can be easily in your house without knowing it.
legendary
Activity: 2268
Merit: 18771
I don't know how they would be able to get my data because I just stuck it in the charging adaptor.
Because most devices have a single multi purpose port now. Any USB cable with data pins, even if you think it is just for charging, can send or receive data from your device too. You don't know what's inside the charging adapter. It could quite easily be hiding a few microchips ready to send malware to any device which connects.

This story makes me paranoid and makes me want my files to be secure.
Good. Paranoid is good. Yoy shouldn't be plugging any unknown USB cables, drives, or devices in to your device.

@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?
Absolutely. There is a public charging station at my nearest airport with about 20 cables of various sizes. Every time I am there, they are almost all being used. That's hundreds of devices each day.
copper member
Activity: 2940
Merit: 1280
https://linktr.ee/crwthopia
I didn't know that this exists already. Thanks for sharing this. It's definitely scary to use cheap stuff that might compromise your status. I do have a cheap cable for charging (it's an L-type of cord, so I could play while charging), I don't know how they would be able to get my data because I just stuck it in the charging adaptor.

Anyways, this reminded me of a story by my boss at his previous work that he knows someone that is a good programmer and he created a flash drive that once you stuck it in your computer, it's going to get your files in the background while it's still inserted. This story makes me paranoid and makes me want my files to be secure.

So basically, this is a warning for everyone to NEVER use cheap cords and plug it in your computer. Now I'm more paranoid



@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?

So you could say that your smartphone would be getting HIV.
legendary
Activity: 3668
Merit: 6382
Looking for campaign manager? Contact icopress!
There are 100s of Chinese shops at AliExpress selling USB charging cables, many under 1$ a piece, shipping included.

Can anybody say they are legit? No.
Do they sell 1000s of cables? Yes.
Is there a chance known electronic shops resell such cables? Yes.

Sorry my friend, but imho there's no certainty the cable is good, no matter where you buy it from an at what price. Of course, unless you buy it together with a branded device.
legendary
Activity: 2730
Merit: 7065
If an attacker sets up a public charging station somewhere, they could infect hundreds of users.
That is exactly what he does at the end of the 2nd video in the original article. If you rewind to 0:50 you can see that he plugs in the USB cable as a charger in a conference room somewhere. And the trap is set!
legendary
Activity: 2268
Merit: 18771
Here is one better, plug in a cable, get owned
This sounds pretty much identical to USBNinja. This is essentially a cable which works just like a normal USB, but can be remotely triggered via either a bluetooth transmitter or bluetooth app to change to a HID and deliver any desired input to the device it is connected to. You can buy one of these kits for 100 bucks, and it even comes with information and examples on how to design your own payload. There are also devices like Rubber Ducky for half that price which will perform the same keystroke attack whilst being disguised as a regular USB flash drive.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
Too bad there's no information whether it works without superuser, admin or root-level user
The USBharpoon attack revolves around fooling the computer in to thinking the USB cable connected is a human interface device, which it will then accept inputs from. Anything a standard user can do, this USB cable can do as well, including downloading and executing some specific malware.

Anything the logged in user can do. It's creating keyboard / mouse commands so if you are admin / root and plug one of these in it is running with full privileges.

Here is one better, plug in a cable, get owned:

https://www.theverge.com/2019/8/15/20807854/apple-mac-lightning-cable-hack-mike-grover-mg-omg-cables-defcon-cybersecurity

From the article:
Quote
MG tells The Verge that his cables look and function like the standard Lightning cable you get with your iPhone. But MG hid software and hardware, including a wireless access point, inside its USB connector. When the cable is plugged into a computer, it can be triggered remotely to attempt to steal a user’s login credentials or install malicious software.

-Dave
legendary
Activity: 2268
Merit: 18771
I was just talking about this issue in another thread in Beginners and Help with another user who did not believe such an attack was possible.

You should obviously only be buying electronics from reputable sources, but I think the main vector of attack here is the use of public or shared cables rather than selling hacked cables. Selling a hacked cable is likely to only infect one user. If an attacker sets up a public charging station somewhere, they could infect hundreds of users. The solution is simple - never use public or shared charging stations or cables.

Too bad there's no information whether it works without superuser, admin or root-level user
The USBharpoon attack revolves around fooling the computer in to thinking the USB cable connected is a human interface device, which it will then accept inputs from. Anything a standard user can do, this USB cable can do as well, including downloading and executing some specific malware.
legendary
Activity: 3234
Merit: 5637
Blackjack.fun-Free Raffle-Join&Win $50🎲
This can somehow be related to Hardware wallets OLED Display Vulnerability, and Trezor has solved this problem with new firmware, but we still wait for the new firmware from Ledger.

I'm not sure what the danger is for hardware wallets with USBHarpoon (if at all there is a danger), but cheap USB cables should not be used because they obviously pose a security risk. There is no doubt that all equipment should be purchased from trusted dealers, the time of buying this kind of stuff through eBay has obviously become too risky.
legendary
Activity: 2730
Merit: 7065
Did a quick search and couldn't find any threads talking about this.

I saw a link about this in our local forum so credits go to the OP sbogovac
Source: https://bitcointalksearch.org/topic/m.52525034
Original article: https://latesthackingnews.com/2018/08/27/usbharpoon-a-charging-cable-that-hacks-your-computer/

This was published last year and I think it fits in this section since it can be used to compromise both Windows and Macbooks via a compromised USB cable, similar to those we use with hardware wallets or mobile phones.

Two developers created a USB charging cable that they named USBharpoon that can be used "to compromise a computer in just a few seconds".



Quote
The cable was modified by researchers to transfer both data and power which makes it difficult to notice any abnormal behaviour from the user.

Once the cable is plugged in it can download and execute a malicious code on the PC and it works both on Windows and Mac. There are example videos on the link.

Source: 
https://latesthackingnews.com/2018/08/27/usbharpoon-a-charging-cable-that-hacks-your-computer/

The lesson here is: Always buy hardware from official sources. Don't go for the cheap variant to save a few bucks if what you are protecting is worth a lot more.
Pages:
Jump to: