Topic: USBHarpoon - a charging cable that can hack your computer (Read 599 times)
Bump
~snip~
Hello old friend..
What if your computer is locked on windows? I assume that doesn't do anything right?
Whether the computer is locked, doesn't matter.
Windows is shitty enough that the "lock" simply means you can't move your mouse etc. without entering the password.
Inserting an USB device which executes malicious code is still doable.
Now if your computer isn't turned on... i assume no issue?
If it is not turned on, how is it supposed to execute code?
If the CPU is turned off, it can't do anything.
What if you use veracrypt or bitlocker on it? I assume as long as you aren't logged in your computer, the usb charging cable can't do anything?
Full disk encryption? And turned off?
Same as above.. if the PC is not turned on, it can not execute code.
What if your computer is locked on windows? I assume that doesn't do anything right?
Now if your computer isn't turned on... i assume no issue?
What if you use veracrypt or bitlocker on it? I assume as long as you aren't logged in your computer, the usb charging cable can't do anything?
Now if your computer isn't turned on... i assume no issue?
What if you use veracrypt or bitlocker on it? I assume as long as you aren't logged in your computer, the usb charging cable can't do anything?
When was the last time you looked at the USB plug where your keyboard is plugged into:
https://hackerwarehouse.com/product/keygrabber/
What do you know about your network switch:
https://www.amazon.com/Dualcomm-DCSW-1005PT-Ethernet-Network-Pass-Through/dp/B003PCHAC6
Or how about your network cable:
https://greatscottgadgets.com/throwingstar/
Yeah, all of the above require access to you PC / home / office as opposed to just buying a wonky cable. Not going to dispute that.
But, most people are not even aware that things like this exist so it's probably good to put it out there.
-Dave
https://hackerwarehouse.com/product/keygrabber/
What do you know about your network switch:
https://www.amazon.com/Dualcomm-DCSW-1005PT-Ethernet-Network-Pass-Through/dp/B003PCHAC6
Or how about your network cable:
https://greatscottgadgets.com/throwingstar/
Yeah, all of the above require access to you PC / home / office as opposed to just buying a wonky cable. Not going to dispute that.
But, most people are not even aware that things like this exist so it's probably good to put it out there.
-Dave
Has anyone here had a case like this though? Again cables seem very scary because of this.
What about cables on amazon though?
Probably safe. Maybe not, though.Amazon sell items from a huge number of different retailers. It is impossible for them to vouch for/verify every single one of them. Even items sold directly by Amazon, or even produced by Amazon such as the AmazonBasics range, could be subject to attack. What if a rogue employee on the production line started slipping chips in to their cables? How many do you think would get out before someone else picked it up in quality control? Impossible to know.
The only way you could be 100% safe is if you build your own cable from scratch. There was a recent topic started about this here: https://bitcointalksearch.org/topic/anyone-make-their-own-usb-cables-from-scratch-5218898. You have to consider, though, that if you are this concerned about a supply chain attack on a USB cable, what about the same attack on any of the hardware inside your computer or your phone?
What about cables on amazon though?
The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.
I think it's best to use air-gapped hardware wallets. They don't have any physical points of attack. All transactions happen through a QR code. snip
Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with ordinary multimeter. Opposite to original USB cable, touching the data wires of the same color on the opposite sides of "harpoon" should result in non zero readings.
If our smartphones could have an instant multimeter, that would be awesome. I wouldn't want to bring a multimeter anywhere I go. Great tip btw. To be clear, it's the resistance readings, right? Yeah, test for continuity in electrical wire means measuring its resistance, so to do it you need to select pertaining mode for multimiter. You can also use continuity tester to check whether USB cable is "harpooned" or not. In this case two central pins on one side of the cable must be shorted together when probe and the second end of the tester touch central pins on the opposite cable side.
I didn't know you could actually DIY a cable.
Take any standard USB cable with a male USB A end (the normal PC/laptop connector). If you look in the end of it you will see 4 metal pins embedded in the white plastic part, inside the outer metal casing. The two outer pins transmit power, the two inner pins transmit data. If you cover or remove the two inner pins, then you have made yourself a power only cable.This is fairly easily done, in one of two ways. You can simply cut a piece of tape to size and cover the two inner pins to make a reversible power only cable, but be absolutely sure you have entirely covered the pins, as if any connection remains (however small) data can still be transmitted. More securely, but irreversibly, you can remove the two pins without much hassle. You don't need to open the casing at all - simply use a small flat-head screwdriver or similar to prise the two middle pins up, and a pair of pliers to pull them out.
You can even make one yourself by removing the data pins from an existing cable, and you can find instructions online to show you how to do this.
I didn't know you could actually DIY a cable. I wouldn't prefer to do that because I don't think I would be successful in the first few tries that I would do. That's not to say malicious power banks don't also exist, and an attacker could very well open one up and hide a microchip or two inside.
Maybe creating one is more complicated than just using a malicious wire or something. If someone is to create it, it's just a waste of resources, like the weights/batteries inside of it, it's not gonna do anything or would just add to the data powerline and make charging slow. Or something like that.Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with ordinary multimeter. Opposite to original USB cable, touching the data wires of the same color on the opposite sides of "harpoon" should result in non zero readings.
If our smartphones could have an instant multimeter, that would be awesome. I wouldn't want to bring a multimeter anywhere I go. Great tip btw. To be clear, it's the resistance readings, right? snip
Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with ordinary multimeter. Opposite to original USB cable, touching the data wires of the same color on the opposite sides of "harpoon" should result in non zero readings.
Well, there's another solution to that where you would use a Non-Data transferring cable.
Yeah, I mentioned those in a previous post. You can buy them fairly cheaply, or buy a small adapter to plug on to the end of an existing USB cable which will prevent data transfer. You can even make one yourself by removing the data pins from an existing cable, and you can find instructions online to show you how to do this.I agree with the fact that you could still use a compromised socket with the charging of a power bank then charging your phone from the power bank.
A power bank is just a battery. As far as I'm aware, they don't contain any hardware with the capability to store malware, so connecting one to a malicious charger is safe as any malware can't copy itself to the power bank. That's not to say malicious power banks don't also exist, and an attacker could very well open one up and hide a microchip or two inside. Using your own cable is not enough. Plugging a cable from your device in to a public socket, charger, power point, etc. could still compromise your device. Your cable will happily transmit anything it is told to, including any malware from chips hidden inside the socket or charger unit you just connected to.
Well, there's another solution to that where you would use a Non-Data transferring cable. I think that's how they could get your data but when it's just power, it's okay, no data transferring. The only way to be completely safe is to bring your own charger plug as well as USB cable, or use your own portable power packs instead.
I agree with the fact that you could still use a compromised socket with the charging of a power bank then charging your phone from the power bank. Just like in the video. I think it's an okay thing. Why you should use your own cable
Using your own cable is not enough. Plugging a cable from your device in to a public socket, charger, power point, etc. could still compromise your device. Your cable will happily transmit anything it is told to, including any malware from chips hidden inside the socket or charger unit you just connected to.The only way to be completely safe is to bring your own charger plug as well as USB cable, or use your own portable power packs instead.
Valid points but the problem is if something is free people will use it!
If something is free, you are the product, as the saying goes. This is equally true of free samples in supermarkets enticing you to spend money, as it is of Facebook and Google mining and selling all your data. Valid points but the problem is if something is free people will use it!
I think you could call that taking advantage of opportunities. 
BUT you will never know what comes after. Like why is it going to be free? Almost everything now has a pricetag and you should be careful with the ones which are free, you will never know. If you offer free refreshments to people on a busy street most of them will drink it not even thinking about what it is they are drinking. Even those who are not thirsty will take some just because it is free. It could be an interesting social experiment to conduct.
It depends on where the experiment happens because most of the time, there are free tastes in supermarkets that let you try the product for free. I love those kinds of marketing tactics though. If it's not in a supermarket and it's on a busy street, it's going to be a different issue. Let's be vigilant with regard to those kinds of things. Growing paranoid in the right amount is good for us, I think. Lol.
Snip
Valid points but the problem is if something is free people will use it!If you offer free refreshments to people on a busy street most of them will drink it not even thinking about what it is they are drinking. Even those who are not thirsty will take some just because it is free. It could be an interesting social experiment to conduct.
I recently watched this YouTube video by BRIGHT SIDE - Why No One Should Use Airport USB Charging Stations: https://www.youtube.com/watch?v=4gJlkS_WxZA
It's all the reasons why you shouldn't use Airport USB Charging Stations. It covers these areas in the video.
I think these points could cover most of the video. It's very informative and I think that everyone deserves to know this, especially frequent travelers.
It's all the reasons why you shouldn't use Airport USB Charging Stations. It covers these areas in the video.
- What could happen to your smartphone if you insert directly in the USB Port
- Video-Jacking
- Why you should use your own cable
- Updated Firmwares of Smartphones (Android and iOS)
- What you could do when you need to charge
- Protecting your sensitive data
I think these points could cover most of the video. It's very informative and I think that everyone deserves to know this, especially frequent travelers.
@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?
Absolutely. There is a public charging station at my nearest airport with about 20 cables of various sizes. Every time I am there, they are almost all being used. That's hundreds of devices each day.
i never use airport, hotel, or any other public charging ports or cables for any device i own. i always have my own usb chargers and cables when i have AC outlets available, and several powerbanks (and assorted cables for them also) for when out and about. powerbanks are a lifesaver at airports and such when your phone is more or less indispensable (as they can have tickets, itinerary, tsa and airline apps etc loaded on them and constantly in use).
usb powerbanks come in so many sizes and capacities its foolish not to have some. some are solar powered, so can be charged even when no power is available.
EDIT you can also build your own powerbanks if you are so inclined and just want to be sure its not hiding any funny stuff.. just search for "diy usb power bank" in your favorite search engine.
The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.
It's a bit more worrying for the "captive audience" type. Get them into the hotel gift shop or cruise ship or the store at the train station and you know more or less where many of your victims will be.
Lots of Uber/Lyft passengers use driver-provided chargers. It's a really common amenity. I guess it could be a dangerous attack vector now. A phone or tablet innocently placed in the car could be running malicious scripts on any passenger who plugs in. Crazy stuff!
New business model. USB cables with clear plastic so you can see everything inside.
Sure, why not. If you know how the inside of a standard USB cable should look like. Many people don't and those people who fall victims to phishing sites aren't cautious enough and wouldn't notice anything wrong with their cable. The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.
It's a bit more worrying for the "captive audience" type. Get them into the hotel gift shop or cruise ship or the store at the train station and you know more or less where many of your victims will be.
New business model. USB cables with clear plastic so you can see everything inside.
-Dave
The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.
An Update.
Recently came across this article: https://www.vice.com/en_us/article/3kx5nk/fake-apple-lightning-cable-hacks-your-computer-omg-cable-mass-produced-sold
It's said there that it's going to be mass-produced and a factory has accepted it also, further Quality Analysis and Testing will be done on the product. Pretty much the same with the articles above but I think knowing that it is possible that it's on-going production already, you can encounter this kind of device. Better safe than sorry, make sure to have a legitimate and certified product.
Recently came across this article: https://www.vice.com/en_us/article/3kx5nk/fake-apple-lightning-cable-hacks-your-computer-omg-cable-mass-produced-sold
It's said there that it's going to be mass-produced and a factory has accepted it also, further Quality Analysis and Testing will be done on the product. Pretty much the same with the articles above but I think knowing that it is possible that it's on-going production already, you can encounter this kind of device. Better safe than sorry, make sure to have a legitimate and certified product.
And I can expect that the cables for data transfer between PC and Android will try to infect only the PC?
No, it can compromise any device which is connected to it.
Obviously it has to be configured to do so. The device (mobile/desktop) and the OS doesn't play a huge role. It just has to be configured to infect that specific device/OS.
I go by the initial assumption that one has such a cable at home. If he uses it as data cable he will enable data transfer. Will Android run that if I don't install it? I hope not.
It depends on your settings.
I believe that the standard settings are to not accept input devices via USB. But you can turn this on/off in your settings, allowing you to use a keyboard/mouse on your mobile.
If your device restricts keyboard/mouse via USB, nothing will happen.
Because most devices have a single multi purpose port now. Any USB cable with data pins, even if you think it is just for charging, can send or receive data from your device too. You don't know what's inside the charging adapter. It could quite easily be hiding a few microchips ready to send malware to any device which connects.
This article by the verge is quite recent and it's a good read too. This shows that a cable looks and functions like a normal lightning cable but it has an additional feature where it has a wireless point (additional hardware) making it a remote hacking device. It's definitely a scary place we live in now, everything can be remotely hijacked. And guess what, it says "it's nothing new". It has been going around and I have no idea until recently. 
Good. Paranoid is good. Yoy shouldn't be plugging any unknown USB cables, drives, or devices in to your device.
Or never borrow from someone you don't know. #neveragain #officialproductsonly LOL.Absolutely. There is a public charging station at my nearest airport with about 20 cables of various sizes. Every time I am there, they are almost all being used. That's hundreds of devices each day.
It's better to use a normal socket using your charging cable and adapter instead. This is what I usually do in an airport. 
And I can expect that the cables for data transfer between PC and Android will try to infect only the PC?
I go by the initial assumption that one has such a cable at home. If he uses it as data cable he will enable data transfer. Will Android run that if I don't install it? I hope not.
I go by the initial assumption that one has such a cable at home. If he uses it as data cable he will enable data transfer. Will Android run that if I don't install it? I hope not.
However, more important, since I am completely newbie on that field: are Android devices safe from such attacks? (With or without AV)
For several versions now, devices running Android software treat any connected USB as a charger only and display a prompt on the device before enabling data capabilities. As long as you have a recent version, and don't accept the prompt, then you are theoretically safe. There is always the possibility somebody finds a new method, hack, vulnerability, or similar, which allows them to bypass this prompt and transmit data. The safest method remains to not use public charging ports, or at least bring your own power-only USB cable with the data pins removed. There are also many tiny adapters on the market for a few bucks which you can connect between your phone and the USB cable which block all data transfer. antivirus normally don't question or block user's input from HID (keyboard, mouse, etc.). But Antivirus might block the downloaded malware or malicious script from the USB cable.
That's what I would also expect on Windows. And, interestingly, there are still many people around here that question the use of antivirus software...
However, more important, since I am completely newbie on that field: are Android devices safe from such attacks? (With or without AV)
This story makes me paranoid and makes me want my files to be secure.
Good. Paranoid is good. Yoy shouldn't be plugging any unknown USB cables, drives, or devices in to your device.OK, but antiviruses and such don't "see" this threat? I mean, those cables can be easily in your house without knowing it.
I don't know how they would be able to get my data because I just stuck it in the charging adaptor.
Because most devices have a single multi purpose port now. Any USB cable with data pins, even if you think it is just for charging, can send or receive data from your device too. You don't know what's inside the charging adapter. It could quite easily be hiding a few microchips ready to send malware to any device which connects.This story makes me paranoid and makes me want my files to be secure.
Good. Paranoid is good. Yoy shouldn't be plugging any unknown USB cables, drives, or devices in to your device.@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?
Absolutely. There is a public charging station at my nearest airport with about 20 cables of various sizes. Every time I am there, they are almost all being used. That's hundreds of devices each day.
I didn't know that this exists already. Thanks for sharing this. It's definitely scary to use cheap stuff that might compromise your status. I do have a cheap cable for charging (it's an L-type of cord, so I could play while charging), I don't know how they would be able to get my data because I just stuck it in the charging adaptor.
Anyways, this reminded me of a story by my boss at his previous work that he knows someone that is a good programmer and he created a flash drive that once you stuck it in your computer, it's going to get your files in the background while it's still inserted. This story makes me paranoid and makes me want my files to be secure.
So basically, this is a warning for everyone to NEVER use cheap cords and plug it in your computer. Now I'm more paranoid
@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?
So you could say that your smartphone would be getting HIV.
Anyways, this reminded me of a story by my boss at his previous work that he knows someone that is a good programmer and he created a flash drive that once you stuck it in your computer, it's going to get your files in the background while it's still inserted. This story makes me paranoid and makes me want my files to be secure.
So basically, this is a warning for everyone to NEVER use cheap cords and plug it in your computer. Now I'm more paranoid
@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?
So you could say that your smartphone would be getting HIV.
There are 100s of Chinese shops at AliExpress selling USB charging cables, many under 1$ a piece, shipping included.
Can anybody say they are legit? No.
Do they sell 1000s of cables? Yes.
Is there a chance known electronic shops resell such cables? Yes.
Sorry my friend, but imho there's no certainty the cable is good, no matter where you buy it from an at what price. Of course, unless you buy it together with a branded device.
Can anybody say they are legit? No.
Do they sell 1000s of cables? Yes.
Is there a chance known electronic shops resell such cables? Yes.
Sorry my friend, but imho there's no certainty the cable is good, no matter where you buy it from an at what price. Of course, unless you buy it together with a branded device.
If an attacker sets up a public charging station somewhere, they could infect hundreds of users.
That is exactly what he does at the end of the 2nd video in the original article. If you rewind to 0:50 you can see that he plugs in the USB cable as a charger in a conference room somewhere. And the trap is set! Here is one better, plug in a cable, get owned
This sounds pretty much identical to USBNinja. This is essentially a cable which works just like a normal USB, but can be remotely triggered via either a bluetooth transmitter or bluetooth app to change to a HID and deliver any desired input to the device it is connected to. You can buy one of these kits for 100 bucks, and it even comes with information and examples on how to design your own payload. There are also devices like Rubber Ducky for half that price which will perform the same keystroke attack whilst being disguised as a regular USB flash drive. Too bad there's no information whether it works without superuser, admin or root-level user
The USBharpoon attack revolves around fooling the computer in to thinking the USB cable connected is a human interface device, which it will then accept inputs from. Anything a standard user can do, this USB cable can do as well, including downloading and executing some specific malware.Anything the logged in user can do. It's creating keyboard / mouse commands so if you are admin / root and plug one of these in it is running with full privileges.
Here is one better, plug in a cable, get owned:
https://www.theverge.com/2019/8/15/20807854/apple-mac-lightning-cable-hack-mike-grover-mg-omg-cables-defcon-cybersecurity
From the article:
Quote
MG tells The Verge that his cables look and function like the standard Lightning cable you get with your iPhone. But MG hid software and hardware, including a wireless access point, inside its USB connector. When the cable is plugged into a computer, it can be triggered remotely to attempt to steal a user’s login credentials or install malicious software.
-Dave
I was just talking about this issue in another thread in Beginners and Help with another user who did not believe such an attack was possible.
You should obviously only be buying electronics from reputable sources, but I think the main vector of attack here is the use of public or shared cables rather than selling hacked cables. Selling a hacked cable is likely to only infect one user. If an attacker sets up a public charging station somewhere, they could infect hundreds of users. The solution is simple - never use public or shared charging stations or cables.
You should obviously only be buying electronics from reputable sources, but I think the main vector of attack here is the use of public or shared cables rather than selling hacked cables. Selling a hacked cable is likely to only infect one user. If an attacker sets up a public charging station somewhere, they could infect hundreds of users. The solution is simple - never use public or shared charging stations or cables.
Too bad there's no information whether it works without superuser, admin or root-level user
The USBharpoon attack revolves around fooling the computer in to thinking the USB cable connected is a human interface device, which it will then accept inputs from. Anything a standard user can do, this USB cable can do as well, including downloading and executing some specific malware. 
This can somehow be related to Hardware wallets OLED Display Vulnerability, and Trezor has solved this problem with new firmware, but we still wait for the new firmware from Ledger.
I'm not sure what the danger is for hardware wallets with USBHarpoon (if at all there is a danger), but cheap USB cables should not be used because they obviously pose a security risk. There is no doubt that all equipment should be purchased from trusted dealers, the time of buying this kind of stuff through eBay has obviously become too risky.
I'm not sure what the danger is for hardware wallets with USBHarpoon (if at all there is a danger), but cheap USB cables should not be used because they obviously pose a security risk. There is no doubt that all equipment should be purchased from trusted dealers, the time of buying this kind of stuff through eBay has obviously become too risky.
Did a quick search and couldn't find any threads talking about this.
I saw a link about this in our local forum so credits go to the OP sbogovac
Source: https://bitcointalksearch.org/topic/m.52525034
Original article: https://latesthackingnews.com/2018/08/27/usbharpoon-a-charging-cable-that-hacks-your-computer/
This was published last year and I think it fits in this section since it can be used to compromise both Windows and Macbooks via a compromised USB cable, similar to those we use with hardware wallets or mobile phones.
Two developers created a USB charging cable that they named USBharpoon that can be used "to compromise a computer in just a few seconds".
Once the cable is plugged in it can download and execute a malicious code on the PC and it works both on Windows and Mac. There are example videos on the link.
Source:
https://latesthackingnews.com/2018/08/27/usbharpoon-a-charging-cable-that-hacks-your-computer/
The lesson here is: Always buy hardware from official sources. Don't go for the cheap variant to save a few bucks if what you are protecting is worth a lot more.
I saw a link about this in our local forum so credits go to the OP sbogovac
Source: https://bitcointalksearch.org/topic/m.52525034
Original article: https://latesthackingnews.com/2018/08/27/usbharpoon-a-charging-cable-that-hacks-your-computer/
This was published last year and I think it fits in this section since it can be used to compromise both Windows and Macbooks via a compromised USB cable, similar to those we use with hardware wallets or mobile phones.
Two developers created a USB charging cable that they named USBharpoon that can be used "to compromise a computer in just a few seconds".
Quote
The cable was modified by researchers to transfer both data and power which makes it difficult to notice any abnormal behaviour from the user.
Once the cable is plugged in it can download and execute a malicious code on the PC and it works both on Windows and Mac. There are example videos on the link.
Source:
https://latesthackingnews.com/2018/08/27/usbharpoon-a-charging-cable-that-hacks-your-computer/
The lesson here is: Always buy hardware from official sources. Don't go for the cheap variant to save a few bucks if what you are protecting is worth a lot more.
Jump to: