Pierluigi Paganini August 26, 2018

A team of security experts has devised a rogue USB charging cable named USBHarpoon that can be used to compromise a computer in just a few seconds.

The team was composed of Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of SYON Security, and the popular Kevin Mitnick.

The USBHarpoon takes inspiration on the BadUSB project built by researchers at Security Research Labs lead by Karsten Nohl.

Nohl demonstrated that to turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Unfortunately, many USB controller chips, including those in thumb drives, have no protection from such reprogramming.

USBHarpoon leverages on a charging cable instead of a USB drive to make the dirty job and hack into a computer.

The cable was modified to allow both data and power to pass through, in this way it is impossible for a victim to note any suspicious behavior.

A weaponized charging cable is not a novelty, a security researcher that goes online with the Twitter handle MG posted two videos that show the BadUSB cables he has built. The cable allows MD to carry out HID attacks when plugged into a computer’s USB port.

HID attacks via USB drives have become too suspicious. What about embedding the attack inside a USB cable?

Just a quick test for a few things I'm hoping to make over the next month. pic.twitter.com/3iNjLqXloW

— MG (@_MG_) January 1, 2018

BadUSB Cable #2. HID attack through an Apple MacBook USB-C charger. Great for shared workspaces!

Build info coming this month. Still working out some things. These cables work on just about any device with a USB port (Mac/Win/Linux, phones too) pic.twitter.com/b6254FvpLY

— MG (@_MG_) January 6, 2018

Mitnick asked MG to build a cable for him to use in a keynote speech to demonstrate new attack methods, but he did not receive it in time for his speech.

Mitnick contacted the researcher Dennis Goh to build a cable to use in the attack, then Goh accepted and worked with Olaf Tan to build the USBHarpoon.

Heh, looks like the same boots I showed Kevin earlier this year, but with tape holding together? Just use some potting compound to seal it!
Hey @vysecurity did you do anything besides adding 2 resistors for charge pass through? That seems to work fine. Data passthrough though… pic.twitter.com/69slNg2U0O

— MG (@_MG_) August 20, 2018

Yiu confirmed that his cable was not inspired by the MG’s research, anyway he credited the original work from MG once he learned about it.

The USBHarpoon works on unlocked machines, it allows the attackers to launch commands that download and execute a malicious code.

Experts noticed that on Windows, the commands are launched within the Run prompt, while on Mac and Linux they are launched from a terminal.

The attack is any way visible to the owner of the machine, for this reason, to make the attack stealth it is necessary to devise a method to hide the interaction with the system, for example, to run the attack when the victim is not around the machine.

The team of researchers is currently searching for methods to trigger the attack in a stealthy way, for example, involving as attack vectors Bluetooth and radio signals.

As mitigation, the experts suggest the adoption of USB condoms, also known as data-blocking device that works by blocking the data pins on a USB cable.

Anyway, MG published a video PoC that shows how USB condoms can be bypassed as well.

#3 – BadUSB Cables wouldn't be complete without BadUSB Condoms.

Tempted to get a run of these made for the vendor area at the next security con. pic.twitter.com/Iq8HHSV7qG

— MG (@_MG_) January 13, 2018

Pierluigi Paganini

(Security Affairs – USBHarpoon , BadUSB)

[adrotate banner=”5″]

[adrotate banner=”13″]