WATCH: USBHarpoon Is a BadUSB Attack with A Twist

Posted by Mitnick Security on Aug 19, 2018 5:00:00 PM

Several security experts have built a malicious version of a USB charging cable, one that can compromise a computer in just a few seconds. Once plugged in, it turns into a peripheral device capable of typing and launching commands.

USBHarpoon, as its makers call it, relies on the BadUSB research from Karsten Nohl and his team at Security Research Labs. Their work showed that an attacker can reprogram the controller chip of a USB drive and make it appear to the computer as a human interface device (HID).

The type of HID can be anything from an input device like a keyboard that issues a rapid succession of commands, to a network card that modifies the system’s DNS settings to redirect traffic.

With USBHarpoon, security experts replaced the USB drive with a charging cable, something that is as ubiquitous, but less likely for users to be cautious of.

The cable comes with modified connectors that allow both data and power to pass through so it will fulfill the expected function. This feature enables it to be accompanied by any type of device that powers through USB (fans, dongles distributed at conferences), without raising suspicions about plugging the cable.

Idea has been implemented before

Behind the USBHarpoon project are Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of SYON Security, and Kevin Mitnick, who catalyzed the entire collaboration.

Yiu, who works on the design and weaponization of the cable, says that he talked to multiple fellow researchers from different labs who tried to build a project like USBHarpoon, but they “were not able to make the cable charge for whatever reason.”“My team of friends has managed to weaponize this capability to make a fully working USB cable also a compatible HID device,” he added in a blog post.

It turns out that a weaponized charging USB cable already existed and was developed by a security researcher using the Twitter handle MG. As shown in the two videos below from January 2018, MG was able to create USB cables that could perform HID attacks when plugged into a computer's USB port.

To view an interesting video demonstrating USBHarpoon functionality and read the full article, plus other great security news refer to the source.

Source: Bleeping Computer

Topics: security expert, USB-C connector, USB condom, human interface device (HID), USBHarpoon, keynote speaker, Karsten Nohl, MacBook chargers, malicious USB charging cable, Twitter, Vincent Yiu, Bleeping Computer, computer weaponization, controller chip, Dennis Goh, DNS settings modification, BadUSB, Kevin Mitnick, MG, Olaf Tan

Latest Posts

Kevin offers three excellent presentations, two are based on his best-selling books. His presentations are akin to technology magic shows that educate and inform while keeping people on the edge of their seats. He offers expert commentary on issues related to information security and increases “security awareness.”

Redefining Your Enterprise’s Cyber Security Posture During Mergers & Acquisitions

With 3,205 data compromises occurring in 2023 alone, fortifying your enterprise’s cybersecurity posture is more important than ever.

Read more ›

Choosing a Penetration Testing Company for Mac-based Environments

Powering your business with Apple devices because of their reputable security and privacy features? You may be surprised to learn that while Apple dev..

Read more ›

AI in Cyber Security: Impacts, Benefits, and More To Be Aware Of

Artificial intelligence in cybersecurity has been a hot topic lately, especially with the rise of OpenAI’s ChatGPT. But does that mean it would make a..

Read more ›
tech-texture-bg

© Copyright 2004 - 2024 Mitnick Security Consulting LLC. All rights Reserved. | Privacy Policy