You can do all of that without WiFi. How is an attacker with no vision of the screen any more useful than a script that can auto type a command to get remote access?
A script that can autotype a command to get remote access needs to be able to communicate over your network, and it can be detected or blocked by your network security infrastructure.
A device like this packages its own covert communications channel together with the exploit dropper; it provides an entry point to your network (and exfiltration channel) that bypasses all your filtering, logging, scanning, etc.
The 'ESPloit v2' [1] appears on USB as both a keyboard and a serial port, and any data sent on the serial port can be exfiltrated by the ESP8266 over its own wifi connection.
You can also imagine a loop where first you install a keyboard logger and exfiltrate the user's password, then later you want to update the exploit scripts to make use of the password. Or hell, maybe this is a prank product and having a wireless button to rickroll your victim on demand makes you laugh.
With that said, the first person to make a fake USB keyboard had a much bigger and more exciting trick than this incremental change.
Edit: Or to put it another way, this is like the NSA's "Cottonmouth" bug, which "will provide air-gap bridging, software persistence capability, 'in-field' re-programmability, and covert communications with a host software implant over USB" [2] but 10 years later and without charging a million dollars for 50 units.
Long story short, underclocking the ESP12 compresses the RF envelope for 2.4GHz. It also means the RF energy is in what looks like 1/3 of a normal 2.4GHz channel.
The awesome side effect is that this device's SSID is completely hidden from regular 2.4GHz radios. You need another ESP12 with the same underclock ratio... and then need the SSID (if hidden), and the password.
You'd be able to find it using an ADALM-PLUTO. It'd stick out like a sore thumb, but it still wouldn't make sense what's going on unless you build a decode stack in GNU Radio.
If it is, then the computer doesn't connect to a router at all. The USB cable could make itself available as a network that you remotely connect to then execute commands. The cable then types out your commands as it imitates a USB keyboard. Have you ever seen a device or PC that randomly trusts a USB keyboard you plug into it?
Sorry, I was trying to reply to the above comment by structuring it in the same way, but making one minor switch to show how severe the issue can be. Trusting a router may not happen, but trusting a keyboard (as you've pointed out) almost always does.
Not without notice. Your computer won't connect to a wireless network automatically. So in order for this to work, the USB device needs the same SSID and key. Then, in order to make it not suspicious (and get your data) you need to actually forward traffic to the internet. Not sure if those devices can repeat.
Emulating a USB ethernet might help you, as those will connect, but without uplink it's still suspicious.
The "cable" has WiFi, so it's probably possible to set up a hidden WiFi network around the premises of the target and have the implant connect with that. With the right type of antenna you can set up a WiFi connection to a specific device from quite a way away. Then tunnel the connection from your malicious AP and emulate ethernet on the USB side of the implant.
Or, search for open/guest networks and use those as an uplink. There's plenty of possibilities for this to work as a malicious network adaptor.
However, I think the network example is just a proof of concept and the remote connectivity is much more interesting to any real attacker.
Doable with an ESP chip, monitoring for open WiFi networks and connecting to whatever is available. Then you could have it await further instructions from a C&C.
That wouldn't need further actions from the victim.
While I understand how this could've been fun to 'try out', I can think of nothing but ways that this can be seriously abused. (atm attacks, corporate spying, ...)
Can a device like this be used to do anything positive toward humanity?
Did I misunderstand something? (I'm genuinely curious!)
Edited: reworded (honest) question to be less negative.
> Can a device like this be used to do anything positive toward humanity?
PoCs are often what lead to security changes. This device just existing will spur research into how to defeat it, which in turn may lead to improved security for all.
> whenever you think “there ought to be a law...” there probably shouldn’t be
I actually totally agree (which is the reason for my edited response above, before your comment arrived)... but there must be limits, mustn't there? We don't arbitrarily allow murder, rape or theft.
Looking at the concept of "freedom" is a tricky thing, I've found. At what point does "doing whatever I want" become unacceptable to the very society that bred that behaviour? What should that society do to curtail behaviours that are actively destructive against it?
As an individual in society, shouldn't I make some stand (as feeble as it might be), against what I (personally) think as exceedingly disruptive and that goes against the "common good"?
By the downvotes I've received, it seems that my voice is very much unwanted - which seems to show how it is "me" that is the outcast in this situation, and not this builder of spyware. To me this is ironic (but irrefutable), despite the honest question of the purpose of this device which has been popularised on a well known 'tinkering' site.
You've upset people because what you seem to be talking about is either highly specific prohibitions, or a general prohibition on unlicensed tinkering and innovation. The latter will go down like a ton of bricks here and would have prevented most of the computer technological developments of our lifetimes.
But the way out of this is actually to make the constraint more orientated on the harm. Several jurisdictions already ban the sale of spy devices. Many have rules about non-consensual recording. Or general privacy rules.
Don't try to ban building things unless the other approaches have been tried and failed. The solution to "upskirting" and other non-consensual intrusive photography has been bans on doing that, not a ban on smartphones. There are all sorts of things that you can legally build and tinker with but not market to the public.
(Security researchers are particularly salty about this because you can't get people to take a threat seriously without building a proof-of-concept, but that is in itself a weapon. Often you can't prove a system is insecure without breaking it.)
I don’t know how to reply without being too snarky. Is your position that we shouldn’t “allow” someone to build a wifi module hidden in a USB cable, because we don’t allow rape and murder?
I’ll let someone else see if they can help you out. But I think you need to take a BIG step back and ask yourself this: “have I solved all the problems in my own life?” and if the answer is no, stop thinking so much about what other people should be “allowed” to do. Worry about self. Take up the position that my right to swing my fist ends at your nose.
I think I've inadvertently pressed some buttons, which I do apologise for - wholeheartedly! The written language is a very imperfect thing to get right. I'm not trying to bait anyone in words.
Ironically, I do try to "let it be" and to not be a hypocrite in my day to day life. However, we are imperfect beings, and we all make mistakes (well, at least I do!).
I recognise the engineering and technical expertise of this device... but all through its design phase and its production, was there ever a purpose other than spyware? Was it ever meant to be anything other than nefarious?
For it's when someone can say to me "Oh, it's a really good thing because x,y,z" then I'll have learnt something new about the rich tapestry of life -- and I ask this because I don't understand, & not because I'm trying to lord it over anyone.
I think the point of people doing this is to prove publicly that it can be done, and therefore almost certainly has already been done before by someone with nefarious intent who kept it quiet.
Perhaps I'm misunderstanding your comment but the reason planes aren't falling out of the sky and high rises aren't all on fire is because these things are so heavily regulated.
Not that I'm a fan of knee-jerk reactive lawmaking, but they struck me as odd examples.
Maybe he used an inaccurate analogy, but if we had laws preventing inventing questionable technology we might not have a lot of things we take for granted. More like the Wright brothers being banned from testing on the beach because they could hurt someone.
>I mean someone can just replace the cables in my house and my phones and computer would become infected.
Only if you leave your computer unlocked and unattended. If it's attended, obviously you'll see something's going on and pull the plug on the computer and probably investigate further. If your computer is locked (which is a good habit to have when leaving your workstation), the faked keyboard can't do anything.
So you bring all your cables with you everywhere you go?
I think OP is saying that these cables could be swapped out while you’re away.
As for “seeing that something is going on”, I really don’t think anyone worth half their salt would allow for such a scenario... authors of such implants aren’t exactly registering the device with the OS.
I'm wondering whether any of the Google security team will use this for their "leaving tradition" [1], or whether it's considered cheating, just too easy.
I worked on a security team that did this when I left - I taped & signed every USB connection at my desk and checked the signatures every time before I unlocked it.
I guess even some sort of "signed device protocol" will not work. An attacker can just create a device that guesses the device identifier (or whatever is used to create the signature). Then, the attacker device can just keep guessing until it gets it right. Chances are, some serial number or similar will be used for this, so continuous guessing is feasible.
Will the solution to this, then, be to have some sort of "smart card enabled device"? For example, assuming TOFU, you manually accept all devices' public keys (and all devices, including cables and stuff, will have one of these). Then, the computer will have to verify all actions done by those devices by sending a challenge for each action. But this seems impractical and inefficient...
Perhaps physical security is the only way for this...
On Windows XP this would display a “new device: keyboard connected” balloon and the Safely Remove Device icon would immediately set off my spidersense - it’s unfortunate that newer releases of Windows hide those notifications by default, and the only clue that something might be wrong would be hearing the generic device-connected sound multiple times in quick succession, which many users might think was their sound card glitching.
I think a solution is for OSs to only allow the automatic mounting of newly-attached devices if they’re “passive” (e.g. mass storage - assuming no autorun.ini, output-only devices, HID class devices that only expose game-controller functionality, etc) - other device classes like mice and keyboards plugged-in to non-trusted ports should always require explicit approval.
While we’re on the subject: keyboards can be massively improved by adding over-the-wire encryption to prevent keyboard-port logging, and the USB keyboard class should be extended to include the keyboard declaring its layout to the host OS. It’s silly that we still need to configure keyboard language settings or that the OS infers it from our regional settings.
How would you approve the keyboard without using the keyboard?
Anyway since we are assuming physical access, they could just swap out your keyboard for one that works normally until you go for lunch, then starts typing for itself..
The OS could display a random sequence of keys that you have to press to enable the keyboard. If the evil cable can't see the screen it wouldn't know what keys to transmit.
This is not a serious suggestion since it would be annoying to most people.
No more annoying than Bluetooth pairing PINs or iOS's passcode-to-use-USB prompts. If the keyboard has secure stateful memory (e.g. for a client-certificate or client-secret) then the user would only have to enter it once.
> How would you approve the keyboard without using the keyboard?
On laptops the built-in mouse and keyboard would be "trusted".
On desktops and servers, I can think of a couple of strategies:
* Always trust keyboards only when plugged into certain USB ports (e.g. ports on the front of the computer highly visible to the computer's operator)
* Mutual keyboard/host authentication and encryption.
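The two host-side ideas floated in this thread (only auto-enable "passive" classes such as mass storage, and only trust keyboards on designated, visible ports, holding every other HID device for approval) can be expressed as a small policy check. The following is an added example, not code from the thread or from any of the products discussed: it evaluates that policy over constructed kernel-style log lines. The trusted port set, the device names and the vendor/product ids are all assumptions made for the example.

```python
"""Added example (not from the thread): evaluate the proposed USB policy
against constructed Linux-style kernel log lines. Passive mass-storage
enumerations are allowed, HID input devices are allowed only on designated
trusted ports, and every other HID device is held for explicit approval."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption for this example: port 1-1 is the front-panel port the operator can see.
TRUSTED_HID_PORTS = {"1-1"}

# The kernel announces a new input device as "input: <name> as <sysfs path>";
# for USB devices that path contains the port path followed by the interface,
# e.g. ".../1-2.4/1-2.4:1.0/...". Mass storage is announced by usb-storage.
INPUT_RE = re.compile(r"input: (?P<name>.+?) as (?P<path>/devices/\S+)")
PORT_IN_PATH_RE = re.compile(r"/(?P<port>\d+-\d+(?:\.\d+)*):\d+\.\d+/")
STORAGE_RE = re.compile(r"usb-storage (?P<port>\d+-\d+(?:\.\d+)*):\d+\.\d+: USB Mass Storage")


@dataclass
class Decision:
    port: str
    kind: str     # "hid" or "storage"
    action: str   # "allow" or "hold" (hold = wait for explicit operator approval)
    name: str


def decide(line: str) -> Optional[Decision]:
    """Classify one log line; None means the line carries no USB policy event."""
    m = INPUT_RE.search(line)
    if m:
        pm = PORT_IN_PATH_RE.search(m.group("path"))
        if pm is None:
            return None  # not USB-attached (e.g. the laptop's built-in keyboard)
        port = pm.group("port")
        action = "allow" if port in TRUSTED_HID_PORTS else "hold"
        return Decision(port, "hid", action, m.group("name"))
    m = STORAGE_RE.search(line)
    if m:
        return Decision(m.group("port"), "storage", "allow", "mass storage")
    return None


def evaluate(log: str) -> List[Decision]:
    return [d for d in map(decide, log.splitlines()) if d is not None]


# Constructed sample log: a keyboard on the trusted front port, the built-in
# keyboard, then a "charging cable" on a rear hub port that enumerates as both
# a keyboard and a storage device. Vendor/product ids are placeholders.
SAMPLE_LOG = """\
usb 1-1: new full-speed USB device number 3 using xhci_hcd
input: Example Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-1/1-1:1.0/0003:1234:0001.0002/input/input5
input: AT Translated Set 2 keyboard as /devices/platform/i8042/serio0/input/input1
usb 1-2.4: new full-speed USB device number 4 using xhci_hcd
input: Charging Cable as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2.4/1-2.4:1.0/0003:1234:0002.0003/input/input6
usb-storage 1-2.4:1.1: USB Mass Storage device detected
"""


if __name__ == "__main__":
    for d in evaluate(SAMPLE_LOG):
        print(f"{d.action:5} {d.kind:7} port={d.port} {d.name}")
```

The interesting output is the second input device: the "cable" enumerates as a keyboard on an untrusted hub port, so it is held even though its storage interface on the same port is allowed. On Linux, USBGuard implements this kind of allow/block policy on real enumeration events rather than on log text.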
>Will the solution to this, then, be to have some sort of "smart card enabled device"? For example, assuming TOFU, you manually accept all device's public keys (and all devices, including cables and stuff will have one of these). Then, the computer will have to verify all actions done by those devices by sending a challenge for each action.
Even that's not enough. If you're feeling extra-evil you could tamper with the keyboard switches/traces to do whatever evil stuff you want. It's not like you can authenticate the on/off state at a switch level.
No need for any public crypto. On first use, the computer issues a unique key which the device uses to authenticate all messages, for example with hmac.
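To make the pairing idea from the two comments above concrete (a host-issued key on first use, every report authenticated with an HMAC, and the earlier worry about a rogue device simply guessing a serial number), here is an added example that is not code from the thread or from any product mentioned in it. It simulates both sides in one process; the frame layout (8-byte counter, report, 32-byte tag) and the device ids are assumptions made for the example.

```python
"""Added example (not from the thread): a host issues a per-device secret on
first use, and the device authenticates every report with an HMAC plus a
monotonically increasing counter, so a rogue cable that guesses a serial
number still cannot forge or replay keystroke reports."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

COUNTER_LEN = 8   # big-endian 64-bit message counter prefixed to every report
TAG_LEN = 32      # HMAC-SHA256 tag appended to every report


class PairedKeyboard:
    """Simulated keyboard firmware holding the key the host issued at pairing."""

    def __init__(self, key: bytes) -> None:
        self.key = key
        self.counter = 0

    def send_report(self, report: bytes) -> bytes:
        # The counter increases on every report; the host refuses anything not
        # newer than the last accepted value, which defeats replay of a captured frame.
        self.counter += 1
        header = struct.pack(">Q", self.counter)
        tag = hmac.new(self.key, header + report, hashlib.sha256).digest()
        return header + report + tag


class Host:
    """Host side: pairs a device once, then verifies every frame before acting on it."""

    def __init__(self) -> None:
        self.keys: Dict[str, bytes] = {}
        self.last_counter: Dict[str, int] = {}

    def pair(self, device_id: str) -> bytes:
        # Trust-on-first-use: the host, not the device, picks a random 256-bit
        # key, so there is no device-chosen identifier for an attacker to guess.
        key = os.urandom(32)
        self.keys[device_id] = key
        self.last_counter[device_id] = 0
        return key

    def accept(self, device_id: str, frame: bytes) -> Optional[bytes]:
        """Return the report if it is authentic and fresh, otherwise None."""
        key = self.keys.get(device_id)
        if key is None or len(frame) < COUNTER_LEN + TAG_LEN:
            return None
        header, report, tag = frame[:COUNTER_LEN], frame[COUNTER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, header + report, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        counter = struct.unpack(">Q", header)[0]
        if counter <= self.last_counter[device_id]:
            return None
        self.last_counter[device_id] = counter
        return report


def demo() -> Dict[str, Optional[bytes]]:
    """Run the four cases a practitioner would want to see; values are the accepted report or None."""
    host = Host()
    keyboard = PairedKeyboard(host.pair("kbd0"))
    genuine = keyboard.send_report(b"\x04")          # HID keyboard usage 0x04 = 'a'
    rogue = PairedKeyboard(os.urandom(32))           # same wire format, wrong key
    return {
        "genuine": host.accept("kbd0", genuine),
        "replay": host.accept("kbd0", genuine),
        "forged": host.accept("kbd0", rogue.send_report(b"\x04")),
        "unpaired_id": host.accept("cable1", genuine),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'accepted' if result else 'rejected'}")
```

Only the first case is accepted; the replay, the forged frame and the unpaired device id are all dropped. The host still needs a trusted path to perform the one-time pairing (the built-in keyboard or a designated port, as discussed above), and, as another reply notes, this authenticates the device's messages, not what happens inside the device.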
What is the wifi for? the only attack I can possibly see here is pretending to be a keyboard. And you don't need wifi for that, you just need a pre programmed set of steps to set up remote control for the pc.
That hardware solution sans wifi could offer some interesting security solutions such as trusted bridge between any computer and your mobile phone. Can't wait to see this torn down and hacked.
so... that could be useful to penetrate secure facilities, like nuclear weapons bunkers/reactors. A worker is sent a cable as a "gift" or has one substituted in by mail intercept for an actual order. Attacker waits outside in a van and controls things over wifi.
Also a reason why the TEMPEST standards exist, wifi isn't going to go very far through the walls of a shielded facility that is basically a huge Faraday cage.
Most operating systems trust USB devices completely. You can send keystrokes that open a text editor and type malware that'll do whatever you want, and you can control the attack in real time via wifi.
(it couldn't read user keypresses unless they use the cable to plug in their keyboard)
It certainly could read user keypresses after it typed in malware with a keylogger, and then transmit your keypresses over its wifi (not your network, where it might be detectable) back to the attacker.
It looks like this hack uses an esp8266, which supports WiFi. Most likely the chip is booting up its own WiFi network for the phone to connect to, the phone is sending the payload over this network, and running the usb exploit. Some esp family chips should also support Bluetooth.
Another reason to use QubesOS, where usb devices are connected to a separate virtual machine without any networking. And any usb keyboards are only activated after a confirmation.
Would a high voltage loop, for breaking components, be a good solution to an attack like this? Like, fry the electronic components to verify it's just plain metal on the insides?
- The cable is inserted into the victim's computer
- The electronics inside the cable create a WiFi network
- The attacker uses a separate computer to connect to this WiFi network
- Transmit the payloads to the victim
- ???
- Profit
It creates a wifi hotspot and the attacker can connect to that using another device from a distance. They can then do stuff via the USB port, for example send key presses.
Or if a real parabolic antenna is too expensive, sticking a copper wire on a BNC connector mounted in a Pringles can (5 GHz) or wider tin soup can (2.4 GHz) works as a cheap alternative.
Even simpler would be to take a standard dipole and put a corner reflector around it (not quite as pin-point powerful, but you can still get plenty of gain). You can make these out of roofing flashing.
Would this small device even be able to send data back to the antenna to complete the connection? It might work with a non standard protocol though, where it just accepts data sent to it via 2.4GHz.
Also, the 8 mile range is obviously very theoretical, in a direct line from point A to point B with no obstacles.
Huh, so all it takes is someone to break into your home when you're gone and swap a cable. Seems like privacy doesn't really exist for people who truly need it. Unless they're not using any technology.
Huh? What I wrote is basically saying privacy doesn't exist for the ones who truly need it. Since those two cases you write in question are pretty much universal and the majority of people using technology would be prone to them. Unless they're not using any form of technology.
There's no mention of using the rest of the cable as the antenna, since in my experience the above tiny adapters have an equally tiny antenna and thus poor reception.
It’s still impressive. It looks really close to the official Apple one and I wouldn’t think twice about plugging an iOS thingy into my computer with it. The only telltale might be how the coating feels (the Apple ones have a specific rubberized texture), but that wouldn’t be enough to prevent me from plugging it in.
Edit: stupid me, he probably just replaced the USB-A side of a legit Apple one. Ignore the part about the coating.
> There's no mention of using the rest of the cable as the antenna, since in my experience the above tiny adapters have an equally tiny antenna and thus poor reception.
Not sure how far you were from your router but I bought one of these and it worked quite fine through walls.
About a month ago I found a similar device on aliexpress that has GPS and SIM card slot:
https://www.aliexpress.com/item/1m-USB-Charging-Data-Cable-f...?
And it's only 10 bucks!
> "Sorry, this product is sold out"
I wonder how many things like this are in the wild and nobody's noticed.
Would be even scarier with eSIM, but I suppose it's just a matter of time before we get that.
I bet it's there, someplace, for sometime now.
Wow, do you know it actually works? Seems cool.
Looking at the reviews, it seems that the "GPS" is just a cell tower ID, and the microphone is very quiet.
OK, it's not NSA-level tech, but a $10 hidden mic with location and GSM cellular built into a charging cable, that 95% of us never think twice about, is scary cool.
99.9%
This is scary. I mean someone can just replace the cables in my house and my phones and computer would become infected. I can't even imagine the headache this does for company's cybersecurity practices.
A rogue janitor replaces the usb cables on some of the employees of a company that makes $INSERT_SUPER SECRET_TECH$ and done.
In secure locations it's common for USB ports to be physically blocked (the ones I've seen with glue/resin).
In super secure locations like a SCIF, a TSCM (technical surveillance countermeasures) team comes through on a regular basis with highly sensitive, expensive portable spectrum analyzers, which would find this really quick.
If you were designing a modern bug, wouldn't you make it cache data and limit its transmission window to one second a week?
You're completely correct. You'd have to be watching that frequency continuously. Fortunately, there's another way...
Nonlinear junction detectors can find semiconductor things, be they powered on OR off. Long story short, you blanket an area with GHz rf, and then look at the harmonics of the freq you spray it with.
I can see how to create one with a 2.4GHz transmitter and a DSP. I know the prices I've seen are in the thousands of $$$, in which it's not terribly complex. The hardware would probably cost around a few hundred, primarily cause DSPs are $$$$
https://en.wikipedia.org/wiki/Nonlinear_junction_detector
Yes, burst transmitters have been a thing for a very long time
Speech to text aboard, compress the text and send it in bursts at random times.
Completely out of scope of anything but superpower espionage, but that got me wondering if you could do something useful with a nanoscale mechanical computer built the same way they do those microchip gyroscopes. The simplest would be a mechanical timer for toggling power only when there's no countermeasure scan going on, but I wonder if there are other clever things you could do if you had a nationstate budget
I've made and will be giving a talk on what a TSCM team would use.
My talk was accepted at CircleCityCon in Indianapolis IN. I've built a tablet capable of intercepting and injecting radio from 20MHz to 1.5GHz.
https://ccc2019cfp.busyconf.com/activities/5c3a57314808fac10...
https://mobile.twitter.com/CrankyLinuxUser/status/1097884386...
Repo: https://gitlab.com/crankylinuxuser/siginttablet
Why would a TSCM want to inject traffic and potentially alert the adversary to the detection? Have you seen some of the spectrum analyzers built on HackRF?
because for me, doing TSCM is only half of what I'm wanting to do.
There's a lot of wireless stuff out there, not using 802.11__ or BT specs and frequencies. Are these things secure? Probably not. Are they encrypted? Perhaps. Do they defend against replay? Likely not.
But in the end, how do we assess? Standard TSCM gear can do a good job scanning and finding peaks. But its not for protocol decoding and device assessments. My goal is to "Identify signals, categorize protocols for signals found, decode if possible, and attempt to access/exploit".
This is awesome and thanks for sharing it, do you know if the circle city con talks are going to be recorded? I'd love to see a walk through of this stuff
I've never attended CircleCityCon before, but in my experience, hacker cons do record. The problem I find is the smaller cons end up hosting the videos on a private server.
You could certainly ask them over twitter. In my experience they return questions in an hour or 2.
Hey, thanks for the response, I'll definitely follow up with them on twitter. And, seriously man, very cool stuff, very interested in digging in
Thank you!
Ideally, if you don't care about looks, all you need is a Raspberry Pi 3B+, keyboard/monitor/screen, RTL-SDR, and a wire.
The wire is hooked up to GPIO 4 and used in conjunction with RPITX library.
The Rtlsdr allows receiving radio signals.
The only broken thing right now, is that changing GPU clock frequencies does "weird" things to the onboard wifi (unsurprising).
My next step will be making 2 scripts: 1 to install a SigInt tooling, and 2 is to update said tooling.
We stayed on NT4 into the mid-aughts partially because of the lack of USB support.
I have seen in the UK solder used to physically block USB ports on laptops - this was QinetiQ (the bit that remained as civil servants).
Of course they equipped the laptop with a cd burner
> I have seen in the UK solder used to physically block usb ports on laptops
With devices moving to USB-C for data and charging I wonder how security companies are going to prevent physical access to USB ports...
You'll remove the USB controller from the USB port on the laptop, then provide an adapter that has a USB controller, and plug it into the regular USB cable.
Disable the USB controller?
It's necessary to negotiate the power requirements.
I did not know this, that is interesting.
As in, the OS driver for the USB controller? Feels like a lot.
Google USB-PD. Devices on either end of the USB cable could be dumb, and it would revert to some base minimum requirements (5V 500/900mA or so). But notebook may not be able to negotiate for higher power or higher voltage for charging.
How? I've never seen a device, certainly not a PC, that will just randomly connect to any router it sees without some sort of user input.
I think the device featured in the article "merely" appears as a keyboard to the victim machine. The attack can then transmit keystrokes over WiFi. (This is still sufficiently dangerous. Essentially, it's "open terminal, download evil.exe, execute evil.exe, minimize/close" and escalate from there. So, not something you want to happen.)
That said, if you click the link next to BadUSB, they detail attacks whereby the device pretends to be a USB Ethernet adapter instead. And while you're right that stuff typically wants user input prior to connecting to WiFi networks, I don't think anything prompts before connecting to wired networks. The onboard WiFi could even make it appear to work, so as to not arouse suspicion (by simply bridging the pretend-ethernet to the WiFi), but now your attack has a MitM and a keyboard…
Needless to say, you don't want random USB devices getting plugged into your machine.
I’m sure there are some secure networks that require 802.1x authentication against a specific certificate authority, which would ensure devices only connect to a trusted network. That’s definitely an exception rather than the rule though - I’ve never worked anywhere that does anything more than limiting which device can connect to a particular switch port.
I've also seen wired network authentication, but that's typically the network authenticating the devices that connect to it. This is more like the need for the device to authenticate the network that it's attached to, or really, to authenticate the USB devices attached to it. This is somewhat problematic: I feel like most employees/people want to go to a coffee shop and do work, or work at home, etc. How does one distinguish between those networks and the rouge ones?
(I think ideally, you don't distinguish. Every network is equally untrusted, and you rely on good end-to-end encryption. That doesn't address the rogue HID attack, however.)
I've also seen unauthenticated corporate networks where STP packets reach the end user ports, and AIUI, the right response packet would direct the network to start sending all traffic my way…
Via the microcontroller embedded with the wifi adapter in the cable. It can effectively operate as a separate computer which uses the host PC parasitically for power and I/O.
My understanding is that it allows an attacker connected to it via WiFi to mess with the plugged-in computer using USB (pretending to be a keyboard).
See the Twitter video: https://mg.lol/blog/omg-cable/
A secretly-IoT keyboard that shares your key presses and may "type" malicious stuff when you're not looking at it; the OS wouldn't be able to tell it's not you doing the typing. Not scary at all, no sir.
It can't read your keypresses (I think)
So long as it can simulate them, installing a keylogger that can read them too is a matter of a few seconds (to "type" a PowerShell script that will download and execute the desired payload).
It can't (unless it's the keyboard cable).
HID is usually OK with systems, and hence a wireless mouse and keyboard can be pretended.
A Windows hack may be: the “mouse” would move to the leftmost bottom corner, then click. Type search terms like Cmd<r>. Then, if one can get hold of the window one is in ...
Any better idea?
<windows-key>R brings up a run dialog with the focus already in the text box waiting for a command. No mouse needed.
Keyboard shortcuts.
I took GP to be speculating about a hypothetical secretly-IoT-keyboard, not the cable being discussed. Similar thoughts are explored in the comments on TFA.
Yes. I assumed it would be straightforward after you figure out how to hide wifi inside a USB cable.
Unless the attacker is able to view the screen somehow then this is pretty useless. Or at least no more useful than fake keyboards without WiFi.
PrintScreen/Upload screenshot to web server/Wait for command
Better than that is to just type a PowerShell script that gets all the info immediately and sends it to a server.
You can do all of that without WiFi. How is an attacker with no vision of the screen any more useful than a script that can auto type a command to get remote access?
A script that can autotype a command to get remote access needs to be able to communicate over your network, and it can be detected or blocked by your network security infrastructure.
A device like this packages its own covert communications channel together with the exploit dropper; it provides an entry point to your network (and exfiltration channel) that bypasses all your filtering, logging, scanning, etc.
It's more useful precisely because there's nothing running and no remote access on the OS. Traceless. Norton ain't catch that.
That's the same as regular fake keyboard usbs. The WiFi has no advantage here
The 'ESPloit v2' [1] appears on USB as both a keyboard and a serial port, and any data sent on the serial port can be exfiltrated by the ESP8266 over its own wifi connection.
You can also imagine a loop where first you install a keyboard logger and exfiltrate the user's password, then later you want to update the exploit scripts to make use of the password. Or hell, maybe this is a prank product and having a wireless button to rickroll your victim on demand makes you laugh.
With that said, the first person to make a fake USB keyboard had a much bigger and more exciting trick than this incremental change.
[1] https://github.com/exploitagency/ESPloitV2
Edit: Or to put it another way, this is like the NSA's "Cottonmouth" bug, which "will provide air-gap bridging, software persistence capability, 'in-field' re-programmability, and covert communications with a host software implant over USB" [2] but 10 years later and without charging a million dollars for 50 units.
[2] https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NS...
It gets uglier, if the person who wrote this added in an underclocker.
https://hackaday.com/2019/01/04/underclocking-the-esp8266-le...
Long story short, underclocking the ESP12 compresses the RF envelope for 2.4GHz. It also means the RF energy is in what looks like 1/3 of a normal 2.4GHz channel.
The awesome side effect is that this device's SSID is completely hidden from regular 2.4GHz radios. You need another ESP12 with the same underclock ratio... and then need the SSID (if hidden), and the password.
You'd be able to find it using an ADALM-PLUTO. It'd stick out like a sore thumb, but it still wouldn't make sense what's going on unless you build a decode stack in Gnu Radio.
It looks like it could be a variant of this squashed down to fit in the connector of a cable. https://github.com/spacehuhn/wifi_ducky
If it is, then the computer doesn't connect to a router at all. The USB cable could make itself available as a network that you remotely connect to then execute commands. The cable then types out your commands as it imitates a USB keyboard. Have you ever seen a device or PC that randomly trusts a USB keyboard you plug into it?
I can't tell if you're being sarcastic or not but yes, every device I own automatically accepts input from any keyboard I plug in.
Sorry, I was trying to reply to the above comment by structuring it in the same way, but making one minor switch to show how severe the issue can be. Trusting a router may not happen, but trusting a keyboard (as you've pointed out) almost always does.
'How' is DHCP.
That's one. Apparently there are at least 28 more ways to use USB to attack a machine.
https://www.bleepingcomputer.com/news/security/heres-a-list-...
>'How' is DHCP.
Not without notice. Your computer won't connect to a wireless network automatically. So in order for this to work, the USB device needs the same SSID and key. Then, in order to make it not suspicious (and get your data) you need to actually forward traffic to the internet. Not sure if those devices can repeat.
Emulating a USB ethernet adapter might help you, as those will connect, but without an uplink it's still suspicious.
The "cable" has WiFi, so it's probably possible to set up a hidden WiFi network around the premises of the target and have the implant connect with that. With the right type of antenna you can set up a WiFi connection to a specific device from quite a way away. Then tunnel the connection from your malicious AP and emulate ethernet on the USB side of the implant.
Or, search for open/guest networks and use those as an uplink. There's plenty of possibilities for this to work as a malicious network adaptor.
However, I think the network example is just a proof of concept and the remote connectivity is much more interesting to any real attacker.
Doable with an ESP chip, monitoring for open WiFi networks and connecting to whatever is available. Then you could have it await further instructions from a C&C.
That wouldn't need further actions from the victim.
Any PC may randomly connect to any router it sees if it firmly believes that is the same router the user allowed it to connect last time.
Who needs access to a router, just sniffing for passwords this would work.
Put in the right machine and you can see every company memo as it is written.
Or just sell you generic looking cables that have all these funzies inside on amazon/new egg/your favorite online store!
While I understand how this could've been fun to 'try out', I can think of nothing but ways that this can be seriously abused. (atm attacks, corporate spying, ...)
Can a device like this be used to do anything positive toward humanity?
Did I misunderstand something? (I'm genuinely curious!)
Edited: reworded (honest) question to be less negative.
> Can a device like this be used to do anything positive toward humanity?
PoCs are often what lead to security changes. This device just existing will spur research into how to to defeat it which in turn may lead to improved security for all.
>How does a device like this do anything but affect humanity in a negative way? How is the kind of 'research' remotely legal?
Here is some advice: whenever you think “there ought to be a law...” there probably shouldn’t be.
Planes would be falling out of the sky and high rises would be on fire if everyone had your sense of what types of research should “be allowed”.
> whenever you think “there ought to be a law...” there probably shouldn’t be
I actually totally agree (which is the reason for my edited response above, before your comment arrived)... but there must be limits, mustn't there? We don't arbitrarily allow murder, rape or theft.
Looking at the concept of "freedom" is a tricky thing, I've found. At what point does "doing whatever I want" become unacceptable to the very society that bred that behaviour? What should that society do to curtail behaviours that are actively destructive against it?
As an individual in society, shouldn't I make some stand (as feeble as it might be), against what I (personally) think as exceedingly disruptive and that goes against the "common good"?
By the downvotes I've received, it seems that my voice is very much unwanted - which seems to show how it is "me" that is the outcast in this situation, and not this builder of spyware. To me this is ironic (but irrefutable), despite the honest question of the purpose of this device which has been popularised on a well known 'tinkering' site.
You've upset people because what you seem to be talking about is either highly specific prohibitions, or a general prohibition on unlicensed tinkering and innovation. The latter will go down like a ton of bricks here and would have prevented most of the computer technological developments of our lifetimes.
But the way out of this is actually to make the constraint more orientated on the harm. Several jurisdictions already ban the sale of spy devices. Many have rules about non-consensual recording. Or general privacy rules.
Don't try to ban building things unless the other approaches have been tried and failed. The solution to "upskirting" and other non-consensual intrusive photography has been bans on doing that, not a ban on smartphones. There are all sorts of things that you can legally build and tinker with but not market to the public.
(Security researchers are particularly salty about this because you can't get people to take a threat seriously without building a proof-of-concept, but that is in itself a weapon. Often you can't prove a system is insecure without breaking it.)
I don’t know how to reply without being too snarky. Is your position that we shouldn’t “allow” someone to build a wifi module hidden in a USB cable, because we don’t allow rape and murder?
I’ll let someone else see if they can help you out. But I think you need to take a BIG step back and ask yourself this: “have I solved all the problems in my own life?” and if the answer is no, stop thinking so much about what other people should be “allowed” to do. Worry about self. Take up the position that my right to swing my fist ends at your nose.
I think I've inadvertently pressed some buttons, which I do apologise for - wholeheartedly! The written language is a very imperfect thing to get right. I'm not trying to bait anyone in words.
Ironically, I do try to "let it be" and to not be a hypocrite in my day to day life. However, we are imperfect beings, and we all make mistakes (well, at least I do!).
I recognise the engineering and technical expertise of this device... but all through its design phase and its production, was there ever a purpose other than spyware? Was it ever meant to be anything other than nefarious?
For it's when someone can say to me "Oh, it's a really good thing because x,y,z" then I'll have learnt something new about the rich tapestry of life -- and I ask this because I don't understand, & not because I'm trying to lord it over anyone.
Again, apologies.
I think the point of people doing this is to prove publicly that it can be done, and therefore almost certainly has already been done before by someone with nefarious intent who kept it quiet.
Perhaps I'm misunderstanding your comment but the reason planes aren't falling out of the sky and high rises aren't all on fire is because these things are so heavily regulated.
Not that I'm a fan of knee-jerk reactive lawmaking, but they struck me as odd examples.
Maybe he used an inaccurate analogy, but if we had laws preventing inventing questionable technology we might not have a lot of things we take for granted. More like the Wright brothers being banned from testing on the beach because they could hurt someone.
>I mean someone can just replace the cables in my house and my phones and computer would become infected.
Only if you leave your computer unlocked and unattended. If it's attended, obviously you'll see something's going on and pull the plug on the computer and probably investigate further. If your computer is locked (which is a good habit to have when leaving your workstation), the faked keyboard can't do.
So you bring all your cables with you everywhere you go?
I think OP is saying that these cables could be swapped out while you’re away.
As for “seeing that something is going on”, I really don’t think anyone worth half their salt would allow for such a scenario... authors of such implants aren’t exactly registering the device with the OS.
If you can do this for kicks, imagine what you can do with a budget.
It's basically what the NSA's ANT catalogue had in their COTTONMOUTH devices, among others [1]
[1]: https://en.wikipedia.org/wiki/NSA_ANT_catalog
http://www.nsaplayset.org/turnipschool
Naomi Wu reported on those last August.[1] There's one on Amazon that uses GSM, but it's 2G.[2]
[1] https://twitter.com/realsexycyborg/status/103190315541447884...
[2] https://www.amazon.com/Jiusion-Listening-Surveillance-Quad-b...
This is a couple levels past just a simple audio recording device.
It's a remote control rubber ducky and more.
I'm wondering whether any of the Google security team will use this for their "leaving tradition" [1], or whether it's considered cheating, just too easy.
[1]: https://twitter.com/LeaKissner/status/1085624255381827584
I worked on a security team that did this when I left - I taped & signed every USB connection at my desk and checked the signatures every time before I unlocked it.
I must be out of the loop but, how do you sign USB connections?
"Tape and sign" sounds like apply tape and add a signature on the tape that you don't expect anyone else to be able to replicate reliably.
I think they mean literally stuck tape across the connection and signed that.
Here's the announcement tweet with a video demonstration:
https://twitter.com/_MG_/status/1094389042685259776
I guess even some sort of "signed device protocol" will not work. An attacker can just create a device that guesses the device identifier (or whatever is used to create the signature). Then, the attacker device can just keep guessing until it gets it right. Chances are, some serial number or similar will be used for this, so continuous guessing is feasible.
Will the solution to this, then, be to have some sort of "smart card enabled device"? For example, assuming TOFU, you manually accept all device's public keys (and all devices, including cables and stuff will have one of these). Then, the computer will have to verify all actions done by those devices by sending a challenge for each action. But this seems impractical and inefficient...
Perhaps physical security is the only way for this...
On Windows XP this would display a “new device: keyboard connected” balloon and the Safely Remove Device icon would immediately set-off my spidersense - it’s unfortunate that newer releases of Windows hide those notifications by default and the only clue that something might be wrong would be hearing the generic device connected sound multiple times in quick succession which many users might think was their sound-card glitching.
I think a solution is for OSs to only allow the automatic mounting of newly-attached devices if they’re “passive” (e.g. mass storage - assuming no autorun.ini, output-only devices, HID class devices that only expose game-controller functionality, etc) - other device classes like mice and keyboards plugged-in to non-trusted ports should always require explicit approval.
While we’re on the subject: keyboards can be massively improved by adding over-the-wire encryption to prevent keyboard-port logging, and the USB keyboard class should be extended to include the keyboard declaring its layout to the host OS. It’s silly that we still need to configure keyboard language settings or that the OS infers it from our regional settings.
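The policy proposed two comments up (auto-enable only "passive" device classes, require explicit approval for keyboards, mice and network adapters on untrusted ports) can be expressed as a small classifier over the USB interface descriptors a device announces. The following is an added example, not code from the thread or from any OS; class/subclass/protocol codes are the standard USB-IF values, the sysfs reader follows the Linux layout `/sys/bus/usb/devices/<dev>/<dev>:1.N/`, and the sample devices and port names in `__main__` are constructed. It goes slightly beyond the comment by also treating a composite "storage plus keyboard" device and a CDC-ECM/RNDIS "cable posing as ethernet" as approval-required.

```python
"""USB attach policy by interface class (added example, not from the thread).

A newly attached device is auto-enabled only if every interface it exposes is
"passive" from the host's point of view. Any interface that can inject input
(HID keyboard/mouse) or give the host a network path (CDC-ECM/NCM, RNDIS) must
be approved explicitly, unless the device sits on a port the operator has
marked trusted, and even then only for input devices.
"""
from pathlib import Path
from typing import Iterable, List, Optional, Tuple

Interface = Tuple[int, int, int]  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

# Classes that cannot drive the host or hand it a network path on their own.
PASSIVE_CLASSES = {0x01: "audio", 0x07: "printer", 0x08: "mass storage",
                   0x09: "hub", 0x0A: "CDC data", 0x0E: "video"}


def describe_active(iface: Interface) -> Optional[str]:
    """Return a reason string if this interface needs approval, else None."""
    cls, sub, proto = iface
    if cls == 0x03:                       # HID
        if proto == 0x01:
            return "HID keyboard (keystroke injection possible)"
        if proto == 0x02:
            return "HID mouse (pointer injection possible)"
        # A game pad and a non-boot keyboard share class 03/00/00; only the report
        # descriptor tells them apart, and class codes do not expose it. Be conservative.
        return "generic HID (report descriptor not inspected)"
    if cls == 0x02 and sub in (0x06, 0x0D):
        return "CDC-ECM/NCM network adapter (rogue network path)"
    if cls == 0x02 and sub == 0x02:
        return "CDC-ACM serial port (possible covert channel)"
    if (cls, sub, proto) == (0xE0, 0x01, 0x03):
        return "RNDIS network adapter (rogue network path)"
    if cls in PASSIVE_CLASSES:
        return None
    return f"unrecognised class 0x{cls:02x}"


def decide(interfaces: Iterable[Interface], port: str, trusted_ports=()):
    """Return ("allow", []) or ("prompt", [reasons]) for a device on a given port."""
    reasons = [r for r in (describe_active(i) for i in interfaces) if r]
    if not reasons:
        return "allow", []
    if port in trusted_ports and all("HID" in r for r in reasons):
        # Operator-visible front port: input devices there are accepted, but a
        # network interface is never trusted just because of where it is plugged in.
        return "allow", []
    return "prompt", reasons


def read_sysfs_interfaces(dev: str, sysfs: str = "/sys/bus/usb/devices") -> List[Interface]:
    """Collect (class, subclass, protocol) for every interface of a real attached device."""
    out: List[Interface] = []
    for iface_dir in sorted(Path(sysfs, dev).glob(f"{dev}:*")):
        vals = [int((iface_dir / name).read_text().strip(), 16)
                for name in ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")]
        out.append((vals[0], vals[1], vals[2]))
    return out


if __name__ == "__main__":
    # Constructed sample devices and port names (not read from hardware).
    samples = {
        "plain flash drive": ([(0x08, 0x06, 0x50)], "1-1.2"),
        "keyboard on front (trusted) port": ([(0x03, 0x01, 0x01)], "1-1"),
        "keyboard on rear port": ([(0x03, 0x01, 0x01)], "3-4"),
        "storage that is also a keyboard": ([(0x08, 0x06, 0x50), (0x03, 0x01, 0x01)], "3-4"),
        "cable posing as ethernet": ([(0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)], "1-1"),
    }
    for name, (ifaces, port) in samples.items():
        print(f"{name:35s} -> {decide(ifaces, port, trusted_ports={'1-1'})}")
```

On a Linux host, `read_sysfs_interfaces("1-1")` feeds `decide` from the real descriptors; the class codes are read before any driver binds, which is the moment a policy like this has to act.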
How would you approve the keyboard without using the keyboard?
Anyway since we are assuming physical access, they could just swap out your keyboard for one that works normally until you go for lunch, then starts typing for itself..
The OS could display a random sequence of keys that you have to press to enable the keyboard. If the evil cable can't see the screen it wouldn't know what keys to transmit.
This is not a serious suggestion since it would be annoying to most people.
No more annoying than Bluetooth pairing PINs or iOS's passcode-to-use-USB prompts. If the keyboard has secure stateful memory (e.g. for a client-certificate or client-secret) then the user would only have to enter it once.
> How would you approve the keyboard without using the keyboard?
On laptops the built-in mouse and keyboard would be "trusted".
On desktops and servers, I can think of a couple of strategies:
* Always trust keyboards only when plugged into certain USB ports (e.g. ports on the front of the computer highly visible to the computer's operator)
* Mutual keyboard/host authentication and encryption.
>Will the solution to this, then, be to have some sort of "smart card enabled device"? For example, assuming TOFU, you manually accept all device's public keys (and all devices, including cables and stuff will have one of these). Then, the computer will have to verify all actions done by those devices by sending a challenge for each action.
Even that's not enough. If you're feeling extra-evil you could tamper with the keyboard switches/traces to do whatever evil stuff you want. It's not like you can authenticate the on/off state at a switch level.
No need for any public crypto. On first use, the computer issues a unique key which the device uses to authenticate all messages, for example with hmac.
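The symmetric scheme just described, worked through as an added example (not code from the thread): on first use the host issues a random 256-bit key to the device, and afterwards every input report carries a counter and an HMAC-SHA256 tag over counter||report. This also answers the earlier worry about guessing a serial number: the serial only selects which key the host looks up, and a rogue device that spoofs it still cannot produce a valid tag, while the strictly increasing counter stops a captured report from being replayed. The device serial, the 8-byte boot-keyboard reports and the in-process "channel" are constructed for the demo.

```python
"""First-use pairing plus per-report HMAC between a host and a keyboard.

Added example of the symmetric scheme discussed above; not from the thread.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

TAG_LEN = 16  # truncated HMAC-SHA256 tag, in bytes
Frame = Tuple[str, int, bytes, bytes]  # (serial, counter, report, tag)


def _tag(key: bytes, counter: int, report: bytes) -> bytes:
    """MAC over the counter and the raw HID report so neither can be altered."""
    return hmac.new(key, counter.to_bytes(8, "big") + report, hashlib.sha256).digest()[:TAG_LEN]


@dataclass
class Keyboard:
    """Device side: the key the host issued (None until paired) and a monotonic counter."""
    serial: str
    key: Optional[bytes] = None
    counter: int = 0

    def send(self, report: bytes) -> Frame:
        self.counter += 1
        tag = _tag(self.key, self.counter, report) if self.key else b"\x00" * TAG_LEN
        return (self.serial, self.counter, report, tag)


@dataclass
class Host:
    """Host side: pairing table keyed by serial, plus the last counter accepted."""
    paired: Dict[str, bytes] = field(default_factory=dict)
    last_counter: Dict[str, int] = field(default_factory=dict)

    def pair(self, kb: Keyboard) -> None:
        """First use (TOFU): runs only after the operator approves this device."""
        if kb.serial in self.paired:
            raise ValueError("already paired; re-pairing needs operator action")
        key = secrets.token_bytes(32)
        self.paired[kb.serial] = key
        self.last_counter[kb.serial] = 0
        kb.key = key  # in hardware this is written to the keyboard's secure memory

    def accept(self, frame: Frame) -> bool:
        """True only for an authentic, fresh report from a paired device."""
        serial, counter, report, tag = frame
        key = self.paired.get(serial)
        if key is None:
            return False  # unknown device: fall through to an explicit approval prompt
        if counter <= self.last_counter[serial]:
            return False  # replay or reordering
        if not hmac.compare_digest(tag, _tag(key, counter, report)):
            return False  # forged or corrupted report
        self.last_counter[serial] = counter
        return True


def demo() -> Dict[str, bool]:
    """Exercise the four cases a host must get right; returns outcome per case."""
    host = Host()
    real = Keyboard(serial="KB-0001")          # constructed serial
    host.pair(real)
    results: Dict[str, bool] = {}
    frame = real.send(b"\x00\x00\x04\x00\x00\x00\x00\x00")  # boot report: key 'a'
    results["genuine report"] = host.accept(frame)
    results["replayed report"] = host.accept(frame)
    # A rogue device that spoofs the serial and even the next counter value,
    # but never received the key, cannot produce a valid tag.
    rogue = Keyboard(serial="KB-0001", counter=real.counter)
    results["rogue with spoofed serial"] = host.accept(rogue.send(b"\x00\x00\x15\x00\x00\x00\x00\x00"))
    results["second genuine report"] = host.accept(real.send(b"\x00" * 8))
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} accepted={ok}")
```

The one thing this does not cover is the point made about hardware tampering: authentication proves the report came from the paired controller, not that the switches feeding that controller are honest.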
What is the wifi for? the only attack I can possibly see here is pretending to be a keyboard. And you don't need wifi for that, you just need a pre programmed set of steps to set up remote control for the pc.
That hardware solution sans wifi could offer some interesting security solutions such as trusted bridge between any computer and your mobile phone. Can't wait to see this torn down and hacked.
so... that could be useful to penetrate secure facilities, like nuclear weapons bunkers/reactors. A worker is sent a cable as a "gift" or has one substituted in by mail intercept for an actual order. Attacker waits outside in a van and controls things over wifi.
Also a reason why the TEMPEST standards exist, wifi isn't going to go very far through the walls of a shielded facility that is basically a huge Faraday cage.
what's the attack? the website just drones on about a cable that, as far as i can tell, could just broadcast your keypresses over wifi.
Most operating systems trust USB devices completely. You can send keystrokes that open a text editor and type malware that'll do whatever you want, and you can control the attack in real time via wifi.
(it couldn't read user keypresses unless they use the cable to plug in their keyboard)
It certainly could read user keypresses after it typed in malware with a keylogger, and then transmit your keypresses over its wifi (not your network, where it might be detectable) back to the attacker.
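Because the payload in the scenario above arrives as typed keystrokes, one host-side signal that does not depend on seeing the network at all is keystroke timing: a scripted HID device emits key events with very small, nearly constant gaps, while a person never sustains that. The detector below is an added example (not from the thread, and not any particular product's logic); the device names, the human-typing gaps and the injected gaps are constructed. It keeps a sliding window of key-press timestamps per input device and alerts when the window's median gap and spread both fall below thresholds.

```python
"""Keystroke-injection detector based on inter-keystroke timing.

Added example, not from the thread. Thresholds are illustrative starting points.
"""
from collections import defaultdict, deque
from statistics import median, pstdev
from typing import Deque, Dict, List, Sequence, Tuple

WINDOW = 12            # key events per decision
MAX_MEDIAN_S = 0.030   # people rarely sustain a median gap under 30 ms
MAX_SPREAD_S = 0.010   # and never a near-constant one


class InjectionDetector:
    def __init__(self) -> None:
        self._events: Dict[str, Deque[float]] = defaultdict(lambda: deque(maxlen=WINDOW))
        self.alerts: List[Tuple[str, float]] = []

    def observe(self, device: str, ts: float) -> bool:
        """Feed one key-press timestamp; True if this event triggers an alert."""
        q = self._events[device]
        q.append(ts)
        if len(q) < WINDOW:
            return False
        gaps = [b - a for a, b in zip(q, list(q)[1:])]
        if median(gaps) < MAX_MEDIAN_S and pstdev(gaps) < MAX_SPREAD_S:
            self.alerts.append((device, ts))
            q.clear()  # one burst yields one alert, then start fresh
            return True
        return False


def replay(detector: InjectionDetector, device: str, start: float, gaps: Sequence[float]) -> int:
    """Feed a first event at `start` then one per gap; return how many alerts fired."""
    t = start
    fired = int(detector.observe(device, t))
    for g in gaps:
        t += g
        fired += int(detector.observe(device, t))
    return fired


# Constructed samples: a person typing a sentence, and a scripted device typing a command.
HUMAN_GAPS = [0.08, 0.15, 0.22, 0.11, 0.09, 0.31, 0.14, 0.12, 0.19, 0.10, 0.16, 0.13, 0.21, 0.09]
INJECTED_GAPS = [0.004, 0.006] * 15

if __name__ == "__main__":
    det = InjectionDetector()
    print("human   alerts:", replay(det, "usb-kbd-A", 1000.0, HUMAN_GAPS))
    print("scripted alerts:", replay(det, "usb-kbd-B", 2000.0, INJECTED_GAPS))
    print(det.alerts)
```

A real deployment would read timestamps from the OS input layer (evdev on Linux, a low-level keyboard hook on Windows) and, on alert, detach or pause the offending device rather than just log; pasted text and accessibility tools can also type fast, so the window size and thresholds need tuning against real users.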
Remote keypress injection.
Can someone confirm for me? This needs a nearby wifi network that is either open or has credentials too, correct?
The video appeared to have it connect directly to the phone or to the network they both were on.
It looks like this hack uses an esp8266, which supports WiFi. Most likely the chip is booting up its own WiFi network for the phone to connect to, the phone is sending the payload over this network, and running the usb exploit. Some esp family chips should also support Bluetooth.
Okay, so the attacker would need to be within range. Is that a correct understanding?
Although that’s implied, you could use a proxy device nearby instead
"within range" can be quite far away if you use targeted directional antennas.
Another reason to use QubesOS, where usb devices are connected to a separate virtual machine without any networking. And any usb keyboards are only activated after a confirmation.
Noob question: How do you confirm?
Qubes is designed for laptops, so your first keyboard does not need any confirmation (it's not connected via usb).
upd: Alternatively, for installations with a usb keyboard, this defence is disabled.
Would a high voltage loop, for breaking components, be a good solution to an attack like this? Like, fry the electronic components to verify it's just plain metal on the insides?
Perhaps, but it could start a fire. You might consider plugging into a power supply and measuring if there is any current draw.
USB type A male-to-female inline ammeters are really cheap, and accurate to 0.1W. I got one for ten bucks.
How do you know THAT doesn’t have a surveillance device inside?
Sort of a "it's turtles all the way down" type problem, but one could always x-ray it.
+/-20mA seems a bit coarse...with modern low-power silicon, imagining it wouldn't be too difficult to skate under that radar.
A USB C cable has active electronics inside it; they are used to define the wire gauge of the conductors and the length of the cable.
Right. Also the Apple cords have an entire ARM micro in them for cable authentication.
Likely fry the conductors in the cable too. Might as well cut the cable in half...or leave it in the home of your enemy.
Just do an insulation test at say 250V using a commonly available 'megger' device
the cable is cool, but i'm more excited to read about his PCB manufacturing process. he built those tiny boards on a desktop CNC machine!
Does it just connect to the first WiFi which isn't password protected? I’m assuming it’s useless if there’s no open WiFi about?
I'm guessing it goes something like:
- The cable is inserted into the victim's computer
- The electronics inside the cable create a WiFi network
- The attacker uses a separate computer to connect to this WiFi network
- Transmit the payloads to the victim
- ???
- Profit
It creates a wifi hotspot and the attacker can connect to that using another device from a distance. They can then do stuff via the USB port, for example send key presses.
So they have to be close by.
https://www.simplewifi.com/products/parabolic-grid
"2.4Ghz wifi antenna extends a 7 degree wide cone, allowing it to perform over large distances up to 8 miles of range."
Or if a real parabolic antenna is too expensive, sticking a copper wire on a BNC connector mounted in a Pringles can (5 GHz) or wider tin soup can (2.4 GHz) works as a cheap alternative.
https://en.wikipedia.org/wiki/Cantenna
http://www.turnpoint.net/wireless/cantennahowto.html
Even simpler would be to take a standard dipole and put a corner reflector around it (not quite as pin-point powerful, but you can still get plenty of gain). You can make these out of roofing flashing.
Would this small device even be able to send data back to the antenna to complete the connection? It might work with a non standard protocol though, where it just accepts data sent to it via 2.4GHz.
Also, the 8 mile range is obviously very theoretical, in a direct line from point A to point B with no obstacles.
Info sec industry is a rabbit hole. Just ask Jeff Bezos.
Jeff Bezos would probably think "info sec" is a unit of time.
He is an Electrical Engineering and CS graduate from Princeton.
Having an engineering degree doesn't mean you necessarily know what 'infosec' is. Different domain and discipline.
What domain or discipline (specifically undergraduate major) does infosec fall under if not electrical engineering or computer science?
Any links to schematics and code?
Huh, so all it takes is someone to break into your home when you're gone and swap a cable. Seems like privacy doesn't really exist for people who truly need it. Unless they're not using any technology.
If someone's broken into your house, your privacy has been pretty seriously invaded already.
Do you not use laptops? Or do you never leave your home?
Huh? What I wrote is basically saying privacy doesn't exist for the ones who truly need it. Since those two cases you write in question are pretty much universal and the majority of people using technology would be prone to them. Unless they're not using any form of technology.
Brb signing up for Handy
Are there third-party OS extensions for macOS, like Little Snitch, that act as a firewall for USB-C devices?
It’s just crazy to me that plugging my Crapbook Pro into a USB-C power brick could do all sorts of bad to my computer when all I need is power.
The construction of this device is quite impressive, in that it fits entirely inside a USB plug
The level of miniaturisation is not all that impressive, these have been around for a while:
https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Su...
There's no mention of using the rest of the cable as the antenna, since in my experience the above tiny adapters have an equally tiny antenna and thus poor reception.
It’s still impressive. It looks really close to the official Apple one and I wouldn’t think twice about plugging an iOS thingy into my computer with it. The only telltale might be how the coating feels (the Apple ones have a specific rubberized texture), but that wouldn’t be enough to prevent me from plugging it in.
Edit: stupid me, he probably just replaced the USB-A side of a legit Apple one. Ignore the part about the coating.
> There's no mention of using the rest of the cable as the antenna, since in my experience the above tiny adapters have an equally tiny antenna and thus poor reception.
Not sure how far you were from your router but I bought one of these and it worked quite fine through walls.
I have this adapter, works well with a router two levels above.
Impressive for someone like me, who's not that close to the tech!
It says there's a microcontroller as well.
There's a microcontroller in the connector at each end of your USB Type C cables.
Well, I assume in this case, one that drives and controls the wifi independent of whatever you plugged this into.
The ones in those tiny dongles have one too.
* home manufacture.