Hacking Computers with a USB Charging Cable: The USBHarpoon Attack

A New Method for Hacking Computers Using a USB Charging Cable

In August 2014, well-known researchers Karsten Nohl and Jakob Lell from the consulting company Security Research Labs reported a “fundamental vulnerability in USB devices.” Later that October, they published code on GitHub that allowed computers to be hacked via USB. This class of attacks still enables attackers to take control of many devices with a USB port. An attacker can emulate any peripheral device, but keyboards are the most common choice.

Over the years, users have become more cautious about trusting USB devices. For example, many people would never risk plugging a flash drive found on the street into their computer, which is a wise precaution.

The idea of creating an ordinary USB cable that exploits the BadUSB vulnerability has been around for a while. A cable is much less suspicious to a potential victim than a peripheral device. However, until recently, there were almost no successful attempts to create such a cable.

The Creation of USBHarpoon

To develop USBHarpoon, experts from RFID Research Group, SYON Security, and Kevin Mitnick teamed up. Mitnick, inspired by the work of a researcher known as MG on Twitter, proposed the idea to the team. Earlier that year, MG had demonstrated an attack using a USB cable on his Twitter account, but Mitnick was unable to contact him directly to discuss collaboration.

Instead, Mitnick brought together specialists from the aforementioned companies, who successfully tackled the challenge. In his blog, Vincent Yiu from SYON Security explained that many hackers and experts had tried to create something similar to USBHarpoon, but always ran into obstacles. The combined research team managed to solve all the issues and designed a working USB cable that also functions as an HID-compliant device.

How USBHarpoon Works

USBHarpoon will work on any unlocked machine it is connected to. Once plugged in, the cable issues a series of commands that download and run a payload. On Windows, this is done directly through the Run dialog, while on Linux and macOS, it may require launching the terminal. By default, this activity is visible on the device’s screen, but the attacker can hide it if necessary. Currently, it is assumed that the attack would be carried out when the device owner is absent.
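Because the cable enumerates as an HID device, the host sees a new input interface where a charge-only cable would present none. The following check is an added example, not code from the researchers: it walks a raw USB descriptor blob (on Linux, assumed to be read from the `descriptors` file under `/sys/bus/usb/devices/<device>/`) and flags HID interfaces from devices missing from an inventory. The function names, the inventory set and both sample blobs are constructed for illustration.

```python
import struct

DT_DEVICE, DT_INTERFACE = 0x01, 0x04   # standard USB descriptor types
HID_CLASS = 0x03                        # bInterfaceClass value for HID
BOOT_KEYBOARD = (0x01, 0x01)            # (bInterfaceSubClass, bInterfaceProtocol)

def hid_interfaces(blob):
    """Walk a descriptor blob; return (idVendor, idProduct, [(iface, is_boot_keyboard)])."""
    vid = pid = None
    found = []
    pos = 0
    while pos + 2 <= len(blob):
        length, dtype = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            break  # malformed or truncated descriptor: stop instead of misparsing
        if dtype == DT_DEVICE and length >= 18:
            vid, pid = struct.unpack_from("<HH", blob, pos + 8)
        elif dtype == DT_INTERFACE and length >= 9:
            cls, sub, proto = blob[pos + 5], blob[pos + 6], blob[pos + 7]
            if cls == HID_CLASS:
                found.append((blob[pos + 2], (sub, proto) == BOOT_KEYBOARD))
        pos += length
    return vid, pid, found

def unexpected_hid(blob, known_input_devices):
    """True if the device exposes a HID interface and is not an inventoried input device.
    VID/PID are self-reported by the device, so a hit is a reason to investigate,
    while a miss is not proof that the device is harmless."""
    vid, pid, found = hid_interfaces(blob)
    return bool(found) and (vid, pid) not in known_input_devices

# Constructed sample: something plugged in "to charge" that enumerates as a boot keyboard.
CABLE = bytes.fromhex(
    "120100020000004034127856000101020001"  # device: VID 0x1234, PID 0x5678 (made up)
    "090222000101008032"                    # configuration, 1 interface
    "090400000103010100"                    # interface 0: HID, boot subclass, keyboard
    "092111010001223f00"                    # HID class descriptor
    "0705810308000a")                       # interrupt IN endpoint

# Constructed sample: a mass-storage device, which exposes no HID interface.
STORAGE = bytes.fromhex(
    "1201000200000040cdabefbe000101020001"  # device: VID 0xabcd, PID 0xbeef (made up)
    "090220000101008032"                    # configuration, 1 interface
    "090400000208065000"                    # interface 0: mass storage, SCSI, bulk-only
    "07058102000200" "07050202000200")      # bulk IN / bulk OUT endpoints
```

A device that already passed this check can still re-enumerate later with a different descriptor set, so the check belongs on every attach event rather than only at first connection.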

Ongoing Risks and Protection

Karsten Nohl, the author of the original BadUSB research, reminds us that the BadUSB problem has not been resolved and remains dangerous to this day. The only real protection against such attacks is using a special protective adapter, known as a USB condom. However, MG has also demonstrated on Twitter that even these adapters can be compromised, proving that they cannot be fully trusted either.

Vincent Yiu included a video in his report on the development of USBHarpoon, showing a drone connected to a Windows machine for charging, sending commands to the device and performing potentially malicious actions.
