The compromised machines could be used to collect user’s information
A new feature included in many modern laptops is the option to power them up through the USB port. Unlike the old USB ports, this new kind, the USB-C, can carry energy enough to charge your machine. This is a big plus, because you wouldn’t need to add a different port just to load, in addition, when the USB port is not used as a power source, it can be used to plug in storage devices or to charge your smartphone.
Anyways, specialists in enterprise network security from the International Institute of Cyber Security, consider that this function is an opportunity for hackers to exploit a new vulnerability.
An enterprise network security researcher, who has chosen to remain anonymous, has revealed some details about a project in which he developed a specially crafted MacBook charger that can be used for malicious purposes on a device, compromising it without the owner even noticing.
This is the type of hack that causes panic among professionals in enterprise network security. The typical white and square MacBooks chargers are located in offices and cafes around the world. They are borrowed, lost and replaced regularly.
As he has reported, the researcher dismantled the inside of a charger and filled it with small components that activate when the victim, unsuspectingly, plugs it to his computer. This is extremely difficult to detect, as the equipment regularly performs the battery charging process.
The device was able to insert a fake log in screen into a website. If this technique was used in a real scenario, the attacker could use this method to collect any relevant data through the fake site. “In the demo we are only collecting username and password”, the researcher said. “However, it could also be used to inject malware, root kits, or other types of malicious software”.
The project continues in testing phase, but the researcher thinks that the attack could work on any machine powered via USB-C, regardless of the manufacturer.
The researcher is keeping private the precise details of his project. Among the information he has revealed so far, he mentions he does not work for any security company, so he could invite other investigators to work with him in the development of this project, adding that he will eventually make public the content of this research.
The main premise of this attack is not a new discovery. In smartphones, where the charging point is often the same slot through which the device transfers data, hackers carry out the so-called “juice jacking” attacks. This attack takes advantage of people’s need to keep their devices powered so they don’t lose communication. What makes this new attack different is the use of USB-C, which has made it possible to extract information via laptop charger.
The easiest way to protect yourself against this type of attack is to take care of your charger, but once more details of the attack e revealed, better security measures will be also disclosed.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.