New USB attack variant via USB charging cable

This new attack relies on a previously released investigation

A group of cyber security organization specialists have created a malicious version of a USB charging cable capable of compromising any device in just a few seconds. Once plugged into the computer, the cable becomes a peripheral device capable of entering and executing commands.

The attack, named USBHarpoon by its developers, is based on the BadUSB research released a couple of years ago. This research showed that an attacker can reprogram the controller chip of a USB drive and make it appear on the computer as a Human Interface Device (HID).

This type of HID can be anything from an input device like a keyboard that emits a quick succession of commands, to a network card that modifies the DNS configuration of the system to redirect traffic. With USBHarpoon, cyber security organization experts replaced the USB drive with a charging cable, a most common device for which users do not implement any security measures.

The cable was included modified connectors that allow the transfer of data and energy to fulfill the required function. This feature allows the cable to be connected without raising suspicion of the attacker’s intentions.

It’s not a new idea

The cyber security organization specialist in charge of the design and assembly of the cable mentions that he spoke with several fellow investigators from different security firms who tried to build a project like USBHarpoon, but could not successfully develop it. “My team has managed to render the USB cable into a fully functional attack tool”, the expert added.

There even existed previously a USB cable specially crafted to deploy a cyberattack, developed by an anonymous researcher. This person was able to create USB cables that could perform HID attacks when connected to a computer’s USB port. The anonymous investigator also showed that the attack would work with a USB-C connector, used in MacBook chargers, informing that “it works on almost any device with a USB port, including smartphones”.

Possible defenses against USBHarpoon

The USBHarpoon attack is only successful on unlocked machines, where it can execute commands to download and execute a payload. The process to run the payload is visible on the screen, so hackers would have to find a method to hide the process from the user’s view. The USBHarpoon development team is currently exploring methods to trigger the attack when the victim is not near.

For cyber security organization specialists from the International Institute of Cyber Security, protecting against attacks deployed via USB is not easy. A possible solution is to use data-blocking devices, also known as USB condoms. This is an electronic accessory that blocks the data transfer via USB function and only allows the device’s charging, thus avoid the command’s entry via USB.