Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

USBHarpoon a look-like charging cable that can hack into your computer

A team of security experts has devised a rogue USB charging cable named USBHarpoon that can be used to compromise a computer in just a few seconds. The team was composed of Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of SYON Security, and the popular Kevin Mitnick. The USBHarpoon takes inspiration on the BadUSB project built by […]

USBHarpoon

A team of security experts has devised a rogue USB charging cable named USBHarpoon that can be used to compromise a computer in just a few seconds.

The team was composed of Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of SYON Security, and the popular Kevin Mitnick.

The USBHarpoon takes inspiration on the BadUSB project built by researchers at Security Research Labs lead by Karsten Nohl.

Nohl demonstrated that to turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Unfortunately, many USB controller chips, including those in thumb drives, have no protection from such reprogramming.

USBHarpoon leverages on a charging cable instead of a USB drive to make the dirty job and hack into a computer.

The cable was modified to allow both data and power to pass through, in this way it is impossible for a victim to note any suspicious behavior.

A weaponized charging cable is not a novelty, a security researcher that goes online with the Twitter handle MG posted two videos that show the BadUSB cables he has built. The cable allows MD to carry out HID attacks when plugged into a computer’s USB port.

MG demonstrated that his BadUSB cable would work with a 24-pin USB-C connector which is used in MacBook chargers. MG added that it “work on just about any device with a USB port,” including mobile devices.

Mitnick asked MG to build a cable for him to use in a keynote speech to demonstrate new attack methods, but he did not receive it in time for his speech.

USBHarpoon

Mitnick contacted the researcher Dennis Goh to build a cable to use in the attack, then Goh accepted and worked with Olaf Tan to build the USBHarpoon.

Yiu confirmed that his cable was not inspired by the MG’s research, anyway he credited the original work from MG once he learned about it.

The USBHarpoon works on unlocked machines, it allows the attackers to launch commands that download and execute a malicious code.

Yiu published a short video to show how USBHarpoon works. The video PoC shows a drone connected to a Windows PC and sends it commands to list content in a folder on the system drive.

Experts noticed that on Windows, the commands are launched within the Run prompt, while on Mac and Linux they are launched from a terminal.

The attack is any way visible to the owner of the machine, for this reason, to make the attack stealth it is necessary to devise a method to hide the interaction with the system, for example, to run the attack when the victim is not around the machine.

The team of researchers is currently searching for methods to trigger the attack in a stealthy way, for example, involving as attack vectors Bluetooth and radio signals.

As mitigation, the experts suggest the adoption of USB condoms, also known as data-blocking device that works by blocking the data pins on a USB cable.

Anyway, MG published a video PoC that shows how USB condoms can be bypassed as well.

USBHarpoon is the demonstration that USB devices can be used as attack vectors difficult to detect.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – USBHarpoon , BadUSB)

[adrotate banner=”5″]

[adrotate banner=”13″]