WiFi Hides Inside a USB Cable(hackaday.com) |
WiFi Hides Inside a USB Cable(hackaday.com) |
https://www.aliexpress.com/item/1m-USB-Charging-Data-Cable-f...?
I wonder how many things like this are in the wild and nobody's noticed.
A rogue janitor replaces the usb cables on some of the employees of a company that makes $INSERT_SUPER SECRET_TECH$ and done.
Of course they equipped the laptop with a cd burner
That said, if you click the link next to BadUSB, they detail attacks whereby the device pretends to be a USB Ethernet adapter instead. And while you're right that stuff typically wants user input prior to connecting to WiFi networks, I don't think anything prompts before connecting to wired networks. The onboard WiFi could even make it appear to work, so as to not arouse suspicion (by simply bridging the pretend-ethernet to the WiFi), but now your attack has a MitM and a keyboard…
Needless to say, you don't want random USB devices getting plugged into your machine.
See the Twitter video: https://mg.lol/blog/omg-cable/
If it is, then the computer doesn't connect to a router at all. The USB cable could make itself available as a network that you remotely connect to then execute commands. The cable then types out your commands as it imitates a USB keyboard. Have you ever seen a device or PC that randomly trusts a USB keyboard you plug into it?
That's one. Apparently there are least 28 more ways to use usb to attack a machine.
https://www.bleepingcomputer.com/news/security/heres-a-list-...
That wouldn't need further actions from the victim.
Put in the right machine and you can see every company memo as it is written.
Can a device like this be used do anything positive toward humanity?
Did I misunderstand something? (I'm genuinely curious!)
Edited: reworded (honest) question to be less negative.
PoCs are often what lead to security changes. This device just existing will spur research into how to to defeat it which in turn may lead to improved security for all.
Here is some advice, whenever you think “there aught to be a law...” there probably shouldn’t be.
Planes would be falling out of the sky and high rises would be on fire if everyone had your sense of what types of research should “be allowed”.
Only if you leave your computer unlocked and unattended. If it's attended, obviously you'll see something's going on and pull the plug on the computer and probably investigate further. If your computer is locked (which is a good habit to have when leaving your workstation, the faked keyboard can't do.
I think OP is saying that these cables could be swapped out while you’re away.
As for “seeing that something is going on”, I really don’t think anyone worth half their salt would allow for such a scenario... authors of such implants aren’t exactly registering the device with the OS.
[1] https://twitter.com/realsexycyborg/status/103190315541447884...
[2] https://www.amazon.com/Jiusion-Listening-Surveillance-Quad-b...
It's a remote control rubber ducky and more.
[1]: https://twitter.com/LeaKissner/status/1085624255381827584
Will the solution to this, then, be to have some sort of "smart card enabled device"? For example, assuming TOFU, you manually accept all device's public keys (and all devices, including cables and stuff will have one of these). Then, the computer will have to verify all actions done by those devices by sending a challenge for each action. But this seems impractical and inefficient...
Perhaps physical security is the only way for this...
(it couldn't read user keypresses unless they use the cable to plug in their keyboard)
The video appeared to have it connect directly to the phone or to the network they both were on.
upd: Alternatively, for installations with a usb keyboard, this defence is disabled.
- The cable is inserted into the victims computer - The electronics inside the cable creates a WiFi network - The attacker uses a separate computer to connect to this WiFi network - Transmit the payloads to the victim - ??? - Profit
It’s just crazy to me that plugging my Crapbook Pro into a USB-C power brick could do all sorts of bad to my computer when all I need is power.
The level of miniaturisation is not all that impressive, these have been around for a while:
https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Su...
There's no mention of using the rest of the cable as the antenna, since in my experience the above tiny adapters have an equally tiny antenna and thus poor reception.
Edit: stupid me, he probably just replaced the USB-A side of a legit Apple one. Ignore the part about the coating.
Not sure how far you were from your router but I bought one of these and it worked quite fine through walls.
I think a solution is for OSs to only allow the automatic mounting of newly-attached devices if they’re “passive” (e.g. mass storage - assuming no autorun.ini, output-only devices, HID class devices that only expose game-controller functionality, etc) - other device classes like mice and keyboards plugged-in to non-trusted ports should always require explicit approval.
While we’re on the subject: keyboards can be massively improved by adding over-the-wire encryption to prevent keyboard-port logging, and the USB keyboard class should be extended to include the keyboard declaring its layout to the host OS. It’s silly that we still need to configure keyboard language settings or that the OS infers it from our regional settings.
Anyway since we are assuming physical access, they could just swap out your keyboard for one that works normally until you go for lunch, then starts typing for itself..
Even that's not enough. If you're feeling extra-evil you could tamper with the keyboard switches/traces to do whatever evil stuff you want. It's not like you can authenticate the on/off state at a switch level.
Not without notice. Your computer won't connect to a wirless network automatically. So in order for this to work, the USB-device needs the same SSID and key. Then, in order to make it not suspicious (and get your data) you need to actually forward traffic to the internet. Not sure if those devices can repeat.
Emulating an USB ethernet might help you, as those will connect, but without uplink it's still suspicious.
Or, search for open/guest networks and use those as an uplink. There's plenty of possibilities for this to work as a malicious network adaptor.
However, I think the network example is just a proof of concept and the remote connectivity is much more interesting to any real attacker.
(I think ideally, you don't distinguish. Every network is equally untrusted, and you rely on good end-to-end encryption. That doesn't address the rouge HID attack, however.)
I've also seen unauthenticated corporate networks where STP packets reach the end user ports, and AIUI, the right response packet would direct the network to start sending all traffic my way…
This is not a serious suggestion since it would be annoying to most people.
On laptops the built-in mouse and keyboard would be "trusted".
On desktops and servers, I can think of a couple of strategies:
* Always trust keyboards only when plugged into certain USB ports (e.g. ports on the front of the computer highly visible to the computer's operator) * Mutual keyboard/host authentication and encryption.
With devices moving to USB-C for data and charging I wonder how security companies are going to prevent physical access to USB ports...
"2.4Ghz wifi antenna extends a 7 degree wide cone, allowing it to perform over large distances up to 8 miles of range."
Also, the 8 mile range is obviously very theoretical, in a direct line from point A to point B with no obstacles.
Nonlinear junction detectors can find semiconductor things, be they powered on OR off. Long story short, you blanket an area with GHz rf, and then look at the harmonics of the freq you spray it with.
I can see how to create one with a 2.4GHz transmitter and a DSP. I know the prices Ive seen are in the thousands of $$$, in which it's not terribly complex. The hardware would probably cost around a few hundred, primarily cause DSPs are $$$$
My talk was accepted at CircleCityCon in Indianapolis IN. I've built a tablet capable of intercepting and injecting radio from 20MHz to 1.5GHz.
https://ccc2019cfp.busyconf.com/activities/5c3a57314808fac10...
https://mobile.twitter.com/CrankyLinuxUser/status/1097884386...
I actually totally agree (which is the reason for my edited response above, before your comment arrived)... but there must be limits, musn't there? We don't arbitarily allow murder, rape or theft.
Looking at the concept of "freedom" is a tricky thing, I've found. At what point does "doing whatever I want" become unacceptable to the very society that bred that behaviour? What should that society do to curtail behaviours that are actively destructive against it?
As an individual in society, shouldn't I make some stand (as feeble as it might be), against what I (personally) think as exceedingly disruptive and that goes against the "common good"?
By the downvotes I've received, it seems that my voice is very much unwanted - which seems to show how it "me" that is the outcast in this situation, and not this builder of spyware. To me this is ironic (but irrefutable), despite the honest question of the purpose of this device which has been popularised on a well known 'tinkering' site.
But the way out of this is actually to make the constraint more orientated on the harm. Several jurisdictions already ban the sale of spy devices. Many have rules about non-consensual recording. Or general privacy rules.
Don't try to ban buidling things unless the other approaches have been tried and failed. The solution to "upskirting" and other non-consensual intrusive photography has been bans on doing that, not a ban on smartphones. There are all sorts of things that you can legally build and tinker with but not market to the public.
(Security researchers are particularly salty about this because you can't get people to take a threat seriously without building a proof-of-concept, but that is in itself a weapon. Often you can't prove a system is insecure without breaking it.)
I’ll let someone else see if they can help you out. But I think you need to take a BIG step back and ask yourself this “have I solved all the problems in my own life” and if the answer is no, stop thinking so much about what other people should be “allowed” to do. Worry about self. Take up the position that my right to swing my fiat ends at your nose.
Ironically, I do try to "let it be" and to not be a hypocrite in my day to day life. However, we are imperfect beings, and we all make mistakes (well, at least I do!).
I recognise the engineering and technical expertise of this device... but all through it's design phase and it's production, was there ever a purpose other than spyware? Was it ever meant to be anything other than nefarious?
For it's when someone can say to me "Oh, it's a really good thing because x,y,z" then I'll have learnt something new about the rich tapestry of life -- and I ask this because I don't understand, & not because I'm trying to lord it over anyone.
Again, apologies.
Not that I'm a fan of knee-jerk reactive lawmaking, but they struck me as odd examples.
Better than that is to just type a PowerShell script that gets all the info immediately and sends it to a server.
As in, the OS driver for the USB controller? Feels like a lot.
There's a lot of wireless stuff out there, not using 802.11__ or BT specs and frequencies. Are these things secure? Probably not. Are they encrypted? Perhaps. Do they defend against replay? Likely not.
But in the end, how do we assess? Standard TSCM gear can do a good job scanning and finding peaks. But its not for protocol decoding and device assessments. My goal is to "Identify signals, categorize protocols for signals found, decode if possible, and attempt to access/exploit".
A windows hack may be - The “mouse” would ask to move to leftmost bottom corner then click. Type searching terms like Cmd<r>. Then if can get hold of the windows one is in ...
Any better idea?
You could certainly ask them over twitter. In my experience they return questions in an hour or 2.
Ideally, if you dont care about looks, all you need is a Raspberry Pi 3B+, keyboard/monitor/screen, Rtl-sdr, and a wire.
The wire is hooked up to GPIO 4 and used in conjunction with RPITX library.
The Rtlsdr allows receiving radio signals.
The only broken thing right now, is that changing GPU clock frequencies does "weird" things to the onboard wifi (unsurprising).
My next step will be making 2 scripts: 1 to install a SigInt tooling, and 2 is to update said tooling.
A device like this packages its own covert communications channel together with the exploit dropper; it provides an entry point to your network (and exfiltration channel) that bypasses all your filtering, logging, scanning, etc.
You can also imagine a loop where first you install a keyboard logger and exfiltrate the user's password, then later you want to update the exploit scripts to make use of the password. Or hell, maybe this is a prank product and having a wireless button to rickroll your victim on demand makes you laugh.
With that said, the first person to make a fake USB keyboard had a much bigger and more exciting trick than this incremental change.
[1] https://github.com/exploitagency/ESPloitV2
Edit: Or to put it another way, this is like the NSA's "Cottonmouth" bug, which "will provide air-gap bridging, software persistence capability, 'in-field' re-programmability, and covert communications with a host software implant over USB" [2] but 10 years later and without charging a million dollars for 50 units.
[2] https://en.wikipedia.org/wiki/NSA_ANT_catalog#/media/File:NS...
https://hackaday.com/2019/01/04/underclocking-the-esp8266-le...
Long story short, underclocking the ESP12 compresses the RF envelope for 2.4GHz . It also means the RF energy is in what looks like 1/3 a normal 2.4GHz channel.
The awesome side effect is that this device's SSID is completely hidden from regular 2.4GHz radios. You need another ESP12 with the same underclock ratio... and then need the SSID (if hidden), and the password.
You'd be able to find it using an ADALM-PLUTO. It'd stick out like a sore thumb, but it still wouldn't make sense what's going on unless you build a decode stack in Gnu Radio.
