Daily Archives: February 19, 2019

Security Researcher Creates Remote WiFi USB Charging Cable

Early last week; a security researcher has demonstrated a new means of social engineering which could be used to compromise the security of a computer network:

TL DR: This cable poses a threat from a social engineering perspective. Should these cables become widespread: I would recommend being more careful of the cables you use to charge devices and consider using power outlets for charging.

What kind of threat does this pose?
The researcher created a custom USB cable that looks just like a standard cable. This cable could obviously be used to charge a smartphone. This cable however contains a custom printed circuit board (PCB) that allows an attacker to send commands to it via WiFi. The cable “appears” and acts as a keyboard and mouse when connected to a system and allows the attacker to control as if they had physical access to it and allows the opening of a reverse shell to execute commands:

The researcher demonstrated how the “mouse” feature of the cable could be used to prevent a system from locking after the real user has left the system by continually moving the mouse; just as a real person would.

Worse than this the cable has the potential to conduct WiFi deuthentication (de-auth) attacks which will disconnect devices in the vicinity from the WiFi networks they have connected with. This would constitute a denial of service attack and the inconvenience of having to keep re-connecting your wireless devices to the WiFi network again. Whether such an attack could be used to sniff/capture WiFi authentication credentials or to be used to exploit the KRACK vulnerability is not clear:

How could an adversary use this cable in a practical way?
The adversary simply need to wait for you to plug this cable into one of your systems. They don’t need to be nearby in order for them to access the system the cable is connected to (since the cable appears to be accessible over the internet connection in your office). Consider if an adversary left some of these cables on the desks in your organisation. How many people connect the cables to their systems to charge their phone? This would be even more common in older offices were USB charging ports aren’t readily available.

An adversary could also send some cables to your office via postal mail while pretending they came from the marketing department or another office of the same organisation. Cables aren’t considered malicious (like an unknown USB thumb drive should be) and will be used by those who receive them. Employees might also take them home or give these “free” cables to friends and family.

How can I protect myself from this type of threat?
This is not an easy question to answer. While you can educate your employees to not use cables that arrive in the postal mail (or even from your marketing department); what is to prevent them from doing so? Do you then treat every cable as a possible threat? You would need to place your office in a Faraday cage to truly mitigate this! Should you split every cable open to check if it has a WiFi PCB added to it (even if you did; could you tell what you are looking at)?

Given how common and widespread they are; is that even possible? You could ask that charging cables are only connected to power (electrical) outlets (requiring employees to bring the charging adapters for their devices (which almost nobody does)) or ask them to use portable battery packs. But again; what is to stop an employee from not doing this especially if they are travelling and need to charge their mobile devices? It’s already difficult to educate your employees about the dangers of BadUSB or juice-jacking (my previous post on that topic) but this is even harder to defend against:

It’s very likely that this cable would have a MAC address and while you can use MAC address authentication to protect your network; that can be bypassed. An adversary can spoof a MAC address (to use a legitimate MAC address from your own network). So, if you deny that MAC access to your network you could block the legitimate device too.

Note: The adversary would need to use some form of software to spoof the MAC address. The cable may not currently accommodate that capability. I assume the adversary can’t manufacture the silicon needed for a WiFi adapter and doesn’t have the ability to “burn” a MAC address of their choice into it.

It’s important to remember this cable is only a proof of concept at this time but the researcher does plan to sell them. They could be used by pen testers in much the same way as Wi-Fi Pineapples or RubberDuckies currently are. Given that the cable looks exactly like a standard USB smartphone charger (for an Apple device); from the photos included you can’t tell the difference between a genuine cable and this pen testing cable.

Can an upcoming standard for USB help with this issue?

Unfortunately, while the new USB Type-C Authentication Program appears to be more of a Digital Rights Management (DRM) feature that may raise charger and cable prices and potentially creating vendor lock-in. While it would help with detecting a malicious cable or a cable that was tampered with; it remains to be seen if the standard in reality increases security. It’s also unclear how the cables will authenticate since we have seen digital signatures being stolen in the past to bypass this form of authentication:

Thank you.

Adobe Flash Player 2019 Update Tracker

In a similar manner to previous years this post will track the number of vulnerabilities patched within Adobe Flash for 2019. This will be the penultimate year of tracking these numbers since Flash Player is due to be decommissioned in 2020.

As always this post will be updated throughout the year with the details of vulnerabilities being patched and if they are being exploited in the wild. Apologies for not making this 2019 tracker available sooner.

Thank you.


8th  January 2019: Adobe releases Flash Player v32.0.0.114 This update is a non-security update addressing only feature and performance bugs.

12th February: Adobe releases Flash Player v32.0.0.142 resolving 1x priority 2 CVE.

12th March: Adobe have not released any Flash Player updates this month.

12th March 2019: Adobe makes available Flash Player v32.0.0.156 to resolve non-security bugs only.

9th April 2019: Adobe releases Flash Player v32.0.0.171  resolving 2x priority 2 vulnerabilities (CVEs) (1x Critical and 1x Important severity).

14th May 2019: Adobe releases  Flash Player v32.0.0.192 to resolve a single critical CVE.

11th June 2019: Adobe releases Flash Player v32.0.0.207 just like last month to resolve a single critical CVE.

9th July 2019: Adobe has not released any Flash Player updates this month.

13th August 2019: Just like last month; Adobe has not released any Flash Player updates this month.

10th September 2019: Adobe has released Flash Player v32.0.0.255 to resolve 2x critical vulnerabilities.

Update: 19th February 2019: The timeline was created to include the Adobe Flash Player updates for January and February 2019. At the time of writing no exploits for the issue fixed by the February update are known to be taking place.

Update 12th March 2019: The timeline was updated to reflect that Adobe did not issue Flash Player updates this month.

Update: 21st March 2019: The timeline was updated to reflect that Adobe did publish a Flash Player update for March 2019 but it is a non-security update.

Update: 10th April 2019: The timeline was updated to include the Adobe Flash Player updates for April 2019. At the time of writing no exploits for the issues resolved fixed by the April update are known to be taking place.

Update: 12th June 2019: The timeline was updated to include the Adobe Flash Player updates for May and June 2019. At this time no exploits for the issues resolved in either month are known to be currently taking place.

Update: 9th July 2019: The timeline was updated to state Adobe did not release Flash Player update for July 2019.

Update: 13th August 2019: The timeline was updated to state Adobe did not release Flash Player update for August 2019.

Update: 10th September 2019: The timeline was updated to add a Flash Player update for September 2019. At the time of writing, the two vulnerabilities it resolves are not known to being exploited in the wild (namely being exploited on computing devices used by the general public in their professional and personal lives).