Security Researcher Creates Remote WiFi USB Charging Cable

Early last week; a security researcher has demonstrated a new means of social engineering which could be used to compromise the security of a computer network:

TL DR: This cable poses a threat from a social engineering perspective. Should these cables become widespread: I would recommend being more careful of the cables you use to charge devices and consider using power outlets for charging.

What kind of threat does this pose?
The researcher created a custom USB cable that looks just like a standard cable. This cable could obviously be used to charge a smartphone. This cable however contains a custom printed circuit board (PCB) that allows an attacker to send commands to it via WiFi. The cable “appears” and acts as a keyboard and mouse when connected to a system and allows the attacker to control as if they had physical access to it and allows the opening of a reverse shell to execute commands:

The researcher demonstrated how the “mouse” feature of the cable could be used to prevent a system from locking after the real user has left the system by continually moving the mouse; just as a real person would.

Worse than this the cable has the potential to conduct WiFi deuthentication (de-auth) attacks which will disconnect devices in the vicinity from the WiFi networks they have connected with. This would constitute a denial of service attack and the inconvenience of having to keep re-connecting your wireless devices to the WiFi network again. Whether such an attack could be used to sniff/capture WiFi authentication credentials or to be used to exploit the KRACK vulnerability is not clear:

How could an adversary use this cable in a practical way?
The adversary simply need to wait for you to plug this cable into one of your systems. They don’t need to be nearby in order for them to access the system the cable is connected to (since the cable appears to be accessible over the internet connection in your office). Consider if an adversary left some of these cables on the desks in your organisation. How many people connect the cables to their systems to charge their phone? This would be even more common in older offices were USB charging ports aren’t readily available.

An adversary could also send some cables to your office via postal mail while pretending they came from the marketing department or another office of the same organisation. Cables aren’t considered malicious (like an unknown USB thumb drive should be) and will be used by those who receive them. Employees might also take them home or give these “free” cables to friends and family.

How can I protect myself from this type of threat?
This is not an easy question to answer. While you can educate your employees to not use cables that arrive in the postal mail (or even from your marketing department); what is to prevent them from doing so? Do you then treat every cable as a possible threat? You would need to place your office in a Faraday cage to truly mitigate this! Should you split every cable open to check if it has a WiFi PCB added to it (even if you did; could you tell what you are looking at)?

Given how common and widespread they are; is that even possible? You could ask that charging cables are only connected to power (electrical) outlets (requiring employees to bring the charging adapters for their devices (which almost nobody does)) or ask them to use portable battery packs. But again; what is to stop an employee from not doing this especially if they are travelling and need to charge their mobile devices? It’s already difficult to educate your employees about the dangers of BadUSB or juice-jacking (my previous post on that topic) but this is even harder to defend against:

It’s very likely that this cable would have a MAC address and while you can use MAC address authentication to protect your network; that can be bypassed. An adversary can spoof a MAC address (to use a legitimate MAC address from your own network). So, if you deny that MAC access to your network you could block the legitimate device too.

Note: The adversary would need to use some form of software to spoof the MAC address. The cable may not currently accommodate that capability. I assume the adversary can’t manufacture the silicon needed for a WiFi adapter and doesn’t have the ability to “burn” a MAC address of their choice into it.

It’s important to remember this cable is only a proof of concept at this time but the researcher does plan to sell them. They could be used by pen testers in much the same way as Wi-Fi Pineapples or RubberDuckies currently are. Given that the cable looks exactly like a standard USB smartphone charger (for an Apple device); from the photos included you can’t tell the difference between a genuine cable and this pen testing cable.

Can an upcoming standard for USB help with this issue?

Unfortunately, while the new USB Type-C Authentication Program appears to be more of a Digital Rights Management (DRM) feature that may raise charger and cable prices and potentially creating vendor lock-in. While it would help with detecting a malicious cable or a cable that was tampered with; it remains to be seen if the standard in reality increases security. It’s also unclear how the cables will authenticate since we have seen digital signatures being stolen in the past to bypass this form of authentication:

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.