This can somehow be related to Hardware wallets OLED Display Vulnerability, and Trezor has solved this problem with new firmware, but we still wait for the new firmware from Ledger.

I'm not sure what the danger is for hardware wallets with USBHarpoon (if at all there is a danger), but cheap USB cables should not be used because they obviously pose a security risk. There is no doubt that all equipment should be purchased from trusted dealers, the time of buying this kind of stuff through eBay has obviously become too risky.

Anything the logged in user can do. It's creating keyboard / mouse commands so if you are admin / root and plug one of these in it is running with full privileges.

Here is one better, plug in a cable, get owned:

https://www.theverge.com/2019/8/15/20807854/apple-mac-lightning-cable-hack-mike-grover-mg-omg-cables-defcon-cybersecurity

From the article:

-Dave

That is exactly what he does at the end of the 2nd video in the original article. If you rewind to 0:50 you can see that he plugs in the USB cable as a charger in a conference room somewhere. And the trap is set!

I didn't know that this exists already. Thanks for sharing this. It's definitely scary to use cheap stuff that might compromise your status. I do have a cheap cable for charging (it's an L-type of cord, so I could play while charging), I don't know how they would be able to get my data because I just stuck it in the charging adaptor.

Anyways, this reminded me of a story by my boss at his previous work that he knows someone that is a good programmer and he created a flash drive that once you stuck it in your computer, it's going to get your files in the background while it's still inserted. This story makes me paranoid and makes me want my files to be secure.

So basically, this is a warning for everyone to NEVER use cheap cords and plug it in your computer. Now I'm more paranoid

---

@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?

So you could say that your smartphone would be getting HIV.

OK, but antiviruses and such don't "see" this threat? I mean, those cables can be easily in your house without knowing it.

For several versions now, devices running Android software treat any connected USB as a charger only and display a prompt on the device before enabling data capabilities. As long as you have a recent version, and don't accept the prompt, then you are theoretically safe. There is always the possibility somebody finds a new method, hack, vulnerability, or similar, which allows them to bypass this prompt and transmit data. The safest method remains to not use public charging ports, or at least bring your own power-only USB cable with the data pins removed. There are also many tiny adapters on the market for a few bucks which you can connect between your phone and the USB cable which block all data transfer.

This article by the verge is quite recent and it's a good read too. This shows that a cable looks and functions like a normal lightning cable but it has an additional feature where it has a wireless point (additional hardware) making it a remote hacking device. It's definitely a scary place we live in now, everything can be remotely hijacked. And guess what, it says "it's nothing new". It has been going around and I have no idea until recently. 

Or never borrow from someone you don't know. #neveragain #officialproductsonly LOL.

It's better to use a normal socket using your charging cable and adapter instead. This is what I usually do in an airport.

An Update.

Recently came across this article: https://www.vice.com/en_us/article/3kx5nk/fake-apple-lightning-cable-hacks-your-computer-omg-cable-mass-produced-sold

It's said there that it's going to be mass-produced and a factory has accepted it also, further Quality Analysis and Testing will be done on the product. Pretty much the same with the articles above but I think knowing that it is possible that it's on-going production already, you can encounter this kind of device. Better safe than sorry, make sure to have a legitimate and certified product.

It's a bit more worrying for the "captive audience" type. Get them into the hotel gift shop or cruise ship or the store at the train station and you know more or less where many of your victims will be.

New business model. USB cables with clear plastic so you can see everything inside.

-Dave

Lots of Uber/Lyft passengers use driver-provided chargers. It's a really common amenity. I guess it could be a dangerous attack vector now. A phone or tablet innocently placed in the car could be running malicious scripts on any passenger who plugs in. Crazy stuff!