Bitcoin Forum
Author Topic: USBHarpoon - a charging cable that can hack your computer  (Read 534 times)
Pmalek
October 02, 2019, 04:33:15 PM
 #21

New business model. USB cables with clear plastic so you can see everything inside.
Sure, why not. If you know what the inside of a standard USB cable should look like. Many people don't, and those people who fall victim to phishing sites aren't cautious enough and wouldn't notice anything wrong with their cable.

squatter
October 02, 2019, 08:32:33 PM
 #22

The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.

It's a bit more worrying for the "captive audience" type. Get them into the hotel gift shop or cruise ship or the store at the train station and you know more or less where many of your victims will be.

Lots of Uber/Lyft passengers use driver-provided chargers. It's a really common amenity. I guess it could be a dangerous attack vector now. A phone or tablet innocently placed in the car could be running malicious scripts on any passenger who plugs in. Crazy stuff!

vapourminer
October 19, 2019, 05:15:20 PM
 #23



@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?

Absolutely. There is a public charging station at my nearest airport with about 20 cables of various sizes. Every time I am there, they are almost all being used. That's hundreds of devices each day.

i never use airport, hotel, or any other public charging ports or cables for any device i own. i always have my own usb chargers and cables when i have AC outlets available, and several powerbanks (and assorted cables for them also) for when out and about. powerbanks are a lifesaver at airports and such when your phone is more or less indispensable (as they can have tickets, itinerary, tsa and airline apps etc loaded on them and constantly in use).

usb powerbanks come in so many sizes and capacities it's foolish not to have some. some are solar powered, so can be charged even when no power is available.

EDIT you can also build your own powerbanks if you are so inclined and just want to be sure it's not hiding any funny stuff.. just search for "diy usb power bank" in your favorite search engine.
crwth
October 21, 2019, 01:04:20 AM
 #24

I recently watched this YouTube video by BRIGHT SIDE - Why No One Should Use Airport USB Charging Stations: https://www.youtube.com/watch?v=4gJlkS_WxZA

It's all the reasons why you shouldn't use Airport USB Charging Stations. It covers these areas in the video.
  • What could happen to your smartphone if you insert directly in the USB Port
  • Video-Jacking
  • Why you should use your own cable
  • Updated Firmwares of Smartphones (Android and iOS)
  • What you could do when you need to charge
  • Protecting your sensitive data

I think these points could cover most of the video. It's very informative and I think that everyone deserves to know this, especially frequent travelers.

Pmalek
October 21, 2019, 08:55:33 AM
 #25

Snip
Valid points but the problem is if something is free people will use it!
If you offer free refreshments to people on a busy street most of them will drink it not even thinking about what it is they are drinking. Even those who are not thirsty will take some just because it is free. It could be an interesting social experiment to conduct.

crwth
October 21, 2019, 09:00:53 AM
 #26

Valid points but the problem is if something is free people will use it!
I think you could call that taking advantage of opportunities. :D BUT you will never know what comes after. Like why is it going to be free? Almost everything now has a price tag and you should be careful with the ones which are free, you will never know.

If you offer free refreshments to people on a busy street most of them will drink it not even thinking about what it is they are drinking. Even those who are not thirsty will take some just because it is free. It could be an interesting social experiment to conduct.
It depends on where the experiment happens because most of the time, there are free tastes in supermarkets that let you try the product for free. I love those kinds of marketing tactics though. If it's not in a supermarket and it's on a busy street, it's going to be a different issue.

Let's be vigilant with regard to those kinds of things. Growing paranoid in the right amount is good for us, I think. Lol.

o_e_l_e_o
October 21, 2019, 09:49:29 AM
 #27

Why you should use your own cable
Using your own cable is not enough. Plugging a cable from your device in to a public socket, charger, power point, etc. could still compromise your device. Your cable will happily transmit anything it is told to, including any malware from chips hidden inside the socket or charger unit you just connected to.

The only way to be completely safe is to bring your own charger plug as well as USB cable, or use your own portable power packs instead.

Valid points but the problem is if something is free people will use it!
If something is free, you are the product, as the saying goes. This is equally true of free samples in supermarkets enticing you to spend money, as it is of Facebook and Google mining and selling all your data.

crwth
October 21, 2019, 09:54:11 AM
 #28

Using your own cable is not enough. Plugging a cable from your device in to a public socket, charger, power point, etc. could still compromise your device. Your cable will happily transmit anything it is told to, including any malware from chips hidden inside the socket or charger unit you just connected to.
Well, there's another solution to that where you would use a Non-Data transferring cable. I think that's how they could get your data but when it's just power, it's okay, no data transferring.

The only way to be completely safe is to bring your own charger plug as well as USB cable, or use your own portable power packs instead.
I agree with the fact that you could still use a compromised socket with the charging of a power bank then charging your phone from the power bank. Just like in the video. I think it's an okay thing.


o_e_l_e_o
October 21, 2019, 10:36:52 AM
 #29

Well, there's another solution to that where you would use a Non-Data transferring cable.
Yeah, I mentioned those in a previous post. You can buy them fairly cheaply, or buy a small adapter to plug on to the end of an existing USB cable which will prevent data transfer. You can even make one yourself by removing the data pins from an existing cable, and you can find instructions online to show you how to do this.

I agree with the fact that you could still use a compromised socket with the charging of a power bank then charging your phone from the power bank.
A power bank is just a battery. As far as I'm aware, they don't contain any hardware with the capability to store malware, so connecting one to a malicious charger is safe as any malware can't copy itself to the power bank. That's not to say malicious power banks don't also exist, and an attacker could very well open one up and hide a microchip or two inside.

naska21
October 21, 2019, 12:15:34 PM
Merited by vapourminer (1)
 #30

snip

Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with an ordinary multimeter. Opposite to an original USB cable, touching the data wires of the same color on the opposite sides of the "harpoon" should result in non-zero readings.

crwth
October 21, 2019, 02:45:02 PM
 #31

You can even make one yourself by removing the data pins from an existing cable, and you can find instructions online to show you how to do this.
I didn't know you could actually DIY a cable. I wouldn't prefer to do that because I don't think I would be successful in the first few tries that I would do.

That's not to say malicious power banks don't also exist, and an attacker could very well open one up and hide a microchip or two inside.
Maybe creating one is more complicated than just using a malicious wire or something. If someone is to create it, it's just a waste of resources, like the weights/batteries inside of it, it's not gonna do anything or would just add to the data powerline and make charging slow. Or something like that.



Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with ordinary multimeter. Opposite to original USB cable, touching the data wires of the same color   on the opposite  sides of "harpoon" should result in non zero readings.
If our smartphones could have an instant multimeter, that would be awesome. I wouldn't want to bring a multimeter anywhere I go. Great tip btw. To be clear, it's the resistance readings, right?

o_e_l_e_o
October 21, 2019, 06:22:37 PM
 #32

I didn't know you could actually DIY a cable.
Take any standard USB cable with a male USB A end (the normal PC/laptop connector). If you look in the end of it you will see 4 metal pins embedded in the white plastic part, inside the outer metal casing. The two outer pins transmit power, the two inner pins transmit data. If you cover or remove the two inner pins, then you have made yourself a power only cable.

This is fairly easily done, in one of two ways. You can simply cut a piece of tape to size and cover the two inner pins to make a reversible power only cable, but be absolutely sure you have entirely covered the pins, as if any connection remains (however small) data can still be transmitted. More securely, but irreversibly, you can remove the two pins without much hassle. You don't need to open the casing at all - simply use a small flat-head screwdriver or similar to prise the two middle pins up, and a pair of pliers to pull them out.

naska21
November 03, 2019, 08:59:20 PM
 #33

snip
Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with ordinary multimeter. Opposite to original USB cable, touching the data wires of the same color   on the opposite  sides of "harpoon" should result in non zero readings.
If our smartphones could have an instant multimeter, that would be awesome. I wouldn't want to bring a multimeter anywhere I go. Great tip btw. To be clear, it's the resistance readings, right?

Yeah, a test for continuity in an electrical wire means measuring its resistance, so to do it you need to select the pertaining mode on the multimeter. You can also use a continuity tester to check whether a USB cable is "harpooned" or not. In this case the two central pins on one side of the cable must be shorted together when the probe and the second end of the tester touch the central pins on the opposite cable side.

Ann1989
December 06, 2019, 09:12:05 AM
 #34

The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.
I think it's best to use air-gapped hardware wallets. They don't have any physical points of attack. All transactions happen through a QR code.
jerry0
January 26, 2020, 02:48:19 AM
 #35

What about cables on Amazon though?
o_e_l_e_o
January 26, 2020, 08:04:03 PM
 #36

What about cables on amazon though?
Probably safe. Maybe not, though.

Amazon sell items from a huge number of different retailers. It is impossible for them to vouch for/verify every single one of them. Even items sold directly by Amazon, or even produced by Amazon such as the AmazonBasics range, could be subject to attack. What if a rogue employee on the production line started slipping chips in to their cables? How many do you think would get out before someone else picked it up in quality control? Impossible to know.

The only way you could be 100% safe is if you build your own cable from scratch. There was a recent topic started about this here: https://bitcointalk.org/index.php?topic=5218898.0. You have to consider, though, that if you are this concerned about a supply chain attack on a USB cable, what about the same attack on any of the hardware inside your computer or your phone?

jerry0
February 15, 2020, 07:53:55 PM
 #37

Has anyone here had a case like this though?  Again cables seem very scary because of this.
DaveF
February 08, 2021, 10:03:38 PM
 #38

When was the last time you looked at the USB plug where your keyboard is plugged into:
https://hackerwarehouse.com/product/keygrabber/

What do you know about your network switch:
https://www.amazon.com/Dualcomm-DCSW-1005PT-Ethernet-Network-Pass-Through/dp/B003PCHAC6

Or how about your network cable:
https://greatscottgadgets.com/throwingstar/

Yeah, all of the above require access to your PC / home / office as opposed to just buying a wonky cable. Not going to dispute that.
But, most people are not even aware that things like this exist so it's probably good to put it out there.

-Dave

jerry0
February 09, 2021, 07:27:30 AM
 #39

What if your computer is locked on Windows?  I assume that doesn't do anything right?

Now if your computer isn't turned on... I assume no issue?

What if you use VeraCrypt or BitLocker on it?  I assume as long as you aren't logged in your computer, the USB charging cable can't do anything?
bob123
February 09, 2021, 08:11:01 AM
Merited by vapourminer (1)
 #40

~snip~

Hello old friend..



What if your computer is locked on windows?  I assume that doesn't do anything right?

Whether the computer is locked, doesn't matter.
Windows is shitty enough that the "lock" simply means you can't move your mouse etc. without entering the password.

Inserting a USB device which executes malicious code is still doable.



Now if your computer isn't turned on... i assume no issue?

If it is not turned on, how is it supposed to execute code?
If the CPU is turned off, it can't do anything.



What if you use veracrypt or bitlocker on it?  I assume as long as you aren't logged in your computer, the usb charging cable can't do anything?

Full disk encryption? And turned off?
Same as above.. if the PC is not turned on, it can not execute code.
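
One way to act on the point above that a locked Windows session still accepts a newly inserted USB device, as an added example that is not part of any post in this thread: compare the host's USB device list before and after plugging in a cable and flag anything new, especially a keyboard interface. The snapshot format, port names and vendor:product IDs are constructed for illustration, and the premise that a malicious cable shows up to the host as a USB device such as a keyboard is an assumption the thread does not spell out.

```python
# Added example (not from the thread). All device data below is constructed.
HID_CLASS = 0x03       # USB interface class code: Human Interface Device
BOOT_KEYBOARD = 0x01   # bInterfaceProtocol value for a keyboard
MASS_STORAGE = 0x08    # USB interface class code: mass storage

def parse_snapshot(text):
    """Parse 'port vid:pid class/proto[,class/proto]' lines into a dict by port."""
    devices = {}
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()   # allow trailing comments
        if not line:
            continue
        port, vidpid, ifaces = line.split()
        pairs = [tuple(int(x, 16) for x in item.split("/"))
                 for item in ifaces.split(",")]
        devices[port] = {"id": vidpid.lower(), "interfaces": pairs}
    return devices

def new_devices(before, after):
    """List devices that enumerated between two snapshots, with a triage label."""
    findings = []
    for port, dev in sorted(after.items()):
        if before.get(port, {}).get("id") == dev["id"]:
            continue                            # same device, same port: unchanged
        classes = {cls for cls, _ in dev["interfaces"]}
        if (HID_CLASS, BOOT_KEYBOARD) in dev["interfaces"]:
            label = "high: new keyboard interface can inject keystrokes"
        elif MASS_STORAGE in classes:
            label = "review: new storage device"
        else:
            label = "review: unexpected device"
        findings.append({"port": port, "id": dev["id"], "label": label})
    return findings

# Constructed snapshots: hypothetical port names and vendor:product IDs.
BEFORE = """
1-1 1111:0001 03/01      # the user's own keyboard
1-2 1111:0002 03/02      # the user's own mouse
"""
AFTER_SUSPECT_CABLE = BEFORE + "1-3 2222:0010 03/01,03/00   # appeared with the cable\n"
AFTER_POWER_ONLY = BEFORE    # a power-only cable has no data path, so nothing enumerates

if __name__ == "__main__":
    base = parse_snapshot(BEFORE)
    for name, snap in [("suspect", AFTER_SUSPECT_CABLE), ("power-only", AFTER_POWER_ONLY)]:
        print(name, new_devices(base, parse_snapshot(snap)))
```

On a Linux host the same fields can be read from the `idVendor`, `idProduct`, `bInterfaceClass` and `bInterfaceProtocol` attributes under `/sys/bus/usb/devices/`.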
