USBHarpoon - a charging cable that can hack your computer

[vapourminer]

@o_e_l_e_o Is it really going to be effective to hack someone or infect a virus when you just use a public charging station? Infecting the one you are charging?

Absolutely. There is a public charging station at my nearest airport with about 20 cables of various sizes. Every time I am there, they are almost all being used. That's hundreds of devices each day.

i never use airport, hotel, or any other public charging ports or cables for any device i own. i always have my own usb chargers and cables when i have AC outlets available, and several powerbanks (and assorted cables for them also) for when out and about. powerbanks are a lifesaver at airports and such when your phone is more or less indispensable (as they can have tickets, itinerary, tsa and airline apps etc loaded on them and constantly in use).

usb powerbanks come in so many sizes and capacities its foolish not to have some. some are solar powered, so can be charged even when no power is available.

EDIT you can also build your own powerbanks if you are so inclined and just want to be sure its not hiding any funny stuff.. just search for "diy usb power bank" in your favorite search engine.

[1714046066]

1714046066

[1714046066]

1714046066

[1714046066]

1714046066

[1714046066]

1714046066

[crwth]

I recently watched this YouTube video by BRIGHT SIDE - Why No One Should Use Airport USB Charging Stations: https://www.youtube.com/watch?v=4gJlkS_WxZA

It's all the reasons why you shouldn't use Airport USB Charging Stations. It covers these areas in the video.

• What could happen to your smartphone if you insert directly in the USB Port
• Video-Jacking
• Why you should use your own cable
• Updated Firmwares of Smartphones (Android and iOS)
• What you could do when you need to charge
• Protecting your sensitive data

I think these points could cover most of the video. It's very informative and I think that everyone deserves to know this, especially frequent travelers.

[Pmalek]

Snip

Valid points but the problem is if something is free people will use it!
If you offer free refreshments to people on a busy street most of them will drink it not even thinking about what it is they are drinking. Even those who are not thirsty will take some just because it is free. It could be an interesting social experiment to conduct.

[crwth]

Valid points but the problem is if something is free people will use it!

I think you could call that taking advantage of opportunities.  BUT you will never know what comes after. Like why is it going to be free? Almost everything now has a pricetag and you should be careful with the ones which are free, you will never know.

If you offer free refreshments to people on a busy street most of them will drink it not even thinking about what it is they are drinking. Even those who are not thirsty will take some just because it is free. It could be an interesting social experiment to conduct.

It depends on where the experiment happens because most of the time, there are free tastes in supermarkets that let you try the product for free. I love those kinds of marketing tactics though. If it's not in a supermarket and it's on a busy street, it's going to be a different issue.

Let's be vigilant with regard to those kinds of things. Growing paranoid in the right amount is good for us, I think. Lol.

[o_e_l_e_o]

Why you should use your own cable

Using your own cable is not enough. Plugging a cable from your device in to a public socket, charger, power point, etc. could still compromise your device. Your cable will happily transmit anything it is told to, including any malware from chips hidden inside the socket or charger unit you just connected to.

The only way to be completely safe is to bring your own charger plug as well as USB cable, or use your own portable power packs instead.

Valid points but the problem is if something is free people will use it!

If something is free, you are the product, as the saying goes. This is equally true of free samples in supermarkets enticing you to spend money, as it is of Facebook and Google mining and selling all your data.

[crwth]

Using your own cable is not enough. Plugging a cable from your device in to a public socket, charger, power point, etc. could still compromise your device. Your cable will happily transmit anything it is told to, including any malware from chips hidden inside the socket or charger unit you just connected to.

Well, there's another solution to that where you would use a Non-Data transferring cable. I think that's how they could get your data but when it's just power, it's okay, no data transferring.

The only way to be completely safe is to bring your own charger plug as well as USB cable, or use your own portable power packs instead.

I agree with the fact that you could still use a compromised socket with the charging of a power bank then charging your phone from the power bank. Just like in the video. I think it's an okay thing.

[o_e_l_e_o]

Well, there's another solution to that where you would use a Non-Data transferring cable.

Yeah, I mentioned those in a previous post. You can buy them fairly cheaply, or buy a small adapter to plug on to the end of an existing USB cable which will prevent data transfer. You can even make one yourself by removing the data pins from an existing cable, and you can find instructions online to show you how to do this.

I agree with the fact that you could still use a compromised socket with the charging of a power bank then charging your phone from the power bank.

A power bank is just a battery. As far as I'm aware, they don't contain any hardware with the capability to store malware, so connecting one to a malicious charger is safe as any malware can't copy itself to the power bank. That's not to say malicious power banks don't also exist, and an attacker could very well open one up and hide a microchip or two inside.

[naska21]

snip

Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with ordinary multimeter. Opposite to original USB cable, touching the data wires of the same color   on the opposite  sides of "harpoon" should result in non zero readings.

[crwth]

You can even make one yourself by removing the data pins from an existing cable, and you can find instructions online to show you how to do this.

I didn't know you could actually DIY a cable. I wouldn't prefer to do that because I don't think I would be successful in the first few tries that I would do.

That's not to say malicious power banks don't also exist, and an attacker could very well open one up and hide a microchip or two inside.

Maybe creating one is more complicated than just using a malicious wire or something. If someone is to create it, it's just a waste of resources, like the weights/batteries inside of it, it's not gonna do anything or would just add to the data powerline and make charging slow. Or something like that.

Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with ordinary multimeter. Opposite to original USB cable, touching the data wires of the same color   on the opposite  sides of "harpoon" should result in non zero readings.

If our smartphones could have an instant multimeter, that would be awesome. I wouldn't want to bring a multimeter anywhere I go. Great tip btw. To be clear, it's the resistance readings, right?

[o_e_l_e_o]

I didn't know you could actually DIY a cable.

Take any standard USB cable with a male USB A end (the normal PC/laptop connector). If you look in the end of it you will see 4 metal pins embedded in the white plastic part, inside the outer metal casing. The two outer pins transmit power, the two inner pins transmit data. If you cover or remove the two inner pins, then you have made yourself a power only cable.

This is fairly easily done, in one of two ways. You can simply cut a piece of tape to size and cover the two inner pins to make a reversible power only cable, but be absolutely sure you have entirely covered the pins, as if any connection remains (however small) data can still be transmitted. More securely, but irreversibly, you can remove the two pins without much hassle. You don't need to open the casing at all - simply use a small flat-head screwdriver or similar to prise the two middle pins up, and a pair of pliers to pull them out.

[naska21]

snip

Arguably that USBharpoon should be easy to spot by testing the cable's wiring for continuity with ordinary multimeter. Opposite to original USB cable, touching the data wires of the same color   on the opposite  sides of "harpoon" should result in non zero readings.

If our smartphones could have an instant multimeter, that would be awesome. I wouldn't want to bring a multimeter anywhere I go. Great tip btw. To be clear, it's the resistance readings, right?

Yeah, test for continuity in electrical wire means measuring its resistance, so to do it you need to select pertaining mode for multimiter. You can also use continuity tester to check whether USB cable is "harpooned" or not. In this case two central pins on one side of the cable must be shorted together when probe and the second  end of the tester touch central pins on the opposite cable side.

[Ann1989]

The above article says that the cable creates a wireless hotspot which means that the hacker would need to be close to the victim to take advantage of the vulnerability. It is still a scary thought if the person who sells it to you knows where you live or where you will be using it.

I think it's best to use air-gapped hardware wallets. They don't have any physical points of attack. All transactions happen through a QR code.

[jerry0]

What about cables on amazon though?

[o_e_l_e_o]

What about cables on amazon though?

Probably safe. Maybe not, though.

Amazon sell items from a huge number of different retailers. It is impossible for them to vouch for/verify every single one of them. Even items sold directly by Amazon, or even produced by Amazon such as the AmazonBasics range, could be subject to attack. What if a rogue employee on the production line started slipping chips in to their cables? How many do you think would get out before someone else picked it up in quality control? Impossible to know.

The only way you could be 100% safe is if you build your own cable from scratch. There was a recent topic started about this here: https://bitcointalk.org/index.php?topic=5218898.0. You have to consider, though, that if you are this concerned about a supply chain attack on a USB cable, what about the same attack on any of the hardware inside your computer or your phone?

[jerry0]

Has anyone here had a case like this though?  Again cables seem very scary because of this.

[DaveF]

When was the last time you looked at the USB plug where your keyboard is plugged into:
https://hackerwarehouse.com/product/keygrabber/

What do you know about your network switch:
https://www.amazon.com/Dualcomm-DCSW-1005PT-Ethernet-Network-Pass-Through/dp/B003PCHAC6

Or how about your network cable:
https://greatscottgadgets.com/throwingstar/

Yeah, all of the above require access to you PC / home / office as opposed to just buying a wonky cable. Not going to dispute that.
But, most people are not even aware that things like this exist so it's probably good to put it out there.

-Dave

[jerry0]

What if your computer is locked on windows?  I assume that doesn't do anything right?


Now if your computer isn't turned on... i assume no issue?



What if you use veracrypt or bitlocker on it?  I assume as long as you aren't logged in your computer, the usb charging cable can't do anything?

[bob123]

~snip~

Hello old friend..

What if your computer is locked on windows?  I assume that doesn't do anything right?

Whether the computer is locked, doesn't matter.
Windows is shitty enough that the "lock" simply means you can't move your mouse etc. without entering the password.

Inserting an USB device which executes malicious code is still doable.

Now if your computer isn't turned on... i assume no issue?

If it is not turned on, how is it supposed to execute code?
If the CPU is turned off, it can't do anything.

What if you use veracrypt or bitlocker on it?  I assume as long as you aren't logged in your computer, the usb charging cable can't do anything?

Full disk encryption? And turned off?
Same as above.. if the PC is not turned on, it can not execute code.

[Pmalek]

Bump