Bitcoin Forum
November 11, 2024, 02:49:13 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: anyone make their own USB cables from scratch?  (Read 630 times)
vapourminer (OP)
Legendary
*
Offline Offline

Activity: 4508
Merit: 4102


what is this "brake pedal" you speak of?


View Profile
January 19, 2020, 01:41:22 PM
Merited by Welsh (2), Lucius (1), ABCbits (1), 20kevin20 (1)
 #1

per title.. would suck bad to use a compromised cable with a hardware usb connected wallet. maybe this is overblown? although this (bluetooth chip or even just memory to cache communications) is in prototype phases and as such it is a real possibility.

as it seems with the extremely small chips that could be hidden in a usb cable/connector now, and the proof of concepts out there demonstrating it. so to protect against that, seems it should be easy to make your own cables to meet minimum usb1.1 spec.

anyone done so?

EDIT: aaack. meant to put this in Hardware Wallets. if a mod could please move it there if more appropriate, thanks.
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18746


View Profile
January 19, 2020, 02:32:37 PM
Merited by Welsh (4), vapourminer (2)
 #2

Kind of, but it's unnecessary.

The whole point of a good hardware wallet (such as a Ledger device) is to protect your keys (and therefore your coins) from malware and other attacks, including when connecting them to compromised software or hardware. The most that a compromised cable could do would be to change the transaction between you clicking to sign it on your computer and it showing up on the screen of your hardware device. In that case, provided you double check what shows up on your hardware device matches what you have tried to do on your computer, then you will recognize the attack immediately. Your keys never leave the device and so couldn't be stolen. If the cable tried to change your transaction after you had signed it on your hardware wallet and were sending it back to your computer, then it would become invalid and wouldn't be accepted by the network.



Easier than building your own from scratch would be to just open up the casing on a cable you have to make sure there are no extra chips hidden in there. If you want to build your own, you can buy entire DIY USB kits, or male and female connectors for a few bucks and strip an old cable that you already own. You can also find no-solder connectors that you can just screw the cables in to if you don't have a soldering iron. I followed this guide from the geekhack forums when I did it several years ago: https://geekhack.org/index.php?topic=44924.0. I had an extra long cable which had become damaged at one end, and wanted to repair it rather than buy a new one. The repair worked, but my handiwork was even less robust than the manufacturer's and it wore through again within a few months, so I just bought a good quality braided cable instead.
vapourminer (OP)
Legendary
*
Offline Offline

Activity: 4508
Merit: 4102


what is this "brake pedal" you speak of?


View Profile
January 19, 2020, 03:01:58 PM
Merited by o_e_l_e_o (1)
 #3

yes, trezor and other hardware wallets that you confirm addys and amounts are the same as the computer displays prevent most attacks.

i also lump in "badusb" type stuff that may not target the wallet, but want to inject malware to that machine, hoping to get other data. should of been more clear, my bad.

i have looked into just buying bulk usb cable and connectors. probably make some just for piece of mind.

EDIT: nice site, bookmarked.
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18746


View Profile
January 19, 2020, 04:48:27 PM
Merited by vapourminer (1)
 #4

i also lump in "badusb" type stuff that may not target the wallet, but want to inject malware to that machine, hoping to get other data. should of been more clear, my bad.
Oh yeah, in that case, it's certainly a vector of attack to be aware of. There are devices on the market such as USBHarpoon and USBNinja that anyone can purchase and configure, which are essentially a BadUSB attack hidden inside a USB cable. The cable will perform normally otherwise, transmitting power and data to any connected devices, and can be programmed to deliver the attack when it detects periods of inactivity (so less chance of being detected) or when it is triggered by Bluetooth or an antenna. There's also the possibility of attacks similar to juice jacking.

These attacks are the reason you should never use public charging stations' provided cables, and should only use the station at all if you can connect to it with your own power only USB cable, which is unable to transmit data of any sort. You can buy such cables, but they are very simple to create yourself - take any existing USB cable, and remove the inner two data pins, leaving only the outer two power pins. Although its nicer if you open up the casing and remove the pins gently, you can also achieve this by just pulling them out with a small pair of pliers.
vapourminer (OP)
Legendary
*
Offline Offline

Activity: 4508
Merit: 4102


what is this "brake pedal" you speak of?


View Profile
January 19, 2020, 05:24:40 PM
 #5

heh yeah ive never used airport or hotel charger ports, i always bring my own battery banks and cable (for on the go) and bring my own wall powered usb chargers, usually just need quality extrnally powered hub as most support hi speed charging protocols on some/all ports.

with supply chain attacks happening more and more sooner or later compromised cables will be out in the wild, if not there already. i never use cable that come with hardware wallets any more; they go into the trash (overly paranoid? you bet!). im sure theyre fine, but my philosophy is you cant be too prepared, especially in security.

i plan on whipping up a bunch of self built  usb 2,(whatever) cables purely for my own peace of mind.

hugeblack
Legendary
*
Offline Offline

Activity: 2688
Merit: 3971



View Profile WWW
January 21, 2020, 12:02:17 PM
 #6

You do not have to be anxious about these attacks, even if you use a harmful USB, the hacker still needs some permissions from you to be able to carry out the attack successfully, in fact, these attacks are based on the fact that your computer allows and enables HID devices on all USB ports.

The easy solution: Use only a reliable USB link, avoid connecting any unknown connections, you can check the connection by dismantling part of it.
The difficult solution: Add some codes that deny access to these permissions.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
vapourminer (OP)
Legendary
*
Offline Offline

Activity: 4508
Merit: 4102


what is this "brake pedal" you speak of?


View Profile
January 21, 2020, 10:11:37 PM
 #7

The difficult solution: Add some codes that deny access to these permissions.

how would that work? any links or such?
AltcoinBuilder
Copper Member
Jr. Member
*
Offline Offline

Activity: 85
Merit: 5


View Profile WWW
January 23, 2020, 07:35:26 AM
 #8

if you are worry about usb cable, always use branded, original cables from famous companies and that will be ok
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18746


View Profile
January 23, 2020, 10:08:08 AM
Merited by vapourminer (1)
 #9

Why? Because shady individuals never apply to work at famous companies? How much oversight do you really think companies like Apple or Samsung put in to churning out millions of USB cables? You think every single one is quality control checked by at least two different people? If a rogue employee at Apple wanted to start embedding chips in to USB cables, they could probably get a good few thousand out before someone in quality control or a consumer picked it up.

It's a very unlikely attack, as each cable is probably only going to be used by one or two individuals. Much better to put a malicious cable at a public charging point and infect 100s of users a day. If, however, it's a vector of attack you want to protect against, then using cables from famous companies offers very little additional protection.
AltcoinBuilder
Copper Member
Jr. Member
*
Offline Offline

Activity: 85
Merit: 5


View Profile WWW
January 23, 2020, 02:53:03 PM
 #10

Ability to do such thing in a company like Apple or Samsung with high control on employees is very low. According to this article they need to insert a wifi chip in cable's socket to remotely accept hacker's command. they also need to know who bought that fake cable they created in product line and then go close enough to victim to connect to wifi chip.... it is mission impossible. so that will be safer to use original cable than buying ready USB sockets online and creating cable himself. those sockets are more dangerous and may equipped with such chips.
next level could be using 007 USB cable Grin
DaveF
Legendary
*
Offline Offline

Activity: 3654
Merit: 6666


Crypto Swap Exchange


View Profile WWW
January 23, 2020, 03:07:14 PM
Merited by Welsh (2), vapourminer (1)
 #11

For *charging* you can get away with making your own cables fairly easily. I have done it and repaired some.
For data transfer, it's a bit more picky. They did work but with 1.1 speeds, the tolerances are easy for a machine to solder tougher for a human THAT DOES NOT DO IT WELL.
You can get away with many solder connections that are OK or even pretty good, to get full USB speed it's more difficult.

At least for me.

-Dave

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18746


View Profile
January 23, 2020, 03:19:05 PM
 #12

they need to insert a wifi chip in cable's socket to remotely accept hacker's command. they also need to know who bought that fake cable they created in product line and then go close enough to victim to connect to wifi chip.
A WiFi chip and proximity to the cable is completely unnecessary. If the device is set up to accept USB devices (as many are by default), a chip can execute any arbitrary code, including clipboard malware, key logging, screen capturing, uploading data from the device, or even downloading a payload over the internet.

those sockets are more dangerous and may equipped with such chips.
How? If you are buying individual components to assemble yourself, where are they going to hide a chip that you won't notice it?
jerry0
Full Member
***
Offline Offline

Activity: 1792
Merit: 186


View Profile
February 15, 2020, 08:19:23 PM
 #13

Any cases where there is malware/virus from buying cables on ebay or amazon?
Pmalek
Legendary
*
Offline Offline

Activity: 2940
Merit: 7550


Playgram - The Telegram Casino


View Profile
February 16, 2020, 10:39:21 AM
Merited by vapourminer (1)
 #14

Any cases where there is malware/virus from buying cables on ebay or amazon?
I cant remember a particular case where i have read of an infected series of cables being distributed over Ebay/Amazon but it is possible, why not. A malicious person could infect at least a few devices before negative comments start to flow in. After that the users would become cautious and ebay/amazon could delete the sales threads.

▄▄███████▄▄███████
▄███████████████▄▄▄▄▄
▄████████████████████▀░
▄█████████████████████▄░
▄█████████▀▀████████████▄
██████████████▀▀█████████
████████████████████████
██████████████▄▄█████████
▀█████████▄▄████████████▀
▀█████████████████████▀░
▀████████████████████▄░
▀███████████████▀▀▀▀▀
▀▀███████▀▀███████

▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
 
Playgram.io
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀

▄▄▄░░
▀▄







▄▀
▀▀▀░░
▄▄▄███████▄▄▄
▄▄███████████████▄▄
▄███████████████████▄
▄██████████████▀▀█████▄
▄██████████▀▀█████▐████▄
██████▀▀████▄▄▀▀█████████
████▄▄███▄██▀█████▐██████
█████████▀██████████████
▀███████▌▐██████▐██████▀
▀███████▄▄███▄████████▀
▀███████████████████▀
▀▀███████████████▀▀
▀▀▀███████▀▀▀
██████▄▄███████▄▄████████
███▄███████████████▄░░▀█▀
███████████░█████████░░
░█████▀██▄▄░▄▄██▀█████░
█████▄░▄███▄███▄░▄█████
███████████████████████
███████████████████████
██░▄▄▄░██░▄▄▄░██░▄▄▄░██
██░░░░██░░░░██░░░░████
██░░░░██░░░░██░░░░████
██▄▄▄▄▄██▄▄▄▄▄██▄▄▄▄▄████
███████████████████████
███████████████████████
 
PLAY NOW

on Telegram
[/
n0nce
Hero Member
*****
Offline Offline

Activity: 882
Merit: 5918


not your keys, not your coins!


View Profile WWW
May 26, 2022, 10:51:39 PM
Merited by vapourminer (2)
 #15

The most that a compromised cable could do would be to change the transaction between you clicking to sign it on your computer and it showing up on the screen of your hardware device.
I think it would also be possible for a badUSB cable to intercept the xpub or individual public keys that are sent from device to host and then send those to a server for deanonymization, wouldn't it?

Any cases where there is malware/virus from buying cables on ebay or amazon?
Should be highly unlikely since the cables in question are much more expensive than regular USB cables so they cannot be sold for like $10 without taking a loss. They are just used for targeted attacks. For instance, someone handing you such a cable, or distributing them in the office.

USB attacks in the wild also happen in airports or other public places where there are free phone charging spots. You connect the phone to a bad USB socket or cable and get infected with some malware / virus / tracker. Speaking of airports: border security of some nations intentionally infects devices of visitors to spy on them.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
vapourminer (OP)
Legendary
*
Offline Offline

Activity: 4508
Merit: 4102


what is this "brake pedal" you speak of?


View Profile
May 26, 2022, 11:42:56 PM
Merited by n0nce (1)
 #16

USB attacks in the wild also happen in airports or other public places where there are free phone charging spots. You connect the phone to a bad USB socket or cable and get infected with some malware / virus / tracker. Speaking of airports: border security of some nations intentionally infects devices of visitors to spy on them.

thats why when i travel i never use usb charge sockets in airports and hotel rooms. i bring several usb battery banks for my phones and ebook reader for on the go recharging. in hotel rooms i always bring my own powered hubs.. like the ones that plug into conventional wall power and can charge 10+ usb items and such. plus spare hubs and cables so when one craps out i have spares. no need to by crap stuff cuz youre out.
NotATether
Legendary
*
Offline Offline

Activity: 1778
Merit: 7372


Top Crypto Casino


View Profile WWW
May 27, 2022, 07:11:11 AM
Merited by vapourminer (1)
 #17

But if hardware wallets encrypt all data being transmitted from the device to the PC with an AES key [hardcoded in both hardware device and software library], then wouldn't a malicious cable only be able to read gibberish anyway?

After all, it's not like they can get an Ethernet interface or WiFi interface inside it and relay the gibberish to some remote server to attempt to brute-force the key. Or try to do it themselves by putting a mini-ASIC of some sort.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
o_e_l_e_o
In memoriam
Legendary
*
Offline Offline

Activity: 2268
Merit: 18746


View Profile
May 27, 2022, 07:56:28 AM
Merited by vapourminer (3)
 #18

But if hardware wallets encrypt all data being transmitted from the device to the PC with an AES key [hardcoded in both hardware device and software library], then wouldn't a malicious cable only be able to read gibberish anyway?
A malicious cable could still inject and run arbitrary code on the computer you are connecting the hardware wallet to, and steal your unencrypted public keys or addresses from there. So although a good hardware wallet should protect you from any direct security risks associated with a malicious cable, as n0nce says there is still a privacy risk.

thats why when i travel i never use usb charge sockets in airports and hotel rooms. i bring several usb battery banks for my phones and ebook reader for on the go recharging. in hotel rooms i always bring my own powered hubs.. like the ones that plug into conventional wall power and can charge 10+ usb items and such. plus spare hubs and cables so when one craps out i have spares. no need to by crap stuff cuz youre out.
Go one step further, and make sure all the cables you are carrying with you are power only cables (except maybe one data cable if you need to connect up your hardware wallet/phone/tablet/laptop to each other). That way, you can use public charging points or hotel charging points without risk of transmitting any data to or from your devices. You can buy such cables or make them yourself as I described above. You can also buy small adapters which connect to regular USB cables and only attach to the power pins, leaving the data pins disconnected - search for USB defender or USB blocker.

vapourminer (OP)
Legendary
*
Offline Offline

Activity: 4508
Merit: 4102


what is this "brake pedal" you speak of?


View Profile
May 27, 2022, 11:56:20 AM
 #19

You can also buy small adapters which connect to regular USB cables and only attach to the power pins, leaving the data pins disconnected - search for USB defender or USB blocker.

sweet. gonna grab me some pronto.
BitMaxz
Legendary
*
Offline Offline

Activity: 3430
Merit: 3168


Playbet.io - Crypto Casino and Sportsbook


View Profile WWW
May 27, 2022, 02:05:07 PM
Merited by vapourminer (1)
 #20

You can also buy small adapters which connect to regular USB cables and only attach to the power pins, leaving the data pins disconnected - search for USB defender or USB blocker.

sweet. gonna grab me some pronto.

Why not strip the wire instead and cut the two lines the data+(green wire) and the data-(White wire) then two negative(Black) and positive(Red) should remain then use heat shrink to cover it back. If you need the cable for other things to transfer data make sure it's not related to your wallet or any important data then you can strip it again and connect those two cut lines.

Or buy an adapter like this below then put a tape on the two pins in the middle


███████████████
█████████████████████
██████▄▄███████████████
██████▐████▄▄████████████
██████▐██▀▀▀██▄▄█████████
████████▌█████▀██▄▄██████
██████████████████▌█████
█████████████▀▄██▀▀██████
██████▐██▄▄█▌███████████
██████▐████▀█████████████
██████▀▀███████████████
█████████████████████
███████████████

.... ..Playbet.io..Casino & Sportsbook.....Grab up to  BTC + 800 Free Spins........
████████████████████████████████████████
██████████████████████████████████████████████
██████▄▄████████████████████████████████████████
██████▐████▄▄█████████████████████████████████████
██████▐██▀▀▀██▄▄██████████████████████████████████
████████▌█████▀██▄▄█████▄███▄███▄███▄█████████████
██████████████████▌████▀░░██▌██▄▄▄██████████████
█████████████▀▄██▀▀█████▄░░██▌██▄░░▄▄████▄███████
██████▐██▄▄█▌██████████▀███▀███▀███▀███▀█████████
██████▐████▀██████████████████████████████████████
██████▀▀████████████████████████████████████████
██████████████████████████████████████████████
████████████████████████████████████████
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!