
WiFi Hides Inside a USB Cable - glax
https://hackaday.com/2019/02/18/wifi-hides-inside-a-usb-cable/
======
psophis
About a month ago I found a similar device on aliexpress that has GPS and SIM
card slot:

[https://www.aliexpress.com/item/1m-USB-Charging-Data-Cable-f...](https://www.aliexpress.com/item/1m-USB-Charging-Data-Cable-for-GPS-Locator-GPS-Positioning-Pick-up-Line-Tracker-Remote-Tracking/32822576534.html)?

~~~
vetler
Would be even scarier with eSIM, but I suppose it's just a matter of time
before we get that.

~~~
qrbLPHiKpiux
I bet it's there, someplace, for some time now.

------
itissid
This is scary. I mean someone can just replace the cables in my house and my
phones and computer would become infected. I can't even imagine the headache
this does for companies' cybersecurity practices.

A rogue janitor replaces the usb cables on some of the employees of a company
that makes $INSERT_SUPER SECRET_TECH$ and done.

~~~
TylerE
How? I've never seen a device, certainly not a PC, that will just randomly
connect to any router it sees without some sort of user input.

~~~
snazz
My understanding is that it allows an attacker connected to it via WiFi to
mess with the plugged-in computer using USB (pretending to be a keyboard).

See the Twitter video: [https://mg.lol/blog/omg-cable/](https://mg.lol/blog/omg-cable/)

~~~
muthdra
A secretly-IoT keyboard that shares your key presses and may "type" malicious
stuff when you're not looking at it; the OS wouldn't be able to tell it's not
you doing the typing. Not scary at all, no sir.

~~~
yipbub
It can't read your keypresses (I think)

~~~
blattimwind
It can't (unless it's the keyboard cable).

~~~
ngcc_hk
HID usually OK with systems and hence a wireless mouse and keyboard pretended.

A Windows hack may be - The “mouse” would ask to move to leftmost bottom
corner then click. Type searching terms like Cmd<r>. Then if can get hold of
the Windows one is in ...

Any better idea?

~~~
tyingq
<windows-key>R brings up a run dialog with the focus already in the text box
waiting for a command. No mouse needed.

------
jchrisa
If you can do this for kicks, imagine what you can do with a budget.

~~~
NamTaf
It's basically what the NSA's ANT catalogue had in their COTTONMOUTH devices,
among others [1]

[1]:
[https://en.wikipedia.org/wiki/NSA_ANT_catalog](https://en.wikipedia.org/wiki/NSA_ANT_catalog)

~~~
nyolfen
[http://www.nsaplayset.org/turnipschool](http://www.nsaplayset.org/turnipschool)

------
Animats
Naomi Wu reported on those last August.[1] There's one on Amazon that uses
GSM, but it's 2G.[2]

[1]
[https://twitter.com/realsexycyborg/status/103190315541447884...](https://twitter.com/realsexycyborg/status/1031903155414478848?lang=en)

[2] [https://www.amazon.com/Jiusion-Listening-Surveillance-Quad-b...](https://www.amazon.com/Jiusion-Listening-Surveillance-Quad-band-Lightning/dp/B06X42SGPY)

~~~
strictnein
This is a couple levels past just a simple audio recording device.

It's a remote control rubber ducky and more.

------
raphlinus
I'm wondering whether any of the Google security team will use this for their
"leaving tradition" [1], or whether it's considered cheating, just too easy.

[1]:
[https://twitter.com/LeaKissner/status/1085624255381827584](https://twitter.com/LeaKissner/status/1085624255381827584)

~~~
usepgp
I worked on a security team that did this when I left - I taped & signed every
USB connection at my desk and checked the signatures every time before I
unlocked it.

~~~
justaj
I must be out of the loop but, how do you sign USB connections?

~~~
Etheryte
"Tape and sign" sounds like apply tape and add a signature on the tape that
you don't expect anyone else to be able to replicate reliably.

------
miguelmota
Here's the announcement tweet with a video demonstration:

[https://twitter.com/_MG_/status/1094389042685259776](https://twitter.com/_MG_/status/1094389042685259776)

------
entire-name
I guess even some sort of "signed device protocol" will not work. An attacker
can just create a device that guesses the device identifier (or whatever is
used to create the signature). Then, the attacker device can just keep
guessing until it gets it right. Chances are, some serial number or similar
will be used for this, so continuous guessing is feasible.

Will the solution to this, then, be to have some sort of "smart card enabled
device"? For example, assuming TOFU, you manually accept all devices' public
keys (and all devices, including cables and stuff will have one of these).
Then, the computer will have to verify all actions done by those devices by
sending a challenge for each action. But this seems impractical and
inefficient...

Perhaps physical security is the only way for this...

~~~
DaiPlusPlus
On Windows XP this would display a “new device: keyboard connected” balloon
and the Safely Remove Device icon would immediately set off my spidersense -
it’s unfortunate that newer releases of Windows hide those notifications by
default and the only clue that something might be wrong would be hearing the
generic device connected sound multiple times in quick succession which many
users might think was their sound-card glitching.

I think a solution is for OSs to only allow the automatic mounting of newly-
attached devices if they’re “passive” (e.g. mass storage - assuming no
autorun.ini, output-only devices, HID class devices that only expose game-
controller functionality, etc) - other device classes like mice and keyboards
plugged-in to non-trusted ports should always require explicit approval.

While we’re on the subject: keyboards can be massively improved by adding
over-the-wire encryption to prevent keyboard-port logging, and the USB
keyboard class should be extended to include the keyboard declaring its layout
to the host OS. It’s silly that we still need to configure keyboard language
settings or that the OS infers it from our regional settings.

~~~
cheerlessbog
How would you approve the keyboard without using the keyboard?

Anyway since we are assuming physical access, they could just swap out your
keyboard for one that works normally until you go for lunch, then starts
typing for itself..

~~~
wmf
The OS could display a random sequence of keys that you have to press to
enable the keyboard. If the evil cable can't see the screen it wouldn't know
what keys to transmit.

This is not a serious suggestion since it would be annoying to most people.

~~~
DaiPlusPlus
No more annoying than Bluetooth pairing PINs or iOS's passcode-to-use-USB
prompts. If the keyboard has secure stateful memory (e.g. for a client-
certificate or client-secret) then the user would only have to enter it once.
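
The device-class approval policy proposed in this sub-thread, sketched as an added example (not code from the thread or from any operating system): it walks a raw USB configuration descriptor and asks for approval when any interface is not passive. The sample descriptors are constructed, and treating only mass storage as passive is an assumption of this sketch.

```python
# Added example, not from the thread. Class codes are the USB-IF assigned values.
import struct

HID, MASS_STORAGE = 0x03, 0x08
PASSIVE = {MASS_STORAGE}                     # assumption: only storage auto-mounts
BOOT_PROTOCOL = {1: "keyboard", 2: "mouse"}  # bInterfaceProtocol values for HID

def interfaces(config: bytes):
    """Yield (class, subclass, protocol) for each interface descriptor."""
    pos = 0
    while pos < len(config):
        length = config[pos]                 # bLength of the current descriptor
        if length < 2 or pos + length > len(config):
            raise ValueError(f"malformed descriptor at offset {pos}")
        if config[pos + 1] == 0x04:          # bDescriptorType: INTERFACE
            if length < 9:
                raise ValueError(f"short interface descriptor at offset {pos}")
            yield tuple(config[pos + 5:pos + 8])
        pos += length

def decide(config: bytes, trusted_port: bool = False):
    """Return ('allow' | 'ask', reasons) for a newly attached device."""
    reasons = []
    for cls, _sub, proto in interfaces(config):
        if cls == HID:
            # bInterfaceProtocol is only set for boot-interface devices, so an
            # HID interface with protocol 0 may still be a keyboard: ask anyway.
            reasons.append("HID " + BOOT_PROTOCOL.get(proto, "unspecified input"))
        elif cls not in PASSIVE:
            reasons.append(f"class 0x{cls:02x}")
    return ("allow" if trusted_port or not reasons else "ask"), reasons

def _config(*ifaces):
    """Build a constructed configuration descriptor from (class, sub, proto)."""
    body = b"".join(bytes([9, 0x04, n, 0, 0, c, s, p, 0])
                    for n, (c, s, p) in enumerate(ifaces))
    head = struct.pack("<BBHBBBBB", 9, 0x02, 9 + len(body), len(ifaces),
                       1, 0, 0x80, 50)
    return head + body

# Constructed samples: a plain flash drive, and a composite device that
# presents storage plus a boot keyboard interface.
PLAIN_DRIVE = _config((0x08, 0x06, 0x50))
COMPOSITE = _config((0x08, 0x06, 0x50), (0x03, 0x01, 0x01))

if __name__ == "__main__":
    for name, cfg in (("drive", PLAIN_DRIVE), ("composite", COMPOSITE)):
        print(name, decide(cfg))
```

The composite case is the one that matters here: a single keyboard interface on an otherwise passive device is enough to require approval.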

------
baroffoos
What is the wifi for? The only attack I can possibly see here is pretending to
be a keyboard. And you don't need wifi for that, you just need a pre
programmed set of steps to set up remote control for the pc.

------
Timothycquinn
That hardware solution sans wifi could offer some interesting security
solutions such as trusted bridge between any computer and your mobile phone.
Can't wait to see this torn down and hacked.

------
aussieguy1234
so... that could be useful to penetrate secure facilities, like nuclear
weapons bunkers/reactors. A worker is sent a cable as a "gift" or has one
substituted in by mail intercept for an actual order. Attacker waits outside
in a van and controls things over wifi.

~~~
walrus01
Also a reason why the TEMPEST standards exist, wifi isn't going to go very far
through the walls of a shielded facility that is basically a huge Faraday
cage.

------
throw7
what's the attack? the website just drones on about a cable that, as far as i
can tell, could just broadcast your keypresses over wifi.

~~~
hannasanarion
Most operating systems trust USB devices completely. You can send keystrokes
that open a text editor and type malware that'll do whatever you want, and you
can control the attack in real time via wifi.

(it couldn't read user keypresses unless they use the cable to plug in their
keyboard)

~~~
PeterisP
It certainly could read user keypresses after it typed in malware with a
keylogger, and then transmit your keypresses over _its_ wifi (not your
network, where it might be detectable) back to the attacker.

------
ElijahLynn
Can someone confirm for me? This needs a nearby wifi network that is either
open or has credentials too, correct?

The video appeared to have it connect directly to the phone or to the network
they both were on.

~~~
jwagenet
It looks like this hack uses an esp8266, which supports WiFi. Most likely the
chip is booting up its own WiFi network for the phone to connect to, the phone
is sending the payload over this network, and running the usb exploit. Some
esp family chips should also support Bluetooth.

~~~
ElijahLynn
Okay, so the attacker would need to be within range. Is that a correct
understanding?

~~~
compscistd
Although that’s implied, you could use a proxy device nearby instead

------
fghtr
Another reason to use QubesOS, where usb devices are connected to a separate
virtual machine without any networking. And any usb keyboards are only
activated after a confirmation.

~~~
diegoperini
Noob question: How do you confirm?

~~~
fghtr
Qubes is designed for laptops, so your first keyboard does not need any
confirmation (it's not connected via usb).

upd: Alternatively, for installations with a usb keyboard, this defence is
disabled.

------
rhema
Would a high voltage loop, for breaking components, be a good solution to an
attack like this? Like, fry the electronic components to verify it's just
plain metal on the insides?

~~~
proee
Perhaps, but it could start a fire. You might consider plugging into a power
supply and measuring if there is any current draw.

~~~
walrus01
USB type A male-to-female inline ammeters are really cheap, and accurate to
0.1W. I got one for ten bucks.

~~~
foobar1962
How do you know THAT doesn’t have a surveillance device inside?

~~~
walrus01
Sort of a "it's turtles all the way down" type problem, but one could always
x-ray it.

------
woodrowbarlow
the cable is cool, but i'm more excited to read about his PCB manufacturing
process. he built those tiny boards on a desktop CNC machine!

------
jayflux
Does it just connect to the first WiFi which isn't password protected? I’m
assuming it’s useless if there’s no open WiFi about?

~~~
quickthrower2
It creates a wifi hotspot and the attacker can connect to that using another
device from a distance. They can then do stuff via the USB port, for example
send key presses.

~~~
megaremote
So they have to be close by.

~~~
VikingCoder
[https://www.simplewifi.com/products/parabolic-grid](https://www.simplewifi.com/products/parabolic-grid)

"2.4Ghz wifi antenna extends a 7 degree wide cone, allowing it to perform over
large distances up to 8 miles of range."

~~~
pdkl95
Or if a real parabolic antenna is too expensive, sticking a copper wire on a
BNC connector mounted in a Pringles can (5 GHz) or wider tin soup can (2.4
GHz) works as a cheap alternative.

[https://en.wikipedia.org/wiki/Cantenna](https://en.wikipedia.org/wiki/Cantenna)

[http://www.turnpoint.net/wireless/cantennahowto.html](http://www.turnpoint.net/wireless/cantennahowto.html)

~~~
JustSomeNobody
Even simpler would be to take a standard dipole and put a corner reflector
around it (not quite as pin-point powerful, but you can still get plenty of
gain). You can make these out of roofing flashing.

------
netwanderer3
Info sec industry is a rabbit hole. Just ask Jeff Bezos.

~~~
krapp
Jeff Bezos would probably think "info sec" is a unit of time.

~~~
dsabanin
He is an Electrical Engineering and CS graduate from Princeton.

~~~
krapp
Having an engineering degree doesn't mean you necessarily know what 'infosec'
is. Different domain and discipline.

~~~
exegete
What domain or discipline (specifically undergraduate major) does infosec fall
under if not electrical engineering or computer science?

------
emilfihlman
Any links to schematics and code?

------
bellerose
Huh, so all it takes is someone to break into your home when you're gone and
swap a cable. Seems like privacy doesn't really exist for people who truly
need it. Unless they're not using any technology.

~~~
hannasanarion
Do you not use laptops? Or do you never leave your home?

~~~
bellerose
Huh? What I wrote is basically saying privacy doesn't exist for the ones who
truly need it. Since those two cases you write in question are pretty much
universal and the majority of people using technology would be prone to them.
Unless they're not using any form of technology.

------
bradgessler
Are there third party OS extensions for macOS, like Little Snitch, that act as
a firewall for USB-C devices?

It’s just crazy to me that plugging my Crapbook Pro into a USB-C power brick
could do all sorts of bad to my computer when all I need is power.

------
userbinator
_The construction of this device is quite impressive, in that it fits entirely
inside a USB plug_

The level of miniaturisation is not all that impressive, these have been
around for a while:

[https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Su...](https://www.amazon.com/Edimax-EW-7811Un-150Mbps-Raspberry-Supports/dp/B003MTTJOY)

There's no mention of using the rest of the cable as the antenna, since in my
experience the above tiny adapters have an equally tiny antenna and thus poor
reception.

~~~
tyingq
It says there's a microcontroller as well.

~~~
gumby
There's a microcontroller in the connector at each end of your USB Type C
cables.

~~~
tyingq
Well, I assume in this case, one that drives and controls the wifi independent
of whatever you plugged this into.

