USB Harpoon Is a BadUSB Attack with A Twist


Several security experts have built a malicious version of a USB charging cable, one that can compromise a computer in just a few seconds. Once plugged in, it turns into a peripheral device capable of typing and launching commands.

USBHarpoon, as its makers call it, relies on the BadUSB research from Karsten Nohl and his team at Security Research Labs. Their work showed that an attacker can reprogram the controller chip of a USB drive and make it appear to the computer as a human interface device (HID).

The type of HID can be anything from an input device like a keyboard that issues a rapid succession of commands, to a network card that modifies the system’s DNS settings to redirect traffic.

With USBHarpoon, security experts replaced the USB drive with a charging cable, something that is as ubiquitous, but less likely for users to be cautious of.

The cable comes with modified connectors that allow both data and power to pass through so it will fulfill the expected function. This feature enables it to be accompanied by any type of device that powers through USB (fans, dongles distributed at conferences), without raising suspicions about plugging the cable.

Idea has been implemented before

Behind the USBHarpoon project are Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of SYON Security, and Kevin Mitnick, who catalyzed the entire collaboration.

Yiu, who works on the design and weaponization of the cable, says that he talked to multiple fellow researchers from different labs who tried to build a project like USBHarpoon, but they “were not able to make the cable charge for whatever reason.”“My team of friends has managed to weaponize this capability to make a fully working USB cable also a compatible HID device,” he added in a blog post.

It turns out that a weaponized charging USB cable already existed and was developed by a security researcher using the Twitter handle MG.

Hiding the attack, defending against it

The USBHarpoon / BadUSB cable attack is successful on unlocked machines, where it can launch commands that download and execute a payload. On Windows, the commands can run directly from the Run prompt; on Mac and Linux it could launch a terminal and work from there.

This activity is visible on the screen, so the attacker has to come up with a method to hide it. Yiu says the team is currently exploring methods to trigger the attack when the victim is not around.

Delaying the action is one avenue they study, but there are other channels they consider for getting the desired response. Bluetooth and radio signals could be part of the solution.

Protecting against attacks that rely on a USB connection is not easy. A potential answer is to use a data-blocking device, also known as USB condom. An electronic accessory like this blocks the data pins on a USB cable and allows only power to go through.

But MG proves a valid point in a video where he shows that USB condoms can be infected just as well, and you cannot trust them unless you have a way to audit them before use.