Shameless plug: the hak5 community[0] is super nice and while there are "can you hack facebook" people around there is also a dearth of super kind people who are willing to put in the time to teach people about computers.
I have been watching their shows since season two and recently was granted the proud responsibility of hosting their IRC these days[1]. (which is the shameless plug)
Obviously it's built for newbies but that's part of the charm and a lot of the content gets new people interested in security and computers in general. :)
'I had developed a small reputation from my appearances at the Ice House, and on May 6, 1969, I wrangled a meeting and auditioned in an office for Steve Allen’s two producers, Elias Davis and David Pollock. They accepted me with more ease than I expected, and when I spoke with them afterward, they commented, “There seems to be a dearth of young comedians right now.” I looked puzzled. I said, “That’s odd, I don’t think there are many at all.” Their stares made me realize my blunder. I knew the word, but I had the definition backward.'
For those who may be curious, how two very similar products (USBNinja and the O.MG Cable) exist, there is a bit of history.
Both products are based on the concept of a HID attack: most modern OSs (MacOS, Linux, Windows, Android...) trust HID (Human Interface Devices) implicitly. This means that when you plug in a Keyboard, Mouse, Storage device or Network device, they work instantly. You don't need to install drivers or explicitly enable them. The newly attached devices work instantly - even on a locked device.
The advantage here is obvious. The disadvantage is more subtle, but was exploited by the Hak5 "Rubber Ducky". By emulating a HID device (or even worse, multiple HID devices simultaneously..) - you could essentially control a computer and deploy / execute anything, as if you had full control of the device.
"The Classic" PoC is the Windows "Creds" attack [1] - which unlocks locked Windows machines - later turned very, very nuclear by Samy Kamkar with PoisonTap [2], which essentially exfiltrates data, exfiltrates cookies and credentials, and permanently backdoors a locked PC.
The idea of moving from a dedicated device (Rubber Ducky) to an embedded device first came to surface with the BadUSB device [3].
The idea of moving it into a cable came from the NSA, a device called COTTONMOUTH [4][6], which was leaked during the NSA document dumps [5]. MG, the designer of BadUSB, built a prototype of this with today's resources.
RRG, the company behind the latest iterations of Proxmark 3, ChameleonTiny, etc., prototyped and built the USBNinja. Their device is built on the Arduino (Ducky) framework, as opposed to the ESP32 framework.
There is / was drama between MG (behind BadUSB) and RRG / Kevin Mitnick; MG claimed that it was his prototyped device that was brought to market first by RRG.
Drama aside, both products exist, both serve the same purposes, and from a hardware point of view, they're both incredible devices that we could have never imagined 10 years ago.
Personally, I find the framework of the USBNinja to be slightly better for practical purposes (non-degraded USB-C charging and performance, non-detectable Wi-Fi, etc.). I believe there is also a "pro" version slated for release that adds significant functionality.
Source / disclaimer for all of this: I source products for https://Lab401.com - so we performed a deep dive on both products before deciding which to stock. I also had the chance to visit the factories and witness the prototyping - absolutely fascinating.
It's worth underlining that when the COTTONMOUTH device came out in 2009, it had a value of over 1MUSD. 10 years later, arguably better and smaller devices are literally 0.01% the price, and you can have one in your hand. Progress is amazing.
I'm not sure how you managed to get almost all of this wrong.
Network adapter attacks like poisontap are not even HID.
COTTONMOUTH was hardware added inside a USB cable with the type of attack not detailed.
MG (twitter.com/_MG_) did not invent BadUSB. He was the first to put a HID attack inside a cable.
Kevin Mitnick asked MG to build him one. Two months later, Mitnick announces that he created the same cable with the help of RRD Group. In his first announcement he even said “this took longer to ship than to make!”. His collaborators (twitter.com/vysecurity) were sorely misinformed about the internals of the cable they claimed to help build. They kept saying it was totally different hardware but it ended up being the same as MG’s. Mitnick started threatening MG for telling people that he had previously shown Mitnick the internals of his prototype. MG eventually open-sourced the prototype as DemonSeed around the same time he released the OMG Cable that has much more powerful hardware.
Stop shilling for crappy people. Stop shilling for an online shop that claims to do research that most obviously it never did.
At some point iOS started asking if I want to trust the device, so I suppose if I use this malicious cable with a charger and iOS asks me about a computer or accessory, I would know things are fishy, wouldn't I?
Theoretically. Unfortunately, the device trust settings are not reliably remembered. My phone regularly asks me if I want to trust my computer despite the fact that I haven't made any changes to it. So it might be an indication that something is fishy, or (much more likely) it might just be that a trust setting has expired. Also, no device fingerprint is displayed along with the query, so there's no way to know which device the phone is actually asking you to approve.
This is true. If one uses this cable to attach to a computer, there is no way to know, but a charger is supposed to be a dumb device. I wonder if this thing detects that and does not announce itself.
I saw something about changing the cable's hardware ids to avoid this. I guess you find a piece of hardware that you know is trusted by the target phone and then copy its hardware id onto the cable if you want to evade that warning.
Maybe you first use physical access to connect to the victim’s computer, get the ID, and masquerade as it in the cable? It’s a hassle, but if the laptop is left alone in the house, doable.
Aren’t you asked every time you reestablish a connection? If I unplug my iPhone (applies to Android too but with slightly different options) and plug it back into the computer I simply get prompted again. I think the trust is ephemeral and is forgotten the moment you disconnect from the USB port. From the phone’s perspective there doesn’t seem to be a trust store where devices are uniquely identified and remembered.
I had a similar experience. It took me a long time to find out that if "Personal Hotspot" is turned on, the iPhone will always ask to trust when connecting to a computer.
> There doesn't seem to be any pattern to it that I have been able to discern.
How often do you charge your phone? I only get those prompts when charging with a computer, not with a charger. One explanation might be that it remembers your computer for 1 week (random guess), but if you irregularly connect your phone to your computer it might seem random to you.
> There doesn't seem to be any pattern to it that I have been able to discern.
In sufficiently complex software, things can appear to be random (or magic), even when they are neither. — I seldom trust myself to declare something random in computer technology, just because I haven’t figured out the pattern (yet).
In this case it doesn't matter. The indiscernibility of a pattern has the same effect as the absence of a pattern, namely, I can't tell whether or not the device that my phone is asking me about is actually my computer or malicious hardware embedded in my USB cable.
I didn’t think the device had any way of telling if the cable was malicious. So even if it wouldn’t ask repeatedly, you wouldn’t know if the cable was evil? So I’m not sure if the question “do you trust the device you just plugged in” does much of anything other than giving you a chance to reconsider? Also, is there a chance that the trust is lost on a weird AI timer? For example, a little while ago, my phone asked, if I wanted an alarm set to a specific time on a specific weekday morning, apparently just because I needed such an alarm for 2 weeks in a row. That made the pattern easy to recognize, but it also told me that the phone AI is trying too hard to learn about me. - I assume you’re always using the same cable? And I also assume you don’t get the trust dialog when plugging into a wall charger directly?
> I didn’t think the device had any way of telling if the cable was malicious.
Well, no, but I assume it has a way of knowing if the computer I'm plugging it in to now is the same one that I plugged it in to yesterday and that I told it to trust yesterday.
The cable I'm using is the one that came with the phone, so if it was malicious that would be big news. But I just realized that I left out an important detail: my phone is not plugged directly into my computer, but is instead connected through a USB hub and an OWC Thunderbolt dock. So that muddies the waters considerably. It is not at all out of the question that one of those devices is doing something hinky, though I'll give long odds against.
> is there a chance that the trust is lost on a weird AI timer?
Extremely unlikely. This one computer is the only one my phone has ever been plugged in to (AFAIK).
> I assume you’re always using the same cable? And I also assume you don’t get the trust dialog when plugging into a wall charger directly?
Wow - it’s a strange one indeed. Your use case doesn’t even strike me as that far from a pretty normal scenario. But it illustrates how much potential for malfeasance is introduced with the chains of “smart” components that we’re increasingly required to use. And even being vigilant becomes difficult to impossible, because there are just too many vectors of vulnerability. Kinda depressing...
(The most depressing thing to me is that people actually pay money for devices like Alexa and Google Voice which are designed to spy on them. Who needs to become a hacker when people will voluntarily give up their privacy for a shiny thing?)
Just for the record: I just unlocked my phone after it was plugged in to my computer all night and it put up the "trust this computer?" dialog. I did not confirm. Instead, I turned the phone off, and plugged it back in directly to my computer without the intervening hub and dock. This time it did NOT put up the trust dialog. I plugged it back in to the hub and it once again did NOT put up the dialog.
It's very weird, and the fact that the trust dialog does not display any kind of device fingerprint makes it impossible to know what is actually going on.
Just wow - that’s pretty crazy - it sure would be interesting to find out what signals the logic/code behind the trust dialog actually looks for, and maybe even more interesting why it was designed that way, or if it’s just really buggy.
This depends on what the attached device seems to be, which of course a malevolent cable can choose.
You're correct that if I plug the phone into my PC the phone defaults to just charging from it, and needs an explicit UI intervention to offer other features - but if I plug it into my USB keyboard it just works as a keyboard, no further UI intervention needed.
I guess it's _possible_ that I forgot having one time authorised this for the keyboard, but even if that's true it means a malevolent device just needs to guess what to impersonate to get into any phone that has even once authorised such a device, because there's no cryptographic protection - if I say "I'm a Cheap Ass Generic USB Keyboard serial # 00001" then there's no way to distinguish me from the real "Cheap Ass Generic USB Keyboard serial # 00001".
Now, maybe the situation is that phones allow some safer things and not more dangerous ones. Maybe you can pretend to be a USB keyboard or mouse, but it will refuse to offer any of the file transfer type features or networking. I don't know, but my expectation is that people who've built these cables do know and there are plenty of holes.
Is your question: Do real devices do this? None that I'm aware of. Are they allowed to do this? I would be astonished if the USB-C specification has a big list of what is or is not allowed to volunteer power, seems like just an opportunity to fail more than necessary.
But anyway, suppose phones are smart enough to refuse to charge from a keyboard. These cables are remote controlled. So you plug in your phone, it charges... and then a minute later when you're distracted it gets told the charger went away... and now here's a keyboard. Attack in progress.
I reckon you could work out a procedure e.g. pretend to be power for 90 seconds, supposing experience teaches that's how long people take to forget they plugged the phone in. Then, turn the power off. Watch. An attentive user may notice, unplug their phone and try again thinking the cable may be faulty. Re-enable power when the phone vanishes. If not, after giving them say 30 seconds to notice switch to keyboard mode. Or you could just wing it. A lot of good physical penetration testers "wing it" all the time.
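The "charger disappears, keyboard appears" switch described above (and the implicit HID trust discussed earlier in the thread) leaves a trace in the host's kernel log. This is an added example, not code from any commenter or product: it scans Linux dmesg-style lines and flags a HID keyboard that enumerates on a port shortly after a non-keyboard device disconnected there. The log lines, vendor/product IDs and the 30-second window are all constructed for the example.

```python
"""Flag USB ports where a HID keyboard appears right after a non-keyboard
device disconnected (constructed dmesg-style lines; not real hardware IDs)."""
import re

WINDOW_SECONDS = 30.0  # assumed: how soon after a disconnect a keyboard is suspicious

RE_TS = re.compile(r"^\[\s*([\d.]+)\]\s*(.*)$")
RE_GONE = re.compile(r"^usb \d+-([\d.]+): USB disconnect, device number (\d+)")
RE_HIDKBD = re.compile(
    r"^hid-generic \S+: .*USB HID v[\d.]+ Keyboard .* on usb-[0-9a-f:.]+-([\d.]+)/")

# Constructed sample log: port 3 has a real keyboard that is unplugged and
# replugged; port 2 first shows a "charging cable", which disconnects and
# comes back two seconds later as a keyboard.
SAMPLE_LOG = """\
[  10.00] usb 1-3: new low-speed USB device number 2 using xhci_hcd
[  10.12] hid-generic 0003:1111:2222.0001: input,hidraw0: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-3/input0
[  41.10] usb 1-2: new full-speed USB device number 4 using xhci_hcd
[  41.21] usb 1-2: New USB device found, idVendor=1111, idProduct=3333, bcdDevice= 1.00
[  41.22] usb 1-2: Product: USB Charging Cable
[ 131.05] usb 1-2: USB disconnect, device number 4
[ 133.40] usb 1-2: new low-speed USB device number 5 using xhci_hcd
[ 133.61] hid-generic 0003:1111:3333.0002: input,hidraw1: USB HID v1.11 Keyboard [Generic Keyboard] on usb-0000:00:14.0-2/input0
[ 200.00] usb 1-3: USB disconnect, device number 2
[ 205.00] usb 1-3: new low-speed USB device number 6 using xhci_hcd
[ 205.30] hid-generic 0003:1111:2222.0003: input,hidraw0: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-3/input0
"""


def find_suspicious_keyboards(log_text):
    """Return (timestamp, port, severity, reason) for every HID keyboard registration.
    Severity is "high" when the same port lost a non-keyboard device within
    WINDOW_SECONDS, i.e. the re-enumeration pattern; otherwise "info"."""
    last_gone = {}      # port -> time of most recent disconnect
    was_keyboard = {}   # port -> whether the device that disconnected was a keyboard
    current_kbd = {}    # port -> whether the currently attached device is a keyboard
    alerts = []
    for line in log_text.splitlines():
        m = RE_TS.match(line)
        if not m:
            continue
        ts, msg = float(m.group(1)), m.group(2)
        gone = RE_GONE.match(msg)
        if gone:
            port = gone.group(1)
            last_gone[port] = ts
            was_keyboard[port] = current_kbd.get(port, False)
            current_kbd[port] = False
            continue
        kbd = RE_HIDKBD.match(msg)
        if kbd:
            port = kbd.group(1)
            current_kbd[port] = True
            since = ts - last_gone[port] if port in last_gone else None
            if since is not None and since <= WINDOW_SECONDS and not was_keyboard[port]:
                alerts.append((ts, port, "high",
                               f"keyboard appeared {since:.1f}s after a non-keyboard device left"))
            else:
                alerts.append((ts, port, "info", "HID keyboard registered"))
    return alerts


if __name__ == "__main__":
    for ts, port, sev, why in find_suspicious_keyboards(SAMPLE_LOG):
        print(f"[{sev}] t={ts:.2f} port {port}: {why}")
```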
Interestingly, there is no way to get an iPhone to charge off of a computer port (which will try to send data?) without trusting it. It will just refuse the connection entirely instead of accepting just power.
Not necessarily. Those notifications pop up when your cable is starting to fail as well. If your malicious cable had 'amazon basics' printed on the side and looked a little ratty, no one would bat an eye.
>Not necessarily. Those notifications pop up when your cable is starting to fail as well
I think you're talking about the "this accessory is not supported by this iPhone" prompt, not the "trust this computer?" or "allow this device to access your photos and videos" prompts. The first shows up if your cable can't be verified to be MFi compatible (via a special chip in the cable), and the last two only show up when connecting to a computer.
Not sure I’m understanding what this does? The page lacks information in the extreme. Can this keylog? Does other data just transparently pass through or can this log it? Does it show up as an HID device when not activated? What wireless bands does this operate on?
At the very least a list of specs would be greatly appreciated!
It might lead you to the original person who stole your bag, but it likely won't help you recover your devices because those are very quickly forwarded onto organized crime networks which take stolen phones, reset and refurbish them, and sell them overseas or via used goods channels.
How effective is this type of crime system with Activation Lock-secured iPhones? You can't just wipe an iPhone from DFU mode and then set it up normally without the owner's Apple ID information.
Do they try to sell to people who they know won't check if the device has Activation Lock and then disappear when the buyer discovers it doesn't work?
I know someone who fell for this. Even though they were skeptical when they received the message, they thought there was a chance it was legit, and therefore gave them some change to recover their stolen phone. I guess they had nothing to lose, as the chance of recovering the phone was ~zero anyway.
Very common to then aggressively try to phish the user's iCloud credentials and remove the activation lock; third-party vendors offer this sort of service, and they're very convincing.
I wonder if it's a perception thing--since you are hyper aware to the point you have a specialized USB cable-lojack, you are far less likely to be a victim of theft.
Similar to how self-defense training doesn't necessarily make you a skilled fighter, but instead trains you to be more aware of your situations, and therefore reduces the likelihood you will need to defend yourself.
Not this exactly but similar - for some time I've wanted a charging cable with enough fast memory on it to act as a boot drive. Normal charging cable when plugged in on both ends, boot drive when only plugged in on one. Pair with an innocuous windows laptop and you can go through airport security without worrying about compromising your data.
I assume it (a) actually functions as a cable that can charge a phone, (b) can enumerate on the USB A connection as various types of slave (such as network adapter or storage device) and use this to bridge into the computer, (c) enables connections to the cable's Wi-Fi from a phone as a means to control or monitor the cable's activities.
I initially thought this might be used to hack into phones via the Lightning or USB ports, but the security on these devices is pretty good. It seems less likely that an exploit of this value would be put into cables like this. I still worry about plugging my phone into random hotel or transport USB charge ports however... I should pick up a USB condom I guess!
I think the DEFCON exploit was having this act as a USB keyboard to the computer it’s plugged into, and using the keyboard to open terminal and execute the attack.
I poked around their site and they talk about Red Teams a lot, which are a concept of institutionalized penetration testing. Not unlike Chaos Monkey is to reliability engineering.
[0]: https://forums.hak5.org/
[1]: ircs://irc.hak5.org/hak5