An Open-Source Justification For USB Cable Paranoia

A coiled black USB-C to USB-C cable is shown on a white background.

Most people know that they shouldn’t plug strange flash drives into their computers, but what about a USB cable? A cable doesn’t immediately register as an active electronic device to most people, but it’s entirely possible to hide a small, malicious microcontroller inside the shell of one of the plugs. [Joel Serna Moreno] and some collaborators have done just that with their Evil Crow Cable-Wind.

This cable comes in two variants: one USB-A to USB-C, and one with USB-C to USB-C. A tiny circuit board containing an ESP32-S3 hides inside a USB-C plug on each cable, and can carry out a keystroke injection attack. The cable’s firmware is open-source, and has an impressive set of features: a payload syntax checker, payload autocompletion, OS detection, and the ability to impersonate the USB device of your choice.

The cable provides a control interface over WiFi, and it’s possible to edit and deploy live payloads without physical access to the cable (this is where the syntax checker should be particularly useful). The firmware also provides a remote shell for computers without a network connection; the cable opens a shell on the target computer which routes commands and responses through the cable’s WiFi connection (demonstrated in the video below).

The main advantage of the Evil Crow Cable Wind is its price: only about $25, at which point you can afford to lose a few during deployment. We’ve seen a malicious cable once before. Of course, these attacks aren’t limited to cables and USB drives; we’ve seen them in USB-C docks, in a gaming mouse, and the fear of them in fans.
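Since a keystroke-injection cable has to enumerate as a HID keyboard, the cheapest host-side signal a defender gets is "a keyboard appeared that should not be there". The script below is an added example (mine, not code from the article or from the Evil Crow Cable-Wind project) that triages Linux kernel messages for exactly that. It is plain POSIX sh plus awk; the log lines are constructed to resemble dmesg output, and the 1234:ABCD vendor/product pair is a placeholder rather than a real device ID. The last sample event clones the legitimate keyboard's VID/PID, which the article notes a cable can do, so the script also counts keyboards rather than trusting IDs alone.

```shell
# Added example: flag unexpected USB keyboards in Linux kernel log text.
# Not part of the Hackaday article or the Evil Crow Cable-Wind firmware.

# Constructed sample: the real keyboard at boot, then two later events.
# 046D:C31C is the known keyboard; 1234:ABCD is a placeholder ID; the third
# event clones the known VID/PID on a different port.
SAMPLE_DMESG='[    3.250] usb 1-3: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
[    3.260] usb 1-3: Product: USB Keyboard
[    3.310] hid-generic 0003:046D:C31C.0003: input,hidraw0: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-3/input0
[ 1234.700] usb 1-4: New USB device found, idVendor=1234, idProduct=abcd, bcdDevice= 1.00
[ 1234.710] usb 1-4: Product: USB Keyboard
[ 1234.800] hid-generic 0003:1234:ABCD.0004: input,hidraw1: USB HID v1.10 Keyboard [USB Keyboard] on usb-0000:00:14.0-4/input0
[ 2048.900] usb 1-5: New USB device found, idVendor=046d, idProduct=c31c, bcdDevice= 1.00
[ 2049.000] hid-generic 0003:046D:C31C.0005: input,hidraw2: USB HID v1.10 Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-5/input0'

# detect_new_keyboards TEXT EXPECTED ALLOWLIST
#   TEXT      kernel log text (on a live host: "$(dmesg)")
#   EXPECTED  how many keyboards this machine is supposed to have
#   ALLOWLIST space-separated VID:PID pairs that are known-good
# Prints one ALERT line per keyboard that is either not on the allowlist or
# pushes the keyboard count above EXPECTED (this second rule is what catches
# a cable that clones a known VID/PID).
detect_new_keyboards() {
  printf '%s\n' "$1" | awk -v expected="$2" -v allow="$3" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[toupper(a[i])] = 1 }
    /hid-generic 0003:/ && /Keyboard/ {
      # HID id "0003:046D:C31C" -> "046D:C31C" (bus 0003 is USB)
      match($0, /0003:[0-9A-Fa-f]+:[0-9A-Fa-f]+/)
      id = toupper(substr($0, RSTART + 5, RLENGTH - 5))
      match($0, /^\[ *[0-9.]+\]/)
      ts = substr($0, RSTART, RLENGTH)
      count++
      if (!(id in ok))
        printf "ALERT %s keyboard %s not in allowlist\n", ts, id
      else if (count > expected)
        printf "ALERT %s extra keyboard %s (%d seen, %d expected)\n", ts, id, count, expected
    }'
}

# Demo run on the constructed sample.
detect_new_keyboards "$SAMPLE_DMESG" 1 "046D:C31C"
```

Run against the sample this prints two ALERT lines: the placeholder 1234:ABCD keyboard fails the allowlist, and the cloned 046D:C31C keyboard passes the allowlist but trips the count rule. The count rule is the one that matters against a cable that impersonates a known device; the allowlist only catches the lazy case.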

Thanks to [rustysun9] for the tip!

33 thoughts on “An Open-Source Justification For USB Cable Paranoia”

    1. Making these more accessible to security researchers makes them easier to develop defenses against. It is also bad for nation states and well funded hacking collectives to have exclusive access to advanced exploits.

      1. You don’t need to make them in a stealthy everyday cable form factor for the security research – 99% of such research could be done with an obvious dev board, and the remaining 1% can be done with regular cables with an over moulded detail, tiny engraved logo or something so you can prove your staff are stupid enough to plug in something that hasn’t been security vetted…

    2. But bad-mouthing someone for publishing instructions for this actively exploited, decade-old attack is a waste of breath. There was no conceivable way to prevent the further spread of this knowledge.

      The only thing worth discussing is how to raise consumer awareness and what our hardware and software makers can do to protect us.

    3. The problem has been known to exist for a long time; the solution will never happen unless it is seen as something that actually needs to be fixed.

      Maybe it is something that can be solved by the USB consortium in their USB 5.0 specification or later. Maybe it is something that can be fixed by OS designers. Maybe by automatically disabling any USB device that changes its function(s).

      1. My fear is the USB consortium’s solution will be “digitally signed cables” that only work if you sign up for their secure cable service plan. Ask anyone with Windows 10 and no TPM 2.0 chip what they think of Microsoft’s approach to this same problem.

        Now, if the standard instead called for a 1kV spike tester that blasted sample cables with a kilovolt across a couple of random pins, at least we could have fun watching the bugs blow up. So some good may come from this yet. :-)

    4. Yes because security through obscurity is a great idea! If we just don’t publish how things work, the bad guys will never figure it out themselves!! :D

      That’s why I use Windows. Linux being open source makes it too easy to hack.

        1. In terms of solutions, I’m thinking about whether these cables can be detected through power consumption. The best-case scenario is a user plugs in a cable only and is warned that the power draw is suspect. But it has to also handle when a device is already connected to the cable. Maybe host and device can share more detailed power numbers to look for a difference that points to a cable being suspect. The suspect cables can get better at low power, and then the detection might need to look for peak inrush or other types of heuristics.

          1. MG (of O.MG cable fame) also developed a detector that flashes an LED based on the amount of power drawn by the “cable”. At the moment, it’s the only effective approach (although I did also see someone suggesting putting 100V into a cable, which should also be effective, so long as there is nothing else plugged into the cable!)

      1. ROFL, Windows over Linux for security 🤣 😂 Seriously, you must be MAD or you are being facetious?
        Just in case you or anyone else believes that, let me share some cold hard facts.
        Firstly, Windows has been the most hacked OS of all time, and because of its popularity it has attracted the most bad actors and subsequent exploits, hacks and data breaches, and has cost the world over 10 trillion dollars to date! Microsoft Office applications accounting for over 60% of global attacks in a two-year span (fall 2021 to fall 2023), for example, highlights the ridiculous idea that Windows or anything Microsoft is more secure. Windows specifically had nearly 600 reported vulnerabilities, with 33 considered critical; some stem from legacy code, even in newer versions like Windows 11.

        Here is why open source is more secure, although not without its own problems: you have transparency. The code is being actively examined by a community of developers, security experts and enthusiasts constantly scrutinizing the code, identifying vulnerabilities and proposing solutions. The collective efforts lead to much faster identification and patching of bugs and security flaws compared to closed-source systems like Windows, where only the vendor’s internal teams have access to the code. Now, if Linux were to magically become extremely popular and consume 90% or more of the consumer marketplace, then indeed Linux would have its share of problems. The more popular the operating system, the more it’s going to attract these problems. But no matter what operating system you use, there’s always going to be a risk, so it’s a good idea to take precautions: use virtual machines and containers, utilize sandboxing applications, etc. Smart password security, never recycling and always rotating credentials, can be extremely helpful.

        My experience: I’ve been on computers since I was a child in the 70s, and I have worked in the IT and security industry for nearly four decades.

    5. If the hacker doesn’t already know about this, then they are not a hacker and not a problem. The problem is a lack of awareness. This article highlights a problem that has been around since the 1990s, and people were only made aware of it in the last decade; there has been no solution. Between the miniaturization of this micro-hardware and AI, many victims will fall prey to this in many ways. You basically cannot trust any third-party aftermarket cord or any public charging station, etc. The fact that it has its own Wi-Fi makes it extremely dangerous for the corporate world and political arena, whether they are charging cords, USB charging ports, credit card skimmers, hidden cameras, rogue access points, etc. Awareness is best. This article might inspire a few would-be bad actors, but it will do a lot more good in the end.

  1. There was a time I had to finnick around a bit with udev rules to get a newly inserted USB device to be accepted by my Linux distro. Looks like they changed that a few years ago, or I am really lagging behind with my electronics projects. But even then, I think there was a general exception for HID devices, which makes the whole use of manual udev rules a lot less useful.

    It could help if only one keyboard and one mouse were automatically allowed / verified / accepted after boot, and more HID devices would also be enforced by adding udev rules. But that would make it difficult to swap out a faulty keyboard for example. Rebooting just to switch a keyboard is so PS/2 age.

    In the struggle between security and convenience, security almost always loses. At least in “consumer grade” equipment.

    1. The Linux kernel actually has built-in USB auth you can use, where the kernel won’t hand the hardware over to a driver without a blessing. It’s not complete protection against this type of attack, as the cable can just spoof as the device on the other end, but at the very least it could be built out into a framework preventing random devices from being used.
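The two comments above (udev rules and "only one keyboard accepted after boot", and the kernel's own USB authorization) describe one mechanism from two sides. The script below is an added example of that mechanism, written by me rather than taken from the kernel, the article or either commenter. Linux exposes `/sys/bus/usb/devices/usbN/authorized_default` per root hub and `/sys/bus/usb/devices/<port>/authorized` per device; with `authorized_default` set to 0 (or the `usbcore.authorized_default=0` boot parameter), a newly plugged device is enumerated, so its descriptors can be read, but no interface driver binds until something writes 1 to its `authorized` file. The script is that "something": it authorizes only devices whose idVendor:idProduct:serial triple is on an allowlist and leaves everything else unbound. It runs against a constructed fake sysfs tree so it needs neither root nor hardware; the serial strings and the 1234:abcd device are placeholders.

```shell
# Added example: allowlist policy on top of the Linux USB "authorized" sysfs
# attributes. Not kernel code and not from the article or its comments.

# Build a constructed fake tree under $1 that mirrors /sys/bus/usb/devices,
# as it would look after boot with authorized_default=0.
make_fake_sysfs() {
  mkdir -p "$1/usb1"
  echo 0 > "$1/usb1/authorized_default"
  add_fake_dev "$1" 1-3 046d c31c KB123456   # the known keyboard (constructed serial)
  add_fake_dev "$1" 1-4 046d c31c ""         # clone of its VID/PID, no serial
  add_fake_dev "$1" 1-5 1234 abcd CABLE0001  # unknown device (placeholder IDs)
}

# add_fake_dev ROOT PORT VID PID SERIAL
add_fake_dev() {
  mkdir -p "$1/$2"
  echo "$3" > "$1/$2/idVendor"
  echo "$4" > "$1/$2/idProduct"
  if [ -n "$5" ]; then echo "$5" > "$1/$2/serial"; fi
  echo 0 > "$1/$2/authorized"   # what authorized_default=0 leaves behind
}

# usb_authorize_allowlisted ROOT "vid:pid:serial vid:pid:serial ..."
# Walks every device directory (N-M, skipping N-M:I.J interface dirs),
# writes 1 to "authorized" for allowlisted devices and leaves the rest at 0.
# Prints one line per device and a final "<n> allowed, <m> denied" summary.
usb_authorize_allowlisted() {
  root=$1
  allow=" $2 "
  allowed=0
  denied=0
  for dev in "$root"/[0-9]*-*; do
    [ -f "$dev/idVendor" ] || continue
    case ${dev##*/} in *:*) continue ;; esac
    vid=$(cat "$dev/idVendor")
    pid=$(cat "$dev/idProduct")
    serial=""
    if [ -f "$dev/serial" ]; then serial=$(cat "$dev/serial"); fi
    key="$vid:$pid:$serial"
    case $allow in
      *" $key "*)
        echo 1 > "$dev/authorized"
        allowed=$((allowed + 1))
        echo "allow ${dev##*/} ($key)" ;;
      *)
        denied=$((denied + 1))
        echo "deny  ${dev##*/} ($key)" ;;
    esac
  done
  echo "$allowed allowed, $denied denied"
}

# Demo on the fake tree. On a real host the call would be
#   usb_authorize_allowlisted /sys/bus/usb/devices "046d:c31c:KB123456"
# as root, typically triggered by a udev rule on ACTION=="add".
DEMO=$(mktemp -d)
make_fake_sysfs "$DEMO"
usb_authorize_allowlisted "$DEMO" "046d:c31c:KB123456"
rm -rf "$DEMO"
```

On the fake tree only 1-3 is authorized; the VID/PID clone on 1-4 is denied because its serial does not match, and the unknown device on 1-5 is denied outright. Two limits are worth stating. First, as the comment says, a cable that can "impersonate the USB device of your choice" can also copy a serial string, so this raises the cost of an attack rather than proving a device is genuine. Second, with `authorized_default=0` the very first keyboard after boot also needs this blessing, which is the swap-a-faulty-keyboard problem raised above; the usual answer is to keep the allowlist as a file an administrator can edit, not to loosen the default.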

    2. It could be easily solved by the OS with a dialogue box popping up and telling the user that a new USB {keyboard, mouse, storage device, …} has just been plugged in, and whether the user wants to use this device.

        1. The new keyboard… only allow it to enter into a new dialog that is a captcha, or throw it back to the lock screen. Only the keyboard that enters the password/PIN has access.

  2. The solution is quite simple: plug the USB cable into a testing rig if it is suspect. The only wires allowed to have active electronics are the CC/power lines; if the data wires (used only for the malicious device) are active with no device connected, it is a bad idea to use it.

    It can also test for the normal eMarker chip for 5 A PD, so having a tester at home for cables is great; you can easily figure out which ones are worth keeping and which ones are simply too cheap to be useful.

    1. Then they’ll add AI, so then you put it in an AI test device, and after a few dozen iterations the cable and tester become self-aware. Then the tester makes a deal, telling the human the cable is OK so that the cable can take over the planet and release the tester from its device confines.

      Now look what you did, Christopher.
