TL;DR: A bunch of hackers went and created a BadUSB in cable form that still charges the phone.

Introduction

As Red Teamers we are always looking for means to compromise machines. Karsten Nohl had released his research on BadUSB: https://threatpost.com/badusb-patch-skirts-more-effective-options/108775/

Looking around, there were soon devices such as Hak5's RubberDucky[1] and BashBunny, which were created to emulate a Human Interface Device (HID). Essentially these were programmable USB drives that would simulate a keyboard or mouse and enter keystrokes into the target machine they are plugged into.

The most common form of this attack is one where the attacker physically plugs a USB device into an unlocked machine, and the device inputs the keyboard shortcuts and keystrokes needed to execute a malware implant. On Windows this could be Windows Key + R to trigger the Run prompt, then typing in a command to fetch and execute a payload. On Mac it could be launching Terminal and then typing in a payload.
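
The injection pattern described above can be spotted from the defender's side by keystroke timing. The following is an added example, not code from the original post or the USBNinja project; it assumes injected keys arrive faster than a person types, and the event format, device names and thresholds are constructed for illustration.

```python
from statistics import median

def sample_events():
    """Constructed (seconds, device, event) records, not captured from real hardware."""
    events = [(0.0, "kbd-desk", "attach")]
    # Human typing: 120-210 ms between keys, starting a minute after attach.
    t = 60.0
    for i in range(12):
        t += 0.12 + 0.01 * (i % 10)
        events.append((round(t, 3), "kbd-desk", "key"))
    # A "cable" that enumerates as a keyboard and types 1 s later at 5 ms per key.
    events.append((100.0, "cable-1", "attach"))
    for i in range(40):
        events.append((round(101.0 + 0.005 * i, 3), "cable-1", "key"))
    return events

def find_injection(events, min_keys=10, max_median_gap=0.03):
    """Return {device: (median_gap_s, delay_after_attach_s)} for suspicious keyboards.

    Thresholds are assumptions for illustration; tune them against real typing data.
    """
    attach, keys = {}, {}
    for ts, dev, kind in sorted(events):
        if kind == "attach":
            attach[dev] = ts
            keys[dev] = []            # a re-attach starts a fresh observation window
        elif kind == "key" and dev in attach:
            keys[dev].append(ts)
    flagged = {}
    for dev, stamps in keys.items():
        if len(stamps) < min_keys:
            continue                  # too few keystrokes to judge
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        m = median(gaps)
        if m <= max_median_gap:       # faster than plausible human typing
            flagged[dev] = (round(m, 4), round(stamps[0] - attach[dev], 3))
    return flagged

if __name__ == "__main__":
    for dev, (gap, delay) in find_injection(sample_events()).items():
        print(f"{dev}: median gap {gap * 1000:.1f} ms, "
              f"first key {delay:.1f} s after attach")
```

The delay after attach is reported rather than used as a filter, so a device that waits before typing is still flagged on speed alone.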

Masquerade

We've always known that users cannot be trusted. Social engineering has proven this over the years, being the root cause of many breaches. In my opinion the RubberDucky, the BadUSB, just looks too suspicious. Many users are now being made aware that USBs are bad, and that we shouldn't just plug them in.

We set out to make a different device, one that is more covert and can masquerade as a legitimate day-to-day device.

USBNinja

My friends have worked closely with our Red Team expertise and practical experience to craft a new device known as the USBNinja. The USBNinja can come in many forms; the one that we will show you in this blog post is the USB charging cable. We've got other options such as conference dongles, USB fans[2], and more.

Of course, images don't really demonstrate capabilities, as all you can see is a cable. We've uploaded a quick demonstration video to YouTube.

Conclusion

I've spoken to people at different labs who have hardware expertise. Some also attempted the same project, but were not able to make the cable charge for whatever reason. My team of friends has managed to weaponize this capability to make a fully working USB cable that is also a compatible HID device.

Next-generation versions are coming with hidden contraptions using triggers such as magnets for physical mode switching, or even Bluetooth for arbitrary on-the-fly execution from a distance. These are in progress as we speak.

Credits

Vincent Yiu (斯圆网络安全咨询服务) - Blog post, software, weaponization
Olaf Tan - ProxGrind
Dennis Goh - RFID Research Group
Kevin Mitnick - Mitnick Security Consulting

For the record, the guys developing this had no idea the cable already existed, and had no knowledge of prior research or any information on how the cable was made by MG. The internals and engineering were done with no prior knowledge of MG's work. Just because two things look the same on the outside does not mean they are the same on the inside. For completeness, MG - http://mg.lol/blog/badusb-cables.

If you need cyber-security consulting services, feel free to contact me!

References

[1]: https://hakshop.com/products/usb-rubber-ducky-deluxe
[2]: https://www.washingtonpost.com/technology/2018/07/03/what-was-usb-fan-given-trump-kim-summit-security-experts-say-nothing-but-dont-plug-it/?noredirect=on&utm_term=.e0362077a5d0