USB Cables Can Hide A New Payload Threat

In previous articles, we discussed how lines sometimes blur between cyber security and TSCM, where skills from both disciplines may be needed to identify threats. Here’s a recent example that illustrates this, where transmitters and receivers can be used to initiate a cyber attack.

There are USB cables that can be controlled remotely via wireless/bluetooth to inject a payload with command line/keystrokes onto a computer. The computer can be remote controlled, accessing networks, files, control settings, permissions, or a critical information. It could also be used to inject a virus.

One particular product that has been covered in recent security forums is the USBNinja by RFID Research Group. When dormant, USBNinja is a regular USB cable, able to transfer data and charge devices. From the outside, there is no reason to suspect it is anything but a standard USB cable. But a Bluetooth PCB is masterfully concealed inside the housing.

When it receives a command from a smartphone with the manufacturer’s app, or from the custom Bluetooth remote controller, it changes from a passive to an active controller, emulating a USB mouse and/or keyboard to deliver the payload to the host.
Open source programming standard, Arduino IDE, provides completely customizable payload development capability. USBNinja will supply payload examples that inject keystrokes and move and click the mouse.

USBNinja offers several kits from beginner to professional and includes Micro-USB, USB Type C, and Lightning cable (Apple). Current and voltage are the same as standard cables (4-25V@10mA). The wireless Bluetooth controller includes a 3.6V 40mAh rechargeable battery, with a 98-328 ft/30-100m range with the 2,3, or 18 dBi antenna. The smartphone app also allows Bluetooth access.

In this YouTube video, Vincent Yiu of USBNinja demonstrates how it works:

The 2 primary defense strategies being discussed online regarding these USB payload attacks are:

1. Impose impractical restrictions on all USB devices

2. Establish awareness and prevention policies

There are actually many measures that can be employed to help reduce the threat – whitelisting/blacklisting peripherals; IT controls (locking unused ports); locking down approved devices, HR policies restricting personal devices, etc. They mainly relate to passive preventative measures and all have holes that can be exploited. For now, until there’s a silver bullet for this attack, it’s best to remain vigilant using any unfamiliar USB cables.

This is an excerpt from REI’s TSCM Journal (View the full PDF version).

Related Articles You May Also Enjoy:

Protecting Conversations With Noise Masking

What is a GSM Bug?

Preventing Fraud at Exam Testing Sites Using the ANDRE