USB Cable with Embedded Wi-Fi Controller

It's only a prototype, but this USB cable has an embedded Wi-Fi controller. Whoever controls that Wi-Fi connection can remotely execute commands on the attached computer.

Posted on February 14, 2019 at 6:53 AM • 34 Comments

Comments

WeskerTheLurkerFebruary 14, 2019 8:14 AM

There were a group of implants like this in the ANT catalogue. The bar continues to drop.

tfbFebruary 14, 2019 8:45 AM

Plugging things into your machine whose provenance you don't know is like eating pills from a bottle with no seal & no label. This doesn't really change that, does it?

tazer2000February 14, 2019 8:54 AM

ummmm...even the wires themselves can be a source of secpol violations.This goes back to what I referenced a few days back, in regards to EMF frequency modulations and SDR tricks on microcontrollers, asic, soc, fpga, ...ect. Attacks at the hardware/hardware protocol layer...

asdfFebruary 14, 2019 11:43 AM

USB condom defeats this attack and any other attack over USB, provided you only need the cable for power.

If you need USB for data, well... I hope you have vetted your cables.

WinterFebruary 14, 2019 12:50 PM

I have a stupid question.

Can't you shield your cables? Say wrap tinfoil around the cable and plug instead of wasting it on a hat?

albertFebruary 14, 2019 1:02 PM

I have another stupid question. Are these cables intended to be used as a substitute for a mouse, keyboard, or printer cable?
. .. . .. --- ....

Mark M.February 14, 2019 1:25 PM

tfb, tazer2000:
Think industrial espionage, not national security. No development shop I've worked in applies physical security to USB cables, or verifies the integrity of cabling every morning (or ever). A janitor swapping out keyboard cables with ones looking very similar could open up the entire enterprise to surveillance, and its codebase to modification.

Sancho_PFebruary 14, 2019 3:53 PM

@Bob, re grounded shields

Um. Which length of ground wire would be preferred?
Is your laptop grounded? OK, it’s not just tinfoil, but there is a lot of sophisticated shielding inside. Useless?
(Undetected) HW access is game over, LAN, USB or motherboard doesn’t matter.

tazer2000February 14, 2019 4:16 PM

@Mark M. Yes, some good points you bring up, but this isnt just limited to eavesdropping either. The traffic can be modified as it flows through the connect, all MITM goodness is possible. Also, what good is infiltration of networks if you cant get the data back out?...Remember those random fields in TCP/IP packets?, he'll they're in alot of other protocols also. It's not to hard to establish a low bandwidth hidden channel using things like ISN's, port pairings, and some modern math. Do a little piggy backing on some already existing https communications. Watch the ISN/port pairings as they flow into/out the backbone nodes...lol

tazer2000February 14, 2019 4:24 PM

Damn...I need to get back to work so I dont have so much time to run my mouth. lol. Noone ever hired me and put me under an NDA.

tfbFebruary 14, 2019 4:57 PM

Mark M: yes, I agree. But the wifiness of this then doesn't really matter that much: a 'cable' which simply records everything you type and which someone swaps in & out is already nasty enough. Not keeping track of what is physically attached to machines is the underlying problem.

(Related: how hard would it be to design some kind of challenge-response protocol based around secret keys baked into the peripheral (including the cables) that let machines actually know that the USB cable plugged into them was one they had already seen?)

James BabcockFebruary 14, 2019 5:02 PM

Operating systems need to stop accepting keystrokes from unauthenticated USB keyboards. This is actually easier than it sounds, since normally the first thing users do with a keyboard is type their local login password. A rule that any keystroke from a newly-connected keyboard locks the desktop, until that keyboard has been used to successfully log in, would be a great step towards reducing the impact of malicious USB devices.

(Not a complete solution, mind you; operating systems would still have to do something about USB devices pretending to be obscure printers with buggy kernel-mode drivers, storage devices with vulnerable filesystem drivers, etc. But it would be a start, and, having ruled out keyboard-based attacks, prompting the user to confirm that a device really is the type that it claims to be would become viable.)

WinterFebruary 14, 2019 5:58 PM

"Shields only work if they're grounded"

I thought that too. But everyone is selling shields for RFID cards. And if I wrap my phone in tin foil, I won't receive any calls.

So I must assume the tinfoil does block at least some of the signal.

Clive RobinsonFebruary 15, 2019 12:33 AM

@ All,

Shields only work if they're grounded

First define what ground is...

Ground is just a refrence point that is assumed to have a low "resistance" where "current summation" produces --little or-- no voltage that would be "ground noise"

However when you start talking about "ground impedence" (resistance to AC not DC) it's a whole different can of worms. Firstly you have currents at different frequencies which by definition have different and continuously changing phases. You also get reactive components that change their impedence with frequency. Capacitors are effectively open circuit at DC but their impedence drops with increacing frequency. Inductors are effectively short circuit at DC and their impedence increases with frequency. Their reactences are opposit, and effectively cancel when the same which will happen at a "resonant frequency". There are two types of resonance when the effective reactances are in parallel and in series. As reactive components are not perfect the two frequences are only approximately the same. There is also the "Quality factor" or Q that is related to the loaded and unloaded impedences at any given frequency. Whilst Q is most definitely not an indicator of frequency stability as a rough rule of thumb the higher the unloaded Q of a resonant circuit the more likely it is to be frequency stable, because it is often based on the physical charecteristics of the reactive components or resonators and that is important to remember when talking about sheilding components.

Shielding works by the abscence or nulling of currents. In a pure theoretical conductor the "H component" (magnetic) of the EM field induces a current in the conductor which in turn creates in antiphase it's own field, which in effect reflects the field. As part of this the depth to which the current can penetrate the conducter is not just inversely related to frequency it is also quite shallow. Thus a high quality conductor such as silver can be plated onto a very low quality conductor like iron, or even plastic... If such a surface encapsulates an object like a tuned circuit then any radiation from the circuit will be kept inside the box. Importantly any EM radiation outside the box stays outside the box.

Things get a little more interesting when you realise that you have one set of alternating currents on the inside of the box that are unrelated to alternating currents on the outside of the box and that they can not see each other through the box unless the skin depths are insufficient.

Now the next obvious question is what happens when the box is not a box but a tube or tunnel? Well provided you are sufficient distance from the ends of the tube then it behaves in the same way as the box, what is inside stays within, what is outside stays outside.

However at the ends all sorts of things can happen, and you can look them up in an amature radio book that explains the use of coax cables as "phasing harnesses" and the like for antennas (Yes I can explain it but certain people will complain I am taking up to much thread space as it is).

However what you need to know is that in an unbalanced transmission line such as a coax line there is an outbound current on the outside of the center conductor, a return current on the inside of the outer conductor and a third current on the outside of the outer conductor. In part the third current may contain components of the other two currents depending on how you terminate the coax at either end. One way to reduce any component of the first two currents in the third current is to inductively "choke them off" this can be done in a number of ways including the use of ferrite materials, resonant circuits and lengths of transmission line that are multiples of a quaterwave or halfwave depending on if they are short or open circuit at the distant end. Knowing which is the best to use, when, why and how is a bit of a black art even for those that know the theory.

WaelFebruary 15, 2019 4:59 AM

@Clive Robinson,

why and how is a bit of a black art even for those that know the theory.

Ain't no black art, ma man! Reminds me of:

You could use the Robinson Family motto,
We only drop our jaws to swap feet

:)

and lengths of transmission line that are multiples of a quaterwave or halfwave

So is 1.85 correct?

(Yes I can explain it but certain people will complain I am taking up to much thread space as it is).

... and the cyber-horse they came in on ;)
I'll take the Clive's notes, please :)

65535February 15, 2019 7:18 AM

@ Winter

"Shields only work if they're grounded"

“I thought that too. But everyone is selling shields for RFID cards. And if I wrap my phone in tin foil, I won't receive any calls. So I must assume the tinfoil does block at least some of the signal.”-winter

I fund that fact also when testing blocking cell phone calls.

[old squid post]

“I experimented with a thin stainless steel pot with lid and found that cell phones could be called even when they were in a metal pot with a ceramic dish [you can search this site for the thread].

“To my surprise even a grounded stainless steel pot with the cell phone in a ceramic dish let RF signals through the stainless steel and the cell phones could be dialed and they would ring in the thin metal pot.”-65535

https://www.schneier.com/blog/archives/2018/04/friday_squid_bl_620.html#c6773855

I did find both think metal cooking pots worked and so did heavy aluminum foil wrappings. This stops cell phone from ring or allowing a call in I am not sure of location tracting.

Clive Robinson is on to something:

“Shields only work if they're grounded”

“First define what ground is... Ground is just a refrence point that is assumed to have a low "resistance" where "current summation" produces --little or-- no voltage that would be "ground noise"…”-Clive Robinson

Good question

Now to be bigger and uglier picture and the “bar condinues to drop.

I have a relative is an lawyer who frequently uses “Licedsed Private Investigators” and he says some large PI firms are getting full conversation on cell phone calls on individuals. That is G3 to 4LTE cell phone conversations. Exactly, how that is done he did not know and I don’t know.

Clive RobinsonFebruary 15, 2019 9:53 AM

@ Celos,

So in the future, we have to x-ray cables we buy before we can trust them?

The short answer is "No".

The long answer depends on how good you are using various test instruments, from simple ohm meters upto Time Domain reflection instrumentation etc.

A USB to USB cable is generally three or four wires and or a screen. The individual wires have no reason to be connected to each other (except -DC supply to scrern in some cables).

This means the +DC supply, Data+, and Data- should be issolated from each other. That is the use of an Ohm meter using fairly high voltage (Megger or Hi-Pot tester) will indicate if as well as probably frying any "hidden electronic circuits"...

It would not be very difficult to design a little electronics box to do this (which from a Health and safety point of view would be better). In fact there has been the inverse designed some time ago the so called USB-Killer[1].

It is very simple to design a low (5V) voltage to high voltage (150V plus) generator or just rip them out of a disposable camera flash unit. The hard part is usually finding and using an appropriate trigger device (gas filed spark gap) so that both the voltage and energy dumped into the "offending" hidden electronics is not just sufficiently high but pulsed sufficiently fast, so the hidden circuit is damaged beyond repair, even if the designer has had the brains to use an AC capacitive charge circuit to power it.

Personally I'm not keen on anybody having X-Ray kit around, because at some point some joker is going to do the equivalent of "Photocopy their or somebody elses bum". Likewise meggers and hand cranked "ring voltage" generators because some idiot will always find it funny to shock somebody for a laugh and in some cases end up killing someone. However I suspect even a carefully designed box will still get an idiot sticking some part of their anatomy in like their finger, toung, or worse. After all if a chainsaw manufacturer sees the need to warn about keeping it away from your crotch, you can almost bet that in the past some idiot has not...

[1] Now into version three atleast, it is apparently not selling well... https://en.m.wikipedia.org/wiki/USB_Killer

UntitledFebruary 15, 2019 10:26 AM

We're surely not talking about USB-to-USB cables only. If your target uses a desktop PC, take a keyboard like they use (MS, Dell ...), and get the wifi chip into its USB plug. Substitute your enhanced keyboard for the target's own keyboard, and off you go. Nobody will ever notice, even if the plug on the back of the PC looks a bit different. Of course, physical access to the PC is required, but as mentioned above, a 'janitor' or similar could easily do that.

JonFebruary 15, 2019 11:30 PM

@ Clive on USB cable testing:

USB is four wires. The shield should not be counted as a wire because it should only be connected at one end.

This means the +DC supply, Data+, and Data- should be issolated from each other. That is the use of an Ohm meter using fairly high voltage (Megger or Hi-Pot tester) will indicate if as well as probably frying any "hidden electronic circuits"...

Very much so. In fact, what you want to test is grounding the DC+ line and putting power on the data lines, because pretty much every chip (it's sorta inherent in the manufacturing (although it can be avoided if you try really hard)) has reverse diodes on their output pins. Any conductivity to the DC+ rail indicates there's a chip in there (or there was, depending upon how much power you tested it with).

Any chip powered by parasitic AC would do horrible things to the data waveforms, and would be a terrible cable. It might still work, but it would be ridden with errors. I would not hang my hat on that idea.

And finally, yes, ground is relative - that's the point. If you have no ground (or DC- rail), you have no voltage differential, therefore no current will flow, and nothing is going to happen. Even antennae work because there's a ground out there somewhere.

J.

PS - Yes, I do this sort of stuff for a living. ;-)

Long time since studentFebruary 16, 2019 7:35 AM

Even antennae work because there's a ground out there somewhere.

Feel free to explain how I am wrong but I don't see how dipole antennas depend on the concept of ground. Particularly in the case where both transmitting and receiving antenna are dipole.

Clive RobinsonFebruary 16, 2019 4:26 PM

@ Jon,

Yes, I do this sort of stuff for a living. ;-)

Yes so did a lot of people a while ago...

But as "work is outsourced" abroad, it's not just money and the very important economic churn that follows it. So does the "home knowledge" required to do the job, once that is gone, the work can not come back...

Which means the number of people with the knowledge in the general population shrinks rather rapidly to a fraction of a percent at best.

Oh and is further not helped by the level of education and intelligence required. For instance to be an accountant, MBA, lawyer etc the levels required according to University entry requirments are considerably less than for high end engineering subjects... Even a lot of medical subjects require less on the entry requirments than engineering. But... of course engineering pay in comparison is a fraction of those other subjects, which is another reason why the engineering subjects are getting studied less and less.

Thus explaining what are simple concepts to trained engineers can be almost impossible to otherwise intelligent and well educated individuals.

Try having a go your self and explain not just why the shield should be connected at one end in some cables and both in others oh and also which end it should be when it is only in one end...

Trust me it's an uphill strugle explaining "earth bonding" issues with many electricians, especially when you are talking of having 10-50KW of HF or VHF equipment for such mundane tasks as drying of food and welding of plastics. But then with actual TX sites... you don't need a PhD but you do need to know rather more than "that's what the book says" for "basic safety", otherwise people will get hurt and RF burns can take years to heal properly (I've got one thats fourty years old and it's still quite visable unlike some surgery scars less than a third of it's age).

But if you feel like pushing a very large rock up hill with your nose... so called "domestic heating engineers" ask them where they are putting "the master thermostat" for central heating and why in domestic dwellings... Trust me when I say you will find that they place them "where they have always placed them". Which in the UK is "in the hallway" which might be valid for many semi-detached or end of terrace houses from after the 1930s but totally wrong for most other domestic dwellings especially those built since the 1980's...

There is a story that goes around about the real reason a UK Gov initiative to make domestic property more energy efficient failed miserably. The answer they could not find enough people with the simple abilities required to meet the minimum standards to pass the exams so there were never going to be enough inspectors to work at the low level of income envisaged to make the costs of the tests viable...

Clive RobinsonFebruary 16, 2019 5:46 PM

@ Long time since student,

Feel free to explain how I am wrong but I don't see how dipole antennas depend on the concept of ground.

First explain what your "concept of ground" is? Otherwise you will end up in a circular argument about who's definition of a ground is relevant or not. It's kind of important when discussing various types of dipole such as a quaterwave vertical above a quaterwave ground plane.

Better still explain how an EFHW radiator fed from a quaterwave tapped feed line works, that will involve you explaining your "concept of ground".

Daniel SFebruary 17, 2019 2:08 AM

It seems to me that the main problem is not that the cable has the properties it’s got, but that any device plugged in to the port automatically gets privileges to send input. I guess this is in the standard and that it all is handled on driver level. Would it be possible for an OS to implement a pairing process before accepting an input device without breaking the USB standard?

I have not read the long comment thread on shielding above so please forgive me if my question has already been addressed in between these messages.

Daniel SFebruary 17, 2019 2:15 AM

Now I found the comment from James Babcock above. It seems this should be a huge priority for any OS.

Clive RobinsonFebruary 17, 2019 3:25 AM

@ Daniel S,

It seems to me that the main problem is ... that any device plugged in to the port automatically gets privileges to send input.

The problem is a bit more subtle than that which is,

    "The plug in hardware and it's firmware can not be trusted."

It's actually the same problem those "walled garden" "app stores" have.

It's one of those problems that anybody who knows of it generally does not like to talk about it, because they usually have skin in the game[1] which is how they found out, and they can not think of any reliable way to fix the issue (there actually may be none).

Think of it in more human terms,

    You are not a murderer untill you have killed someone.

That is simple logic but it shows that there is a before and after time for any event.

In human terms on meeting someone for the first time "what you see is what you get" because you can not "see into the mind" of that potential XXX (where you can substitute just about any descriptive noun you care to chose for XXX). It's why we look for "refrences and referals" from others we either trust or have a reputation that can be trusted.

But even refrences and referals are based on incomplete past knowledge and no future knowledge. Therefore, sometimes you just have to "implicitly trust". Our host @Bruce used the example of a plumber as the first example of this in one of his books.

And because humans have to trust to get things done, implicit trust can and has been abused. Which is why we have sayings about gift and Trojan horses. It is believed that various countries have as a matter of espionage planted "sleeper agents" in other countries. That is people with background stories or "legends" that as far as can be checked are solid. However at some appointed time, place, or command they will become active agents again.

The problem is there is only so much you can reasonably check about a persons background[2]. Importantly though past is usually a poor indicator of future as well, so even if a person has been trustworth untill today, that is no reason to assume the same will be true tomorrow or the day after.

Getting back to technology, the same set of rules applies in that you can only check so far. Which unfortunately combined with the limits of what you can actually check are very very limited, means that there is actually little point checking. Because it is extreamly unlikely that it will tell you anything of use. This has been the case since before the earliest PCs and is unlikely to change at any point in the near future.

So to recap, you can not check for trust, therefore there is little or no point doing so, which is the default position for by far the majoriry of systems, including USB.

[1] This is becoming less true as time goes on, people are starting to learn about the problem of trust through various people who have decided to discuss it openly. Part of this is the huge problems of App Stores and IoT, we have to pull our heads up and face reality as the consequences of not doing so are already public...

[2] It has been suggested that this might also be a reason for "collect it all" in that it builds a "virtual time machine" that allows those that want to check people the opportunity to go back far enough in time to look for anomalies etc.

269841February 18, 2019 7:02 AM

google up Bash Bunny. It can emulate things like 2 gigabit Ethernet, serial, flash storage and keyboards. You can emulate any USB device you want, only limitations are space and your imagination.

CelosFebruary 19, 2019 12:13 AM

@Clive Robinson:

As unfortunately is the norm when it comes to more intricate matters of technology, your advice is worse than useless. Of course any sane secure revision of this attack device is going to not be detectable with simple instruments. For example, isolating the data-lines from the chip when there is no power is trivial. Doing some high-resistance line snooping before connecting to them is a bit more difficult but also not hard to do at all. Getting such a device to withstand, say, 1000V across the power lines is harder, but still doable.

WeatherFebruary 19, 2019 2:10 AM

Celos
The chip can say its a keyboard, so send instrument,
It can say after its Ethernet,and send payload, based on firewalls down, ans port 145,355 open, ie sh, what I like is they can fit a 2.4ghz in a USB cable

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.