Exposing Malicious USB Cables: Hardware Detection of Embedded Implants

BSides PDX · 2022 · 28:04 · 14K views · Published 2022-10
About this talk
Universal Serial Bus (USB) cables are ubiquitous, with many uses: connecting a wide variety of devices such as audio, visual, and data entry systems, and charging batteries. Electronic devices have decreased in size over time, and they are now small enough to fit within the housing of a USB connector. There are harmless 100W USB cables with embedded E-marker chips that communicate power delivery for sourcing and sinking current to charge mobile devices quickly. However, some companies have designed malicious hardware implants containing key-loggers and other nefarious programs in an effort to extract data from victims. Any system compromise that can be implemented with a keyboard is possible with these implants.

This project designs a malicious hardware implant detector that senses current draw from the USB cable, which exposes these insidious designs. The Malicious USB Exposer is a hardware circuit implementation with common USB connectors to plug in the device under test (DUT). It provides power to the DUT and uses a current sensor to determine the current draw from the cable. The output is a red LED bar-graph that shows whether the DUT is compromised. Unless the DUT contains LEDs internally, any red LED output shows compromise. Active long USB cables intended to drive long distances produce a false positive and are not supported. The minimum current sensed is 10mA, which is outside the range of normal USB cables with LEDs (4-6mA) and E-Marker chips (1mA). Though there is another malicious USB detector on the market, it is created by a malicious USB cable supplier and designed to detect their cable. This project provides an open source solution for distinguishing USB cables to uncover a range of compromised cables from different vendors.

Jaynie Shorb has an MS in Cyber Security Engineering (MSCSE) and an MSEE from the University of Washington. She worked at Zilog as an Analog Design Engineer designing analog front ends for the eZ80 microprocessor. She also worked at Broadcom delivering memory designs in both hardware and software. She began working at Microsoft on the Azure Sphere Team in 2020. She performed security research with Dr. Lagesse, resulting in the following papers (including Kevin Wu and Zealous Zhu): "Detecting Spies in IoT Systems Using Cyber-Physical Correlation" and "Automated Hidden Sensor Detection in Sensor-Rich Spaces".

BSides Portland is a tax-exempt charitable 501(c)(3) organization founded with the mission to cultivate the Pacific Northwest information security and hacking community by creating local inclusive opportunities for learning, networking, collaboration, and teaching. Twitter - @BSidesPDX
Transcript

hello everyone I'm Jaynie Shorb and I'm here to talk about malicious USB cables so a little bit about me I have a hardware background I worked at Zilog with uh analog interfaces to microprocessors I also worked at Broadcom working on content addressable memories which is like a reverse memory you can give it the data and you get the address back instead of the other way and I'm also working at presently at Microsoft as a silicon architect I work in the Enterprise Security Group there I work on what their Azure Sphere product which is their secure IoT device that was actually designed with security in mind in the beginning so that was quite a fun project so this

project is on USB this is my Master's project so I got a master's in cyber security this year so I just graduated and my advisors my advisors are Brent Lagesse and Arnie Berger and yang pink okay so um today we're going to talk about spying and extracting secrets which is so cool to understand the problem with USB cables I will provide a hardware solution some test results and then talk a little bit about my contributions here so back in the 80s um the Russia was spying on the U.S embassy and um this project is so cool because they declassified it as um it wasn't clear from U.S intelligence you know where the leak was coming from

and so they have no idea and they're you know checking with the staff and they're sweeping the offices and it's just like I don't know what's happening and so they had this project called project gunman and they just grabbed all of their hardware and they put it in a an off-site location and they just looked at every little thing and from that they were able to find a hardware implant inside the IBM typewriters and um this has been happening had been going on before they found this for eight years so this is a really good example of an advanced persistent threat and um it's so good like the target of a keyboard is so perfect because then you

have no encryption that you have to deal with and you're just taking the letters out and in this case the letters were transmitted from the typewriter to a sensor that came was outside the embassy so malicious actors have found a new way to hide implants inside the USB housing uh so many of you probably have heard about the USB ducky and this is a common thing so people hear about flash drives that are compromised you know never pick up a flash drive you know but as it turns out people actually do pick up flash drives and plug them in mostly because you know they want to find out who the owner is or or whatever there's

always some reason but they do have these malicious flash drives and what they have is a keystroke injection attack and so when you plug it in the USB negotiates and says oh I'm a keyboard but it's not it's a flash drive and then it types whatever it wants into your system and then it can launch programs it can do whatever whatever it wants on your system when it's plugged in well um like Will had said earlier you have to know your attacker or your victim because um you could do things that maybe everybody would have like I know I'm gonna probably get a Windows system so you know maybe I'll I'll launch Edge or something but

if you're targeting maybe um mobile systems and and they plug in the USB cord to maybe charge their um Android device then you know they're going to be targeting uh Chrome you know so you have to know a little bit about the system in order to make these work but um people are a little bit worried about the attack that comes from the um flash drives but they haven't really thought about the USB cable I mean everybody thinks the USB cable is like this cable is just some passive wire you know I don't I don't have any concern about it you know that's just a cable right but it's not because the the same types of compromises that could happen

with with the drive are can be implanted in this little cable on you just you know you just can't tell so I want to raise an alarm that this is like a snake right so we have some challenges here okay so I will start with a survey on all the cables that that we have and we'll start with the with the OMG cable so this cable um is quite is more expensive than the other cables that I have looked at uh they're they run around 200 it requires you to um program the cable to to whatever it is that you want to use it has two different uh ways that it will attack you so one of them is

the keystroke injection attack just like the the rubber ducky it just injects whatever code it wants and pretends to be a keyboard and the other one is a key it logs keystrokes so you could have um I've for example like my um mechanical uh keyboard Horizon keyboard and it has a detachable USB and it's kind of nice if you're traveling or whatever but if you if someone sees you and they have an OMG cable and they have a key logger they can just take your cable replace it with theirs like on you know you're sitting on an airplane airplane or something and you wouldn't necessarily know it because they look the same right so that is one of the

challenges so this one um just like the um just like the ducky it has one way going in but it also has just like the IBM typewriters where your letters are being kept are going out through Wi-Fi so this is just a sampling of the OMG cables that I that I tested they have the C to C style cable which would like mimic the power delivery cables they have the A to micro-B and A to C they also have an adapter and so all of these cables are are just you know they also have the white versions of these but I just tested the black ones they also have the lightning cable but I'm not an

apple person so I didn't test them I don't I don't have an Apple device um okay so the next the next offering is an electrowear key demon and so this one is a key logger so you can for this one they have two different styles one of them is um is an extension cable and how I would picture that one is you would come into somebody's office somehow maybe have a reason to have a mem some kind of meeting with them and they could put this cable on the back of from your keyboard to the back of your computer it's a long extension cable but it's it's an a to a like a receptacle to

a cable it comes already pre-programmed so you have all of the stuff already embedded in so it's really easy to deploy it's not as expensive to use the one that's long you have to actually it it doesn't have the long one doesn't have any Wi-Fi so you have to actually come back and get the cable once you deploy it so that's kind of a challenge there but but they also have a Wi-Fi version which is a smaller dongle that I'll show you right now here so this is the electro wear version so they have this nice this long cable that you know maybe you would notice right so this is not this would be attached to

your already to your USB cable and then just run all the way to your computer and then they created this smaller one that also has Wi-Fi that is just this so if you see one of those see they're kind of suspicious they hang out there they are just this little this is an a to a adapter it's not doing anything so let's be kind of questionable I think thank you so another cable is a USB Ninja so these these cables you change them into programming mode using a magnet and then you program them using the Arduino interface and so they they're like a medium range in cost so they cost a hundred dollars and that's actually the cable that I

have here this is the this is the um this is the USB Ninja um so what happens to this is that you plug this in and now you need a Bluetooth connection and you Bluetooth in and say okay I want to inject the attack right now so this is a delayed deployment which is really interesting to me um so they um they could they have their own app that you can download but if you're kind of suspicious of maybe their app then they also have a hardware thing where you can just push a button and it'll go through so this is my USB ninja which comes in white

all right so the next the next thing now this is not really a cable so we call it the USB Samurai um you have a Logitech dongle that a lot of people have where they have their keyboards and their my salt to on this little Bluetooth dongle here and so you can take that dongle you break it apart it's cheap you break it apart then they have new code that you can reprogram it and then you have to somehow build your own cable from it you have to you know buy these little adapter things and and build the cable or or an adapter and then you can get an attack that's very similar to the USB ducky in a

different medium so this is my my attempt at this very exciting thing where okay I broke this this Logitech device and I broke it apart and of course I I had a hard time you know feeding this you know Atlant I programmed it had a hard time feeding the the USB into into some housing that made sense so this was a little bit of a failure on my part but I'm very persistent so I will I will get this one but I I don't quite have this one together yet so um the next offering is demon seed EDU so the person that made the OMG cables he came up with this demon seed edu which a bunch of

um it's a kit and uh and what you have is you can assemble the programming jig and then you assemble the implant and then um they have this YouTube video series where you can watch the series and it tells you step by step how to build these things um they're not um the same as the OMG cable so the OMG cable is like more like a hub you know where it actually behaves as a USB cable so it's kind of hidden from from the user they can use the cable as normal because it's like a hub it has multiple um operations these demon seeds don't so once you put the once you put the compromise Cable in it's like that cable

does not work so it it maybe could be figured out in that well I have a broken USB cable but also you can they are sniffing data so they're just it's just a you know I want to see you know what's happening on that USB line so that's what they're doing so one thing that was really interesting as I was going through this project I'm looking for all these bad cables because I want to compare them right and so uh I I found that that one of the the offerings came up and said oh watch out for our counterfeit you know you must you know measure it correctly and it's this this is you know counterfeits don't

have our small size uh and I thought that was pretty funny because uh I know that there must be counterfeits out there at this point just because the people are complaining about them but um I didn't have any so I I'm not going to uh to have those in my in my talk but I just wanted to bring it up that people are counterfeiting them so there might have there might be some that maybe have different qualities to them so here's my eye test of the day um I really like this table doll so I really wanted to to put it in um it's important you know an opportunity for you to look at the

different cables that are available and what the different things that they can do are so the first uh these are all in order of the way that I presented them so I started with the OMG cables and then I moved to the electrowear and then ninja samurai and demon seeds so you know the top are our cables the samurai and demon seeds are not actually cables but they're in this anyway um so on the color when you look down the color um the color of these cables are black and white on OMG the color of the electrowear are black and white the ninja cable is only in white and so one thing that I

think is you should just get yourself a different color okay because I think everybody could be compromised by this so you know get a different color cable because so they can go out and buy these you know and they're going to Target you know the big you know most people have black and white but if you have a different color now they're gonna have to make a color make this just for you which is they probably will do but it'll take them longer so you know I like to have different colored cables that means that they open up their little Arsenal bag you know and they're like shoot I don't have a match so I

like that um okay the next thing is the current so uh each each of these have a have a little bit of current draw and I noticed it's like this is actually significant this this is you know this is not like they're trying to hide they're not trying to hide yet because nobody really is looking at them very closely but I'm thinking as a I'm a Defender you know I'm a builder I look at this and say you screwed up you know look at this you got 60 milliamps of current I mean like people aren't going to see that well they don't so I built a current sensor to just you know pick up the fact that okay I've got

a bad cable suit I can't see it because the cables just look like every other cable I mean there's there's no way to actually look inside it without breaking it open but but I can see this current and I like that signal so uh I I'm targeting that column and then the cost so this is um you know something people talk about all the time like well you know How likely is it that someone's going to spend you know 55 on attacking me probably they would you know I think they would you know but you know would they spend 180 they might you know I might be that good they might want to spend that money on

me so I don't think the cost is necessarily something that is going to stop somebody I really don't I mean I bought these cables and who am I right so um another note just at the bottom is that you know the reason why I say it's about two hundred dollars for the OMG cable it's because there's this extra cost Adder for the programmer you have to buy a special programmer to get it to to work and that's that's kind of built in but you know you could buy multiple cables and use them so all right so um there's a list of benign cables um the first one is Led cables those are four to six milliamps so I don't want

the the hardware solution to say that this is a a bad cable it's not it's four to six milliamps on LEDs we've got a these other cables that you can like change the end on and and they have magnets in them and you can just change it from USBC to you know you uh to lightning cable or whatever so they have those they have these really long cables like I I'm uh an I.T person and I want to connect to a printer across the room and it's got active uh boosting signal stuff in those and then you have the um the power delivery cables so those are like 100 watt power delivery that could deliver power to your laptop that can

deliver power to your high-end tablets uh so they they have active circuitry in there it's one milliamp of current that goes to support that and certainly you don't want to you know sometimes people say oh well just put high voltage on your cables to find out well you don't want to break these nice you know expensive um cables for power delivery okay so I made a hard Hardware design and uh it wanted to make it open source anybody can use it limit the amount of soldering and I want to catch all the known Hardware implants support all of the USB cables and because I'm Hardware I like to fight Hardware with Hardware so I didn't look at the software

solution so given that I have created a design to uncover the malicious cables that has four separate blocks so you got a power block up at the top that just runs off a nine volt battery it transfers that to five volts with a 7805 then you have your USB it has a whole bunch of connectors because you don't know what connectors you're going to need so I used all like USB A and USB C that you can plug in all of these and then you have a current sensor which I got from uh SparkFun just it's got a share and share alike license open source and then it goes into uh driver and drives these

red LEDs that light up when it's malicious so um if you were to go through the design where okay I have the 100 watt power cable you know I would plug that plug it into here the power delivery will show a one milliamp and then I get a voltage out which is that signal out and then that would not light any LEDs because it's not malicious and similarly with the OMG then it would light many LEDs because it's got 60 milliamps so the signal would be much bigger so um one of the issues with the current sensors is that the the supply and stuff I I started with this uh this other sensor Uh current

sensor it's a classical current sensor um and I liked it but when I came to do the project they retired it and so I couldn't use it so I moved I moved over to this to trying to think of what other things I could possibly do and I go well they can retire things at any time how frustrating I'll just do a reference design because then they'll probably keep it but I went to the reference design and you know the qualifier was you just had to get their parts in order to use it and of course their parts weren't available so I went back to SparkFun and I ended up with a Hall effect sensor

so um this is what the total cost of the solution is I'm including the breadboard because I don't assume you have one um so you just you have the breakout boards you have the the current sensor which is unfortunately a little more expensive than the one I had originally and the power Delivery Systems and really the only thing you have to solder in order to do this project is the the headers so you just have a little hat for your sensor

that says when it is uh when it's active and then um in this particular case you the USB uh board is down here so I I plug in uh um that demon seed one and then up in the top right is where you have the driver a little bit below and then at the very top right you will see the LEDs so the first the first solution when you plug in the design should light the LED it's very difficult for me to tell if this is running so that's kind of interesting see if I can fast forward this video because I'm getting a Time crunch but I wanted to show you something shoot okay I'll just move to results so um

so I have 130 cables that I uh tested with this design and I only had one false negative which is that USB Samurai which was not working um I couldn't get that the compromise to to happen but I show it as a negative so out of nine malicious cables I was able to trap eight um

so a couple of considerations is that those long active cables that I talked about where you go across the room that's like 26 milliamps and I don't catch those it's only designed for room temperature and because I moved to a hall effect sensor and now orientation is a problem and also the magnetic field of those magnetic ones you have to take yes it'd be five inches away which is fine because the board can move uh further away but I just wanted to mention and so I think that's about it I wanted to expand the temperature range support because it has resistors in there and it changes the design on wide temperatures but it always works in

an office environment so that's fine um but basically I wanted to let you know that USB cables are not always safe it's great to be at BSides Portland and this is my first presentation here [Applause]

I hear that there's a few minutes if anybody has questions okay I don't know that's all so

yeah cool that's cool I haven't thought of that nice yeah I don't like that sensor because um because it because of the orientation problem really um but it is very accurate so I like that

are you finding that the malicious components are being included on the dies for the uh he is like a circuit forward to themselves where are they being like added on and uh kind of like the way that micro USB components on top of the board but you know so the um the USBs he's asking is that is that put into the die or is that a board that is made and put into the um into the USB and what I've seen is it's a board and made and put into the USB also I just want to mention that this the electrowear people they also have a keyboard you could buy the keyboard with it just embed it without a

cable just embedded inside the keyboard itself and then that's like the IBM typewriter example right so any other questions oh I have a wave way in the back I hope I can hear you so uh um

these are being sold through mainstream channels you can get them at Hak5 if that's mainstream enough hard work Hacker Warehouse as well has them and then the other ones I had to go off of other sites to get uh good question all right oh one more do you have any thought to malicious USB charging station say like at an airport or something like that yeah um so he asked uh what about using USB charging stations um yeah uh those could be a problem and I don't use them for that reason it's like I'm always thinking someone's trying to attack me so anyway thank you [Applause]