New USBHarpoon attack installs malware through USB charging cable

Security researchers have created a new version of the infamous BadUSB attack that was in the headlines in 2014. While BadUSB made use of USB sticks, this new version uses USB charging cables. The attack has been called USBHarpoon. Charging a smartphone through the USB port of a computer can be sufficient to become the victim of such an USBHarpoon attack.

Security researcher Vincent Yui describes in a blog how a modified firmware can be used to make the computer recognize the cable as a Human Input Device (HID). On an unlocked computer, the HID can send keystrokes or mouse movements to computer and this way automatically download and install malware in the background. Simply sending Windows Key + R triggers the Run prompt, and with other keystrokes any kind of command can be entered.

On Mac a similar method can be used to open the terminal and send any command. Obviously the idea is that with the proper commands, malware such as Trojans can be installed in a fully automated manner, just like how the BadUSB attack works.

Besides a USB charging cable, also cables or devices with Firewire, Bluetooth or other protocols could be used, as long as the firmware can be modified. The real is issue is that there is no security functionality implemented in the protocols and devices.

It should also be a warning for users to never insert media (optical media, USB sticks and devices, Firewire cables etc. etc.) from unknown and/or untrusted sources, without proper security measures.