BadUSB gets flexible!
Gary Taylor
If its broke, I can help you fix it. If it's working I can help you improve it. If it's perfect you don't need me.
I've just attended a webinar presented by KnowBe4's Kevin Mitnick in which he demonstrated a version of the BadUSB concept using a USB cable. The security professionals probably remember BadUSB (developed by security researcher Karsten Nohl in 2014) as the USB key that could inject keystrokes directly into the user session.
Recently there have been developments using that initial research which incorporate the concept into a simple USB cable (it's being called USBHarpoon - https://youtu.be/6mDspyi5ROw).
The potential issues caused by the BadUSB vector have never really been resolved (hardware such as "USB condoms" that disable the USB data lines but leave the charging lines live so you can "safely" charge devices sound great but in reality those devices can be compromised as well. AntiVirus is often not capable of discerning valid from invalid user activity and keyboard logging / user activity monitoring has privacy concerns and needs to be implemented, configured and monitored correctly to be effective.)
BadUSB isn't a hacking silver bullet but it's easy to see how with the right approach and malware it's a powerful tool in the blackhats arsenal.
We really need to start thinking about how we can audit/validate and "approve" hardware as well as software before it's used in our environments.
Senior Data Scientist & Cybersecurity SME
6 年Uh... that’s a SATA data cable in the picture!