Plugging a USB cable into your PC may seem like a harmless affair. But not if the cable has been made by a hacker.
On Sunday, security researcher Mike Grover demonstrated the threat by creating a malicious USB cable that can receive commands from a nearby smartphone and then execute them on the PC it's been plugged into.
His USB-to-Lightning cable looks pretty generic, but Grover fitted a Wi-Fi chip inside one of the sockets. Unsuspecting users will think they've plugged a simple cord into their PC. In reality, the computer will detect the cable as a Human Interface Device akin to a mouse or keyboard.
Grover uploaded a video showing the attack in action. In it, he plugs the cable into a MacBook. Then he uses his smartphone to remotely trigger the laptop to visit a malicious Google login webpage that can secretly collect the owner's password.
In an interview over Twitter, Grover said he developed his USB cable attack to work on Windows, Mac, Linux and iOS systems. All the attacker would have to do is trick the victim into plugging in the cord.
"It 'works' just like any keyboard and mouse would at a lock screen. You can type and move the mouse," Grover said. "If you get ahold of the password, you can unlock the machine." The same cable can also prevent the affected device from falling back to sleep by simulating tiny cursor movements.
In addition, the malicious USB cable can be programmed to connect not just to a nearby smartphone, but also to a network, such as a Wi-Fi network or a cellular hotspot. Doing this could expand the range of the attack.
To develop the cable, Grover used a $950 CNC milling machine to manufacture the needed Wi-Fi chips. He now plans on producing more malicious USB cables and putting them up for sale. But his goal isn't to cause mayhem.
"Showing attacks in an engaging way allows a wider audience to be aware of threats," he told PCMag. "Getting this cable into the hands of other researchers allows new uses and attacks to be explored. In the end, it leads to improved security."
Grover is among the security researchers who've developed demos over the years showing the dangers of USB-style attacks. For instance, a thumb drive can secretly contain malware. One Hong Kong-based company has even created a USB drive that can potentially fry computers that've been built with inadequate surge protection.
Grover's new attack is a reminder to be careful around USB peripherals that come from unknown sources. To protect yourself, you can consider buying a "USB condom." The device works by only allowing a connected USB cable or device to exchange power, not data, with your computer.
"There are tools out there that can alert you when a new USB device is plugged in or even block new devices. But it's not built into the operating systems by default. That would be nice to see," Grover added.
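The kind of alerting described above can be sketched for Linux, where sysfs exposes each USB interface's class code and HID is class 03. This is an added example, not Grover's or PCMag's code; the snapshots, port names and vendor/product IDs are constructed placeholders.

```python
from pathlib import Path

HID_CLASS = "03"                                   # USB interface class code for HID
HID_PROTOCOLS = {"01": "keyboard", "02": "mouse"}  # HID boot-interface protocol codes

def read_sysfs(root="/sys/bus/usb/devices"):
    """Map each attached device's port path to its IDs and interface descriptors."""
    devices = {}
    for dev in Path(root).glob("*"):
        if not (dev / "idVendor").is_file():
            continue                               # skip interface entries such as 1-2:1.0
        devices[dev.name] = {
            "vid": (dev / "idVendor").read_text().strip(),
            "pid": (dev / "idProduct").read_text().strip(),
            "interfaces": sorted(
                ((i / "bInterfaceClass").read_text().strip(),
                 (i / "bInterfaceProtocol").read_text().strip())
                for i in dev.glob(dev.name + ":*")
                if (i / "bInterfaceClass").is_file()),
        }
    return devices

def new_hid_devices(baseline, current):
    """Return devices absent from the baseline that expose at least one HID interface."""
    alerts = []
    for port, dev in sorted(current.items()):
        known = baseline.get(port)
        # VID/PID are self-reported and can be spoofed, so match on port as well.
        if known and (known["vid"], known["pid"]) == (dev["vid"], dev["pid"]):
            continue
        roles = [HID_PROTOCOLS.get(proto, "other HID")
                 for cls, proto in dev["interfaces"] if cls == HID_CLASS]
        if roles:
            alerts.append((port, dev["vid"] + ":" + dev["pid"], roles))
    return alerts

# Constructed snapshots (not real captures): the second adds a flash drive and a
# "cable" that enumerates as keyboard plus mouse. IDs are placeholders.
BASELINE = {"1-1": {"vid": "aaaa", "pid": "0001", "interfaces": [("03", "01")]}}
CURRENT = dict(BASELINE, **{
    "1-2": {"vid": "ffff", "pid": "0001", "interfaces": [("03", "01"), ("03", "02")]},
    "1-3": {"vid": "bbbb", "pid": "0002", "interfaces": [("08", "50")]},
})

if __name__ == "__main__":
    for port, ids, roles in new_hid_devices(BASELINE, CURRENT):
        print(f"ALERT new HID device on port {port} ({ids}): {', '.join(roles)}")
```

On a real machine, save one `read_sysfs()` result as the baseline and compare later snapshots against it; the flash drive in the sample is not flagged because mass storage is class 08, not HID.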
At the moment, he isn't sure how much his malicious USB cable will cost. But Grover told PCMag, "Trying to turn a profit isn't my priority. I'd rather just get it into the hands of everyone doing security."