USB condom. Malware via USB
When you connect a portable drive, tablet or smartphone via USB, for example for charging, there is a non-zero probability that the device will be infected with malware. Many, knowing that the system will ask for confirmation to communicate with the computer, without even thinking about it, charge their smartphone anywhere. But very few people know that the hardware, which is responsible for communication, also has loopholes. Sometimes these are backdoors specially left by the manufacturer for debugging or restoring devices, sometimes it's just a vulnerability in the protocol, software or hardware of the system.
For example, in certain circles, rumors persistently ply (IMHO until absolutely unconfirmed) that for root access (unrestricted access to the device) to some models, for example from Samsung, with Android on board, quite a certain set of signals "knock" on USB.
But real proofs of hacking smartphones are also known - at the Black Hat 2013 conference held in Vegas, security specialist Billy Lau successfully demonstrated the hacking of the iPhone when the phone connected to USB charging to his mini-computer made a call. In principle, he could install on the phone any program (not from the Apple Store) that could deeply integrate himself into the operating system of the device and, for example, allow him to track the user's actions on the smartphone (typing on the keyboard, including the password), his location ( GPS coordinates), take screenshots and send screenshots, etc.
This autopsy process can be fully automated: detecting a device, opening it in an appropriate way for it, and launching a virus compatible with the device. Practically, such a mini computer can be hidden installed, for example, in public places equipped with charging boxes via USB, or even installed in a power supply unit and sold to you through an online store (the same eBay, Amazon, etc.). It is theoretically possible that in the near future the home computer may also be infected with such malicious software hacking through mobile devices via USB.
')
Below are several ways to prevent from such a "hacking". Honestly, I didn’t think of it myself - peeped on the Internet .
It should be noted that it all started with this: having heard on the radio about the invention of the USB condom (the original name of the authors), having calmed down its sense of humor under the table, with the words “people don’t earn money on anything”, he began his little investigation on the Internet. Not to say that what was read in me woke up paranoid, but to think about it made me unequivocally.
So, USB condom. This device, corresponding to the name, is put on the USB cable and tritely cuts off the data bus at the input (leaving only the contacts of the mass and + 5V for charging), which accordingly makes it impossible for any connection to the device. There is not a lot of original in the original - 10 dead raccoons.
This method is closer to “condoms” and on some USB plugs it is very easy to implement: we have four contacts, the left one is mass, the right one is 5 volts, we leave them, the internal ones for data are sealed, although with scotch tape (it can erase from frequent use, here is again an analogy with a condom ).
Everything, such USB-cable can now be used only as a charger. In the USB3.0 plug (type A), you must also glue all the internal contacts (farther from the end of the plug). You can see the pinouts here and here (USB 3.0) .
In many USB plugs, the left and right pins are longer, i.e. If you carefully and slowly insert the plug before the charging signal appears, the data contacts will not close and the connection will not occur, respectively.
For safe charging, you can use the so-called. Y-cable (branching USB-cable), after making sure that one of the plugs of which initially does not have data contacts. This cable is also convenient because, if necessary, it can also be used to communicate with a computer by simply inserting the other end of the cable (with data contacts). In addition, the Y-cable can be bought in online stores much cheaper than 10 modes (well, I ruined the business for sellers of USB condoms).
So please defend yourself and do not pop unprotected plugs into places without falling into other people's nests.
For example, in certain circles, rumors persistently ply (IMHO until absolutely unconfirmed) that for root access (unrestricted access to the device) to some models, for example from Samsung, with Android on board, quite a certain set of signals "knock" on USB.
But real proofs of hacking smartphones are also known - at the Black Hat 2013 conference held in Vegas, security specialist Billy Lau successfully demonstrated the hacking of the iPhone when the phone connected to USB charging to his mini-computer made a call. In principle, he could install on the phone any program (not from the Apple Store) that could deeply integrate himself into the operating system of the device and, for example, allow him to track the user's actions on the smartphone (typing on the keyboard, including the password), his location ( GPS coordinates), take screenshots and send screenshots, etc.
Warned - Armed
This autopsy process can be fully automated: detecting a device, opening it in an appropriate way for it, and launching a virus compatible with the device. Practically, such a mini computer can be hidden installed, for example, in public places equipped with charging boxes via USB, or even installed in a power supply unit and sold to you through an online store (the same eBay, Amazon, etc.). It is theoretically possible that in the near future the home computer may also be infected with such malicious software hacking through mobile devices via USB.
')
Below are several ways to prevent from such a "hacking". Honestly, I didn’t think of it myself - peeped on the Internet .
USB condom
It should be noted that it all started with this: having heard on the radio about the invention of the USB condom (the original name of the authors), having calmed down its sense of humor under the table, with the words “people don’t earn money on anything”, he began his little investigation on the Internet. Not to say that what was read in me woke up paranoid, but to think about it made me unequivocally.
So, USB condom. This device, corresponding to the name, is put on the USB cable and tritely cuts off the data bus at the input (leaving only the contacts of the mass and + 5V for charging), which accordingly makes it impossible for any connection to the device. There is not a lot of original in the original - 10 dead raccoons.
Sticking of contacts
This method is closer to “condoms” and on some USB plugs it is very easy to implement: we have four contacts, the left one is mass, the right one is 5 volts, we leave them, the internal ones for data are sealed, although with scotch tape (it can erase from frequent use
Everything, such USB-cable can now be used only as a charger. In the USB3.0 plug (type A), you must also glue all the internal contacts (farther from the end of the plug). You can see the pinouts here and here (USB 3.0) .
There is a contact or a method of "not full sucking"
In many USB plugs, the left and right pins are longer, i.e. If you carefully and slowly insert the plug before the charging signal appears, the data contacts will not close and the connection will not occur, respectively.
Y-cable
For safe charging, you can use the so-called. Y-cable (branching USB-cable), after making sure that one of the plugs of which initially does not have data contacts. This cable is also convenient because, if necessary, it can also be used to communicate with a computer by simply inserting the other end of the cable (with data contacts). In addition, the Y-cable can be bought in online stores much cheaper than 10 modes (well, I ruined the business for sellers of USB condoms).
So please defend yourself and do not pop unprotected plugs into places without falling into other people's nests.
Source: https://habr.com/ru/post/194316/
All Articles