Can Malicious Hardware Be Hidden Inside a USB-C Cable?
- Thomas Neuburger
- 2 hours ago
- 4 min read
It’s hard to forget last year’s Lebanon pager attack. CNN:
Thousands of explosions struck Hezbollah members last week, targeting their pagers on Tuesday, and then walkie-talkies a day later. In all, the blasts killed at least 37 people, including some children, and injured nearly 3,000, according to Lebanese health authorities, many of them civilian bystanders. The attack blindsided the group, which had opted for analogue technologies after forgoing cell phones to avoid Israeli infiltration. … CNN has learned that the explosions were the result of a joint operation by Israel’s intelligence service, Mossad, and the Israeli military.
Deadly stuff. Israel most likely pulled off the attack by infecting the manufacturing supply chain:
Deepa Kundur, professor of electrical and computer engineering at the University of Toronto, said she suspects it was a “supply chain deployment.” In such an attack, she said, the perpetrator would infiltrate the pager’s upstream supply chain to manufacture a critical component with a built-in explosive charge, without the final vendor knowing. The explosive component could sit in a pager for months or years before being detonated on receipt of a message that triggers the modified part.
This has many people worried about their own supply chains, and for good reason.
Something as simple as a USB-C cable can hacked, not to explode, but to spy on or take over your computer as the cable’s manufacturer chooses. Worried? Read on.
Exploiting the USB Cable
The method of exploiting a USB-C cable is explained in a well-illustrated thread on Twitter/X by Jon Bruner. The full thread with video illustrations is here. Click here for the TreadReaderApp version.
Much of the thread is replicated below. Feel free to click through for the rest.
Bruner also has made a video with the cable’s manufacturer, a small cyber-security company called O.MG. (The hacked cable was made, not to sell to bad actors, but as a test to see if the hack was possible, and if so, to what extent. You’ll be surprised at the extent.)
Almost makes you not want to be modern. Protection against this kind of hackery is almost impossible. Know your supplier, but know also that this may not be enough. Note that it takes a state actor to do stuff like this. Do you trust the state actors near you?
Thread with selected illustrations appears below.
This looks like an ordinary USB-C connector, but when we CT scan it, we find something sinister inside…🧵
Last year we CT scanned a top-of-the-line Thunderbolt 4 connector and were astonished to find a 10-layer PCB [printed circuit board] with lots of active electronics. A lot of people saw the scan and wondered whether malicious electronics could be hidden in a tiny USB connector.
The answer is yes. This is an O.MG cable created by @_MG_, a security researcher and malicious hardware expert. It looks like an ordinary USB cable, but it can log keystrokes, inject malicious code, and communicate with an attacker via WiFi. Let’s see inside…
We put an OMG cable in our @lumafield Neptune CT scanner. It captures hundreds of X-ray images from different angles, then we reconstruct them into a 3D model that includes both external and internal features. (The color coding in the 3D model indicates relative density.) [See image at top.]
For context, here’s a typical USB-C connector from Amazon Basics. It has a PCB, but no active electronics; the PCB is just used to connect the pins to the right wires in the cable.
Inside the ordinary-looking OMG connector we can immediately spot an antenna and a microprocessor. While high-end Thunderbolt connectors have some ICs, you won’t find an antenna like this in any normal USB connector.
On the other side of the connector is its most interesting feature: a USB passthrough module. When the malicious features of the OMG cable are deactivated, this passthrough links the connector’s pins directly to the cable without sending any signals through the microcontroller, effectively hiding its intent. When a hacker turns on the malicious features, this passthrough connects the microcontroller.
2D X-ray images can detect major deviations from an expected design, like the presence of an antenna and an IC, but it’s easy to slip other features past a simple 2D X-ray scan…
The microcontroller looks like an ordinary IC when we view it as a 2D X-ray image, but when we look at a 3D CT scan and adjust the visualization parameters, we can see another detail emerge: a second set of wire bonds, connected to a second die that’s stacked on top of the main processor. This hidden die could be an enormous security risk–and it’s completely hidden in an ordinary 2D X-ray image.
Complex, global supply chains carry enormous risks, as we were reminded during October’s supply chain attack in Lebanon–a story that @_MG_ has been thoughtfully following and analyzing since it happened.
Hidden explosives in electronics have been used before–for instance, in a USB thumb drive, which @_MG_ was able to reproduce. But as complex, active electronics make their way into corners of our lives that were previously dumb, the surface area for attacks becomes larger. And as devices become more complex, it’s harder to keep track of them during every stage of their manufacturing and distribution.
[…]