Watch your USBs: Ahoy, USBHarpoon!
You would be hard pressed to find a person who has not in the least seen a USB. Most people have probably used a USB with their phones, to charge an accessory, attach a printer to a laptop, transfer a file, or any other various activities with these. As the users take these and use them for their specific use, in nearly all of the cases the USB is generally fine and creates no issues. The USB works as expected.
Researchers decided to see what else could be done with these. To meet the challenge the researchers created a modified USB with an unpleasant surprise for the user. In short, this is a programmable USB. This is normally not experienced with a USB. The modified USB appears in every form, just like any other simple USB.
The user receives the USB. The user may have been given this, by someone with a misguided sense of humor, may have found this on the ground, or given away by a vendor who purchased this from another vendor in a batch. The user unlocks their computer and plugs the USB into their computer. The user’s excitement, unbeknownst to them, ends after a few seconds.
Once the adulterated USB is plugged in, the USB goes into action. This is coded to type and launch commands for its malware payload. The SUB inputs these commands automatically. On a Windows machine, the malware runs from the Run prompt. On a Mac or Linux machine, these are run from a terminal.
This malware is built on the BadUSB prior research and implementation. This is done via reprogramming the controller on the chip on the USB. In theory, this could be coded to complete very detrimental tasks to the user’s computer.
The important lesson, in this case, is not to plug just any USB into your computer. These USBs are not the ones purchased from the local office supply store. These have been purchased, removed from their packaging, modified and passed onto the unsuspecting user. Users shouldn't have to plug any USB into their computer, and only use ones that you are completely confident with.
Ilascu, I. (2018, August 20). USBHarpoon is a BadUSB attack with a twist. Retrieved from https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/ Threat Brief. (2018, August 21). USBHarpoon is a BadUSB attack with a twist. Retrieved from https://threatbrief.com/usbharpoon-is-a-badusb-attack-with-a-twist/
Yiu, V. (2018). USBHarpoon. Retrieved from https://vincentyiu.co.uk/usbharpoon/
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.