An Open-Source Justification For USB Cable Paranoia (Evil Crow Cable-Wind)

469

•

An Open-Source Justification For USB Cable Paranoia (Evil Crow Cable-Wind) (hackaday.com)

I think I need to buy/build a home x-ray machine just to check cables I buy. Maybe I can get one decommissioned from a dentists office. You know they can use a USB device now and don't need film?

I also have said this a million times to everyone. DONT PLUG RANDOM USB STUFF INTO YOUR COMPUTER. I don't care if you got some "pretty lights or some gadget from the internet" If it has a USB plug, DO NOT PLUG IT INTO A COMPUTER. If nothing else it could screw up your computer. It could also be a "bad" device that actively attacks your computer(s).

Archive: https://archive.today/8rGem

From the post:

>Most people know that they shouldn’t plug strange flash drives into their computers, but what about a USB cable? A cable doesn’t immediately register as an active electronic device to most people, but it’s entirely possible to hide a small, malicious microcontroller inside the shell of one of the plugs. [Joel Serna Moreno] and some collaborators have done just that with their Evil Crow Cable-Wind. This cable comes in two variants: one USB-A to USB-C, and one with USB-C to USB-C. A tiny circuit board containing an ESP32-S3 hides inside a USB-C plug on each cable, and can carry out a keystroke injection attack. The cable’s firmware is open-source, and has an impressive set of features: a payload syntax checker, payload autocompletion, OS detection, and the ability to impersonate the USB device of your choice.

I think I need to buy/build a home x-ray machine just to check cables I buy. Maybe I can get one decommissioned from a dentists office. You know they can use a USB device now and don't need film? I also have said this a million times to everyone. DONT PLUG RANDOM USB STUFF INTO YOUR COMPUTER. I don't care if you got some "pretty lights or some gadget from the internet" If it has a USB plug, DO NOT PLUG IT INTO A COMPUTER. If nothing else it could screw up your computer. It could also be a "bad" device that actively attacks your computer(s). Archive: https://archive.today/8rGem From the post: >>Most people know that they shouldn’t plug strange flash drives into their computers, but what about a USB cable? A cable doesn’t immediately register as an active electronic device to most people, but it’s entirely possible to hide a small, malicious microcontroller inside the shell of one of the plugs. [Joel Serna Moreno] and some collaborators have done just that with their Evil Crow Cable-Wind. This cable comes in two variants: one USB-A to USB-C, and one with USB-C to USB-C. A tiny circuit board containing an ESP32-S3 hides inside a USB-C plug on each cable, and can carry out a keystroke injection attack. The cable’s firmware is open-source, and has an impressive set of features: a payload syntax checker, payload autocompletion, OS detection, and the ability to impersonate the USB device of your choice.

(post is archived)