brachiosaurusTIL for at last 15 years US government has been able to implant hardware into USB cables to turn them into hacking devices with wireless capability.
You might be interested in the full Snowden leak
Yeah, it’s scary how much people don’t remember/don’t know
And don’t care.
d-RLY?Maybe, might also be that since tech literacy has degraded since his leak. Which means that they don’t care because they are overwhelmed with the information that they don’t understand. Hell, I imagine that a lot of the press that where sent the information didn’t fully understand.
The average person likely defaulted to what they always do, and just assumed that the leak meant the feds had to stop and treat it like any other historic reveal (example being stuff like COINTELPRO and believing that it was bad but isn’t done anymore). Hell, a shocking amount of libs honestly thought that Biden was going to bring Medicare for All (even though he said he wasn’t) just because he said “the Democratic Party is the party of healthcare” a few times.
I’m sure it’s a spectrum, and some people may legitimately not be aware, but its been 13 years. As a society, we’ve had ample time to get literate and develop knowledge. Instead we’ve had three presidents from both major parties hold the line that Snowden was a criminal for blowing the whistle on rampant illegal surveillance, and all 3 of them just stepped on the gas.
Voters don’t even see the irony in the pedophiles’ ramping up the surveillance apparatus in the name of protecting the children.
assange, chelsea manning, the msm crucified these 2 as well. funny enough putin allows him to stay because hes useful propaganda.
I wouldn’t include Assange in that list honestly. He was just out for himself in the end as he did muddy the waters in the 2016 election and was easily cajoled by the FSB to leak falsified documents and misinformation.
Chelsea however was a fucking patriot who was pillaried by the state to be made example of. She literally did her patriotic duty and was imprisoned for it.
Bad_EngineeringYou can now buy one for yourself online. https://shop.hak5.org/products/omg-cable
JessicaThat is amazing. The x-ray of it is kind of scary, honestly. That little chip could be all it would take to get into an air-gapped machine.
There are a ton of different payloads that can be run on these, for everything from simple keylogging, to root access, to network backdoors. I've only recently gotten into pentesting but with something like this there's no real limit to the damage that could be done with only a few seconds of physical access.
Honestly, as a Systems/DevOps engineer it’s always been well know that if you have physical access, you have zero chance of security. Sure it might take more time if precautions were followed, but you will be owned eventually, that’s guaranteed.
This is one of our most frustrating fights I have with our security design reviewers. Effectively functionless mitigations that create extra obstacles for our service reps to deal with during troubleshooting. One example is our equipment is installed in access restricted areas, in a locked rack. We don’t need to disable unused Ethernet ports on our networking equipment that exists in a locked cabinet and it will take away our ability to repatch equipment to a different switch in the system to assist in troubleshooting.
Let me guess, they do allow ai traffic from everyone and their mum for the sake of uhh… innovation?
Crazy that the USB-A housing is big enough for that. Makes me want to avoid anything that’s not C to C.
C-to-C is even worse because Usb-C requires a chip in the connector, and you never know what that chip is capable of. Usb-A would only have a chip in it if it’s been tampered with.
Yeah I was hoping the smaller form factor would make it difficult to fit in extra malicious hardware.
This was the smallest Bluetooth chip back in 2017. I can’t even imagine what else they can fit into the form factor of a USB-C plug nowadays.
Released last year, TI MSPM0C1104
The MSPM0C1104 is a 24 MHz Arm Cortex-M0+ based device with up to 16 KB of flash and 1 KB of SRAM. It has a 12-bit ADC with three channels, six GPIO pins, and typical communication interfaces like UART, SPI, and I²C. It is an ultra-low-power 32-bit MCU well suited for compact battery-powered designs.
There’s a USB-C option for the active end.
muusemuuseThis is both incredible and horrifying at the same time
That’s the tradeoff yes
darknetdiaries.com/episode/161/
There’s a darknet episode about these cables
「黃家駒 Wong Ka Kui」 | (aka: 鳳凰院 凶真 Hououin Kyouma)Pro Tip: Leave a unique mark somewhere on the cable so if someone switches it, you can tell it apart. Always check for the mark before you use the cable, every time.
(Yes I actually do this, I’m paranoid)
If you’re really paranoid you should buy all your stuff in a brick and mortar store. You’d have to be high up on a list for it to even be worth someone’s time, but intercepting a package and swapping the contents is pretty easy to do, typical Tuesday multi-agency gun ring bust for some postal inspectors
My older brother is abusive, and I need precautions to be safe.
That’s my threat model.
I actually would rather run a phone with stock OS with verified boot, rather than LineageOS but with bootloader unlocked. Evil Maid from someone you know wanting fuck around with you is more scary to me than government tbh
(I don’t have a pixel for graphene)
Edit: Also these cables cost like $200 online from HAK5. My brother definitely can pull some shit if he tried. He’s in Computer Science in college.
Only with a few rare phones… most phones just gets bricked if you attempt to lock it under a custom os because they don’t support custom keys.
Pixel supports it, but I don’t have a pixel. (If I did I would just use Graphene lol)
New is expensive
and I really distrust the used market… feels very sketchy and it could have hidden damage that doesn’t manifest itself until the return window is already passed (if they even allow a return at all), also I have a paranoia about getting an IMEI that a criminal have used and then cops come knocking thinking its ME doing the illegal activity (cuz you know they do the “oops wrong address” thing often and they’ve shot people to death over it )
America has a governmental deparment of CSS? No wonder your government is causing a Constant State of Suffering
OtterYou can see a CT scan of one of these
damn i though they would use the type A connector because it’s bigger but it can be fit even into usb C
Apple did it with lightning.
fallaciousBasisAnyone can do this.
Possibly linuxFast charging won’t work without a proper connection
WiddershinsI’ve been using wireless chargers for years. I find it “more secure” in the sense that my phone’s port is full of gunk and if I want to wake up with full batteries I can count on wireless a lot more.
I like wireless and magnetic mainly because fucking up the cable is like the most common thing I might do to a device. not saying I do it all the time but its the most likley break to happen.
I am not terribly worried about USB/thunderbolt attacks since Android requires authentication before it does anything.
Lol, plug a usb mouse or keyboard into your android and it will just work. Anything you can do these things can do.
My phone still requires auth to use plus there is no way for them to get what’s on the screen. I’m also pretty sure that typing a pin requires the screen but I could be mistaken.
Even if there was a way to attack from USB, I still wouldn’t be that worried. USB attacks typically are only used against targeted individuals not some rando. The reason why you see warnings about chargers is because it makes easy clickbait.
No permission needed for a keyboard to open up a malicious webpage.
Yes a keyboard. Your USB cable wears a trench coat that says “Hey I’m a Keyboard, lemmy in”
Last time I checked a keyboard can’t just open up a web page. That’s not how it works.
Shortcuts…
A human on a keyboard attached to a device while its unlocked can navigate to a webpage just bypressing keys, so malicious USB can just do what a person can do, but automatically.
It probably works much better on a computer after the user walks away, it’s a bit harder on a phone since most people instinctively presses the power button to turn off the screen so it autolocks (since you usually put it away in your pocket, so its muscle memory), but for a computer, there are certain people that just walks away to the bathroom or something and leave their device unlocked… so a person with access to a keyboard connected to that computer can do stuff on it… same as a script on a chip that sends keystrokes to the computer…
This is pretty much the reason I exclusively use dollar store cables and/or dedicated chargers. Saw a yt video about these things at an airport. The more I learn about tech, the more it makes me wanna uncle Ted the fuck out.
all my family thinks I’m overzealous against tech. I work in tech industry, I know security and vulnerabilities. I know software and hardware.
if anything, I’m underzealous.
I’m actually looking at deep woods properties to build an off-grid home. somewhere I can take the family to get away from everything and just disappear into a void for vacations.
Bruh, real talk! I did some limited packet tracking. But going deep I learned about the occilation of the fan attack on air gapped machines a few years ago. I’m just done at this point. They gunna get your info regardless.
Every time I learn something about modern living
Funny enough, im reading up on timber frame houses.
Ok, granted. Maybe not THAT Uncle Ted out. But it is kinda fucked how the CIA used his professor to manipulate homie.
I do call center work in a health care environment. We get lots of scams. Most of them are bad and obvious but someone recently did the math and figured out the don’t need to be good to work.
Follow me for a moment.
Call comes in. It’s a recording. You know this recording. It’s a busy office environment. Part rustling, typing, annoyed sigh exactly the same number of seconds in every call.
There is no response to your voice. But you have to say the same thing 3 times with no response before you can disconnect the call. So the recoding loops and you continue talking to the bot.
Why?
Well on my side, I know it’s dumb but I have to do it because metrics mean I can continue to almost afford to do things like eat food or masturbate in a warm house in the winter.
They do it because this bot lets them map out our IVR (whatever, it sucks now that it’s AI) and capture voice samples from people who are forbidden to hang up.
Now in years past this wouldn’t be all that useful. The samples are of reps saying basically the same damn thing. But we now live in the era of lifeless AI. So the bar has been lowered for what a legit interaction is. (Seriously, some places paid extra for a more “lifelike” AI that did everything the old EVA bot did but in an Indian accent with the sound of crumpling paper in the background and the occasional “um” thrown in.)
So those voice samples can be used to create a fake call center based on real employee voices. This is a known attack vector that is being used against us in health care right NOW.
But AI needs to profitable so nothing is done about it.
Seriously, they protect AI to such a ridiculous extent they know the scam is happening from the same phone number and they won’t block it or even issue it a challenge.
Yachts at sea.
Yas Queen!