The Hidden Dangers of USB Drives and Charging Cables: A Cybersecurity Warning (Full Transcript)

Speaker 1: As a person that doesn't use computers much, do you know that you're not ever supposed to plug in a USB drive that you find on the ground or that someone sends you in the mail, that if when you plug that into your computer, it could install malicious software? Did you know this? Of course. Okay, great.

Speaker 2: No, I didn't know that, but I've never done that. I would never pick something up and plug it in, because I mean. A lot of people do. I would never want to put something in, I didn't know what was on the stick.

Speaker 1: Yeah, but people go to conferences and there's jars of USB drives and people just usually plug it in and don't think the better. But people have known for years, you never do this. Yeah. But you have to think about, how have hackers evolved in their trade craft to even do this with something that's so simple that anybody would fall for it? So think about, do you have an iPhone or an Android? I do. You do. So you charge it with the cable. I'm not telling you which. So you charge the phone, right, with the cable? Yes, right. What if I could tell you we could modify that cable so when it's plugged into your computer, that we could remotely command the cable to install malware on your computer? The cable? The cable itself. And I'm gonna show you in a second. You're talking about a little white? Yeah, right here. Doesn't that look like an ordinary charging cable to you? Yeah. How do you get the cable to the victim? Well, if you have on-site access, you're in a company and you could swap it out. Or we could do what we call a social engineering attack and send a device with a cable, like a new iPhone or a new Pixel 4, and it comes prepackaged in the box. And when you open the box and take the shrink wrapping off, it looks exactly like it came from factory. But what the target doesn't know is that the cable has been modified. So let me show you actually how it works. Yeah. Do you have any questions for us?

Speaker 2: Yeah, I wonder how this works.

Speaker 1: Okay, all right. So we're gonna plug this in. What we have here on this white screen, this is the hacker and this computer is sitting in Virginia. It's not even in this room. So this is the hacker. This here is the victim. This is us. We've plugged in the cable. And now what the attacker is gonna do is command the cable to install malware, malicious software on the computer so the hacker has complete control. So this device is a Bluetooth transmitter. I could be within about 300 feet of the computer. I could push a button on here. And then what's gonna happen, if you look at the lower left-hand corner of the Windows computer where it says types here to search, in about five seconds you're gonna see it like magically type. It's gonna be a split second. And then what's gonna happen over here, we're gonna gain control of the computer. So what I want you to do, Phil, is see that A button? You can walk over there back to your chair. See the A?

Speaker 2: Sort of.

Speaker 1: Yeah, just.

Speaker 2: Yeah, it's the bottom one.

Speaker 1: Press the A button. Stop. Okay, and then we should look at the lower left-hand part of the screen. There it goes. That's the malware being injected. And that's it. That's all the victim sees. And I don't see it up on screen. It happened that fast?

Speaker 2: That fast. So right now you're controlling this computer from here.

Speaker 1: From Virginia. Yeah, I'm connected to a computer in Virginia. This has malware installed now because of the cable. And now I'm able to take full control of this computer as the hacker. So I could go through all the files on the computer. I can turn on the microphone and listen to the conversations in the room. Or what is really scary is I could turn on the victim's webcam. And now I could spy on you.