In at present’s installment of Betteridge’s regulation enforcement, right here’s an evil USB-C dock proof-of-concept by [Lachlan Davidson] from [Aura Division]. We’ve seen malicious USB gadgets aplenty, from cables and chargers to flash drives and even suspicious USB followers. However a dock, nonetheless, is new. The gist is straightforward — you’re taking a inventory dock, discover a Pi Zero W and wire it as much as a USB 2.0 port tapped someplace contained in the dock. Discovering a Pi Zero is certainly the toughest half on this endeavor — on the software program facet, the whole lot is prepared for you, simply flash an SD card with a pre-cooked malicious picture and go!

On the floor degree, this may appear to be a cookie-cutter malicious USB assault. Nonetheless, there’s a non-technical ingredient to it; USB-C docks have gotten increasingly widespread, and with the distinctive degree of comfort they supply, the “plug it in” temptation is way greater than with different gadgets. For example, in shared workspaces, having a USB-C cable with charging and typically even a second monitor is changing into a norm. For those who use USB-C day-to-day, the comfort of simply plugging a USB-C cable into your laptop computer turns into too good to move up on.

This hack doesn’t precisely use any USB-C particular technical options, like Energy Supply (PD) – it’s extra about exploiting the comfort issue of USB-C that incentivizes you to plug a USB-C cable in, amplifying an outdated assault. Now, BadUSB with its keystroke injection is not the restrict — with a Thunderbolt-capable USB-C dock, you possibly can join a PCIe system to it internally and even get entry to a laptop computer’s RAM contents. After all, fearing USB-C cables is just not a viable method, so maybe it’s time for us to begin defending from BadUSB assaults on the software program facet.