I think the device featured in the article "merely" appears as a keyboard to the victim machine. The attack can then transmit keystrokes over WiFi. (This is still sufficiently dangerous. Essentially, it's "open terminal, download evil.exe, execute evil.exe, minimize/close" and escalate from there. So, not something you want to happen.)
That said, if you click the link next to BadUSB, they detail attacks whereby the device pretends to be a USB Ethernet adapter instead. And while you're right that stuff typically wants user input prior to connecting to WiFi networks, I don't think anything prompts before connecting to wired networks. The onboard WiFi could even make it appear to work, so as to not arouse suspicion (by simply bridging the pretend-ethernet to the WiFi), but now your attack has a MitM and a keyboard…
Needless to say, you don't want random USB devices getting plugged into your machine.
I’m sure there are some secure networks that require 802.1x authentication against a specific certificate authority, which would ensure devices only connect to a trusted network. That’s definitely an exception rather than the rule though - I’ve never worked anywhere that does anything more than limiting which device can connect to a particular switch port.
I've also seen wired network authentication, but that's typically the network authenticating the devices that connect to it. This is more like the need for the device to authenticate the network that it's attached to, or really, to authenticate the USB devices attached to it. This is somewhat problematic: I feel like most employees/people want to go to a coffee shop and do work, or work at home, etc. How does one distinguish between those networks and the rogue ones?
(I think ideally, you don't distinguish. Every network is equally untrusted, and you rely on good end-to-end encryption. That doesn't address the rogue HID attack, however.)
I've also seen unauthenticated corporate networks where STP packets reach the end user ports, and AIUI, the right response packet would direct the network to start sending all traffic my way…
Via the microcontroller embedded with the wifi adapter in the cable. It can effectively operate as a separate computer which uses the host PC parasitically for power and I/O.
A secretly-IoT keyboard that shares your key presses and may "type" malicious stuff when you're not looking at it; the OS wouldn't be able to tell it's not you doing the typing. Not scary at all, no sir.
So long as it can simulate them, installing a keylogger that can read them too is a matter of a few seconds (to "type" a PowerShell script that will download and execute the desired payload).
HID is usually OK with systems, and hence a wireless mouse and keyboard can be pretended.
A Windows hack may be: the “mouse” would move to the leftmost bottom corner, then click. Type search terms like Cmd<r>. Then if one can get hold of the window one is in ...
I took GP to be speculating about a hypothetical secretly-IoT-keyboard, not the cable being discussed. Similar thoughts are explored in the comments on TFA.
You can do all of that without WiFi. How is an attacker with no vision of the screen any more useful than a script that can auto type a command to get remote access?
A script that can autotype a command to get remote access needs to be able to communicate over your network, and it can be detected or blocked by your network security infrastructure.
A device like this packages its own covert communications channel together with the exploit dropper; it provides an entry point to your network (and exfiltration channel) that bypasses all your filtering, logging, scanning, etc.
The 'ESPloit v2' [1] appears on USB as both a keyboard and a serial port, and any data sent on the serial port can be exfiltrated by the ESP8266 over its own wifi connection.
You can also imagine a loop where first you install a keyboard logger and exfiltrate the user's password, then later you want to update the exploit scripts to make use of the password. Or hell, maybe this is a prank product and having a wireless button to rickroll your victim on demand makes you laugh.
With that said, the first person to make a fake USB keyboard had a much bigger and more exciting trick than this incremental change.
Edit: Or to put it another way, this is like the NSA's "Cottonmouth" bug, which "will provide air-gap bridging, software persistence capability, 'in-field' re-programmability, and covert communications with a host software implant over USB" [2] but 10 years later and without charging a million dollars for 50 units.
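The keyboard-plus-comms combination described in this thread (HID keyboard alongside a CDC serial or Ethernet interface) is visible in the USB interface descriptors, so a host can at least flag such devices. The audit below is an added example, not code from any of the commenters or from the ESPloit project; the device names and descriptor triples in SAMPLE are constructed, and the sysfs reader assumes a Linux host. Legitimate composite devices (some docks and dev boards) will match too, so treat a hit as a prompt to inspect, not proof of an implant.

```python
"""Audit USB devices for the keyboard-plus-comms combination that BadUSB-style
implants present (HID keyboard together with a CDC serial or Ethernet interface).
Interface class codes follow the USB-IF class code table."""
import os
from typing import Dict, List, Tuple

Iface = Tuple[int, int, int]  # (bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol)

def is_keyboard(iface: Iface) -> bool:
    cls, _sub, proto = iface
    return cls == 0x03 and proto == 0x01  # HID class, boot-protocol keyboard

def is_comms(iface: Iface) -> bool:
    cls, sub, proto = iface
    return (cls == 0x02                                   # CDC control: ACM serial, ECM/NCM Ethernet
            or cls == 0x0A                                # CDC data
            or (cls == 0xEF and sub == 0x04)              # Miscellaneous: RNDIS over Ethernet
            or (cls == 0xE0 and sub == 0x01 and proto == 0x03))  # Wireless controller: RNDIS

def classify(ifaces: List[Iface]) -> str:
    kb = any(is_keyboard(i) for i in ifaces)
    comms = any(is_comms(i) for i in ifaces)
    if kb and comms:
        return "suspicious: keyboard + comms interface on one device"
    return "keyboard" if kb else ("comms" if comms else "other")

def audit(devices: Dict[str, List[Iface]]) -> List[str]:
    """Return the names of devices whose interface mix matches an implant."""
    return [name for name, ifaces in devices.items()
            if classify(ifaces).startswith("suspicious")]

def read_sysfs(root: str = "/sys/bus/usb/devices") -> Dict[str, List[Iface]]:
    """Collect interface triples from Linux sysfs, grouped by device (e.g. '1-2')."""
    devices: Dict[str, List[Iface]] = {}
    for entry in os.listdir(root):
        path = os.path.join(root, entry)
        if ":" not in entry or not os.path.isfile(os.path.join(path, "bInterfaceClass")):
            continue  # interface dirs look like '1-2:1.0'; skip device and hub dirs
        triple = tuple(int(open(os.path.join(path, f)).read(), 16)
                       for f in ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol"))
        devices.setdefault(entry.split(":")[0], []).append(triple)  # type: ignore[arg-type]
    return devices

# Constructed sample descriptors, not captured from real hardware.
SAMPLE: Dict[str, List[Iface]] = {
    "plain-keyboard": [(0x03, 0x01, 0x01)],
    "usb-serial":     [(0x02, 0x02, 0x01), (0x0A, 0x00, 0x00)],
    "kb+serial":      [(0x03, 0x01, 0x01), (0x02, 0x02, 0x01), (0x0A, 0x00, 0x00)],
    "kb+ethernet":    [(0x03, 0x01, 0x01), (0x02, 0x06, 0x00), (0x0A, 0x00, 0x00)],
}

if __name__ == "__main__":
    live = read_sysfs() if os.path.isdir("/sys/bus/usb/devices") else SAMPLE
    print(audit(live))
```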
Long story short, underclocking the ESP12 compresses the RF envelope for 2.4GHz. It also means the RF energy is in what looks like 1/3 of a normal 2.4GHz channel.
The awesome side effect is that this device's SSID is completely hidden from regular 2.4GHz radios. You need another ESP12 with the same underclock ratio... and then need the SSID (if hidden), and the password.
You'd be able to find it using an ADALM-PLUTO. It'd stick out like a sore thumb, but it still wouldn't make sense what's going on unless you build a decode stack in GNU Radio.
If it is, then the computer doesn't connect to a router at all. The USB cable could make itself available as a network that you remotely connect to then execute commands. The cable then types out your commands as it imitates a USB keyboard. Have you ever seen a device or PC that randomly trusts a USB keyboard you plug into it?
Sorry, I was trying to reply to the above comment by structuring it in the same way, but making one minor switch to show how severe the issue can be. Trusting a router may not happen, but trusting a keyboard (as you've pointed out) almost always does.
Not without notice. Your computer won't connect to a wireless network automatically. So in order for this to work, the USB device needs the same SSID and key. Then, in order to make it not suspicious (and get your data) you need to actually forward traffic to the internet. Not sure if those devices can repeat.
Emulating a USB ethernet adapter might help you, as those will connect, but without uplink it's still suspicious.
The "cable" has WiFi, so it's probably possible to set up a hidden WiFi network around the premises of the target and have the implant connect with that. With the right type of antenna you can set up a WiFi connection to a specific device from quite a way away. Then tunnel the connection from your malicious AP and emulate ethernet on the USB side of the implant.
Or, search for open/guest networks and use those as an uplink. There's plenty of possibilities for this to work as a malicious network adaptor.
However, I think the network example is just a proof of concept and the remote connectivity is much more interesting to any real attacker.
Doable with an ESP chip, monitoring for open WiFi networks and connecting to whatever is available. Then you could have it await further instructions from a C&C.
That wouldn't need further actions from the victim.