Websites like Amazon and eBay sell USB data cables for a pittance, often of unknown or dubious provenance.
Should I be wary of using these cables to transfer data to or from my devices? Is it possible (and plausible) that they have a malicious payload that can compromise the security of the host device?
It's reasonable to assume that random cheap cables sold in large scale generally aren't modified to include offensive hardware, mostly for two reasons:
However, if you have some reason to expect targeted, expensive attacks aimed to compromise you by people who have no qualms to perform illegal actions, then it certainly is a possibility that the hardware you receive is "special". However, that's not limited in any way to cheap USB data cables, or USB data cables - reasonably similar attacks would apply for any device you purchase in the same way, from mice/keyboards to laptops or server hardware. How do you know that your computer didn't have a hardware / firmware backdoor installed when you bought it?
If you have reason to expect such risks, you have to treat your USB data cable purchases in a similar manner as all other sensitive hardware; for example, ensure that you buy an item that cannot possibly be "adjusted" especially for you, e.g. random purchase of a generic item from a store shelf instead of a remote order that will be mailed to your address.
Security issues with cables? No.
It's technically possible to have a hidden/embedded device in which case all the caveats of an untrusted USB device apply.
However the cost of a device, especially one small enough to be hidden in a cable, would be quite a bit higher than the cable itself so you probably don't need to worry about this.
I really cannot imagine that the cable itself contains a malicious device as explained by @GeorgeBailey. So I would say that those cables are harmless when confidentiality or integrity is considered.
But if you consider that security also encompasses disponibility (availability), chances are that the contacts are of poor quality and that you experience occasional loss of connection when using them. Whether it is a real problem depends on actual usage...
I'd agree that the potential for malicious access is rather low, and if you are really worried about it you can always buy one more cable than you need and rip it apart to verify that nothing is in the housing that shouldn't be. I do want to note that while I wouldn't be overly concerned with potential security issues the potential for physical damage to the devices being charged is real, many of the lower-end cables available do not fully meet the USB spec and are often missing features required to correctly set the output power of a port, most likely not an issue if being used as a data cable but could be a problem if a device expects very low power input and is plugged into a USB port that is designed to be used to rapidly charge devices.
Cables are incredibly simple things. You are suggesting that the cheaper models house electronics for the purpose of compromising your security? That would only cost the supplier extra money.
What you should really be wary of is paying too much for a $5 product. Cables are not expensive. You should be paying no more than what you call "a pittance" for them.
If you are a person of interest, then anything is possible I suppose. I doubt the cable shipped from e.g. Amazon is not trustworthy, but shipments can be intercepted and what arrives in your mail box could have been tampered with. Unlikely to happen to 99.9% of us.
A bigger problem is that many USB 3 cables have been shown to be of very poor quality.
The problems stem from manufacturers not complying with the interface's specifications, specifically the use of resistors: a 56kΩ pull-up resistor should be connected to the Vbus pin to signal that one end of the cable or converter is a legacy USB device that can't handle a 3A current draw.
(http://www.theregister.co.uk/2015/11/05/google_engineer_ids_dodgy_usbs/)
The same engineer later reported frying some of his equipment due to a faulty cable:
Further analysis showed that the advertised SuperSpeed cables were missing entirely, and a 10 kΩ resistor was used instead of the 56 kΩ resistor the spec calls for. Needless to say, by the time the checks were done all of Leung's testing equipment was fried.
(https://www.engadget.com/2016/02/03/benson-leung-chromebook-pixel-usb-type-c-test/)
If the cable supplier has no way to guess at the purchaser's identity, chances for exploits are low.
However, I seem to remember that a German computer magazine had acquired and tested cheap USB3 cables that were wired wrong enough to potentially destroy devices.
There are also intentionally computer destroying USB devices around. If someone is just being an asshole, such things might get into circulation even though it is more expensive to produce than a proper cable.
And the first waves of computer viruses had no commercial payload, so assholery is not all that unheard of.
That depends on your definition of "safe". It's unlikely that such a cable will contain a malicious payload, but it is possible for such a cable to spy on you. There's an old Powerpoint presentation floating around the Internet, supposedly used at an internal meeting by a government espionage agency, discussing a way of spying on your monitor through your cables. This presentation claimed that this device, the size of a few rice grains, was in use already, and that some cable manufacturers agreed to put this device in the cables they sold. It claimed that it beamed back your red VGA signal when a radio beam hit a small radio dish in this spying device. It seems plausible enough, RFID and NFC chips are powered in a similar way.
The good news is, if a strange truck isn't sitting outside your house, this method can't work. If it works with digital signals at all.
Full disclosure, this Powerpoint may have been a hoax. Hardware is not my strong suit, nor is electronics, especially not anything related to modulated waves.
If you want to do anything malicious, except for killing the device, you nead power supply for your tool.
The USB A-B, A-mini, A-micro, A-Olympus, A-lightning cables are only conductors. Whole comunication is done by USB dirver in your computer and the device. In the cable, there can be resistors and passive filters only.
The cable, and hypothetical TLA device, are designed to operate with 5 VDC power supply and digital signals.
If you connect 20 VAC between any pair of pins, icluding shielding, and something blows up, the cable was TLA-modified and it drew power from USB.Building something capable to fully operate with power supply ranging from 0-1 kV, both AC and DC is impossible.
If you are suspicious of self-powered TLA-device, you can use good ol' X-Ray. Buy Photographic paper, keep it in dark envelope, put the USB ports on it and place uranium ore ontop of it. Develop the photograph next day and you will get X-Ray shadow of the interior. If it is TLA-modified, you will see extra circuitry.
If you think it is still not enough, you can apply really strong and dynamic magnetic field to it. EMP (nuke) or magnetic resonance (NMR) are capable of such magnetic shocks. Every circuit will induce enough current to fry itself. If the cable survives, you are sure, it wasn't TLA-modified.
In the real world, device, that is capable of anything malicious and is that small costs a lot of effort (= money) to be used as a random device. There is no way the atacker has ide wht are you about to do with the cable - they are Universal (Serial Bus cables) -, you can use them to charge your bike light, for example.
Therefore thay are useful for targetted attack only. In that case, TLA will more likely replace cable you already use with the TLA-enhanced one. If you are paranoid enough, using randomly bought cheap USB cables is the way to be sure, you are not TLA-monitored via USB plug listen-and-report technique. The procedure is: Buy, use, dispose. No re-use, no storage.
tl;dr:
Using cheap USB cables is, with respect to TLA-infestation only, completely safe.
