Does that phone charger perform more tasks than you might think?
Before attending Def Con, I never thought I’d be afraid of a USB cable. The O.MG Cable, though, was something I first heard about there. The Elite cable, unveiled at the infamous hacker conference, amazed me with a mix of technical mastery and its incredibly stealthy design.
Simply put, a cable that behaves in a way that is unexpected by your target might cause a lot of damage.
It is what?
According to what a hacker would like you to believe, the USB cable is simply an average, unimpressive USB cable.
The cable’s designer, MG, adds, “It’s a cable that looks exactly like the other cables you already have.” “However, I inserted an implant with a web server, USB communications, and Wi-Fi access within each cable. Therefore, it plugs in, powers on, and allows for connection.
In other words, this seemingly common cable is actually intended to eavesdrop on the data that travels through it and transmit commands to the phone or computer it is linked to. Yes, the cable itself has a built-in Wi-Fi access point. That function was present in the original cable, but the most recent model has improved network capabilities that enable bidirectional internet communication, allowing it to send information from whatever device it is connected to back to the attacker while listening for incoming commands from a control server.
At Def Con, MG, the O.MG Cable’s inventor. Corin Faife/The Verge image
What is its scope?
Again, I must emphasise that this USB cable looks quite normal, but it has incredible power and stealth.
The O.MG cable can perform keystroke injection attacks, tricking a target machine into thinking it’s a keyboard and then entering in text commands, just like the USB Rubber Ducky (which I also tried at Def Con). It now has a wide variety of potential attack routes at its disposal: by accessing the command line, it might run programmes, download malware, or steal saved Chrome passwords and send them over the internet.
Additionally, the cable has a keylogger built in that, when used to connect a keyboard to a host computer, may record each keystroke that is sent through it and store up to 650,000 keystrokes in onboard memory for later retrieval. Your user ID? Logged. Account information? Logged. Unwanted unwanted tweets that were poorly written? Also recorded.
(An “evil maid attack” can be carried out in real life in a variety of methods, but it would most likely involve physical access to a target machine.)
And last, regarding the built-in Wi-Fi. Many “exfiltration” assaults, like the aforementioned Chrome password theft, rely on transferring data across the target computer’s internet connection, which increases the likelihood that it may be prevented by antivirus software or the setup restrictions of a corporate network. By providing the cable with its own communications channel to send and receive data as well as a mechanism to steal data from targets that are “air gapped,” or fully cut off from external networks, the onboard network interface gets around these safeguards.
In essence, this wire has the ability to reveal your secrets without your knowledge.
What level of threat is it?
The O.MG cable’s extraordinary covertness is what makes it so frightening. There wasn’t much to worry me while I was holding the cord in my palm. I wouldn’t have given it a second thought if someone had suggested using it as a phone charger. It may be customised for practically any target device, including Windows, macOS, iPhone, and Android, and has a choice of connections from Lightning, USB-A, and USB-C. As a result, it is appropriate for a variety of contexts.
Your secrets may be revealed through this cable.
However, the likelihood of being targeted is generally very minimal. Since the Elite edition is so expensive, it is clear that this is a tool for professional penetration testing rather than something a low-level con artist could afford to leave laying around in the hopes of catching a victim. Even Nevertheless, costs usually decrease with time, especially when the production process is optimised. “I originally made these in my garage, by hand, and it took me four to eight hours per cable,” MG informed me. Years later, the assembly is now done in a factory.)
In general, unless there is something that makes you a valuable target, it is unlikely that you will be hacked with an O.MG cable. However, it serves as a helpful reminder that anyone with access to private information should exercise caution when connecting anything to a computer, even something as simple as a cable.
Can I use it on my own?
Although I didn’t have a chance to try the O.MG cable in person, based on my knowledge of the Rubber Ducky and the online setup instructions, I believe that anyone can use it.
The cable requires some initial setup, such as flashing the device with firmware, but after that, it may be programmed via a web interface that is accessed from a browser. When I tried the USB Rubber Ducky, I found the programming language to be simple enough to grasp, but I also spotted a few elements that could trip up a novice programmer. Attack scripts can be written in a customised version of DuckyScript.
This wouldn’t make sense given the cost as a first hacking tool for most people, but someone with a solid technical foundation may find a variety of uses for it with some time and motivation.