I didn’t think I’d be afraid of a USB cable until I went to Def Con. But that’s where I first heard about the O.MG cable. Released at the infamous hacker conference, the Elite cable stunned me with a combination of technical prowess and its extremely unobtrusive design.
Simply put, you can do a lot of damage with a cable that doesn’t behave the way your target expects.
What is it?
It’s just a regular, unobtrusive USB cable – or that’s what a hacker would want you to think.
“It’s a cable that looks identical to the other cables you already have,” explains MG, the cable’s maker. “But in each cable I placed an implant with a web server, USB communication and Wi-Fi access. So it plugs in, boots up and you can connect to it.”
That means this plain-looking cable is actually designed to snoop through the data passing through it and send commands to any phone or computer it’s plugged into. And yes, there is a wifi access point built into the cable itself. That feature existed in the original cable, but the latest version comes with expanded networking capabilities that allow it to communicate bidirectionally over the Internet — listening for incoming commands from a control server and sending data from whatever device it’s connected to, back to the attacker.
What can it do?
Stressing again that this is a perfectly normal looking USB cable, the power and stealth are impressive.
First, like the USB Rubber Ducky (which I also tested at Def Con), the O.MG cable can perform keystrokes, tricking a target machine into thinking it’s a keyboard and then entering text commands. typing. That already gives it a huge range of possible attack vectors: Using the command line, it can launch software applications, download malware or steal saved Chrome passwords and send them over the Internet.
It also includes a keylogger: when used to connect a keyboard to a host computer, the cable can record every keystroke that passes through it and store up to 650,000 key entries in its internal storage for later retrieval. Your password? logged. Bank details? logged. Bad draft tweets you didn’t want to send? Also logged in.
(This would most likely require physical access to a target machine, but there are many ways an “evil maid attack” can be performed in real life.)
Finally, about that built-in Wi-Fi. Many “exfiltration” attacks — such as the Chrome password theft mentioned above — rely on sending data over the target machine’s Internet connection, which risks being blocked by antivirus software or a corporate network’s configuration rules. The onboard network interface bypasses these protections, giving the cable its own communication channel to send and receive data and even a way to steal data from targets that are “air gapped”, ie completely disconnected from external networks.
Basically, this cable can reveal your secrets without you ever knowing.
How much threat is it?
The scary thing about the O.MG cable is that it is extremely hidden. As I held the cable in my hand, there was really nothing to make me suspicious. If someone had offered it as a phone charger, I wouldn’t have thought about it. With a choice of Lightning, USB-A and USB-C connections, it can be customized for almost any target device, including Windows, macOS, iPhone and Android, so it’s suitable for many different environments.
However, for most people, the threat of being targeted is very low. The Elite version costs $179.99, so this is definitely a professional penetration testing tool, rather than something that could leave a low-level scammer lying around hoping to catch a target. Still, costs tend to come down over time, especially with a streamlined manufacturing process. (“I originally made these in my garage, by hand, and it took me four to eight hours per cable,” MG told me. Years later, a factory is now doing the assembly.)
In general, unless there is something that makes you a valuable target, chances are you won’t get hacked with an O.MG cable. But it’s a good reminder that anyone with access to sensitive information should be careful about what they plug into a computer, even something as innocuous as a cable.
Could I use it myself?
I didn’t get a chance to test the O.MG cable directly, but judging by the online installation instructions and my experience with the Rubber Ducky, you don’t have to be an expert to use it.
The cable requires some initial setup, such as flashing firmware to the device, but can then be programmed via a web interface accessible from a browser. You can write attack scripts in a modified version of DuckyScript, the same programming language used by the USB Rubber Ducky; when I tested that product, I found it easy enough to master the language, but I also noticed a few things that might trip an inexperienced programmer.
Given the price, this wouldn’t make sense to most people as a first hacking gadget – but with a little time and motivation, someone with a basic tech base could find many ways to put it to work.