The O․MG Elite cable is a creepy and stealthy hacking tool

I didn’t think I was afraid of a USB cable until I went to Def Con. But that’s where I first discovered the O.MG cable. Released at the famous hacker conference, the Elite cable won me over with a combination of technical prowess and its extremely stealthy design.

Simply put, you can do a lot of damage with a cable that doesn’t behave as your target expects.

What is that?

It’s just an ordinary, unremarkable USB cable – or so a hacker would have you think.

“It’s a cable that looks like other cables you already have,” says MG, the cable’s creator. “But inside each cable, I put an implant that has a web server, USB communications, and Wi-Fi access. So it plugs in, turns on, and you can connect to it.” .

This means that this plain-looking cable is actually designed to snoop on the data passing through it and send commands to whatever phone or computer it’s connected to. And yes, there is a Wi-Fi hotspot integrated into the cable itself. This feature existed in the original Cable, but the latest version comes with expanded networking capabilities that make it capable of two-way communications over the Internet – listening for incoming commands from a control server and sending data to the attacker from any device it is connected to.

MG, creator of the O.MG Cable, at Def Con.
Photo by Corin Faife/The Verge

What can it do?

Emphasizing, again, that this is a perfectly normal looking USB cable, its power and stealth are impressive.

First, like the USB Rubber Ducky (which I have also tested at Def Con), the O.MG Cable can perform keystroke injection attacks, tricking a target machine into thinking it’s a keyboard and then typing text commands. This already gives him a huge range of possible attack vectors: using the command line, he could launch software applications, download malware or steal saved chrome passwords and send them over the Internet.

It also contains a keylogger: if used to connect a keyboard to a host computer, the cable can record every keystroke that passes through it and save up to 650,000 keystrokes to its onboard storage for later retrieval. Your password? Connected. Bank account details? Connected. Bad drafts of tweets you didn’t want to send? Also connected.

(This would most likely require physical access to a target machine, but there are many ways a “evil girl attack” can be performed in real life.)

An x-ray of the O.MG cable showing the chip layout.
Image via O.MG website

Finally, about that built-in Wi-Fi. Many “exfiltration” attacks – like the Chrome password theft mentioned above – rely on sending data over the target machine’s internet connection, which may be blocked by anti-virus software or corporate network configuration rules. The onboard network interface bypasses these protections, giving the cable its own communication channel to send and receive data and even a way to steal data from “out of the way” i.e. completely disconnected targets. external networks.

Basically, this cable can reveal your secrets without you knowing.

How much of a threat is that?

What is scary with the O.MG cable is that it is extremely discreet. Holding the cable in my hand, there was really nothing to make me suspicious. If someone had offered it as a phone charger, I wouldn’t have hesitated. With a choice of connections from Lightning, USB-A, and USB-C, it can be adapted to almost any target device, including Windows, macOS, iPhone, and Android, so it’s suitable for many different environments.

For most people, however, the threat of being targeted is very low. The Elite version costs $179.99, so it’s definitely a tool for professional penetration testing, rather than something a low-level scammer could afford to leave lying around in hopes of trap a target. Still, costs tend to come down over time, especially with a streamlined production process. (“Initially, I made them in my garage, by hand, and it took me four to eight hours by cable,” MG told me. Years later, a factory now does the assembly. )

All in all, chances are you won’t get hacked with an O.MG cable unless there’s something that makes you a valuable target. But it’s a good reminder that anyone with access to sensitive information should be careful what they plug into a computer, even with something as innocuous as a cable.

Could I use it myself?

I haven’t had the opportunity to directly test the O.MG cable, but judging by the online setup instructions and my experience with the Rubber Ducky, you don’t have to be an expert to use it.

The cable requires initial setup, such as flashing firmware to the device, but can then be programmed through a web interface accessed from a browser. You can write attack scripts in a modified version of DuckyScript, the same programming language used by the USB Rubber Ducky; When I tested this product, I found it fairly easy to get to grips with the language, but I also noted a few things that might trip up an inexperienced programmer.

Considering the price, it wouldn’t make sense as a first hacking gadget for most people – but with a bit of time and motivation, someone with a basic tech background could find plenty of ways to put it on. implemented.

Leave a Comment