Before I went to Def Con, I thought I wouldn’t be afraid of USB cables. But that’s where I first learned about O.MG cables. Announced at the infamous hacker conference, the Elite cable blew my mind with its combination of technical prowess and an extremely stealthy design.
In short, if the cable does not behave as the target expects, you can do a lot of damage.
what is it?
It’s just a plain, unremarkable USB cable — or that’s what hackers want you to think.
“It’s a cable that looks the same as any other cable you already have,” explains MG, the creator of the cable. “But within each cable, I put an implant that has a web server, USB communication and Wi-Fi access. So it’s plugged in, it’s powered, and you can connect to it.”
This means that this seemingly ordinary cable is actually designed to snoop on the data passing through it and send commands to whatever phone or computer it’s connected to.Yes, there is a Wi-Fi access point Built into the cable itself. The feature was present in the original cable, but the latest version has extended networking capabilities that allow it to communicate in both directions over the internet – listening for incoming commands from the control server and sending data back to the attack from whatever device it is connected to By.
What can it do?
Again, this is a completely normal-looking USB cable that’s impressively powerful and stealthy.
First, like the USB Rubber Ducky (which I also tested at Def Con), the O.MG cable can perform a keystroke injection attack, tricking the target machine into thinking it’s a keyboard and then entering text commands. This already gives it a plethora of possible attack vectors: Using the command line, it can launch software applications, download malware, or steal saved Chrome passwords and send them over the internet.
It also includes a keylogger: if used to connect a keyboard to a host computer, the cable can record every keystroke that passes through it, saving up to 650,000 key entries in its onboard storage for later retrieval. your password? recorded. Bank account details? recorded. Bad tweet draft you don’t want to send? also logged in.
(This will most likely require physical access to the target machine, but there are a number of ways in which an “Evil Maid Attack” can be performed in real life.)
Finally, about the built-in Wi-Fi. Many “penetration” attacks — like the Chrome password theft mentioned above — rely on sending data over the target machine’s internet connection, which runs the risk of being blocked by antivirus software or corporate network configuration rules. The onboard network interface bypasses these protections, giving the cable its own communication channel to send and receive data, and can even steal data from targets that are “air-gapped” (i.e. completely disconnected from the external network).
Basically, this cable can leak your secrets without your knowledge.
How big is the threat?
The scary thing about the O.MG cable is that it’s pretty stealthy. I have the cable in my hand and there’s really nothing that makes me doubt it. I wouldn’t have a second thought if someone offered it as a phone charger. With a choice of Lightning, USB-A, and USB-C connections, it can adapt to almost any target device, including Windows, macOS, iPhone, and Android, making it suitable for many different environments.
However, for most people, the threat of being targeted is very low. The Elite Edition costs $179.99, so this is definitely a tool for professional penetration testing, not something a low-level crook can afford in hopes of snaring targets. Still, costs tend to drop over time, especially if the production process is simplified. (“I started by hand in the garage, and each cable took four to eight hours,” MG told me. Years later, it’s now assembled in a factory.)
In general, unless something makes you a worthy target, you won’t be hacked by O.MG cables. But it’s a good reminder that anyone with access to sensitive information should be careful about what they plug into their computer, even something as innocuous as a cable.
Can I use it myself?
I didn’t have a chance to test the O.MG cable directly, but from the online setup instructions and my experience with Rubber Ducky, you don’t need to be an expert to use it.
The cable requires some initial setup, such as flashing firmware to the device, but can then be programmed via a web interface accessible from a browser. You can write attack scripts using a modified version of DuckyScript, which is the same programming language used by the USB Rubber Ducky; when I tested the product, I found it easy to grasp the language, but also noticed some programs that might make inexperienced staff trips.
Given the price, this won’t make sense for most people as a first hacking gadget – but with a little time and motivation, there are plenty of ways that someone with a basic technical foundation can make it work.