Upgraded version of O.MG hacking cable packs nefarious new capabilities
A new version of the O.MG hacking tool, which looks like an unassuming Lightning cable, can compromise a range of devices and inject commands, log keystrokes, and more.
Credit: Hak5
The O.MG Elite was recently showed off at the DEFCON cybersecurity conference in Las Vegas, and The Verge recently took a look into the nefarious accessory's capabilities.
"It's a cable that looks identical to the other cables you already have," creator MG said. "But inside each cable, I put an implant that's got a web server, USB communications, and Wi-Fi access. So it plugs in, powers up, and you can connect to it."
Although the cable looks innocuous enough, it actually has the ability to covertly harvest data from devices, log keystrokes on computers, and carry out other attacks.
Compared to previous versions of the O.MG cable, the new O.MG elite packs expanded network capabilities that allow for bidirectional communication. In other words, it can listen for incoming commands from an attacker and send data from a device that it's connected to back to a control server.
Like other products sold by penetration testing tool company Hak5, the OM.G Elite has a range of capabilities. It can inject keystrokes -- or keyboard commands -- that allow it to launch apps, download malware, or steal passwords saved in Chrome.
Because of its new network features, it can then send any data that it has stolen back to an attacker. Additionally, the cable can function as a key logger that can capture the words, numbers, and characters that a user types on a machine.
The types of attacks that the cable can carry out rely on being plugged into a machine. However, that physical access could allow an attacker to compromise a range of devices, from a Mac to an iPhone.
The O.MG Elite also costs $179.99, which likely puts it out of the price range of low-level scammers. It's a tool for professionals, in other words.
With that being said, a mitigation tactic would include only using cables that you purchased yourself -- and to just generally not trust random accessories that you find or someone gives you. But, this has been good advice for more than a decade.
Read on AppleInsider
Credit: Hak5
The O.MG Elite was recently showed off at the DEFCON cybersecurity conference in Las Vegas, and The Verge recently took a look into the nefarious accessory's capabilities.
"It's a cable that looks identical to the other cables you already have," creator MG said. "But inside each cable, I put an implant that's got a web server, USB communications, and Wi-Fi access. So it plugs in, powers up, and you can connect to it."
Although the cable looks innocuous enough, it actually has the ability to covertly harvest data from devices, log keystrokes on computers, and carry out other attacks.
Compared to previous versions of the O.MG cable, the new O.MG elite packs expanded network capabilities that allow for bidirectional communication. In other words, it can listen for incoming commands from an attacker and send data from a device that it's connected to back to a control server.
Like other products sold by penetration testing tool company Hak5, the OM.G Elite has a range of capabilities. It can inject keystrokes -- or keyboard commands -- that allow it to launch apps, download malware, or steal passwords saved in Chrome.
Because of its new network features, it can then send any data that it has stolen back to an attacker. Additionally, the cable can function as a key logger that can capture the words, numbers, and characters that a user types on a machine.
The types of attacks that the cable can carry out rely on being plugged into a machine. However, that physical access could allow an attacker to compromise a range of devices, from a Mac to an iPhone.
Who's at risk
As with most sophisticated penetration testing or hacking tools, the average iPhone or Mac users has little to worry about. Unless you're a high-value target, it's unlikely that you'll be compromised with an O.MG cable.The O.MG Elite also costs $179.99, which likely puts it out of the price range of low-level scammers. It's a tool for professionals, in other words.
With that being said, a mitigation tactic would include only using cables that you purchased yourself -- and to just generally not trust random accessories that you find or someone gives you. But, this has been good advice for more than a decade.
Read on AppleInsider
Comments
https://shop.hak5.org/products/omg-cable?variant=39808315490417
It will become a concern as soon as the costs go down enough that there's no difference in cost between OMG and nonOMG cables and by then, it's likely USB standards will require implementations to counteract those kind of attacks.
Also, the article and some of the comments here suggest that the price will deter some people, but as the article states, "it's a tool for professionals." Well, there are enough of these "professionals" out there that put card skimming devices on ATM and gas pumps or who use key fob relay devices to break into your car. To them, less than a couple hundred bucks is no big deal. So while it's probably true that most of us don't need to be overly concerned, especially as long as we're being diligent, there's still plenty to be concerned about. The fact that some "low level scammers" would be deterred is no comfort.
What real life situations are you going to use this? Hope there is free wifi nearby as you are unlikely to know the person't wifi passwords? Have another device nearby to capture the wifi? The cable must be plugged in to even get power and according to documentation, requires only 5v, otherwise you can fry it, even on USB-C. Sending these out randomly to people isn't going to work, as there is no way to get the payload out, unless the wifi can connect. Best case is having physical access to the person and able to follow them. Nearby apartment, cafe, airport, or someplace they charge at, within range.
The main problem is there is no security with cables. Most people will never be affected. Buy your own cables from known brands, from known good stores. Don't hookup unknown usb cables, devices, or chargers.
Regardless of this product's intent, this is a warning to the computer consuming public that yet another security threat genie is out of the bottle. We all need to be cautious about what we connect to our devices, whether SD cards, USB thumb drives, USB I/O devices (keyboards, mice, tablets, cameras, audio devices, etc.), USB toys/lights/etc., and now, any cable that supports any sort of communication protocol, even when there appears to be only a single connection endpoint, like with a charging cable.
Not only do we have to be careful about what we plug into our devices, e.g., don't stick a USB thumb drive you found in the parking lot outside your workplace into your computer, like anyone would ever do that - ha ha Stuxnet. We have to be very careful about where we source the things we purchase that we plan to plug into our devices. It's not like the maker of this Lightning hacking cable is going to start selling these at truck stops for $10 USD, at least not yet, but there are a wide range of connected products at all price points that could present similar threats to what this cable presents.