I didn’t think I would be scared of a USB cable until I went to Def Con. But that’s where I first learned about the O.MG Cable. Released at the notorious hacker conference, the Elite cable wowed me with a combination of technical prowess and its extremely stealth design.
Put simply, you can do a lot of damage with a cable that doesn’t behave the way your target expects.
What is it?
It’s just an ordinary, unremarkable USB cable — or that’s what a hacker would want you to think.
“It’s a cable that looks identical to the other cables you already have,” explains MG, the cable’s creator. “But inside each cable, I put an implant that’s got a web server, USB communications, and Wi-Fi access. So it plugs in, powers up, and you can connect to it.”
That means this ordinary-looking cable is, in fact, designed to snoop on the data that passes through it and send commands to whatever phone or computer it’s connected to. And yes, there’s a Wi-Fi access point built into the cable itself. That feature existed in the original cable, but the newest version comes with expanded network capabilities that make it capable of bidirectional communications over the internet — listening for incoming commands from a control server and sending data from whatever device it’s connected to back to the attacker.
What can it do?
Stressing, again, that this is a totally normal-looking USB cable, its power and stealth are impressive.
Firstly, like the USB Rubber Ducky (which I also tested at Def Con), the O.MG cable can perform keystroke injection attacks, tricking a target machine into thinking it’s a keyboard and then typing in text commands. That already gives it a huge range of possible attack vectors: using the command line, it could launch software applications, download malware, or steal saved Chrome passwords and send them over the internet.
It also contains a keylogger: if used to connect a keyboard to a host computer, the cable can record every keystroke that passes through it and save up to 650,000 key entries in its onboard storage for retrieval later. Your password? Logged. Bank account details? Logged. Bad draft tweets you didn’t want to send? Also logged.
(This would most probably require physical access to a target machine, but there are many ways that an “evil maid attack” can be executed in real life.)
:no_upscale()/cdn.vox-cdn.com/uploads/chorus_asset/file/23970273/OMG_Cable_Xray.png?w=788&ssl=1)
Lastly, about that built-in Wi-Fi. Many “exfiltration” attacks — like the Chrome password theft mentioned above — rely on sending data out over the target machine’s internet connection, which runs the risk of being blocked by antivirus software or a corporate network’s configuration rules. The onboard network interface skirts around these protections, giving the cable its own communications channel to send and receive data and even a way to steal data from targets that are “air gapped,” i.e., completely disconnected from external networks.
Basically, this cable can spill your secrets without you ever knowing.
How much of a threat is it?
The scary thing about the O.MG cable is that it’s extremely covert. Holding the cable in my hand, there was really nothing to make me suspicious. If someone had offered it as a phone charger, I wouldn’t have had a second thought. With a choice of connections from Lightning, USB-A, and USB-C, it can be adapted for almost any target device including Windows, macOS, iPhone, and Android, so it’s suitable for many different environments.
For most people, though, the threat of being targeted is very low. The Elite version costs $179.99, so this is definitely a tool for professional penetration testing, rather than something a low-level scammer could afford to leave lying around in the hope of snaring a target. Still, costs tend to come down over time, especially with a streamlined production process. (“I originally made these in my garage, by hand, and it took me four to eight hours per cable,” MG told me. Years later, a factory now handles the assembly.)
Overall, chances are that you won’t be hacked with an O.MG cable unless there’s something that makes you a valuable target. But it’s a good reminder that anyone with access to sensitive information should be careful with what they plug into a computer, even with something as innocuous as a cable.
Could I use it myself?
I didn’t get a chance to test the O.MG cable directly, but judging by the online setup instructions and my experience with the Rubber Ducky, you don’t need to be an expert to use it.
The cable takes some initial setup, like flashing firmware to the device, but can then be programmed through a web interface that’s accessible from a browser. You can write attack scripts in a modified version of DuckyScript, the same programming language used by the USB Rubber Ducky; when I tested that product, I found it easy enough to get to grips with the language but also noted a few things that could trip up an inexperienced programmer.
Given the price, this wouldn’t make sense as a first hacking gadget for most people — but with a bit of time and motivation, someone with a basic technical grounding could find many ways to put it to work.