Mike Peterson
A new version of the O.MG hacking tool, which looks like an unassuming Lightning cable, can compromise a range of devices and inject commands, log keystrokes, and more.
The O.MG Elite was recently showed off at the DEFCON cybersecurity conference in Las Vegas, and The Verge recently took a look into the nefarious accessory's capabilities.
"It's a cable that looks identical to the other cables you already have," creator MG said. "But inside each cable, I put an implant that's got a web server, USB communications, and Wi-Fi access. So it plugs in, powers up, and you can connect to it."
Although the cable looks innocuous enough, it actually has the ability to covertly harvest data from devices, log keystrokes on computers, and carry out other attacks.
Compared to previous versions of the O.MG cable, the new O.MG elite packs expanded network capabilities that allow for bidirectional communication. In other words, it can listen for incoming commands from an attacker and send data from a device that it's connected to back to a control server.
Like other products sold by penetration testing tool company Hak5, the OM.G Elite has a range of capabilities. It can inject keystrokes — or keyboard commands — that allow it to launch apps, download malware, or steal passwords saved in Chrome.
Because of its new network features, it can then send any data that it has stolen back to an attacker. Additionally, the cable can function as a key logger that can capture the words, numbers, and characters that a user types on a machine.
The types of attacks that the cable can carry out rely on being plugged into a machine. However, that physical access could allow an attacker to compromise a range of devices, from a Mac to an iPhone.
Who's at risk
As with most sophisticated penetration testing or hacking tools, the average iPhone or Mac users has little to worry about. Unless you're a high-value target, it's unlikely that you'll be compromised with an O.MG cable.
The O.MG Elite also costs $179.99, which likely puts it out of the price range of low-level scammers. It's a tool for professionals, in other words.
With that being said, a mitigation tactic would include only using cables that you purchased yourself — and to just generally not trust random accessories that you find or someone gives you. But, this has been good advice for more than a decade.
Amber Neely
Andrew O'Hara
William Gallagher
Christine McKee
Andrew Orr
Charles Martin
Marko Zivkovic
10 Comments
A Thunderbolt/USB-C version of this would be interesting. It should be able to extract quite a bit more
This is cheap and will only get cheaper. I don't understand anyone arguing it's too expensive to be of concern. (The seller might have an interest in downplaying the threat, though, to avoid scrutiny and keep selling the device.)
Also, keep in mind that consumers will unlikely get OMG cables on Amazon or BestBuy or anything of that sort as the cost of cable is high. Consumers would not buy a cable that would be worth that much money. A victim would have to be of a high value and the attacker would have to physically give them the cable making it more difficult.
It will become a concern as soon as the costs go down enough that there's no difference in cost between OMG and nonOMG cables and by then, it's likely USB standards will require implementations to counteract those kind of attacks.
I have seen on a few occasions a charging cable being made available to passengers in a Uber or Lyft car. I think I used one once a few years ago, but when I first heard about these hacking cables, never again will I plug into a cable in a ride-share or in public phone charging facilities.
Also, the article and some of the comments here suggest that the price will deter some people, but as the article states, "it's a tool for professionals." Well, there are enough of these "professionals" out there that put card skimming devices on ATM and gas pumps or who use key fob relay devices to break into your car. To them, less than a couple hundred bucks is no big deal. So while it's probably true that most of us don't need to be overly concerned, especially as long as we're being diligent, there's still plenty to be concerned about. The fact that some "low level scammers" would be deterred is no comfort.