USB O.MG cable opens up Wi-Fi to remote attacks. Take a look at one of your USB cables and you’ll probably see an icon. It might look like a trident, with a vector, circle and square stemming off the main branch. (see image below)
What do those three symbols mean? You can find multiple suggestions online. Suggestion that the icon likely indicates that the cable delivers three things: data, power, and audio/video.
Well, thanks to a tinkerer, that USB icon is going to need a fourth branch, perhaps ending in an image of a burglar – because a USB cable has been rigged to allow remote attackers to attack via Wi-Fi. Security researcher Mike Grover, who goes by the alias MG, has implanted this open door into a USB cable that looks like any other innocuous cable you’d see lying around in a conference room.
Why bother with USB drives? They’re already suspicious enough.
The cable, dubbed the O.MG Cable, can be plugged into a Linux, Mac or Windows computer and allows attackers to execute commands over Wi-Fi as if they were sitting in front of the system, issuing commands with a mouse and keyboard.
That’s because the operating system detects the cable as part of an input device, or what’s known as a human interface device (HID). Because operating systems consider HID devices to be input devices, they can be used to input commands as if those commands are being typed on a keyboard.
A video showed a plugged in O.MG Cable into a target computer, stepped away, and sent instructions from his mobile phone. First step: open a phishing site on the system…
Next, he instructed the remotely controlled computer to navigate to the cable’s project page. Grover says the rigged cable can be used to do all these things and more:
- Update and trigger malicious payloads
- Kick other systems of Wi-Fi networks
- Reflash systems
The cable can even be configured to overcome a computer’s inactivity lock, by, for example, imitating tiny mouse movements:
It ‘works’ just like any keyboard and mouse would at a lock screen, which means you can type and move the mouse. Therefore, if you get access to the password you can unlock the device. Also, if the target relies on an inactivity timer to auto lock the machine, then it’s easy to use this cable to keep the lock from initiating by simulating user activity that the user would not notice otherwise (tiny mouse movements, etc).
Attackers don’t necessarily have to be located close to the cable to issue commands over Wi-Fi. Grover told Bleeping Computer that the Wi-Fi chip in the cable can be preconfigured to connect to a Wi-Fi network, where an attacker could potentially open a reverse shell to a remote computer, enabling commands to be executed from remote locations.
A rigged cable could be neutered with what’s known as a USB condom: a small dongle that blocks data transmission but allows for recharging. However, that wouldn’t stop the potential for a de-authentication attack.
He suggested that the de-authentication attack could enable an attacker who can’t get into the vicinity of the targeted computer – but who’s managed to get the O.MG cable in there – to shove a victim off the Wi-Fi and onto the cable:
You aren’t in range of a wireless target, but the target person is. Using this cable, you can get them to carry the attack hardware inside a controlled area. Maybe to disrupt a camera? Maybe a fun disruption/diversion for another attack. (Imagine distributing a dozen inside an office and suddenly IT/Sec is focused on the chaos).