Evil USB O.MG cable opens up Wi-Fi to remote attacks

Take a look at one of your USB cables and you’ll probably see an icon. It might look like a trident, with a vector, circle and square stemming off the main branch.

What do those three symbols mean? You can find multiple suggestions online. We’re less inclined to believe that it was created by Al Gore to represent a three-pronged attack on the earth, and more comfortable with the suggestion that the icon likely indicates that the cable delivers three things: data, power, and audio/video.

Well, thanks to a tinkerer, that USB icon is going to need a fourth tine, perhaps ending in an image of a burglar – because he’s rigged a USB cable to allow remote attackers to attack via Wi-Fi. Security researcher Mike Grover, who goes by the alias MG, has implanted this open door into a USB cable that looks like any other innocuous cable you’d see lying around in a conference room.

Why bother with USB drives? They’re already suspicious enough. Go for the cable instead, his thinking was.

The cable, dubbed the O.MG Cable, can be plugged into a Linux, Mac or Windows computer and allows attackers to execute commands over Wi-Fi as if they were sitting in front of the system, issuing commands with a mouse and keyboard.

That’s because the operating system detects the cable as part of an input device, or what’s known as a human interface device (HID). Because operating systems consider HID devices to be input devices, they can be used to input commands as if those commands are being typed on a keyboard.

Grover tweeted a video of himself as he plugged an O.MG Cable into a target computer, stepped away, and sent instructions from his mobile phone. First step: open a phishing site on the system…

Next, he instructed the remotely controlled computer to navigate to the cable’s project page. Grover says the rigged cable can be used to do all these things and more:

  • Update and trigger malicious payloads
  • Kick other systems of Wi-Fi networks
  • Reflash systems

Grover told Bleeping Computer that the cable can even be configured to overcome a computer’s inactivity lock, by, for example, imitating tiny mouse movements:

It ‘works’ just like any keyboard and mouse would at a lock screen, which means you can type and move the mouse. Therefore, if you get access to the password you can unlock the device. Also, if the target relies on an inactivity timer to auto lock the machine, then it’s easy to use this cable to keep the lock from initiating by simulating user activity that the user would not notice otherwise (tiny mouse movements, etc).

Attackers don’t necessarily have to be located close to the cable to issue commands over Wi-Fi. Grover told Bleeping Computer that the Wi-Fi chip in the cable can be preconfigured to connect to a Wi-Fi network, where an attacker could potentially open a reverse shell to a remote computer, enabling commands to be executed from remote locations.

A rigged cable could be neutered with what’s known as a USB condom: a small dongle that blocks data transmission but allows for recharging. However, that wouldn’t stop the potential for a de-authentication attack, Grover said.

He suggested that the de-authentication attack could enable an attacker who can’t get into the vicinity of the targeted computer – but who’s managed to get the O.MG cable in there – to shove a victim off the Wi-Fi and onto the cable:

You aren’t in range of a wireless target, but the target person is. Using this cable, you can get them to carry the attack hardware inside a controlled area. Maybe to disrupt a camera? Maybe a fun disruption/diversion for another attack. (Imagine distributing a dozen inside an office and suddenly IT/Sec is focused on the chaos).

Indistinguishable from normal USB cables

Grover’s been working on nefarious cables for a while. Earlier prototypes from last year were born from Mr. Self Destruct: a self-destructing USB keystroke injector that can be programmed to do things on a computer and then to explode. In a Hak5 video posted in May 2018, he shows how he put one of those early prototypes together.

That prototype was practically indistinguishable from cables you see lying around in conference rooms. It did have a repair cap on the business end that was fatter than an unadulterated cable, but you’d likely have needed to put the two side by side to notice any difference.

Now that Grover has refined his design, that difference has vanished. He says the bad and the good cables are now indistinguishable.

Oh, and about that condom…

Sorry, but Grover popped a hole in that safety dongle …by creating a BadUSB Condom.

You may ask, how practical is it to get both the bad cable and the popped USB condom into the vicinity of a target system? Let’s hope we never find out.