If you weren’t scared of USB cables before, you should be now. The O.MG cable (or Offensive MG kit) from [MG] hides a backdoor inside the shell of a USB connector. Plug this cable into your computer and you’ll be the victim of remote attacks over WiFi.
You might be asking what’s inside this tiny USB cable to make it susceptible to such attacks. That’s the trick: inside the shell of the USB ‘A’ connector is a PCB loaded up with a WiFi microcontroller — the documentation doesn’t say which one — that will send payloads over the USB device. Think of it as a BadUSB device, like the USB Rubber Ducky from Hak5, but one that you can remote control. It is the ultimate way into a system, and all anyone has to do is plug a random USB cable into their computer.
In the years since BadUSB — an exploit hidden in a device’s USB controller itself — was released upon the world, [MG] has been tirelessly working on making his own malicious USB device, and now it’s finally ready. The O.MG cable hides a backdoor inside the shell of a standard, off-the-shelf USB cable.
The construction of this device is quite impressive, in that it fits entirely inside a USB plug. But this isn’t just a PCB from a random Chinese board house: [MG] spent 300 hours and $4000 in the last month putting this project together with a Bantam mill and created his own PCBs, with silkscreen. That’s impressive no matter how you cut it.
Future updates to this cable that will hack any computer might include a port of ESPloitV2, an Open Source WiFi controlled USB HID keyboard emulator. That will bring a lot of power to this device that’s already extremely capable. In the video attached to this tweet you can see the O.MG cable connected to a MacBook, with [MG] opening up a webpage remotely.
It’s a good package for tricking the user into plugging it in, and it’s impressive to fit wifi into the small volume this way, but is it made any more dangerous by virtue of being sneaky?
I’m not afraid of boogeymen with this cable; they need both physical access and either my passwords or an exploit.
Do you require a password every time you plug in a USB device? If so, the OPSEC is strong with you! And you hope that you never need to plug in a USB keyboard. Other than that, this seems as if the most probable use case is being plugged in while the user is logged in, and physical access is not required as it is a WiFi device.
That’s what usbguard is for.
Great. But how exactly did he spend $4K on something that’s just a tiny PCB in a cable?
Probably an audiophile. :)
good one! ahahah
WHiFi ?
WHY-FI :D
According to the article he bought some tools as well, then it can make sense depending on what they are.
Looks like he bought a $4000 mill to make his PCBs. Could be done way cheaper of course.
The Bantam mill is a $4,000 mill for hipsters into electronics. Absolutely nothing in that machine is worth $4,000.
He’s making PCBs from scratch. His Twitter talks about resin curing, so presumably he’s fabricating the FR4?
Plot twist: the cable was made by Monster and sold at Best Buy, so it gives extra high quality packets
Are such devices capable of attaching to a computer without announcing their connection?
It could be designed to monitor the USB voltage with, say, a 16-bit SPI ADC chip, centre-tapping between two 10 megaohm resistors across the USB Vcc and GND. With the processor entering deep sleep between each sample, say every 5 or 30 minutes, monitoring the peak, average and minimum voltages for a number of days, slowly characterising the usage profile of the computer’s owner(s). It could monitor the USB voltage and not initiate its own USB functionality until the power usage was at a minimum (voltages at maximum, i.e. no one is using the computer). At 16 bits, even if there was a dedicated LDO (low-dropout regulator) for every USB port in the computer, some side-channel usage information would still leak and could be monitored.
Would you notice if a new device was connected to your computer if you were not there to see the device connected ?
I was thinking along these lines for some sort of basic OPSEC, that each connection needs to be authorized along with providing details about what the device announces itself to be.
But in the case of a USB keyboard being used as an attack vector, placing it in a keyboard would break this model.
For highly secure systems, it seems that there needs to be a procedure to validate the hardware that will be connected, then disallow any new hardware from being used. I think this would be pretty easy at the OS level and that may be enough for most cases. That wouldn’t stop the USB Killer or something that tries to exploit a USB host controller, but I guess it would be a start.
https://usbguard.github.io/
These devices have programmable VID and PID.. Borrow a valid device for a sec, plug it in to get its ID and you’re good. Bypasses usbguard and most other protections.
Not surprising. I have a TP-LINK TL-WN725N WiFi dongle that’s just a USB Type A connector with a 6.63 x 7.1 x 14.93 mm plastic housing. Wouldn’t be surprised to find the actual PCB and electronics are no taller or wider than the dimensions of the metal part.
Last time I got one of those marketing “Plug me in” USB devices that just spew “WIN+r http:///www.example.com” from a HID device. Linux blocked it completely. Which was annoying as I wanted to subvert it to doing something else.
“I also wanted to do as much as possible on the mill instead of sending the boards off to be professionally made. ”
And spend $4k instead of $10 and get it within a week (not counting CNY)?!? WHY so much pain?
Perhaps he is a fan of “No pain, no gain”? :-) I still prefer the least painful way to achieve something.
Are you forgetting the Hacker’s Creed – ANY excuse to buy more tools is a good excuse.
‘But honey – I NEED those’.
The homeowner’s corollary, “no project is worth doing if it doesn’t ‘justify’ a new tool purchase”.
Because you get a mill out of it, too!
And for free, too! Who doesn’t want a free CNC mill?!? Sure, you have to buy the $4,000 PCB first…
Who will be the first with a Hackaday high-voltage ‘USB’ socket, into which we can plug any unknown cables to fry anything connected across the conductors inside?
Now this seems like a fun project. Marx generator onto a USB socket.
https://www.youtube.com/watch?v=7lTw7boxGdk
https://www.youtube.com/watch?v=hKEwupvwwdI
If WiFi hotspots in the area are locked down, what does such a device have the ability to do?
Another excuse to run your computer in user mode and only use admin when you know what you’re doing.
This has been around for what, over a year now, and didn’t you actually publish a blurb on it back then? Again, is this a slow news day or what?
I’ll admit this post might be somewhat behind the ball for something that got so popular on social media, but [MG] unveiled the completed project only 10 days ago.
If you’re referring to BadUSB, then that’s been covered on HaD in the past. But this project is certainly worthy of its own post.
Maybe we require a new BIOS feature or OS feature, since the BIOS is unlikely to have control over this, but ..
A simple function to allow us to WHITELIST one USB keyboard that is allowed for input, by serial or whatever ..
All other connected keyboards won’t enumerate, period.
Linux has usbguard (https://usbguard.github.io/)
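The whitelisting the thread is asking for (one approved keyboard, nothing else enumerates) is what a usbguard rules file expresses. The following is an added example, not taken from the article or from the usbguard project’s own documentation; the vendor:product ID, serial and name are constructed placeholders to be replaced with the values `usbguard list-devices` reports for your own keyboard. It also answers the VID/PID-cloning objection raised later in the thread: the allow rule matches on serial and the exact interface set as well, so a device that copies only the vendor:product pair falls through to the keyboard block rule.

```text
# /etc/usbguard/rules.conf (added example; IDs, serial and name are constructed placeholders)
# usbguard evaluates rules top to bottom and the first matching rule decides.

# 1. The one approved keyboard: vendor:product AND serial AND exact interface set.
#    03:01:01 = HID boot keyboard, 03:00:00 = generic HID (media keys). A clone that
#    copies only the 1234:abcd ID but not the serial/interfaces does not match here.
allow id 1234:abcd serial "KBD-SERIAL-PLACEHOLDER" name "Approved Keyboard" with-interface equals { 03:01:01 03:00:00 }

# 2. Reject anything that types AND does something else (the BadUSB shape:
#    a "storage" or "network" device that also presents a keyboard interface).
reject with-interface all-of { 03:01:01 08:*:* }
reject with-interface all-of { 03:01:01 02:*:* }

# 3. No second keyboard enumerates, period.
block with-interface one-of { 03:00:01 03:01:01 }

# 4. Plain mass storage is still allowed (drop this line for a stricter host).
allow with-interface equals { 08:*:* }

# 5. Everything not matched above is blocked.
block
```

Generate the initial allow list from the devices already plugged in with `usbguard generate-policy`, review it, then install it as the rules file; a device blocked at run time shows up in `usbguard list-devices -b`, which is also the audit trail for any cable that tried to enumerate as a keyboard while you were not watching.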
And now we finally have a case against USB keyboards and mice … PS/2 and AT keyboard connectors could not be used in such a way because there was only one and it was in use all the time!
Take that, 21st century!
Instead of showing up as a new HID device, the device can simply inject keystrokes when the real keyboard is not in use. You could put a logger inline with the real keyboard and it would play back stored keystrokes when a special command string is received. Here is the first one I found on Amazon. https://www.amazon.com/KeyGrabber-PS-KeyLogger-4MB-Purple/dp/B0076QL44W
Would a USB condom stop this?
$4K? Search on eBay for “wifi usb” and you will get mini dongles for $1.30 that fit inside a USB cable; only loading new firmware onto those mini Chinese dongles plus a nice-looking USB cable, and it should work. Then $3998 extra to buy a new laptop :)
Impressive work within the size constraints of the average USB A plug, but given that entire SoC systems can be fit on what used to hold a 16 GB NAND IC and aggregate controller in a flash drive, there’s a whole new world that could be created, given the need to do so.
My only question at this point would be…
Have they done so already, and to what benefit?
Would it be stopped by the Penteract Disguised Keyboard Detector or does it work on some driver bugs?