WiFi Hides Inside A USB Cable

If you weren’t scared of USB cables before, you should be now. The O.MG cable (or Offensive MG kit) from [MG] hides a backdoor inside the shell of a USB connector. Plug this cable into your computer and you’ll be the victim of remote attacks over WiFi.

You might be asking what’s inside this tiny USB cable to make it susceptible to such attacks. That’s the trick: inside the shell of the USB ‘A’ connector is a PCB loaded up with a WiFi microcontroller — the documentation doesn’t say which one — that will send payloads over the USB device. Think of it as a BadUSB device, like the USB Rubber Ducky from Hak5, but one that you can remote control. It is the ultimate way into a system, and all anyone has to do is plug a random USB cable into their computer.

In the years BadUSB — an exploit hidden in a device’s USB controller itself — was released upon the world, [MG] has been tirelessly working on making his own malicious USB device, and now it’s finally ready. The O.MG cable hides a backdoor inside the shell of a standard, off-the-shelf USB cable.

The construction of this device is quite impressive, in that it fits entirely inside a USB plug. But this isn’t a just a PCB from a random Chinese board house: [MG] spend 300 hours and $4000 in the last month putting this project together with a Bantam mill and created his own PCBs, with silk screen. That’s impressive no matter how you cut it.

Future updates to this cable that will hack any computer might include a port of ESPloitV2, an Open Source WiFi controlled USB HID keyboard emulator. That will bring a lot of power to this device that’s already extremely capable. In the video attached to this tweet you can see the O.MG cable connected to a MacBook, with [MG] opening up a webpage remotely.

42 thoughts on “WiFi Hides Inside A USB Cable

  1. It’s a good package for tricking the user into plugging it in, and it’s impressive to fit wifi into the small volume this way, but is it made any more dangerous by virtue of being sneaky?

    I’m not afraid of boogymen with this cable, they need both physical access and either my passwords or an exploit.

    1. do you require a password every time you plug in a USB device? If so, the OPSEC is strong with you! and you hope that you never need to plug in a USB keyboard. Other than that this seems as if the most probable use case is being plugged in while the user is logged in and physical access is not required as it is a wifi device.

    1. It could be designed to monitor the USB voltage with a say a 16-bit SPI ADC chip, centre tapping between two 10 mega ohm resistors across the USB Vcc and GND. With the processor entering deep sleep between each sample say every 5 or 30 minutes, monitoring the peak, average and minimum voltages for a number of days, slowly characterising the usage profile of the computers owner(s). It could monitor the USB voltage and not initiate it’s own USB functionality until the power usage was at a minimum (voltages at maximum, i.e. no one is using the computer.). At 16-bits, even if there was a dedicated LDO (Low-dropout regulator) for every USB port in the computer, some side channel usage information would still leak and could be monitored.

      Would you notice if a new device was connected to your computer if you were not there to see the device connected ?

    2. I was thinking along these lines for some sort of basic OPSEC, that each connection needs to be authorized along with providing details about what the device announces itself to be.
      But in the case of a USB keyboard being used as an attack vector, placing it in a keyboard would break this model.

      For highly secure systems, it seems that these needs to be a procedure to validate the hardware that will be connected then disallow any new hardware from being used. I think this would be pretty easy at the OS level and that may be enough for most cases. That wouldn’t stop the USB Killer or something that tries to exploit a USB host controller but I guess it would be a start.

  2. Not surprising. I have a TP-LINK TL-WN725N WiFi dongle that’s just a USB Type A connector with a 6.63 x 7.1 x 14.93 mm plastic housing. Wouldn’t be surprised to find the actual PCB and electronics are no taller or wider than the dimensions of the metal part.

  3. If WiFi hotspots in the area are locked down, what does such a device have the ability to do?

    Another excuse to run your computer in user mode and only use admin when you know what you’re doing.

    1. I’ll admit this post might be somewhat behind the ball for something that got so popular on social media, but [MG] unveiled the completed project only 10 days ago.

      If you’re referring to BadUSB, then that’s been covered on HaD in the past. But this project is certainly worthy of its own post.

  4. maybe we require a new bios feature or OS feature since the bios is unlikely to have control over this, but ..

    a simple function to allow us to WHITELIST one USB keyboard that is allowed for input, by serial or whatever ..
    all other connected keyboards won’t enumerate, period.

  5. And now we finally have a case against USB keyboards and mice … PS/2 and AT keyboard connectors could not be used in such a way because there was only one and it was in use all the time!

    Take that, 21st century!

  6. 4K$ search on Ebay wifi usb and will get mini dongles for 1.3$ and fits inside usb cable , only loading a new fw to those mini chinese dongles, a nice looking usb cable and should works , then 3998$ extra to buy a new laptop :)

  7. Impressive work within the size constraints of the average USB A plug, but given that entire SoC systems can be fit on what used to hold a 16gb nand IC and aggregate controller in a flash drive, there’s a whole new world that could be created, given the need to do so.
    My only question at this point would be…
    Have they done so already, and to what benefit?

Leave a Reply to Squonk42Cancel reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.