A security researcher miniaturized a malicious Wi-Fi microcontroller inside the tiny housing of a USB connector. What looks like a regular phone cable actually pretends to be a keyboard that an attacker can remote-control.

Think of the possibilities: From the other side of the room—or of the planet—a hacker can: grab your passwords, steal your files, implant a persistent rootkit, or move laterally onto your corporate network. Anything at all.

And now the researcher is manufacturing these “O.MG” cables in quantity. But what if it gets into the supply chain?

What if something like it already has? In this week’s Security Blogwatch, we gently panic.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: SP networks.

HID-capable USB cable

What’s the craic, Zak? Mister Doffman reports—Warning As Macs Are Remotely Hacked By Malicious … Lightning Cable:

An iPhone Lightning cable that has been configured to enable remote, malicious access to a computer is not just on show at Def Con this year, it's on sale. … When it's used to connect a phone to a Mac, it enables an attacker to mount a wireless hijack.

…

It clearly has some frightening implications. Cables given as gifts, provided by hotels or airport lounges, swapped out … the options are endless.

…

The cables perform as expected—phones charge, iTunes opens, the usual dialog boxes appear. But the cable contains a wireless implant that can be accessed by an attacker.

…

Intel agencies around the world specialize in after-market adaptations of original equipment to ensure they pass muster and don't arouse suspicion. … It does provide some warning [about] the risk of using … accessories from anything but fully trusted sources.

“Some” warning? Joseph Cox klaxonifies—it will give an attacker a way to remotely tap into your computer:

I plugged the Apple lightning cable into my iPod and connected it to my Mac. [But] a short while later, a hacker remotely opened a terminal on my Mac's screen, letting them run commands.

…

One idea is to take this malicious tool, dubbed O.MG … and swap it for a target's legitimate one [or to] give the malicious version as a gift to the target. … The cable comes with various payloads … that an attacker can run on the victim's machine. A hacker can also remotely "kill" the USB implant.

Who is this cable-tampering hacker? Mike Grover, a.k.a. MG, ’fesses up:

O.MG started as a personal hardware learning project in February. … I wanted it to be capable for use in the field for things like Red Team exercises.

…

Target price: around $100. … The production cables will eventually be in the Hak5 shop. … We are going through the production process now.

Do you feel le déjà vu? This was Lisa Vaas, earlier this year—Evil USB O.MG cable opens up Wi-Fi to remote attacks:

Security researcher Mike Grover, who goes by the alias MG … rigged a USB cable to allow remote attackers to attack via Wi-Fi. [He] has implanted this open door into a USB cable that looks like any other innocuous cable you’d see lying around in a conference room.

…

The cable, dubbed the O.MG Cable, can be plugged into a Linux, Mac or Windows computer and allows attackers to execute commands over Wi-Fi as if they were sitting in front of the system. … Because operating systems consider [it’s a keyboard, it] can be used to input commands as if those commands are being typed on a keyboard.

…

Grover says the rigged cable can be used to do all these things and more:

Update and trigger malicious payloads

Kick other systems off Wi-Fi networks

Reflash systems.

… Attackers don’t necessarily have to be located close to the cable to issue commands. … the Wi-Fi chip in the cable can be preconfigured to connect to a Wi-Fi network … enabling commands to be executed from remote locations.

…

Grover’s been working on nefarious cables for a while. Earlier prototypes from last year were born from Mr. Self Destruct: a self-destructing USB keystroke injector that can be programmed to do things on a computer and then to explode.

This is frightening as all heck. Michael Khalili raises the stakes:

Even more frightening, people selling them as seemingly legitimate cables on Amazon? People will pay you and you get a new botnet.



How many could you sell before it's discovered? How can I, as a consumer, even tell?

Want even more déjà vu? Here’s Sean Gallagher from 2013—Your USB cable, the spy: Inside the NSA’s catalog:

In some cases, the NSA … has built and deployed its own USB cables at target locations—complete with spy hardware and radio transceiver packed inside. … The NSA uses an insider with a USB device … to gain access to computer systems, allowing the NSA to “reflash” their low-level BIOS firmware … to install backdoors that can survive a total operating system wipe.

…

There are a number of other implanted devices that the NSA has in its TAO arsenal, including USB and Ethernet implants, [which] create a shadow Internet that allows the NSA to move data … into its TURMOIL and X-KEYSCORE collection system. … The COTTONMOUTH series of implants are USB devices that provide a covert wireless bridge into a target network. They can be integrated into any USB plug.

Wait. Pause. If that was 2013, why is this still a problem? So asks James Babcock:

It's 2019. … It's a severe discredit to the major operating system vendors that plugging in a USB stick can still compromise a system. If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until either that keyboard has typed the user's login password, or the user uses a different input device to authorize it.

…

No one types their password into an iPhone cable. … The cable has no keys to type with. … Why the f* haven't Windows, MacOS and Linux all implemented these basic precautions?

Why indeed? Here’s a slightly more sympathetic bug_hunter:

If I designed the USB spec in 1996, I would not have thought that a complicated chip could be embedded into a charging cable with no noticeable visual indicator that could pretend to be a keyboard, [which] could then send input to run pre-defined malicious commands. It's a pretty clever hack.

…

I'm not sure what the cure is, I guess a pairing step similar to Bluetooth where the device also has to identify what kind of device it is. Even then half the people would just click yes to everything.

But what would be a legit use for this? couchslug blazes a slimy trail:

Pentesting. An untested defense is an unknown defense.

The moral of the story?

Your users are innocently picking up spare cables in conference rooms, or buying generic Chinese cables on Amazon. Think about that for a moment—now panic.
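
For defenders, Babcock's point above (a device that calls itself a keyboard should not be trusted until someone approves it) can at least be audited today. The following is an added example, not code from the article or from anyone quoted in it: it walks a Linux sysfs-style USB device tree and reports every HID interface on a device that is not on an approved list. The attribute names are the standard sysfs ones; the vendor/product IDs, the allowlist and the sample tree are constructed.

```python
import tempfile
from pathlib import Path

HID_CLASS = "03"      # USB-IF class code: Human Interface Device
BOOT_KEYBOARD = "01"  # bInterfaceProtocol of a boot-protocol keyboard


def _attr(path):
    """Read one sysfs attribute file; empty string if it is missing."""
    return path.read_text().strip().lower() if path.is_file() else ""


def unapproved_hid(sysfs_root, allowlist):
    """Return (device, 'vid:pid', kind) for HID interfaces on unlisted devices."""
    root, findings = Path(sysfs_root), []
    for iface in sorted(root.iterdir()):
        # Interface entries are named like '1-2:1.0'; '1-2' is the device.
        if ":" not in iface.name or _attr(iface / "bInterfaceClass") != HID_CLASS:
            continue
        dev = root / iface.name.split(":")[0]
        vidpid = f"{_attr(dev / 'idVendor')}:{_attr(dev / 'idProduct')}"
        if vidpid in allowlist:
            continue
        # Report every HID interface: a keyboard need not use the boot protocol.
        is_kbd = _attr(iface / "bInterfaceProtocol") == BOOT_KEYBOARD
        findings.append((dev.name, vidpid, "keyboard" if is_kbd else "hid"))
    return findings


def build_sample_tree():
    """Constructed stand-in for /sys/bus/usb/devices (all IDs are made up)."""
    sample = {
        "1-1": {"idVendor": "feed", "idProduct": "0001"},          # desk keyboard
        "1-1:1.0": {"bInterfaceClass": "03", "bInterfaceProtocol": "01"},
        "1-2": {"idVendor": "1234", "idProduct": "abcd"},          # "charging cable"
        "1-2:1.0": {"bInterfaceClass": "03", "bInterfaceProtocol": "01"},
        "1-3": {"idVendor": "1234", "idProduct": "0002"},          # flash drive
        "1-3:1.0": {"bInterfaceClass": "08", "bInterfaceProtocol": "50"},
    }
    root = Path(tempfile.mkdtemp())
    for name, attrs in sample.items():
        (root / name).mkdir()
        for attr, value in attrs.items():
            (root / name / attr).write_text(value + "\n")
    return root


if __name__ == "__main__":
    print(unapproved_hid(build_sample_tree(), {"feed:0001"}))
```

On a real host, point `unapproved_hid` at `/sys/bus/usb/devices`; it only reports and does not block input, so it is a detection aid rather than the authorization gate Babcock asks for.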

And finally

SP networks: The basis for almost all modern symmetric cryptography



You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or sbw@richi.uk. Ask your doctor before reading. Your mileage may vary. E&OE.

Image source: William Warby (cc:by)
