
Malicious Charging Cable - vuln
https://shop.hak5.org/products/o-mg-cable
======
dijit
Shameless plug: the hak5 community[0] is super nice and while there are "can
you hack facebook" people around there is also a dearth of super kind people
who are willing to put in the time to teach people about computers.

I have been watching their shows since season two and recently was granted the
proud responsibility of hosting their IRC these days[1]. (which is the
shameless plug)

Obviously it's built for newbies but that's part of the charm and a lot of the
content gets new people interested in security and computers in general. :)

[0]: [https://forums.hak5.org/](https://forums.hak5.org/)

[1]: ircs://irc.hak5.org/hak5

~~~
onionisafruit
From context, I think you mean the opposite of dearth.

~~~
teachrdan
Heh, Steve Martin made the same mistake:

'I had developed a small reputation from my appearances at the Ice House, and
on May 6, 1969, I wrangled a meeting and auditioned in an office for Steve
Allen’s two producers, Elias Davis and David Pollock. They accepted me with
more ease than I expected, and when I spoke with them afterward, they
commented, “There seems to be a dearth of young comedians right now.” I looked
puzzled. I said, “That’s odd, I don’t think there are many at all.” Their
stares made me realize my blunder. I knew the word, but I had the definition
backward.'

From "Born Standing Up," an amazing memoir

------
h4waii
Wow, could those photos be any worse?

[https://mg.lol/blog/omg-cable/](https://mg.lol/blog/omg-cable/) and
[https://github.com/O-MG/O.MG_Cable-Firmware](https://github.com/O-MG/O.MG_Cable-Firmware)
have more information about the cable, but they are still severely lacking in
technical details about the hardware and software used to communicate.

~~~
tyingq
Based on the firmware[1], I'm guessing esp32.

[1] [https://github.com/O-MG/O.MG_Cable-Firmware/blob/master/README.md](https://github.com/O-MG/O.MG_Cable-Firmware/blob/master/README.md)

------
wfriesen
Similar to this is the USB Ninja, which delivers a remote payload like the
Rubber Ducky.

[https://hackerwarehouse.com/product/usb-ninja-cable/](https://hackerwarehouse.com/product/usb-ninja-cable/)

~~~
kweks
For those who may be curious, how two very similar products (USBNinja and the
O.MG Cable) exist, there is a bit of history.

Both products are based on the concept of a HID attack: most modern OSs
(MacOS, Linux, Windows, Android...) trust HID (Human Interface Devices)
implicitly. This means that when you plug in a Keyboard, Mouse, Storage device
or Network device, they work instantly. You don't need to install drivers or
explicitly enable them. The newly attached devices work instantly - even on a
locked device.

The advantage here is obvious. The disadvantage is more subtle, but was
exploited by the Hak5 "Rubber Ducky". By emulating a HID device (or even
worse, multiple HID devices simultaneously..) - you could essentially control
a computer and deploy / execute anything, as if you had full control of the
device.

"The Classic" PoC is the Windows "Creds" attack [1] - which unlocks locked
windows machines - later turned very, very nuclear by Samy Kamkar with
PoisonTap [2], which essentially exfiltrates data, exfiltrates cookies and
credentials, and permanently backdoors a locked PC.

The idea of moving from a dedicated device (Rubber Ducky) to an embedded
device first came to surface with the BadUSB device [3].

The idea of moving it into a cable came from the NSA, a device called
COTTONMOUTH [4][6], which was leaked during the NSA document dumps [5]. MG,
the designer of BadUSB, built a prototype of this with today's resources.

RRG, the company behind the latest iterations of Proxmark 3, ChameleonTiny,
etc., prototyped and built the USBNinja. Their device is built on the Arduino
(Ducky) framework, as opposed to the ESP32 framework.

There is / was drama between MG (behind BadUSB) and RRG / Kevin Mitnick; MG
claimed that it was his prototyped device that was brought to market first by RRG.

Drama aside, both products exist, both serve the same purposes, and from a
hardware point of view, they're both incredible devices that we could have
never imagined 10 years ago.

Personally, I find the framework of the USBNinja to be slightly better for
practical purposes (non-degraded USB-C charging and performance,
non-detectable wifi, etc.). I believe there is also a "pro" version slated for
release that adds significant functionality.

Source / disclaimer for all of this: I source products for
[https://Lab401.com](https://Lab401.com) - so we performed a deep dive on
both products before deciding which to stock. I also had the chance to visit
the factories and witness the prototyping - absolutely fascinating.

It's worth underlining that when the COTTONMOUTH device came out in 2009, it
had a value of over 1MUSD. 10 years later, arguably better and smaller devices
are literally 0.01% the price, and you can have one in your hand. Progress is
amazing.

[1] [https://shop.hak5.org/blogs/news/15-second-password-hack-mr-robot-style](https://shop.hak5.org/blogs/news/15-second-password-hack-mr-robot-style)

[2] [https://samy.pl/poisontap/](https://samy.pl/poisontap/)

[3] [https://github.com/O-MG/DemonSeed](https://github.com/O-MG/DemonSeed)

[4] [https://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/](https://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/)

[5]
[https://en.wikipedia.org/wiki/NSA_ANT_catalog](https://en.wikipedia.org/wiki/NSA_ANT_catalog)

[6]
[https://en.wikipedia.org/wiki/File:NSA_COTTONMOUTH-I.jpg](https://en.wikipedia.org/wiki/File:NSA_COTTONMOUTH-I.jpg)

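A defender-side check for the composite-device pattern described above (a single USB device presenting as keyboard/mouse plus storage or a network adapter), written as an added example for this thread and not code from any product or vendor named here. It parses constructed Linux dmesg-style messages; the log lines, port numbers and vendor/product IDs are made up for the example.

```python
import re
from collections import defaultdict

# Constructed Linux kernel (dmesg-style) messages modelled on real driver
# output; not captured from any device, and the vendor/product IDs are dummies.
SAMPLE_LOG = """\
usb 1-1.3: new full-speed USB device number 5 using xhci_hcd
hid-generic 0003:0000:0000.0005: input,hidraw2: USB HID v1.11 Keyboard [Generic USB Keyboard] on usb-0000:00:14.0-1.3/input0
usb-storage 1-1.3:1.1: USB Mass Storage device detected
cdc_ether 1-1.3:1.2 usb0: register 'cdc_ether' at usb-0000:00:14.0-1.3, CDC Ethernet Device
usb 1-2: new low-speed USB device number 6 using xhci_hcd
hid-generic 0003:0000:0001.0006: input,hidraw0: USB HID v1.10 Mouse [Generic USB Mouse] on usb-0000:00:14.0-2/input0
"""

# Each entry maps a driver message to (port path, function). The key is the
# port path after the bus number ("1.3" in "1-1.3"); hid-generic reports the
# same path after the host-controller address ("usb-0000:00:14.0-1.3").
PATTERNS = [
    (re.compile(r"^hid-generic .*USB HID v\S+ (Keyboard|Mouse) .* on usb-\S+?-([\d.]+)/"),
     lambda m: (m.group(2), m.group(1).lower())),
    (re.compile(r"^usb-storage \d+-([\d.]+):"),
     lambda m: (m.group(1), "storage")),
    (re.compile(r"^(?:cdc_ether|cdc_ncm|rndis_host) \d+-([\d.]+):"),
     lambda m: (m.group(1), "network")),
]

def classify(log_text):
    """Return {port_path: set of functions} seen in the log lines."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        for pattern, extract in PATTERNS:
            match = pattern.match(line)
            if match:
                port, function = extract(match)
                ports[port].add(function)
    return dict(ports)

def suspicious_ports(log_text):
    """Flag a single port that is both an input device (keyboard/mouse) and
    storage or a network adapter: the shape of a keystroke-injecting device
    that brings its own storage or NIC, which a plain peripheral does not."""
    flagged = {}
    for port, functions in classify(log_text).items():
        if functions & {"keyboard", "mouse"} and functions & {"storage", "network"}:
            flagged[port] = sorted(functions)
    return flagged

if __name__ == "__main__":
    print(suspicious_ports(SAMPLE_LOG))  # {'1.3': ['keyboard', 'network', 'storage']}
```

Legitimate composite devices exist (a keyboard with a built-in hub, for example), so treat a hit as a triage signal to pair with an allowlist of known vendor/product IDs rather than as proof of a malicious cable.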
~~~
hackTP
I'm not sure how you managed to get almost all of this wrong.

Network adapter attacks like poisontap are not even HID.

COTTONMOUTH was hardware added inside a USB cable with the type of attack not
detailed.

MG (twitter.com/_MG_) did not invent BadUSB. He was the first to put a HID
attack inside a cable.

Kevin Mitnick asked MG to build him one. Two months later, Mitnick announces
that he created the same cable with the help of RRD Group. In his first
announcement he even said “this took longer to ship than to make!”. His
collaborators (twitter.com/vysecurity) were sorely misinformed about the
internals of the cable they claimed to help build. They kept saying it was
totally different hardware but it ended up being the same as MG’s. Mitnick
started threatening MG for telling people that he had previously shown Mitnick
the internals of his prototype. MG eventually opensourced the prototype as
DemonSeed around the same time he released the OMG Cable that has much more
powerful hardware.

Stop shilling for crappy people. Stop shilling for an online shop that claims
to do research that most obviously it never did.

------
mynegation
At some point iOS started asking if I want to trust the device, so I suppose
if I use this malicious cable with charger and iOS asks me about computer or
accessory, I would know things are fishy, would not I?

~~~
lisper
Theoretically. Unfortunately, the device trust settings are not reliably
remembered. My phone regularly asks me if I want to trust my computer despite
the fact that I haven't made any changes to it. So it _might_ be an indication
that something is fishy, or (much more likely) it might just be that a trust
setting has expired. Also, no device fingerprint is displayed along with the
query, so there's no way to know which device the phone is actually asking you
to approve.

~~~
close04
Aren’t you asked every time you reestablish a connection? If I unplug my
iPhone (applies to Android too but with slightly different options) and plug
it back into the computer I simply get prompted again. I think the trust is
ephemeral and is forgotten the moment you disconnect from the USB port. From
the phone’s perspective there doesn’t seem to be a trust store where devices
are uniquely identified and remembered.

~~~
lisper
> Aren’t you asked every time you reestablish a connection?

No. Sometimes it asks, sometimes it doesn't. There doesn't seem to be any
pattern to it that I have been able to discern.

~~~
gruez
> There doesn't seem to be any pattern to it that I have been able to discern.

How often do you charge your phone? I only get those prompts when charging
with a computer, not with a charger. One explanation might be that it
remembers your computer for 1 week (random guess), but if you irregularly
connect your phone to your computer it might seem random to you.

~~~
lisper
I work from home, so my phone is plugged in more often than not. But I'll pay
more attention to how long it has been away the next time it asks.

------
donatj
Not sure I’m understanding what this does? The page lacks information in the
extreme. Can this keylog? Does other data just transparently pass through or
can this log it? Does it show up as an HID device when not activated? What
wireless bands does this operate on?

At the very least a list of specs would be greatly appreciated!

~~~
kweks
Imagine a Rubber Ducky crammed invisibly into a cable, with wireless
functionality.

Imagine what you could do on a terminal with keyboard mouse and storage, and
that's pretty much what this can do.

In theory undetectable while not activated.

------
forkexec
Almost as awesome as building it into a server's plastic case hardware at the
factory, but still awesome.

------
Wowfunhappy
What would the white-hat use case for this be?

~~~
sschueller
I have one with a GSM radio in it. I leave it in my bag so when someone
decides to steal it and then use it I can find my stuff.

~~~
radicaldreamer
It might lead you to the original person who stole your bag, but it likely
won't help you recover your devices because those are very quickly forwarded
onto organized crime networks which take stolen phones, reset and refurbish
them, and sell them overseas or via used goods channels.

~~~
snazz
How effective is this type of crime system with Activation Lock-secured
iPhones? You can't just wipe an iPhone from DFU mode and then set it up
normally without the owner's Apple ID information.

Do they try to sell to people who they know won't check if the device has
Activation Lock and then disappear when the buyer discovers it doesn't work?

~~~
rahimnathwani
There are very convincing phishing attacks used to get the original owner to
reveal their Apple password:
[https://krebsonsecurity.com/2017/03/if-your-iphone-is-stolen-these-guys-may-try-to-iphish-you/](https://krebsonsecurity.com/2017/03/if-your-iphone-is-stolen-these-guys-may-try-to-iphish-you/)

I know someone who fell for this. Even though they were skeptical when they
received the message, they thought there was a chance it was legit, and
therefore gave them some change to recover their stolen phone. I guess they
had nothing to lose, as the chance of recovering the phone was ~zero anyway.

~~~
sneak
Krebs really needs to stop publishing people’s PII.

------
nerfhammer
I wonder what it would look like if you tested these cables using something
like this:
[https://www.tindie.com/products/16907/](https://www.tindie.com/products/16907/)
[cough, cough]

Presumably it wouldn't look like data lines were present

------
MarkSweep
I wonder how it looks in an x-ray scanner. Some secured facilities x-ray
everything that comes in or out.

------
winrid
So this is for attacking a phone, computer, or both?

