Naked Security

O.MG! Evil Lightning cable about to hit mass distribution

This malicious O.MG Lightning cable has come a long way, with extensive work on the kinds of payload it can deliver.

Remember the O.MG cable? Back in February, we covered its early development: A project by self-taught electronics hacker _MG_, it’s a malicious Lightning cable that looks just like the regular overpriced piece of wire that connects your iPhone to a computer.

Embedded in it is a tiny Wi-Fi transceiver that can operate as an access point or a wireless client. When the victim plugs it into their computer, an attacker within radio distance can connect to the cable with a mobile app and use it to manipulate the computer.

An attacker can access the O.MG cable from as far as 100 meters using Wi-Fi from a regular phone, but a suitable booster antenna connected to the attacker’s computer or phone could enable a connection from even further away.

@_MG_ has been steadily working on it along with a team of fellow hackers, and says that he spent over $4,000 on what is effectively a “negative profit project”. He spent months hand-milling the tiny integrated circuit boards and then painstakingly putting them inside the ends of Apple Lightning cables. He gave these prototypes away at DEF CON in August 2019. Now, having perfected the performance of the cable and created a design suitable for manufacturing, he is preparing to sell them through the penetration testing hardware site Hak5.

The project has come a long way, with some extensive work on the kinds of payload it can deliver.

Intercepting lock screen passwords

One of the most interesting is LockScream, a Mac-focused attack that intercepts the user’s lock screen password. The attacker sends the user a conventional text message to distract them from their Mac for a moment, and then quickly sends the LockScream payload. This runs in a small terminal window, password-locking their screen. When they look up from their phone and enter their password to unlock their Mac, LockScream sends the password back to the attacker’s phone. From there, the attacker can send a second-stage payload that unlocks the machine when the user is away. That would be handy if they left their machine on, but locked, while visiting the coffee shop restroom, for example.

The O.MG app brings up a menu with a selection of different payloads, including opening a Terminal on the user’s machine. Another payload allows the attacker to kill the O.MG cable’s functionality remotely, perhaps to cover their tracks after an attack. Other goodies in the O.MG cable include the ability to reflash the computer, and to chain payloads together.

Custom payloads

There is also an editor and parser for Duckyscript – the scripting language used by the Rubber Ducky offensive USB drive – which acts as a virtual keyboard and launches keystroke injection attacks. That alone opens up a wide array of custom payloads for the O.MG cable. There also appear to be attack payloads for Windows and Ubuntu systems.

In April 2019, when the video was released, MG and the team of hackers working on the embedded cable were also developing extra functions such as detecting user activity/inactivity. According to the Hak5 listing, they also appear to have cracked another key problem: USB enumeration.

When you plug in a USB device, your computer normally tries to detect it and install drivers, which can involve displaying a window. If a victim plugged in the cable without a device connected to it, that would alert them that something was amiss. However, Hak5 says that O.MG features no USB enumeration until payload execution, suggesting that the design team has achieved true stealth mode.
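For defenders, the same behaviour leaves a trace: a keyboard that was not there at boot suddenly enumerates in the middle of a session. The following is an added example, not code from the article, MG or Hak5; it assumes Linux kernel log lines in the usual `hid-generic` format, and the sample log, device IDs and the `late_keyboards` helper are constructed for illustration.

```python
import re

# Constructed Linux kernel log lines (not captured from a real cable;
# vendor:product IDs, names and ports are made-up placeholders).
SAMPLE_LOG = """\
[    2.104511] hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.11 Keyboard [Desk Keyboard] on usb-0000:00:14.0-1/input0
[    2.310022] hid-generic 0003:1111:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Desk Mouse] on usb-0000:00:14.0-3/input0
[ 5120.000100] usb 1-2: new full-speed USB device number 9 using xhci_hcd
[ 5120.412345] hid-generic 0003:2222:0001.0003: input,hidraw2: USB HID v1.11 Keyboard [Generic Keyboard] on usb-0000:00:14.0-2/input0
[ 7300.500000] usb 1-2: USB disconnect, device number 9
"""

# Kernel HID registration line: timestamp, bus:vendor:product, kind, name, port.
HID_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+\S+\s+[0-9A-Fa-f]{4}:(?P<vid>[0-9A-Fa-f]{4}):"
    r"(?P<pid>[0-9A-Fa-f]{4})\.[0-9A-Fa-f]{4}:.*USB HID v[\d.]+ "
    r"(?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)


def late_keyboards(log_text, boot_grace_s=60.0, allowlist=frozenset()):
    """Return keyboard enumerations that occur after the boot grace period,
    while another keyboard has already been seen, and are not allowlisted.

    Simplification: keyboards are never forgotten on disconnect, so a
    machine that ever had a keyboard is treated as still having one.
    """
    seen_keyboard = False
    alerts = []
    for line in log_text.splitlines():
        m = HID_RE.match(line)
        if not m or m["kind"] != "Keyboard":
            continue
        ts = float(m["ts"])
        ident = f"{m['vid']}:{m['pid']}".lower()
        if ts > boot_grace_s and seen_keyboard and ident not in allowlist:
            alerts.append({"time_s": ts, "id": ident,
                           "name": m["name"], "port": m["port"]})
        seen_keyboard = True
    return alerts


if __name__ == "__main__":
    for alert in late_keyboards(SAMPLE_LOG):
        print("second keyboard appeared mid-session:", alert)
```

Known docking stations and KVM switches produce the same pattern, so their vendor:product IDs belong in `allowlist`.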

When it becomes available, the cable will target red teams, the site blurb says. These are legitimate penetration testing teams sanctioned to carry out offensive security testing. Of course, there’s nothing to stop your average black hat buying them, which raises a pertinent question: How can you stop yourself falling victim to an attack using one of these cables?

What to do?

  • Beware offers for cables that seem too good to be true.
  • Don’t leave your bag or computer unattended in public places.
  • Keep your cables safe, and mark them somehow for extra-easy identification.
  • Exercise caution when using other people’s cables and chargers.

10 Comments

Should not phones etc. be displaying permission prompts, before pairing with a USB device? (Ignoring buggy software on the phone, that is.)

Hi NS. A small thing in an otherwise excellent article. Given that you have an international audience, is it possible to put your distance estimates in Metric for those of us who don’t have a clue what 300 feet means. Thank you! ☺️

Approximately 100 meters

Indeed. I changed it in the article on the grounds that, very loosely speaking, only Americans, airline pilots and a diminishing proportion of British people are still familiar with ‘feet’, but almost everyone knows what 100m is because of its global popularity as a sprint distance in athletics racing. (The fact that it is the only straight race in outdoor competition makes the distance fairly easy to visualise.)

No no. Most people have HEARD “100m” before. But even native SI users often don’t have a real idea of how far that is.

I’m often surprised at just how little people think about stuff like this. I’m rarely able to find someone who can answer simple questions like “Do you think that building over there is 100m or 800m away?”

If you are familiar with 100m in theory but you can’t tell the difference between 100m and 800m in practice then you are going to struggle with the difference between 110 yards and a furlong, too.

You could have googled it with less typing…

I think the point was to put the SI distance in the article so the next 101 people to whom feet aren’t a meaningful measure wouldn’t have to Google it too, thus saving a lot more typing overall.
