Site icon Sophos News

O.MG! Evil Lightning cable about to hit mass distribution

Remember the O.MG cable? Back in February, we covered its early development: A project by self-taught electronics hacker _MG_, it’s a malicious Lightning cable that looks just like the regular overpriced piece of wire that connects your iPhone to a computer.

Embedded in it is a tiny Wi-Fi transceiver that can operate as an access point or a wireless client. When the victim plugs it into their computer, an attacker within radio distance can connect to the cable with a mobile app and use it to manipulate the computer.

An attacker can access the O.MG cable from as far as 100 meters using Wi-Fi from a regular phone, but a suitable booster antenna connected to your computer or phone could enable a connection from even further away.

@_MG_ has been steadily working on it along with a team of fellow hackers, and says that he spent over $4,000 on what is effectively a “negative profit project”. He spent months hand-milling the tiny integrated circuit boards and then painstakingly putting them inside the ends of Apple lightning cables. He gave these prototypes away at DEF CON in August 2019. Now, having perfected the performance of the cable and created a design suitable for manufacturing, he is preparing to sell them through penetration testing hardware site, Hak5.

The project has come a long way, with some extensive work on the kinds of payload it can deliver.

Intercepting lock screen passwords

One of the most interesting is LockScream, a Mac-focused attack that intercepts the user’s lock screen password. The attacker sends the user a conventional text message to distract them from their Mac for a moment, and then quickly sends the LockScream payload. This runs in a small terminal window, password-locking their screen. When they look up from their phone and enter their password to unlock their Mac, LockScream sends the password back to the attacker’s phone. From there, the attacker can send a second-stage payload that unlocks the machine when the user is away. That would be handy if they left their machine on, but locked, while visiting the coffee shop restroom, for example.

The O.MG app brings up a menu with a selection of different payloads including opening a Terminal on the user’s machine. Another payload allows the attacker to kill the O.MG cable’s functionality remotely, perhaps to cover your tracks after an attack. Other goodies in the O.MG cable include the ability to reflash the computer, and to chain payloads together.

Custom payloads

There is also an editor and parser for Duckyscript – the scripting language used by the Rubber Ducky offensive USB drive – which acts as a virtual keyboard and launches keystroke injection attacks. That alone opens up a wide array of custom payloads for the O.MG cable. There also appear to be attack payloads for Windows and Ubuntu systems.

In April 2019, when the video was released, MG and the team of hackers working on the embedded cable were also developing extra functions such as detecting user activity/inactivity. According to the Hak5 listing, they also appear to have cracked another key problem: USB enumeration.

When you plug in a USB device, your computer normally tries to detect it and install drivers, which can involve displaying a window. If a victim plugged in the cable without a device connected to it, that would alert them that something was amiss. However, Hak5 says that O.MG features no USB enumeration until payload execution, suggesting that the design team has achieved true stealth mode.

When it becomes available, the cable will target red teams, the site blurb says. These are legitimate penetration testing teams sanctioned to carry out offensive security testing. Of course, there’s nothing to stop your average black hat buying them, which raises a pertinent question: How can you stop yourself falling victim to an attack using one of these cables?

What to do?

Exit mobile version