Take a look at one of your USB cables and you’ll probably see an icon. It might look like a trident, with a vector, circle and square stemming off the main branch.
What do those three symbols mean? You can find multiple suggestions online. We’re less inclined to believe that it was created by Al Gore to represent a three-pronged attack on the earth, and more comfortable with the suggestion that the icon likely indicates that the cable delivers three things: data, power, and audio/video.
Well, thanks to a tinkerer, that USB icon is going to need a fourth tine, perhaps ending in an image of a burglar – because he’s rigged a USB cable to allow remote attackers to attack via Wi-Fi. Security researcher Mike Grover, who goes by the alias MG, has implanted this open door into a USB cable that looks like any other innocuous cable you’d see lying around in a conference room.
Why bother with USB drives, which people already treat with suspicion? Go for the cable instead: that was his thinking.
The cable, dubbed the O.MG Cable, can be plugged into a Linux, Mac or Windows computer and allows attackers to execute commands over Wi-Fi as if they were sitting in front of the system, issuing commands with a mouse and keyboard.
That’s because the electronics hidden in the cable enumerate as a human interface device (HID), the same USB device class a keyboard or mouse uses. Operating systems accept keystrokes and pointer movements from any HID without asking for a driver or a confirmation, so the implant can type commands exactly as if the user were sitting at the keyboard.
Grover tweeted a video of himself as he plugged an O.MG Cable into a target computer, stepped away, and sent instructions from his mobile phone. First step: open a phishing site on the system…
https://twitter.com/_MG_/status/1094389042685259776
Next, he instructed the remotely controlled computer to navigate to the cable’s project page. Grover says the rigged cable can be used to do all these things and more:
- Update and trigger malicious payloads
- Kick other systems off Wi-Fi networks
- Reflash systems
Grover told Bleeping Computer that the cable can even be configured to overcome a computer’s inactivity lock, by, for example, imitating tiny mouse movements:
It ‘works’ just like any keyboard and mouse would at a lock screen, which means you can type and move the mouse. Therefore, if you get access to the password you can unlock the device. Also, if the target relies on an inactivity timer to auto lock the machine, then it’s easy to use this cable to keep the lock from initiating by simulating user activity that the user would not notice otherwise (tiny mouse movements, etc).
Attackers don’t necessarily have to be located close to the cable to issue commands over Wi-Fi. Grover told Bleeping Computer that the Wi-Fi chip in the cable can be preconfigured to connect to a Wi-Fi network, where an attacker could potentially open a reverse shell to a remote computer, enabling commands to be executed from remote locations.
A rigged cable could be neutered with what’s known as a USB condom: a small dongle that passes power but cuts the data lines, so nothing on the far side of it can enumerate as a device. Because the implant is still being powered, however, its Wi-Fi radio keeps working, and Grover said that a condom wouldn’t stop the potential for a de-authentication attack.
He suggested that the de-authentication attack could enable an attacker who can’t get into the vicinity of the targeted computer – but who’s managed to get the O.MG cable in there – to shove a victim off the Wi-Fi and onto the cable:
You aren’t in range of a wireless target, but the target person is. Using this cable, you can get them to carry the attack hardware inside a controlled area. Maybe to disrupt a camera? Maybe a fun disruption/diversion for another attack. (Imagine distributing a dozen inside an office and suddenly IT/Sec is focused on the chaos).
Indistinguishable from normal USB cables
Grover’s been working on nefarious cables for a while. Earlier prototypes from last year were born from Mr. Self Destruct: a self-destructing USB keystroke injector that can be programmed to do things on a computer and then to explode. In a Hak5 video posted in May 2018, he shows how he put one of those early prototypes together.
That prototype was practically indistinguishable from cables you see lying around in conference rooms. It did have a repair cap on the business end that was fatter than an unadulterated cable, but you’d likely have needed to put the two side by side to notice any difference.
Now that Grover has refined his design, that difference has vanished. He says the bad and the good cables are now indistinguishable.
Oh, and about that condom…
Sorry, but Grover popped a hole in that safety dongle …by creating a BadUSB Condom.
#3 - BadUSB Cables wouldn't be complete without BadUSB Condoms.
Tempted to get a run of these made for the vendor area at the next security con. pic.twitter.com/Iq8HHSV7qG
— MG (@_MG_) January 13, 2018
You may ask, how practical is it to get both the bad cable and the popped USB condom into the vicinity of a target system? Let’s hope we never find out.
THM_T (@THM_T17)
So how would I go about detecting one of these once it was plugged in?
Paul Ducklin
It would show up as a different device (or as a bunch of extra devices) that you didn’t expect – my guess is there’s a USB hub in the rogue cable, plus a keyboard/mouse you weren’t expecting.
On a Mac, you can use ioreg to show your “before and after” USB state. On Linux, there’s lsusb to give you similar feedback. On Windows you can use Device Manager, or find and download a tool called DevCon.exe from docs.microsoft.com.
For example, on my MacBook (the ultra-cool superslim sort with one USB-C port), I get:
# Nothing plugged in...
$ ioreg -p IOUSB
+-o Root
  +-o AppleUSBXHCI Root Hub Simulation

# Plug in my Apple HDMI+USB-A dongle, which is actually a combined USB-3 and USB-2
# hub with a built-in HDMI adapter hooked up internally to the USB-2 hub...
$ ioreg -p IOUSB
+-o Root
  +-o AppleUSBXHCI Root Hub Simulation
    +-o USB2.0 Hub
    | +-o USB-C Digital AV Multiport Adapter
    +-o USB3.0 Hub

# Plug my wireless mouse dongle into the USB-A port, which is hooked up
# internally to the USB-2 hub...
$ ioreg -p IOUSB
+-o Root
  +-o AppleUSBXHCI Root Hub Simulation
    +-o USB2.0 Hub
    | +-o USB-C Digital AV Multiport Adapter
    | +-o USB Receiver
    +-o USB3.0 Hub
But when I plug a vanilla USB-A-to-Lightning (iPhone) cable into the USB-A port instead, I would expect to see the same as having nothing plugged in, because the cable isn’t supposed to present itself as a device in its own right. And that’s what I see:
# Remove mouse receiver and plug plain USB-A cable
# into HDMI dongle instead
$ ioreg -p IOUSB
+-o Root
  +-o AppleUSBXHCI Root Hub Simulation
    +-o USB2.0 Hub
    | +-o USB-C Digital AV Multiport Adapter
    +-o USB3.0 Hub
And if I remove the HDMI dongle and just plug in my USB-C-to-USB-A adapter cable, I would expect the same as having nothing plugged in, as long as there’s nothing plugged into the converter cable. Which is what happens:
# Plug in USB-C-to-USB-A converter cable only
$ ioreg -p IOUSB
+-o Root
  +-o AppleUSBXHCI Root Hub Simulation
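The before-and-after inventory described in this comment (look for a hub and a keyboard/mouse you didn’t plug in) and the article’s point that such an implant is accepted simply because it enumerates as a HID can both be exercised with a short script. What follows is an added example, not code from the article, from this comment thread or from MG’s project. It reads the Linux sysfs USB tree (ioreg does the equivalent job on a Mac but leaves no file tree to parse offline), and its demo builds a constructed copy of that tree in a temporary directory. The devices, product strings and vendor/product IDs in the demo are hypothetical, modelled on the hub-plus-keyboard/mouse guess above rather than on any measured enumeration of a real O.MG Cable.

```python
"""Snapshot the USB devices the kernel has enumerated, diff a baseline
against a later snapshot, and flag anything new that exposes a HID
(keyboard/mouse) interface.

Real sysfs layout used: /sys/bus/usb/devices/<bus>-<port>/{idVendor,
idProduct,product} and, per interface, <bus>-<port>:<cfg>.<n>/
{bInterfaceClass,bInterfaceProtocol}.  The demo() function writes a
constructed copy of that tree into a temp directory (hypothetical devices)."""
import os
import tempfile
from dataclasses import dataclass

SYSFS_USB = "/sys/bus/usb/devices"
HID_CLASS = 0x03            # bInterfaceClass 03h = Human Interface Device
HUB_CLASS = 0x09            # bInterfaceClass 09h = Hub
BOOT_PROTO = {0x01: "keyboard", 0x02: "mouse"}   # boot-protocol HID subtypes


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    interfaces: tuple   # ((bInterfaceClass, bInterfaceProtocol), ...)

    def hid_kinds(self):
        """Names of the HID interfaces this device exposes, e.g. ['keyboard', 'mouse']."""
        return [BOOT_PROTO.get(proto, "hid") for cls, proto in self.interfaces if cls == HID_CLASS]


def _read_hex(path, default=0):
    try:
        with open(path) as fh:
            return int(fh.read().strip(), 16)
    except (OSError, ValueError):
        return default


def _read_str(path, default="?"):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:
        return default


def snapshot_usb(root=SYSFS_USB):
    """Set of devices enumerated under `root`.  Bus/port addresses are left
    out of the identity on purpose: they change on every replug, whereas
    vendor/product IDs, product string and interface layout do not."""
    entries = sorted(os.listdir(root))
    devices = set()
    for name in entries:
        dev = os.path.join(root, name)
        if not os.path.isfile(os.path.join(dev, "idVendor")):
            continue                        # interface dirs carry no idVendor
        ifaces = tuple(
            (_read_hex(os.path.join(root, e, "bInterfaceClass")),
             _read_hex(os.path.join(root, e, "bInterfaceProtocol")))
            for e in entries if e.startswith(name + ":")
        )
        devices.add(UsbDevice(vid=_read_hex(os.path.join(dev, "idVendor")),
                              pid=_read_hex(os.path.join(dev, "idProduct")),
                              product=_read_str(os.path.join(dev, "product")),
                              interfaces=ifaces))
    return devices


def new_devices(baseline, current):
    """Devices present now that were absent from the baseline, HID-bearing ones first."""
    return sorted(current - baseline, key=lambda d: (not d.hid_kinds(), d.vid, d.pid))


# ---- constructed demo: a fake sysfs tree with hypothetical devices ----

def _add_fake(root, name, vid, pid, product, interfaces):
    """Write one hypothetical device (plus its interface dirs) into the fake tree."""
    d = os.path.join(root, name)
    os.makedirs(d)
    for fname, value in (("idVendor", vid), ("idProduct", pid), ("product", product)):
        with open(os.path.join(d, fname), "w") as fh:
            fh.write(value + "\n")
    for n, (cls, proto) in enumerate(interfaces):
        idir = os.path.join(root, f"{name}:1.{n}")
        os.makedirs(idir)
        with open(os.path.join(idir, "bInterfaceClass"), "w") as fh:
            fh.write(f"{cls:02x}\n")
        with open(os.path.join(idir, "bInterfaceProtocol"), "w") as fh:
            fh.write(f"{proto:02x}\n")


def demo():
    """Baseline: root hub plus a wireless mouse receiver.  Then a 'cable' that
    is really a hub with a composite keyboard/mouse behind it is plugged in
    (all IDs and names are made up for the demo).  Returns the flagged newcomers."""
    with tempfile.TemporaryDirectory() as root:
        _add_fake(root, "usb1", "1d6b", "0002", "xHCI Host Controller", [(HUB_CLASS, 0)])
        _add_fake(root, "1-1", "046d", "c52b", "USB Receiver", [(HID_CLASS, 1), (HID_CLASS, 2)])
        before = snapshot_usb(root)
        _add_fake(root, "1-2", "05e3", "0610", "USB2.0 Hub", [(HUB_CLASS, 0)])
        _add_fake(root, "1-2.1", "1234", "0001", "Composite Device", [(HID_CLASS, 1), (HID_CLASS, 2)])
        return new_devices(before, snapshot_usb(root))


if __name__ == "__main__":
    for dev in demo():
        kinds = ", ".join(dev.hid_kinds()) or "no HID interface"
        print(f"NEW {dev.vid:04x}:{dev.pid:04x} {dev.product!r}: {kinds}")
```

On a real machine, call snapshot_usb() with no argument before and after plugging the suspect cable and pass the two sets to new_devices(); a vanilla cable with nothing attached yields an empty list, and a genuinely empty diff is the "tell" the later comments are looking for. Keying on IDs rather than bus addresses keeps a replugged known device from showing up as new.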
Simon McAllister
So presumably this device, like other HIDs, is exempt from detection by Sophos’ Device Control?
Paul Ducklin
I think so – USBs currently don’t have any cryptographically (or even semicryptographically) sound way of telling them apart, so HIDs are HIDs. (Ironically, this is how products like the Yubikey work without drivers – your system accepts them as keyboards so they can enter data into any app that accepts keyboard input.)
You might like this podcast (first topic is USB-C authentication and identification, starts at 3’35”), by the way:
https://nakedsecurity.sophos.com/ep-015-usb-anti-hacking
Current proposals to make USB-C devices more cryptographically accountable are provoking a backlash of people saying that this system could also be used for DRM and to force you to buy “more expensive spare parts”… six steps forward, half-a-dozen steps back, as it were.
Anonymous
Interesting article, Paul. Scary, but interesting. I guess you’d have to make sure you plug the cable into the computer USB port before connecting it up to a device (smart phone etc.) to see if you get your tell-tale “device detected” alert, but that’s not a great defence. Or a defence at all, if it comes to that.
Paul Ducklin
It’s a good enough defence, I guess – assuming that you have any and all operating system automount and autorun features turned off so that if there is a rogue device buried in the cable it doesn’t get to do anything without you realising.
Mahhn
So, maybe build a charger and load device (looks like a thumb drive) that you could plug these or any other USB cable into, that can run enough power to cook any circuit, but not enough to burn the wires. Call it an “O.MGCC” (CC for Cable Cooker). Send me a couple of cables and I will build one on a weekend for you.
Sarah
Great article! I have a question, though. In the third paragraph you mention that Grover used a USB-C cable. Is it supposed to state USB-A? In the video it looks like a USB-A.
Paul Ducklin
Fixed, thanks.
Subito Piano
Didn’t Edward Snowden warn us of these years ago??