
I wouldn’t give this cable to my worst enemy - O.MG Cable

TannerMcCoolman

The Rubber Ducky? Basic. The Flipper Zero? Child’s play. This is the O.MG Cable, a stealthy, powerful hacking tool that allows the attacker to log your keystrokes, access your device, and emulate both keyboard and mouse movements. It's priced accessibly for the average consumer, and could be used to juice jack your phone or laptop. How do you protect yourself from such a device?

Data Blocker Teardown:
https://mg.lol/blog/data-blocker-teardown/

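A host-side check for the keyboard-emulation risk raised in the post above, as an added example that is not part of the original post or of the O.MG project: it scans dmesg-style Linux kernel log lines for USB HID keyboard registrations and flags any that are missing from an approved inventory or that appear while another keyboard is already attached. The log lines, device IDs, names and ports are constructed, and `find_suspect_keyboards`, `APPROVED` and `SAMPLE_LOG` are hypothetical names.

```python
import re
from dataclasses import dataclass

# Kernel message logged when a USB HID interface binds to a driver:
#   <driver> 0003:<VID>:<PID>.<n>: input,hidrawN: USB HID v1.11 Keyboard [<name>] on usb-<ctrl>-<port>/inputN
# 0003 is the HID bus type for USB.
HID_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+[\w-]+ 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})"
    r"\.[0-9A-Fa-f]{4}: .*USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\]"
    r" on (?P<port>usb-\S+?)/input\d+$"
)

# Constructed sample log: IDs, names and ports are made up for illustration.
SAMPLE_LOG = """\
[    2.104511] hid-generic 0003:AAAA:0001.0001: input,hidraw0: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-1/input0
[    2.160872] hid-generic 0003:AAAA:0001.0002: input,hidraw1: USB HID v1.10 Device [Desk Keyboard] on usb-0000:00:14.0-1/input1
[    2.310020] hid-generic 0003:AAAA:0002.0003: input,hidraw2: USB HID v1.11 Mouse [Desk Mouse] on usb-0000:00:14.0-2/input0
[ 5127.880431] hid-generic 0003:1234:ABCD.0004: input,hidraw3: USB HID v1.11 Keyboard [Example Cable] on usb-0000:00:14.0-4/input0
[ 9001.002210] hid-generic 0003:AAAA:0001.0005: input,hidraw4: USB HID v1.10 Keyboard [Desk Keyboard] on usb-0000:00:14.0-3/input0
""".splitlines()

# Assumed inventory of keyboards issued to this workstation ("vid:pid", lower case).
APPROVED = {"aaaa:0001"}


@dataclass
class Alert:
    ts: float      # seconds since boot, from the log timestamp
    device: str    # "vid:pid", lower case
    name: str
    port: str
    reasons: list


def find_suspect_keyboards(lines, inventory, boot_grace=30.0):
    """Return an Alert for each keyboard interface that looks out of place.

    VID:PID is reported by the device itself, so the inventory check alone
    is weak. The second check flags any keyboard that shows up after boot
    on a different port while another keyboard is already bound, even if
    its ID is approved. Disconnect events are not tracked here.
    """
    keyboard_ports = set()
    alerts = []
    for line in lines:
        m = HID_RE.match(line.strip())
        if not m or m["kind"] != "Keyboard":
            continue
        device = f"{m['vid']}:{m['pid']}".lower()
        port, ts = m["port"], float(m["ts"])
        reasons = []
        if device not in inventory:
            reasons.append("not in inventory")
        # One physical keyboard may bind several interfaces on the same port,
        # so only keyboards on *other* ports count as "already attached".
        if ts > boot_grace and keyboard_ports - {port}:
            reasons.append("extra keyboard hot-plugged")
        keyboard_ports.add(port)
        if reasons:
            alerts.append(Alert(ts, device, m["name"], port, reasons))
    return alerts


if __name__ == "__main__":
    for a in find_suspect_keyboards(SAMPLE_LOG, APPROVED):
        print(f"{a.ts:>10.3f}s {a.device} [{a.name}] on {a.port}: {', '.join(a.reasons)}")
```
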

The name is the exact copy of my reaction

 

Oh.MyGod!


wouldn't your worst enemy be the kind of person you WOULD give this cable to ...


This makes the use of custom sleeved coiled cables even more enticing.

 

especially as you would notice almost right away if something is wrong.

 

unless they have a small adapter that sits between the port and the cable. then almost nothing can stop it.


2 minutes ago, darknessblade said:

unless they have a small adapter that sits between the port and the cable. then almost nothing can stop it.

that was my thought, aviator cables with that quick disconnect jack are very common with custom mech keyboards


36 minutes ago, darknessblade said:

This makes the use of custom sleeved coiled cables even more enticing.

 

especially as you would notice almost right away if something is wrong.

 

unless they have a small adapter that sits between the port and the cable. then almost nothing can stop it.

Can confirm, I did this to several business team members and had no problem logging their keystrokes. It's actually easier to hide it behind the tower underneath a desk. Even with 1 person's system where the back of the case faces the rest of the room and using the white adapter, I was able to hide it in there by just looping the adapter once and putting it in a port behind the only other white cable attached to their system. They did not find it until it was too late.


I'm glad that LTT is starting to play around with Hak5 products and other hacker tools. I own a WiFi Pineapple myself and tons of other toys.

 

There's some discussion on the FP and YT vids about potentially having cheap USB cables flood the market with these chips in them. The problem is that OMG cables are incredibly expensive and unless the payoff is huge, it's silly to think about. That being said I'd be more concerned about the physical security like Linus mentioned. Having a proper security policy in place will easily thwart these attacks. However it's a lot more complicated for a YT video.

 

Kinda wanna see Linus play with a Pineapple or CatSniffer next.


This is likely something the FBI themselves would be using, or the military. Something like this could potentially be more valuable than guns to the military when fighting other countries.


2 hours ago, SpudMuffin said:

I'm glad that LTT is starting to play around with Hak5 products and other hacker tools. I own a WiFi Pineapple myself and tons of other toys.

 

There's some discussion on the FP and YT vids about potentially having cheap USB cables flood the market with these chips in them. The problem is that OMG cables are incredibly expensive and unless the payoff is huge, it's silly to think about. That being said I'd be more concerned about the physical security like Linus mentioned. Having a proper security policy in place will easily thwart these attacks. However it's a lot more complicated for a YT video.

 

Kinda wanna see Linus play with a Pineapple or CatSniffer next.

Quite the contrary, for targeted attacks against corporations, I feel the $120 apiece to be remarkably cheap, for the potential payoff of exfiltrating (or getting enough information to infer) trade secrets. 
 

While strong security policies are important, it should also be noted that an attacker need only get lucky once, a sole oversight, to inflict substantial damage.
 

And that’s really what these cables represent. While it’s unlikely we’ll see them deployed en masse, it is also an additional tool with which to exploit any openings. 


You could just set Windows security policies that prevent you from using PowerShell or cmd altogether; this should be general practice in most businesses for all users. You can even prevent Windows from running software besides a given set of applications.


Good content, more of this please.

 

I commented on YouTube that it's only a matter of time before someone makes a fake data blocker that is actually an attack vector.  Most data blockers are far more bulky than this cable is.

 

So here's my Big Idea of the week: Data Blocking Dongles Must Always Use Clear Housings.

 

Are any available already?  Any other thoughts?  (I'm not clear on wiring for fast charging compatibility, although if you're plugging into an untrusted port you already don't care about that.)

 

Editing to add: if this is a hard product to find right now, LTT Store should seriously consider such a product.  Linus always talks about only doing products if they can contribute something new to the field, and I think this falls into that category.

 


Good content ... but:


So this MG guy is sitting there smiling while he describes his baby that attackers can use to attack companies that I'm using the services from, therefore at the end of the day, making my life difficult and eventually driving up the price of the services I will want to use in the future.

 

It is no excuse (as he says) that bad actors are more interested in national and multinationals they can hold for ransom, stealing my private or personal information as a data grab to sell if the company won't pay up, or nation states interested in harming our electoral system ... than my personal rig at home here ... but enough said ... a system hacked, affects us all, if not today, then one day when someone attacks somewhere that I (or you) are using.

 

No, I have no 'it's complicated' relationship with this product or the maker of this product.

MG is an evil actor, empowering less smart bad actors with the tools to attack that which matters to me.

And his smug little smile makes me squirm.

 

His product should be illegal, and he should be charged for developing technology designed only to harm individuals and businesses. It is illegal to build, sell or buy those fake debit machines that can be attached to fuel pumps or those scanners that scan a crowd for card info and rip people off.

There is no viable non bad actor purpose for a product like this and the law should recognize that.

This is no different.


1 minute ago, Pitboy64 said:

Good content ... but:


So this MG guy is sitting there smiling while he describes his baby that attackers can use to attack companies that I'm using the services from, therefore at the end of the day, making my life difficult and eventually driving up the price of the services I will want to use in the future.

 

It is no excuse (as he says) that bad actors are more interested in national and multinationals they can hold for ransom, stealing my private or personal information as a data grab to sell if the company won't pay up, or nation states interested in harming our electoral system ... than my personal rig at home here ... but enough said ... a system hacked, affects us all, if not today, then one day when someone attacks somewhere that I (or you) are using.

 

No, I have no 'it's complicated' relationship with this product or the maker of this product.

MG is an evil actor, empowering less smart bad actors with the tools to attack that which matters to me.

And his smug little smile makes me squirm.

 

His product should be illegal, and he should be charged for developing technology designed only to harm individuals and businesses. It is illegal to build, sell or buy those fake debit machines that can be attached to fuel pumps or those scanners that scan a crowd for card info and rip people off.

This is no different.

Yeah, I don’t really understand why devices like this are sold, or even allowed to be marketed. No one is using them for anything but illegal actions. 


4 hours ago, Pitboy64 said:

Good content ... but:


So this MG guy is sitting there smiling while he describes his baby that attackers can use to attack companies that I'm using the services from, therefore at the end of the day, making my life difficult and eventually driving up the price of the services I will want to use in the future.

 

It is no excuse (as he says) that bad actors are more interested in national and multinationals they can hold for ransom, stealing my private or personal information as a data grab to sell if the company won't pay up, or nation states interested in harming our electoral system ... than my personal rig at home here ... but enough said ... a system hacked, affects us all, if not today, then one day when someone attacks somewhere that I (or you) are using.

 

No, I have no 'it's complicated' relationship with this product or the maker of this product.

MG is an evil actor, empowering less smart bad actors with the tools to attack that which matters to me.

And his smug little smile makes me squirm.

 

His product should be illegal, and he should be charged for developing technology designed only to harm individuals and businesses. It is illegal to build, sell or buy those fake debit machines that can be attached to fuel pumps or those scanners that scan a crowd for card info and rip people off.

There is no viable non bad actor purpose for a product like this and the law should recognize that.

This is no different.

lmao wow😂

 

So I’m well versed in playing the villain. This type of response means I’ve done my job very well. But if you want to actually understand, please look up Red Teaming on Wikipedia. 

 

Most medium/large companies have them. We are tasked with committing the crimes before actual criminals can. Sort of like Minority Report, except instead of catching someone, we do the crime before they can. It’s exactly as fun as it sounds. 😎 

 

Anyway, there are also tons of trainers and educators using my stuff. Lots of colleges are integrating the gear into their classes. Etc etc etc. Just because you don’t see the value doesn’t mean there isn’t one.
 

But I won’t fault anyone for not knowing or having such a negative reaction. Both of those things are *the point* and the entire reason I have a job as a professional boogeyman. Humans are hardwired for needing a boogeyman to make the most impactful & difficult changes. 

 

As for the “bad actors are more interested in multinationals” nah… what I said is that criminals don’t need tools like this unless it’s against significantly hardened targets. I can practically walk into most orgs. A well crafted phish or social engineering pretext has gotten me into almost everything I am tasked with breaking into. The only exception was a company that had almost all of their staff on vacation for the window of time I had to work. The extremely hardened places are where tools like this come into play. 

 

HOWEVER, this changes when things are like $2 per attempt. That’s when you get low sophistication adversaries like FIN-7 shipping hardware to people. (Massive props to LTT for knowing and mentioning this!) The only instance where this has changed is when the target is known to have very high value. The shoddy backdoored Ledger wallet is the only example of that. 

 

I have seen multiple malicious cables discovered in the wild. I have a bunch and I have trained the Malicious Cable Detector against them (along with some theoretical designs too). They are… not good. They kind of visually look like a cable but do not behave like one. Imagine a DIY ducky with a cable glued to the end. $2-4 in parts and they are targeting some very high value locations. Eventually that will evolve to lower price points and lower value targeting opportunities. 

 

 

 

 


10 hours ago, atxcyclist said:

Yeah, I don’t really understand why devices like this are sold, or even allowed to be marketed. No one is using them for anything but illegal actions. 

pen testing (when a business pays someone to try and infiltrate their company)

that and they can be just fun to mess around with. 

 

Just because it can be used for nefarious things doesn't mean it will. 


13 hours ago, atxcyclist said:

Yeah, I don’t really understand why devices like this are sold, or even allowed to be marketed. No one is using them for anything but illegal actions. 

because if they exist in the public market:

They can be used and tested against, because if they were illegal, people wouldn't be testing against them. 


On 5/10/2023 at 9:06 AM, Thomas A. Fine said:

Good content, more of this please.

 

I commented on YouTube that it's only a matter of time before someone makes a fake data blocker that is actually an attack vector.  Most data blockers are far more bulky than this cable is.

 

So here's my Big Idea of the week: Data Blocking Dongles Must Always Use Clear Housings.

 

Are any available already?  Any other thoughts?  (I'm not clear on wiring for fast charging compatibility, although if you're plugging into an untrusted port you already don't care about that.)

 

Editing to add: if this is a hard product to find right now, LTT Store should seriously consider such a product.  Linus always talks about only doing products if they can contribute something new to the field, and I think this falls into that category.

 

I think you are onto something with the clear housing. 

 

When really protecting the real secret information, there are organisations with cables that don't have sheathing, port plugs that are transparent and cable trays are visible in the open and the end user devices are stored in safes when not in use or always on person. 

 

This idea seems like a nice easy option, the attacker could just as easily swap out the end user device (keyboard) for a custom compromised one.. makes you wonder if letting them think the cable trick has worked was the ideal way of showing their hand in a more detectable manner..


On 5/10/2023 at 1:28 AM, M_G said:

HOWEVER, this changes when things are like $2 per attempt. That’s when you get low sophistication adversaries like FIN-7 shipping hardware to people. (Massive props to LTT for knowing and mentioning this!) The only instance where this has changed is when the target is known to have very high value. The shoddy backdoored Ledger wallet is the only example of that.

Fascinating.  I think this is a remarkable device and I appreciate you making it.  Who are FIN-7?


My USB rubber ducky can do everything this can, wifi and remote payload included, for just $20
I get that the O.MG cable has more use cases since it's a cable and is more easily deployed, 
But it costs $120-170 for the cable, plus the recommended $25 O.MG programmer
I don't know if a 7-10X price increase is worth the utility of a smaller and different form factor though.


On 5/13/2023 at 4:53 AM, JoeDeRogue said:

My USB rubber ducky can do everything this can, wifi and remote payload included, for just $20
I get that the O.MG cable has more use cases since it's a cable and is more easily deployed, 
But it costs $120-170 for the cable, plus the recommended $25 O.MG programmer
I don't know if a 7-10X price increase is worth the utility of a smaller and different form factor though.

I would be thoroughly impressed if you could keylog with your Rubber Ducky, as well as have multiple payloads you can edit (live, via wifi) for just $20! If so, you should hook up with MG and sell such tech. Would make a killing - I'll be your first customer.


On 5/18/2023 at 7:34 PM, UberGuidoZ said:

I would be thoroughly impressed if you could keylog with your Rubber Ducky, as well as have multiple payloads you can edit (live, via wifi) for just $20! If so, you should hook up with MG and sell such tech. Would make a killing - I'll be your first customer.

It's called a Cactus WHID, I got mine for $20 years ago, but there are some available for 30-50. 
I just bought it from ebay back then, so you don't need to be my customer, you can get one yourself.
If you are able to make a killing by reselling these, I'd love some residuals from the profitable business that I've just hooked you up with.


On 5/20/2023 at 9:18 AM, JoeDeRogue said:

It's called a Cactus WHID, I got mine for $20 years ago, but there are some available for 30-50. 
I just bought it from ebay back then, so you don't need to be my customer, you can get one yourself.
If you are able to make a killing by reselling these, I'd love some residuals from the profitable business that I've just hooked you up with.

Hmm, I'm failing to see the keylog capability in the Cactus WHID. Maybe it's just my own ignorance! (It's also good to note that the individual who made this has been on the OMG Team for about 4 years.)


Yep. He's been on the team for over 4 years now. There are a lot of really cool hobby-made devices out there. I made a few myself. I even sold some of them side-by-side with the OMG hardware. But the difference between a hobby-made device that takes a few months of work vs a legit product that has received years of daily refinement is pretty substantial. That's something we all learned quite a lot about. Nearly all of us, including myself, started with the "checkboxes on paper" with cheapest BOM approach. Turns out refinement, growing the feature-set, etc becomes an addiction. And something pretty cool comes out the other end. Not just a laundry list of unmatched capabilities, but also the usability. Both are huge for someone operating professionally, or even just looking for accessible tools for learning. 

One of the times it hit me was when people were buying the cables and cutting the tails off just to have access to a "thumb drive" style device. It's because the firmware grew so dramatically that people wanted the firmware regardless of the form-factor. I've since rolled out a keychain form-factor that's lower cost so people don't have to kill my babies like that 😂


On 5/12/2023 at 9:07 AM, CaptainDarkstar42 said:

Fascinating.  I think this is a remarkable device and I appreciate you making it.  Who are FIN-7?

https://en.wikipedia.org/wiki/FIN7

They aren't the only ones doing malicious hardware. Just a common example of commodity attacks using malicious hardware. 
Malicious hardware as a commodity attack is starting to become more and more common though. 
