Published 2023-12-16. The world’s “most dangerous” iPhone charging cable has taken a turn for the worse. Nurfoto via Getty Images

Take a look at your iPhone charging cable—it doesn’t matter if it’s the new iPhone 15 USB-C version or the one with the traditional Lightning connection. Such a simple accessory. You would never imagine the danger hidden inside that smooth, white covering. Unfortunately, if you’re unlucky enough to encounter a weaponized cable, there’s no way to tell.

The OMG cable, dubbed the world’s “most dangerous USB cable”, has now been updated once again. For less than $200 online, anyone with a PayPal account can buy a device akin to a sophisticated release from Q-Branch, one that would once have been limited to intel agencies and would have cost any prospective buyer thousands of dollars.

This innocent-looking cable can capture keystrokes, steal credentials, exfiltrate data, even plant malware – and it needs nothing more than the cable itself. An attacker can log right into the tiny device from anywhere, and you certainly won’t realize it if you’re under active attack.

“Nation state actors use a variety of techniques in highly targeted attacks to spy on their victims and these cables serve as another tool in their toolkit,” explains ESET’s Jake Moore. “If people are in positions where they could be a high-profile target, it would be recommended that they never use any cable or device that is not authorised.”

This isn’t the kind of device you’d expect to see sold online—but here we are. First launched in 2019 to widespread acclaim, the new OMG Elite now offers the kind of advancement over the original that we’re used to seeing from hyper-fueled PC and smartphone makers, albeit these cables are aimed at a much smaller, expert white-hat market instead of the mass market.

OMG’s cables hide processing, payload, and a WiFi access point in the same cable casing dimensions as original cables from Apple or elsewhere. “Really,” Forbes’ Davey Winder said of the original OMG release, “it’s a mini-computer strung on the end of a cable – it’s incredible.”

Now, the latest releases that haven’t been publicized yet push the potential much further. “Our newly released Elite Series highlights some fun things,” its inventor, Mike Grover, told me this week. “Since we last spoke we have put the OMG implant in a number of form-factors. USB-A cables, USB-C cables, USB-A to -C adapters, USB data blockers (yes, making data blockers malicious :D).”

The cables, which can be controlled remotely via an independent WiFi access point, have always enabled key logging to capture credentials and keystroke injection to compromise the devices and accounts they can access. The new release adds data exfiltration to the mix.

Spot the difference? The OMG USB-C and Lightning “charging cables” are indistinguishable from the originals. Mike Grover / OMG

“This is a new bi-directional covert channel between the target host and the OMG cable,” Grover explained. “The cable proxies this tunnel over your WiFi – now you can get data out and even operate an entire remote shell on the target host without showing any external drives or network interfacing, because the OMG cable operates as nothing more than an HID device (as do all keyboards).”

Despite the aggressive cyber spec sheet, the cables are actually designed for the good guys – researchers and red teams pen-testing enterprise defenses, either by planting the device themselves or by dropping a random-looking cable in or around a company location to see whether employees take the bait.

Thus, it has built-in security measures. Geofencing enables a red team to limit the cable’s capabilities to a specific location – take it offsite and it won’t attack, and can even self-destruct, although the flip side is that the cables essentially self-arm when on target. Grover has also set his cables not to sync and charge when armed, to reduce the window of unnoticed attack when plugged into a smartphone.

The OMG cable was originally designed to attack PCs and Macs when a smartphone’s charging cable is connected. But “people really wanted to attack the phone,” Grover told me. “Our first cables were not capable of this, but our Type C cable introduced it as a non-priority feature, enabling researchers and educators while reducing its utility for people trying to deploy spyware.”

But the tools can clearly fall into the wrong hands – they are readily available, and they demonstrate a technological “art of the possible” that is not limited to tools sold this openly.

“It seems like this is the kind of USB we might get for free at a convention,” explained Kate O’Flaherty of Forbes, “or at some hotel where a convention might be held.”

If threat actors “have the ability to install malware on a USB charging cable,” Moore says, “it could compromise electronic devices and their data during charging.”

Grover told me that some features have been “broken” by various OS updates since they first launched, “but so far we’ve been able to work on those as well.”

Of course, the better known risks here are so-called juice jacking and the alerts that come out regularly from various law enforcement agencies. “Bad actors have discovered ways to use public USB ports to introduce malware and surveillance software onto devices,” the FBI warned earlier this year.

Meanwhile, according to the FCC, “Experts have warned that bad actors could load malware onto public USB charging stations to maliciously access electronic devices while they are being charged. Malware installed through a corrupted USB port can lock a device or export personal data and passwords… criminals can then use that information to access online accounts or sell it to other bad actors.”

Despite these warnings, “while the concept of juice jacking has proven technically feasible,” Moore says, “the risk it poses to the general public is extremely unlikely.”

Juice jacking implies that the socket into which you plug your charging cable has been compromised, hiding a computer that can access your device through the cable and then plant or pull data. This is where the covert implications of the attack cable come to light. You plug the cable into something you own and have no reason to suspect, not into a third-party socket or adapter. You don’t see the attack coming.

The concept of maliciously attacking cables is not new. Intel agencies have developed and used such tools for years. But this level of capability was not previously available in the open market.

Now, Grover’s latest release pushes the scope of such attacks even further, adding server-based C2 control to its autonomous capabilities: “The cable will regularly connect to the server for instructions – you can control it from anywhere.” This is all reminiscent of planted malware, which infects a host and then takes external instructions to shape its attack. “You can also control an entire fleet of cables from one server, and you can queue control instructions if the cable goes offline.”

However, perhaps the biggest progress is in the speed available for compromise.

“For payloads,” Grover told me, “we’re going from 120 keys per second to 890 keys per second, so small payloads will run in less than a second. For huge payloads, that can save minutes or hours. And instead of 8,000 keystrokes per payload, we now support 32,000. And with the upcoming firmware, it will be over 1 million keystrokes. Huge payloads are not a common requirement for traditional hot-plug style attacks. But for an implant that remains connected to a computer and can be operated remotely at any time of the day, these larger payloads suddenly become much more useful.”

All that is required to purchase this cutting-edge attack tool is a PayPal account. Hak5 Online Store

This is a significant advancement, meaning that a cable installed inside an enterprise can provide a long-term attack path using a seemingly standard peripheral. “After the initial payload, nothing is visible on the screen, and the attacker can still control the computer remotely or browse the file system.”

Secrecy is clearly important here. “The implant inside the cable remains invisible to the target host until the payload is launched,” Grover told me. “And payloads can be configured with different identities and behavior. I’ve heard of several red teams that have successfully run long-term operations because they would run a payload, wait a few weeks, run a new payload, repeat.”

This is also where the increase in I/O speed really matters. “Speed reduces the amount of time the payload is visible on the screen,” Grover explained. “The capability allows for far more advanced payloads. For example, during a red team exercise, you can embed your malware in the payload itself, as opposed to downloading malware from the Internet.”
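The injection rates quoted above (120 to 890 keys per second, against a human typist’s tens of keys per second) are the one property a defender can measure from the host side. The following is an added example, not code from the article or from OMG: a sliding-window check that flags any HID device whose keystroke rate in a one-second window exceeds a human ceiling. The threshold, the device names and the event log are constructed assumptions.

```python
from collections import defaultdict, deque

# Assumption: no human sustains more than ~20 keys/sec; injected
# payloads on this page run at 120-890 keys/sec.
HUMAN_MAX_KEYS_PER_SEC = 20


def keystroke_bursts(events, max_rate=HUMAN_MAX_KEYS_PER_SEC, window=1.0):
    """Flag devices whose keystroke rate exceeds max_rate inside any
    sliding window of `window` seconds.

    events: iterable of (timestamp_seconds, device_id), in time order.
    Returns one record per flagged device: the start of the densest
    window and how many keys landed in it.
    """
    recent = defaultdict(deque)   # per-device timestamps inside the window
    peaks = {}
    for ts, dev in events:
        q = recent[dev]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) > max_rate * window:
            cur = peaks.get(dev)
            if cur is None or len(q) > cur["peak_keys_in_window"]:
                peaks[dev] = {"device": dev, "burst_start": q[0],
                              "peak_keys_in_window": len(q)}
    return sorted(peaks.values(), key=lambda r: r["burst_start"])


def constructed_events():
    """Constructed sample log: a human typing at 8 keys/sec on keyboard A,
    then a 300-key injected burst at 750 keys/sec from HID device B."""
    ev = [(i * 0.125, "usb-kbd-A") for i in range(40)]
    ev += [(10.0 + i / 750.0, "usb-hid-B") for i in range(300)]
    return sorted(ev)


if __name__ == "__main__":
    for hit in keystroke_bursts(constructed_events()):
        print(f"{hit['device']}: {hit['peak_keys_in_window']} keys within "
              f"1 s starting at t={hit['burst_start']:.3f}")
```

On a real host the event source would be the OS input layer (for example evdev on Linux) with the per-device id taken from the HID descriptor; the rule is deliberately rate-based, so it does not depend on recognising the cable.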

Should you worry about cables lying around at home or at work? Almost certainly not. But I would think twice, for several reasons, before plugging free cables, and more obviously USB sticks, into any device I own. And it’s good to be aware of the danger, especially if you travel for business, join trade delegations, work in law or government service, or enjoy celebrity status.

I would also avoid convenient direct USB charging ports in hotels abroad – they don’t charge very quickly and you have no idea what’s behind the socket. It makes more sense to use a charging power adapter. If you need to use direct sockets, get a data blocker – just not from OMG.

As a tool for red teams testing an organization’s security, Grover is pleased with the interest and positive feedback it has received. It has now become standard kit for countless professionals, he told me. “If an adversary sat on your system and started controlling it, how would you detect their malicious behavior? This is one of the big advantages of the OMG cable… it makes people think about the adversary’s movements.”

But Grover is also well aware of the shady aspect of providing a red team kit that can be used for nefarious purposes. “That’s why,” he told me, “we don’t preload our devices with [malicious] payloads. Ease of use for professionals is one thing—selling a preloaded gun is another.”