It's a severe discredit to the major operating system vendors that plugging in a USB stick can still compromise a system.
If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until either that keyboard has typed the user's login password, or the user uses a different input device to authorize it. If it identifies itself as a storage device, the filesystem driver should be hardened. If it identifies itself as an obscure 90s printer with a buggy driver written in C, it should prompt the user to confirm the device type before it loads the driver.
It's 2019. Why the f* haven't Windows, macOS and Linux all implemented these basic precautions?
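The "don't accept keystrokes until the user authorizes the keyboard" flow proposed above, as an added example that is not part of the thread and not any OS vendor's code. Device records, the `UsbDevice`/`Policy` names, the allowlist key and the six-character challenge are illustrative assumptions; on a real machine the records would come from `lsusb -v` (Linux) or `system_profiler SPUSBDataType` (macOS), here they are constructed.

```python
"""New-keyboard authorization policy (added example, not from the thread)."""
import hmac
import secrets
import string
from dataclasses import dataclass, field

HID_CLASS = 0x03           # USB interface class: Human Interface Device
MASS_STORAGE_CLASS = 0x08  # USB interface class: mass storage


@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    serial: str
    interface_classes: tuple  # bInterfaceClass of every interface the device exposes

    def key(self):
        # Allowlist identity. VID, PID and serial are all attacker-controlled:
        # a malicious cable can clone a known keyboard's descriptors, so the
        # allowlist only stops devices that do not bother to.
        return (self.vid, self.pid, self.serial)


@dataclass
class Policy:
    allowed: set = field(default_factory=set)    # keys the user has authorized
    pending: dict = field(default_factory=dict)  # key -> challenge awaiting confirmation

    def decide(self, dev):
        """Return (verdict, reason); verdicts are allow, quarantine."""
        if dev.key() in self.allowed:
            return "allow", "previously authorized"
        if HID_CLASS in dev.interface_classes:
            # Keystrokes from an unknown keyboard are not accepted yet.
            return "quarantine", "unknown HID device; user must confirm it"
        return "allow", "non-input device (driver hardening is a separate concern)"

    def issue_challenge(self, dev, length=6):
        """Show this string on screen; the new keyboard has to type it."""
        alphabet = string.ascii_lowercase + string.digits
        challenge = "".join(secrets.choice(alphabet) for _ in range(length))
        self.pending[dev.key()] = challenge
        return challenge

    def confirm(self, dev, typed):
        """Promote the device to allowed iff it typed the displayed challenge.

        A remote keystroke injector has no view of the screen, so it cannot
        know the random string; constant-time compare avoids leaking it.
        """
        expected = self.pending.get(dev.key())
        if expected is None or not hmac.compare_digest(expected, typed.strip()):
            return False
        del self.pending[dev.key()]
        self.allowed.add(dev.key())
        return True


# Constructed sample devices (illustrative, not real captures).
KNOWN_KEYBOARD = UsbDevice(0x05AC, 0x0250, "KB123456", (HID_CLASS,))
THUMB_DRIVE = UsbDevice(0x0781, 0x5567, "4C530001", (MASS_STORAGE_CLASS,))
# A "charging cable" that also enumerates a keyboard interface, the shape
# the thread attributes to the O.MG cable: a composite device with HID on the side.
SUSPICIOUS_CABLE = UsbDevice(0x05AC, 0x12A8, "", (MASS_STORAGE_CLASS, HID_CLASS))


def demo():
    """Run the policy over the sample devices; returns a dict of verdicts."""
    policy = Policy(allowed={KNOWN_KEYBOARD.key()})
    results = {name: policy.decide(dev)[0] for name, dev in
               [("known_keyboard", KNOWN_KEYBOARD),
                ("thumb_drive", THUMB_DRIVE),
                ("cable", SUSPICIOUS_CABLE)]}
    # A genuinely new keyboard: quarantined until it types the on-screen code.
    new_kb = UsbDevice(0x046D, 0xC31C, "NEWKB001", (HID_CLASS,))
    challenge = policy.issue_challenge(new_kb)
    results["new_keyboard_before"] = policy.decide(new_kb)[0]
    results["wrong_code_accepted"] = policy.confirm(new_kb, "not-the-code")
    results["right_code_accepted"] = policy.confirm(new_kb, challenge)
    results["new_keyboard_after"] = policy.decide(new_kb)[0]
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

On Linux the enforcement hook for "quarantine" is the per-device `authorized` attribute under /sys/bus/usb/devices (with `authorized_default` on the hub), which is what tools like USBGuard drive. The allowlist alone is weak because descriptors can be cloned; the challenge step is what actually stops a blind injector, and it fails only against an attacker who can see the screen.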
>If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until either that keyboard has typed the user's login password, or the user uses a different input device to authorize it.
An interesting solution, it would definitely prompt the user to understand what the device is trying to do.
But I'm sure that it's extremely hard to prevent something malicious, once it has physical access to a port on your computer...
> One idea is to take this malicious tool, dubbed O.MG Cable, and swap it for a target's legitimate one. MG suggested you may even give the malicious version as a gift to the target
Even more frightening, people selling them as seemingly legitimate cables on Amazon? People will pay you and you get a new botnet.
How many could you sell before it's discovered?
How can I, as a consumer, even tell? Amazon will even allow you to sell your malcable under the Apple brand.
Your attack would need to be targeted since you can’t connect to your cable over-the-internet, only over the wifi interface, limiting you to that range.
Really need a setting “never trust any device ever”. I’ve never once had a use case with my phone to do anything but charge. Really hate when I plug in my phone to charge in a car and the car takes over my UI. All bad ideas. If I want to move photos I use the network.
Personal opinion: Charging only is what a cigarette adapter is for.
Allowing me to use the car's interface to control my phone is a nice tool. It probably adds to the safety of my driving, since I can skip audio tracks using physical controls on my steering wheel instead of a touch screen.
> Really hate when I plug in my phone to charge in a car and the car takes over my UI.
For every phone owner who thinks this way, there are probably a dozen others who hate it when they plug in their phone and the car doesn't mirror the phone's UI. I'd be in the latter group.
Car takes over the phone's UI? Is that an Android thing? I've only ever heard of carplay/android auto taking over the Car's UI (and replacing it with a much better UI).
I've not found many details about how this is actually working — there's some info on his DemonSeed cable here [1], but apparently the O.MG cable is "a very different piece of hardware that does a whole lot more."
Does anyone have any insight into how this attack works? My guess is that it acts like a hub that exposes both the iPhone lightning connector and a keyboard/mouse. And then the keyboard/mouse is controllable via some near-range wireless like WiFi or bluetooth? I suppose it could even scan for open networks and try to join to allow a more remote exploit. Anyone find more information anywhere?
I'm guessing the cable has an esp8266 on board, which you can get cheaply and is only a few mm². It has WiFi and WiFi Direct support and is powerful enough to run a webserver. Probably there are plenty of chips that do the job, but the esp8266 (and its successor, the esp32) is very popular for custom hardware due to being cheap and easy to program.
It says it has a wifi chip. So the attack is limited by that distance.
It probably switches on the Keyboard/Mouse Logic as necessary.
But from there you could play an “Open Terminal” and be quite creative. Don’t know if you could send much information back, but I don’t see why it couldn’t have a few GB of flash storage to copy from/to, e.g. occasional screenshots to see what’s there. Or files.
I have a USB-C hub that looks like this [0] (not the same one though). The thing is, whenever it is plugged into my MacBook Pro, the hub starts to overheat, even when there is nothing connected to it. I once tried plugging it into the MBP adapter and charging my phone through the USB port on it, and it did not heat up at all.
I am suspecting it is running some program in the background (a miner maybe). Is there a way I can check if such a program is running?
> Now MG wants to get the cables produced as a legitimate security tool
Can someone explain how these could be considered a "legitimate" security tool? What legitimate use would require the cable to look like a genuine Apple cable? (I'm honestly asking.)
Onsite pentesting, for example. You want to train your employees to be aware of random cables and USB drives lying around; this is a good test to ensure your training worked.
Ask your dentist to take an x-ray of the cable you may be concerned about. We're all digital and it only takes a second. If your guy is cool, he'll do it.
Where do you find these "cool doctors"? I once tried to bribe six different doctors in my area with $3000 in exchange for agreeing to allow me to get an exploratory MRI and they all said no.
Is there a piece of cheap validation hardware where you can plug in both ends of your cable and a little display will tell you what kind of cable it is and if it is legitimate?
Maybe just have something like the USB killer [1] to "sterilize" cables. Zap the cable with a high voltage/high energy pulse, beyond what normal on-die ESD protection could handle. A bunch of copper and plastic won't get damaged (unless you really get crazy and it arcs over and carbonizes or something), but it will probably burn out any covert semiconductors in the cable. It's hard to absorb high energy pulses in small packages.
which means 50 feet, which is still impressive in that it's a useful distance. I remember the earlier version being more like 5 feet, which sounds pitiful but is still enough. In fact no wifi at all (0 ft) is enough to plant software (CMD-space Terminal RET curl | bash && exit) if you take your chances that the target is inattentive.
I learned of the earlier version here on HN but I can't find the link now. It was maybe 4 months ago?
Given that the attack is that it's a USB keyboard, nothing to do with the lightning aspect, except that the victim is likely to need a lightning cable at some point, any USB dongle will do.
Given the attack methodology for this specific device, of being in visual distance of the victim, just use an unpaired apple keyboard. Macs will automatically pair to them, so you just need to turn it on when the victim looks away (a brief 2-second overlay appears on the screen upon connecting). You could force this by creating a distraction: drop a glass. No dependence then on the victim using the cable.
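What a "keyboard emulator" in a cable actually sends, and how to read it back out of a capture, as an added example that is not part of the thread and not the O.MG project's code. It covers the mechanism Scoundreller's "Open Terminal, then be creative" and jiveturkey's "CMD-space Terminal RET curl | bash" comments rely on: text is turned into standard USB HID boot-protocol keyboard reports (8 bytes: modifier bitmap, reserved byte, up to six key usages) for a US layout, and such reports are decoded back into text. The sample payload, the chord token format and the cadence threshold are illustrative assumptions; the cable's real firmware and timing are not known from the thread and are not claimed here.

```python
"""USB HID boot-keyboard report encoder/decoder (added example, not from the thread)."""
from statistics import median

MOD_LSHIFT = 0x02
MOD_LGUI = 0x08  # "Command" on a Mac, "Windows" key elsewhere
REPORT_LEN = 8

# Keyboard/Keypad usage page (0x07), unshifted keys for a US layout.
_PLAIN = {chr(ord("a") + i): 0x04 + i for i in range(26)}
_PLAIN.update({str(d): 0x1E + d - 1 for d in range(1, 10)})
_PLAIN.update({"0": 0x27, "\n": 0x28, "\x1b": 0x29, "\b": 0x2A, "\t": 0x2B,
               " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30,
               "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36,
               ".": 0x37, "/": 0x38})
# Characters that need Shift held, mapped to the unshifted key underneath.
_SHIFT_OF = dict(zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ", "abcdefghijklmnopqrstuvwxyz"))
_SHIFT_OF.update(dict(zip('!@#$%^&*()_+{}|:"~<>?', "1234567890-=[]\\;'`,./")))
_USAGE_TO_PLAIN = {u: c for c, u in _PLAIN.items()}
_PLAIN_TO_SHIFTED = {p: s for s, p in _SHIFT_OF.items()}


def _report(mods, usage):
    return bytes([mods, 0, usage, 0, 0, 0, 0, 0])


RELEASE = _report(0, 0)  # all keys up


def chord(mods, char):
    """One press report for a modifier chord; chord(MOD_LGUI, ' ') is Cmd-Space."""
    return _report(mods, _PLAIN[char])


def encode_text(text):
    """Text -> list of press/release reports, the sequence an injector emits."""
    reports = []
    for ch in text:
        if ch in _PLAIN:
            reports.append(_report(0, _PLAIN[ch]))
        elif ch in _SHIFT_OF:
            reports.append(_report(MOD_LSHIFT, _PLAIN[_SHIFT_OF[ch]]))
        else:
            raise ValueError(f"no US-layout key for {ch!r}")
        reports.append(RELEASE)
    return reports


def decode_reports(reports):
    """Reports (e.g. from a usbmon/Wireshark USB capture) -> typed text.

    Releases are skipped. A report with a GUI/Alt/Ctrl modifier is rendered
    as a <mods=..+key> token (assumed format) so chords like Cmd-Space are
    visible to the analyst instead of silently becoming a space.
    """
    out = []
    for r in reports:
        if len(r) != REPORT_LEN:
            raise ValueError("not an 8-byte boot keyboard report")
        mods, usage = r[0], r[2]
        if usage == 0:
            continue
        base = _USAGE_TO_PLAIN.get(usage, f"<0x{usage:02x}>")
        if mods & ~MOD_LSHIFT:
            out.append(f"<mods=0x{mods:02x}+{base}>")
        elif mods & MOD_LSHIFT:
            out.append(_PLAIN_TO_SHIFTED.get(base, base))
        else:
            out.append(base)
    return "".join(out)


def looks_injected(press_times_s, max_interval_s=0.02, min_keys=8):
    """Cadence heuristic: a burst of keys arriving faster than a human types.

    The 20 ms median threshold is an assumption for illustration; tune it
    against real keystroke timing before relying on it.
    """
    if len(press_times_s) < min_keys:
        return False
    gaps = [b - a for a, b in zip(press_times_s, press_times_s[1:])]
    return median(gaps) < max_interval_s


if __name__ == "__main__":
    # Constructed payload: open Spotlight, launch Terminal, type a command.
    stream = [chord(MOD_LGUI, " "), RELEASE] + encode_text("Terminal\n") + encode_text("ls -la\n")
    print(decode_reports(stream))
```

The encoder is the report format a device must emit to be treated as a keyboard at all, which is why the cable needs nothing beyond a HID interface and a radio; the decoder is what you would run over a USB capture to recover what a suspect device typed. The cadence check is a starting point for host-side detection, not a verdict.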
I saw Kevin Mitnick (the FBI's most wanted hacker in the 1990s) at a conference plug one of these into a laptop with a fully patched version of Windows 10 and one of the very common security suites.
The laptop was completely compromised in seconds.
From a remote laptop, he had complete access to the target machine's full filesystem, started the webcam and turned on the microphone without any notifications to the target user, and connected a Bluetooth hard drive remotely.
And this was using a rogue cable that he just bought off ebay.
I was honestly shocked at how easy it would be to compromise someone's machine. I'll never look at a USB cable the same way.
I think it's just an accident of timing and history.
The old 30-pin connector (inherited from the iPod) had various issues so I think Apple was eager to replace it. The lightning connector was their solution. It predates USB-C by a few years, so that wasn't an option at the time (I guess it might have been on Apple's radar by the time the lightning cable was introduced, but if so, they must have made the call not to wait.)
Since USB-C has made its way to some iPads, my guess is Apple is in the process of phasing out lightning connectors entirely.
I don't see how Hak5 can create exact replicas of Apple Lightning cables with hacking tools embedded in them and NOT have Apple's dream litigation team blasting down their doors.
It's pretty amazing how technology has gotten so small we can hide a wifi chip and keyboard emulator into the end of a USB port plug.
optimiz3 | 6 years ago
"A new (unneeded if devices sufficiently uniquely identifiable?) keyboard has been plugged in, please type <random char sequence> to confirm"
JustSomeNobody | 6 years ago
But, then, I am shifting trust to my data blocker...
[1] https://github.com/O-MG/DemonSeed
[0] https://www.amazon.com/Purgo-Adapter-2018-2016-Delivery-Thun...
Eric_WVGG | 6 years ago
IMO more likely that it's shoddy hardware; either way it's munching your battery, so I'd send it to the recyclers and find something more reputable.
lorenzhs | 6 years ago
You can find a few examples of x-ray images they took on their Twitter feeds as well: https://twitter.com/FauthNiklas/status/1125606579540246528 and https://twitter.com/JanHenrikH/status/1127033349246279680 and https://twitter.com/FauthNiklas/status/1149386796352069633
[1] https://usbkill.com/
dredmorbius | 6 years ago
Though checking to see what USB / PCI devices are advertised could be useful.
Device / USB whitelisting looks like it will need to be a default thing Real Soon Now.