O.MG Cable Privacy Threat

How do you charge your wireless devices?

While wireless charging is gaining popularity as a way to charge up our phones, the vast majority of people still use cables. If you’re an iPhone or iPad user, then your cable of choice is likely the Lightning Connector.

The Lightning Connector was Apple’s replacement for their longstanding 30-pin dock connect used on iPods, iPhones, and iPads until 2012. Making its debut on the iPhone 5, Lightning was a massive upgrade for Apple users looking to charge or sync their devices. It was usable in any orientation, much smaller than the old connector, and was much more durable. Today, if you own an Apple device, you probably have a ton of Lightning Cables lying around your home or office.

However, a recent innovation called The O.MG Cable is a privacy nightmare for those who own Apple devices.

What is the O.MG Cable?

From the outside, the O.MG Cable looks and feels identical to the standard Apple-branded Lightning Cable. It uses the Lightning Connector to USB-A, is bright-white, and will charge and sync a phone, just like the real thing. It even opens iTunes automatically, giving nothing away to the computer’s user. However, inside, it holds a dark secret.

Unlike the usual Lightning Cable, the O.MG Cable packs in a web server, 802.11 radio, and lots of memory and processing power. In other words, it’s a physical trojan horse.

As most people don’t carefully examine a cable before they use it, this can be a tremendously effective means of attack. The O.MG Cable can be swapped out with an authentic Apple cable in seconds, or offered to you by a friend or co-worker who doesn’t (or does) know better. And once it’s plugged into your computer, it’s already too late.

Who Created the Cable?

The O.MG cables was created by a security researcher known as “MG”, and was meant for use by cybersecurity Red Teams.

Cybersecurity Red Teams are groups of white-hat hackers who will attack an organization’s entire network to find weaknesses and potential entry points. Corporations like Microsoft use them regularly to test their preparedness and make sure their security is air-tight, digitally speaking.

However, the O.MG Cable recently moved from project level into mass production, and now can be ordered online for $119.99. It doesn’t take a TSCM/Cyber TSCM expert to see how this security tool could quickly become a security nightmare for both individuals and corporations. But, it likely will take the expertise of a TSCM/Cyber TSCM expert to restore your privacy if you’ve been a victim of this threat.

How Does the Cable Work?

Once connected to a power source, such as a computer, the O.MG Cable broadcasts a wireless hotspot. Once a hacker connects to it, they will have a wireless connection to the target computer. Just as if it was a USB device like a keyboard or mouse, the hacker can then use a digital interface on their phone to input commands, go through and download files, or even execute payloads.

All of that sounds bad enough, but there is more. Typically, when you plug an input device into your computer, you get a notification that a new mouse or keyboard has been identified. The O.MG Cable changes the VID/PID so that warning doesn’t pop up. Even if you are reasonably computer savvy, there is no indication that you’ve been physically hacked. Even worse, as you were the one who likely plugged the cable in, you’d be technically hacking yourself!

By itself, the cable has a range of about 300m, but if configured to act as a client for a wireless network, the range would be potentially unlimited. So long as someone can configure the cable, anyone could have access to your computer so long as it’s plugged into a port (and many people never unplug their charging cables).

And that’s just the beginning. Security features on the cable include the ability to wipe the flash clean, convert it to an innocuous state (where it just acts as a lightning cable), flash new firmware, or even remotely “break” the cable so it can no longer pass any data.

Oh, and if you believe that you’re safe simply because you’re an Android user, think again. O.MG Cables are also available with USB-C and a USB Micro connectors, meaning that if you ever plug your phone into a computer, you’re at risk!

How to Protect Against O.MG Cable Exposures

Here’s where things get a little tricky.

First, you should only use your own cables and secure them after each use. If someone offers to let you borrow one of theirs, don’t take that risk. While it might be tempting to save a little money by ordering some knock-off Lightning Cables from Amazon, you should only be using cables that you’ve purchased from Apple directly. This safeguard not only ensures that it will be a legitimate cable, but will also be a reliable one.

If you are ever unsure if a cable is safe, you can use this guide from Apple to check and make sure it is a certified Lightning Connector. But to be 100% sure that the cable is both legitimate and yours, mark the cable with a tamper evident tag with serial number. That way, you can tell at a glance if it’s a safe cable to use on your computer.

If you are a victim of the O.MG cable please feel free to contact us today!

About the Author:

JD LeaSure ComSec LLCJ.D. LeaSure, CCISM, is the President / CEO of ComSec LLC, a global provider of world class counterespionage and TSCM / Cyber TSCM™ services. www.ComSecLLc.com