Now even your USB-C and Lightning cables can spy on you.
Hak5 has begun selling USB-C and USB-A cables that yes, work as cables—but they can also be used hack your laptop, tablet, or phone remotely.
The cable, first demonstrated by security researcher MG in late 2019, is designed to look like a standard USB cable. Lurking inside, however, is embedded Wi-Fi, web server, and keylogger functionality, along with the ability to remotely control the mouse and keyboard of the computer its attached to.
Called the O.MG Cable, it’s described by Hak5 as being “built for covert field-use, with features that enhance remote execution, stealth, forensics evasion, all while being able to quickly change your tooling on the fly.” MG built this as a penetration testing tool for security researchers.
In the older demonstration by MG for Motherboard’s Joe Cox, the original O.MG USB to iPhone Lightning cable was connected to his Apple Macintosh and iPod. Cox said the iPod charged as it would normally but shortly later, a terminal was opened on his Mac’s screen, letting the attacker run commands as if he or she were sitting in front of it.
That was just the proof of concept, but now O.MG and Hak5 have been able to mass produce the cable and add a few other features such as keylogging. The Keylogger Edition can store up to 650,000 keystrokes on the computer it’s plugged into, and it can inject smartphone and tablet keystroke scripts as well.
If the person just wants to take control of your computer, they can be within Wi-Fi range sitting in a nearby van with Flowers By Irene on its side too. The O.MG can be programmed to self-destruct, or hide evidence using a geofencing capability, Motherboard reports.
Various versions of the cable support different functions, but you can get an O.MG cable in USB-A to USB-C and Lightning, Lightning to USB-C, and USB-C to USB-C. Prices range from $120 to $160 with an additional $20 for an optional cable programmer at the Hak5 website.
If you’re creeped out, we do want to point out that such a cable is unlikely to be used on random people picked out of a crowd. Its expense and nature means it’s an up close and personal device—not a reach across the globe kind of thing. Anyone using this to spy on your devices would be targeting you for a reason.