A small package with a huge malicious potential.
Industrial CT scanner manufacturer Lumafield imaged an O.MG pen testing USB-C cable, revealing sophisticated electronic components secreted within the connector. Lumafield product lead Jon Bruner shared on X (formerly Twitter) a CT scan that revealed the interior of the O.MG cable, showing advanced electronics and an antenna — a much more complicated design versus the Amazon Basic USB-C cable that Lumafield scanned for comparison. Security researcher Mike Grover created this pen testing (penetration testing) cable for fellow security researchers and hobbyists, red teamers, and for awareness training, especially for highly vulnerable or targeted individuals.
[....] The O.MG Elite USB-C cable has several features that could allow anyone controlling it to take over any device plugged into it. Some of its features include keystroke injection, mouse injection, geo-fencing, keylogging, and more.
[....rest omitted....]
Don't pick up strange USB-C cables in the lobby, restroom or parking lot, unless it's at church.
(Score: 3, Insightful) by Rosco P. Coltrane on Monday December 09, @02:34AM (3 children)
You're probably a fine target for scammers.
(Score: 5, Insightful) by driverless on Monday December 09, @10:02AM
It's a pen-testing cable, it's supposed to have those things inside them. Also since it's a custom-built pen-testing cable you'd expect it to have that price. So the "news" is "product is exactly what it claims to be".
OK, for a Chinese-made product I guess that would be news.
(Score: 3, Interesting) by Rich on Monday December 09, @10:16AM
Or an audiophool. At the moment, I have to assist with an EMC issue where a USB connection is involved. I tried to look up whether special, well-shielded cables are available and came across a site that offered "high-end audio" USB cables. *facepalm*. And first google hit for "audiophile usb cable" is a 3m "Audioquest Diamond" A-B cable at the low, low price of 1259€, merely 10 times the price of TFAs active cable.
(Score: 3, Informative) by DannyB on Monday December 09, @03:18PM
Hak5 isn't for scammers, except they sell it for $179.99.
https://shop.hak5.org/products/omg-cable?srsltid=AfmBOorjjQr6jNgjRoJ1aHiG0ZoXfnFsKyWRfPe1ZjjbSWxIbf7en5_U [hak5.org]
Stop asking "How stupid can you be?" Some people apparently take it as a challenge.
(Score: 5, Insightful) by Gaaark on Monday December 09, @02:39AM (7 children)
If you pick it up at church, it may inject child porn into your hard drive. OMG-sus.
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 1, Informative) by Anonymous Coward on Monday December 09, @03:37AM (4 children)
Go ahead and pick up any stray USB cables you want...but before using them check with a multimeter to make sure they match the standard wiring diagram, there's one given here for example, https://electronics.stackexchange.com/questions/323128/wiring-diagram-for-usb-c-to-usb-a-cable [stackexchange.com]
Correct me if I'm wrong, but if the meter reads anything other than "open circuit" or "near-zero ohms" for a wire, then something fishy is going on in that cable.
(Score: 4, Funny) by RS3 on Monday December 09, @04:00AM
I see what you did there.
(Score: 3, Insightful) by Rich on Monday December 09, @10:09AM
The cable may contain e.g. depletion mode FETs that are passively conducting in power-off conditions. The microcontroller may only become active when plugged in and data (even specific patterns, like words typed) is sensed and then interrupt the apparently direct connection. Very-low-resistance (i.e. good enough for a multimeter beep) depletion mode FETs are somewhat hard to get in small cases, but for fitting the electronics in a plug, an actor will have to have access to die or fab level tech anyway.
(Score: 2) by DannyB on Monday December 09, @03:23PM (1 child)
It seams like a microcontroller could automatically do this testing. Now you have created a market for a new USB cable tasting tool so people can feel safe about their USB cables.
But then a new tool will be required to test the USB cable testing tool.
Stop asking "How stupid can you be?" Some people apparently take it as a challenge.
(Score: 2) by Mykl on Monday December 09, @10:09PM
Kind of like the Trace-Buster-Buster [youtube.com]?
(Spoiler: Later in the movie they are defeated by someone who owns a Trace-Buster-Buster-Buster)
(Score: 2) by Rosco P. Coltrane on Monday December 09, @04:43AM (1 child)
Woosh... [wikipedia.org]
(Score: 0) by Anonymous Coward on Monday December 09, @02:06PM
Sigh, it's not a "whoosh" if it's not a joke, or so bad it's not even funny.
(Score: 1, Interesting) by Anonymous Coward on Monday December 09, @03:35AM (5 children)
"electronics that look as simple as a charging cable"
There is NOTHING simple about a full function USB charging cable
or the shitpile of firmware surrounding its use.
(Score: 3, Disagree) by canopic jug on Monday December 09, @06:30AM (4 children)
USB A is fine. It is just a bunch of wires. It is USB-C which is the abomination. USB-C is a small computer which is shaped like a cable. It is in a position to inject all kinds of malicious, but small, payloads. The fact that the initial payload must be small does not hinder it in any way from subsequently bootstrapping more tools to eventually install a larger more harmful payload from the net.
Money is not free speech. Elections should not be auctions.
(Score: 5, Insightful) by stormwyrm on Monday December 09, @07:23AM (3 children)
No, USB A or C is irrelevant. There is nothing in principle that prevents embedding a small computer inside a USB-A cable either, in fact the USB-A form factor gives you even more space to embed a physically bigger microcontroller. It's the same problem with thumb drives. I have a small circuit board with an ATMega32u4 microcontroller (this is one of the ATMega microcontrollers with full hardware USB support) in a thumb drive form factor. You can make it take over any device you plug it into with the right firmware for it just the same as with the trick USB-C cable described in TFA. While USB-C cables usually have to have some kind of microcontroller inside them when they have to support the full complexity of the protocol, there is nothing about a USB-A cable that says it must be only a bunch of wires. A random USB-A cable that some joker gives you could just as easily contain a trick microcontroller.
Numquam ponenda est pluralitas sine necessitate.
(Score: 4, Funny) by DannyB on Monday December 09, @03:30PM
There is a solution to this that can make us all feel a lot safer.
Get rid of cables and switch to virtual cables.
A virtual cable will come in a blister pack of TWO (2) USB dongles which are the two endpoints of the virtual cable. It will work like a USB cable but has the advantages of:
I feel safer already.
Stop asking "How stupid can you be?" Some people apparently take it as a challenge.
(Score: 2) by bussdriver on Wednesday December 11, @06:21PM
No, USB-C is USB 4 or USB 3. Way more insecure than USB 1-2 were! USB A could be USB 3.1 but doesn't have to be. Sure all can do keylogging, but a secure keyboard standard would fix that.
It's a another example industry screwing tech up! USB could have remained a simple serial port at version 1 or 2. The plug was always idiotic until USB C... not that they didn't ruin that in other ways.
You don't need more than USB 2 for it's intended purposes. If you need more speed, then a different shaped plug with a less secure DMA model or PCI-bus like access could do that and constantly change specs, plugs, and adapters as demands ALWAYS increases. USB 4 isn't the end. USB 2 should have been. Thunderbolt or whatever new trademark can be the other thing.
This 1 plug to rule them all Lord of the Rings solution is coincidentally perfect for Sauron like control; also the industrialization metaphor those books.
(Score: 2) by canopic jug on Wednesday January 01, @03:39AM
Just a belated afterthought: there are adapters you can get for USB-A which pass only the power and have no data wires. If you were to connect a hostile USB-A cable for the purposes of powering a small device, then it would completely prevent any possible attack. However, if we're talking about data transfer then, yeah, there is no protection.
Money is not free speech. Elections should not be auctions.
(Score: 3, Insightful) by Username on Tuesday December 10, @03:16AM
They could have at least used a better photo for the ad. This doesn't even come close to the image quality of an yxlon xray machine. Also, nobody I know uses the red blue filter for inspection. Seems gimmicky. Their website tells me nothing about their xray equipment either. It's a scrolling slideshow website.