O.MG: A Physical Threat to Our Online Space
Today’s post is a reminder about the importance of the physical security aspect of electronic things. We protect our network with strong passwords and through high phishing awareness, but what about physical threats? While phishing scams are more prevalent, there are other types of threats that can be just as dangerous.
Think about how often you connect removable devices to your computer. Your phone to download pictures. A removable hard drive to free up storage. It probably happens with some regularity. But these are devices you trust. You know not to plug in any unknown devices — you would never connect a flash stick you found in the parking lot (right?). But have you given any consideration to the cable itself?
Criminals have a new way to attack, and it’s through what appears to be an innocuous lightning cable. Once plugged in, the cable, dubbed the O.MG Cable, allows the attacker to access the computer over WiFi. From over 300 feet away, the attacker can issue any command, just as though they were sitting right in front of the compromised computer. The O.MG cable, reconfigured with a fourth prong, is recognized by the computer as a Human Interface Device (HID), which the computer sees as a valid input device.
It gets worse. When looking at the O.MG cable and a regular lightning cable, they are indistinguishable. When you plug in a USB, your computer will try to detect and install drivers, which would alert the potential victim (if they were paying close attention!) to something suspicious. Unfortunately, hackers have even come up with a way to block any detection of the USB until after the attack has been executed. These cables were months of painstaking work for one hacker but are now ready for mass production and sale. The sale will be geared toward penetration testing teams, but now that the technology is out there, it’s only a matter of time before the cable is used maliciously. It’s time to be vigilant.
How Can We Protect Ourselves?
There is no doubt about it, this is a potential threat. If you somehow come into contact with one of these cables, it’s almost impossible to defend yourself. But here are a few ways you can avoid these dangerous cables.
First, buy cables from a reputable store. Go into a local or national chain electronics store and buy your cables there. If you shop online, make sure it is a website you can trust. Second, mark your cables so you can easily recognize them. Third, treat unknown cables as you would an unknown flash drive or other portable device. Assume it can carry malicious code. Never use a cable when you are unsure of the origin. If you borrow a friend’s cable, ask them where they got it. Take the necessary steps to make sure you don’t become a victim of the O.MG cable!
At work, you probably have a use policy that prohibits people from connecting personal devices (such as smartphones) to their work computers. It’s a good time to remind others about that policy and the danger of modified USB cables.