- The O.MG hacker cable can pretty much take over your computer as soon as you plug it in.
- Never insert untrusted cables or USB dongles into your computer or phone.
- Carry your own charger.
Your phone is getting low on battery, so you grab the courtesy charging cable at the coffee shop while you’re ordering, but it’s no ordinary USB cable, and the coffee shop owner didn’t put it there.
One problem with using USB cables for charging is that they also carry data, in and out of your phone, including malware (in) and private information (out). And the O.MG Cable, which looks just like any other USB-C-to-Lightning cable, is, in fact, a tiny hacking computer inside a cable. Will somebody target you personally with such a thing? Unlikely. But ask yourself this. If you were to deploy a cable to catch the largest number of people, where would you leave it?
“Consumers should be careful about the cables they use and the ports they plug into, as both white and black hat hackers are constantly innovating new ways to pwn over USB. And, even if a USB cable isn’t malicious, many cables fail to follow standards like USB-C and can cause other electrical or mechanical issues,” Sean O’Brien, lecturer in cybersecurity at Yale Law School, told Lifewire via email.
The O.MG Cable is the latest version of a hacking tool from hacker MG (Mike Grover), introduced at the Def Con hacking conference. It looks like any other cable, only it houses a tiny Wi-Fi access point, which essentially gives a hacker a path into your computer. It can also connect in and out over the internet, not just to a nearby hacker with their laptop open.
The cable can do just about anything you would want to avoid. It can log all of your keystrokes, and it can also pretend to be a USB keyboard and type its own commands into your machine. That means it can pretty much do anything you could do via the keyboard, including downloading malware, installing spyware, anything.
And because it has its own Wi-Fi access point, it can exfiltrate all your data directly. This bypasses any internet-facing security because it doesn’t use the internet. Grover’s O.MG cable might be a headline grabber, but it is also a warning about USB devices in general. If you plug something into your computer or phone, it has a scary level of access.
“USB cables are direct avenues for malware and ransomware attacks: Any ill-intentioned person can access confidential information from many unsuspecting user devices by simply leaving their USB insight. Plugging it into your phone renders you instantly vulnerable,” Yusuf Yeganeh, founder of Microbyte Solutions, and IT and cybersecurity consultant, told Lifewire via email.
You probably won’t ever get targeted by an O.MG. For starters, just the basic version costs $120. But even if you were, there’s a 100% safe way to avoid its hacking abilities. Don’t plug it in.
That’s easier said than done. If somebody really wants to target you, they can employ all kinds of tricks to get you to trust the cable, including selling it to you or sneaking into your office to swap it for the one on your desk.
But in general, the way to avoid malicious cables, or other USB devices, is to avoid unknown devices.
“When traveling, it’s best to use [your own] USB cable, preferably one that does not support data transfer. Avoid any cables you see in public places,” says Yeganeh.
Mac users can look forward to macOS Ventura this fall, which will block connected USB devices until you give them permission to interact with your computer, although this only applies to M1 Mac laptops, to begin with. Windows users should make sure USB autorun is disabled, which stops apps on USB sticks from launching on insert.
But while those are good backups, you should be careful about what you shove into your computer’s ports. Always carry your cables, a battery backup, or a trusted charger. And plug your charger directly into the power socket. Don’t just use your own USB cable with some unknown USB outlet because the USB outlet may be compromised.
If you really cannot avoid using public cables to charge your device, use a USB condom. This is simply a USB adapter with the data pins removed, so it can only pass power. Making your own from a USB-A adapter is easy. But if you decide to buy one, make sure you trust the vendor, or all bets are off.
Thanks for letting us know!
Tell us why!