Skip to main content

The O․MG Elite cable is a scarily stealthy hacker tool

Is that phone charger doing more than you think it is?

Share this story

Photo Illustration by Alex Castro / The Verge

I didn’t think I would be scared of a USB cable until I went to Def Con. But that’s where I first learned about the O.MG Cable. Released at the notorious hacker conference, the Elite cable wowed me with a combination of technical prowess and its extremely stealth design.

Put simply, you can do a lot of damage with a cable that doesn’t behave the way your target expects.

What is it?

It’s just an ordinary, unremarkable USB cable — or that’s what a hacker would want you to think.

“It’s a cable that looks identical to the other cables you already have,” explains MG, the cable’s creator. “But inside each cable, I put an implant that’s got a web server, USB communications, and Wi-Fi access. So it plugs in, powers up, and you can connect to it.”

That means this ordinary-looking cable is, in fact, designed to snoop on the data that passes through it and send commands to whatever phone or computer it’s connected to. And yes, there’s a Wi-Fi access point built into the cable itself. That feature existed in the original cable, but the newest version comes with expanded network capabilities that make it capable of bidirectional communications over the internet — listening for incoming commands from a control server and sending data from whatever device it’s connected to back to the attacker.

MG, creator of the O.MG Cable, at Def Con.
MG, creator of the O.MG Cable, at Def Con.
Photo by Corin Faife / The Verge

What can it do?

Stressing, again, that this is a totally normal-looking USB cable, its power and stealth are impressive.

Firstly, like the USB Rubber Ducky (which I also tested at Def Con), the O.MG cable can perform keystroke injection attacks, tricking a target machine into thinking it’s a keyboard and then typing in text commands. That already gives it a huge range of possible attack vectors: using the command line, it could launch software applications, download malware, or steal saved Chrome passwords and send them over the internet.

It also contains a keylogger: if used to connect a keyboard to a host computer, the cable can record every keystroke that passes through it and save up to 650,000 key entries in its onboard storage for retrieval later. Your password? Logged. Bank account details? Logged. Bad draft tweets you didn’t want to send? Also logged.

(This would most probably require physical access to a target machine, but there are many ways that an “evil maid attack” can be executed in real life.)

An X-ray of the O.MG Cable showing the chip implant.
An X-ray of the O.MG Cable showing the chip implant.
Image via the O.MG website

Lastly, about that built-in Wi-Fi. Many “exfiltration” attacks — like the Chrome password theft mentioned above — rely on sending data out over the target machine’s internet connection, which runs the risk of being blocked by antivirus software or a corporate network’s configuration rules. The onboard network interface skirts around these protections, giving the cable its own communications channel to send and receive data and even a way to steal data from targets that are “air gapped,” i.e., completely disconnected from external networks.

Basically, this cable can spill your secrets without you ever knowing.

How much of a threat is it?

The scary thing about the O.MG cable is that it’s extremely covert. Holding the cable in my hand, there was really nothing to make me suspicious. If someone had offered it as a phone charger, I wouldn’t have had a second thought. With a choice of connections from Lightning, USB-A, and USB-C, it can be adapted for almost any target device including Windows, macOS, iPhone, and Android, so it’s suitable for many different environments.

This cable can spill your secrets

For most people, though, the threat of being targeted is very low. The Elite version costs $179.99, so this is definitely a tool for professional penetration testing, rather than something a low-level scammer could afford to leave lying around in the hope of snaring a target. Still, costs tend to come down over time, especially with a streamlined production process. (“I originally made these in my garage, by hand, and it took me four to eight hours per cable,” MG told me. Years later, a factory now handles the assembly.)

Overall, chances are that you won’t be hacked with an O.MG cable unless there’s something that makes you a valuable target. But it’s a good reminder that anyone with access to sensitive information should be careful with what they plug into a computer, even with something as innocuous as a cable.

Could I use it myself?

I didn’t get a chance to test the O.MG cable directly, but judging by the online setup instructions and my experience with the Rubber Ducky, you don’t need to be an expert to use it.

The cable takes some initial setup, like flashing firmware to the device, but can then be programmed through a web interface that’s accessible from a browser. You can write attack scripts in a modified version of DuckyScript, the same programming language used by the USB Rubber Ducky; when I tested that product, I found it easy enough to get to grips with the language but also noted a few things that could trip up an inexperienced programmer.

Given the price, this wouldn’t make sense as a first hacking gadget for most people — but with a bit of time and motivation, someone with a basic technical grounding could find many ways to put it to work.

Today’s Storystream

Feed refreshed Two hours ago Not just you

T
Thomas RickerTwo hours ago
The Simpsons pays tribute to Chrome’s dino game.

Season 34 of The Simpsons kicked off on Sunday night with an opening credits “couch gag” based on the offline dino game from Google’s Chrome browser. Cactus, cactus, couch, d’oh! Perfect.


T
Youtube
Thomas Ricker7:29 AM UTC
Table breaks before Apple Watch Ultra’s sapphire glass.

”It’s the most rugged and capable Apple Watch yet,” said Apple at the launch of the Apple Watch Ultra (read The Verge review here). YouTuber TechRax put that claim to the test with a series of drop, scratch, and hammer tests. Takeaways: the titanium case will scratch with enough abuse, and that flat sapphire front crystal is tough — tougher than the table which cracks before the Ultra fails — but not indestructible.


E
Twitter
Emma RothSep 25
Rihanna’s headlining the Super Bowl Halftime Show.

Apple Music’s set to sponsor the Halftime Show next February, and it’s starting out strong with a performance from Rihanna. I honestly can’t remember which company sponsored the Halftime Show before Pepsi, so it’ll be nice to see how Apple handles the show for Super Bowl LVII.


Welcome to the new Verge

Revolutionizing the media with blog posts

Nilay PatelSep 13
E
Twitter
Emma RothSep 25
Starlink is growing.

The Elon Musk-owned satellite internet service, which covers all seven continents including Antarctica, has now made over 1 million user terminals. Musk has big plans for the service, which he hopes to expand to cruise ships, planes, and even school buses.

Musk recently said he’ll sidestep sanctions to activate the service in Iran, where the government put restrictions on communications due to mass protests. He followed through on his promise to bring Starlink to Ukraine at the start of Russia’s invasion, so we’ll have to wait and see if he manages to bring the service to Iran as well.


E
External Link
Emma RothSep 25
We might not get another Apple event this year.

While Apple was initially expected to hold an event to launch its rumored M2-equipped Macs and iPads in October, Bloomberg’s Mark Gurman predicts Apple will announce its new devices in a series of press releases, website updates, and media briefings instead.

I know that it probably takes a lot of work to put these polished events together, but if Apple does pass on it this year, I will kind of miss vibing to the livestream’s music and seeing all the new products get presented.


E
External Link
Emma RothSep 24
California Governor Gavin Newsom vetoes the state’s “BitLicense” law.

The bill, called the Digital Financial Assets Law, would establish a regulatory framework for companies that transact with cryptocurrency in the state, similar to New York’s BitLicense system. In a statement, Newsom says it’s “premature to lock a licensing structure” and that implementing such a program is a “costly undertaking:”

A more flexible approach is needed to ensure regulatory oversight can keep up with rapidly evolving technology and use cases, and is tailored with the proper tools to address trends and mitigate consumer harm.


A
Youtube
Andrew WebsterSep 24
Look at this Thing.

At its Tudum event today, Netflix showed off a new clip from the Tim Burton series Wednesday, which focused on a very important character: the sentient hand known as Thing. The full series starts streaming on November 23rd.


A
The Verge
Andrew WebsterSep 24
Get ready for some Netflix news.

At 1PM ET today Netflix is streaming its second annual Tudum event, where you can expect to hear news about and see trailers from its biggest franchises, including The Witcher and Bridgerton. I’ll be covering the event live alongside my colleague Charles Pulliam-Moore, and you can also watch along at the link below. There will be lots of expected names during the stream, but I have my fingers crossed for a new season of Hemlock Grove.


A
Andrew WebsterSep 24
Looking for something to do this weekend?

Why not hang out on the couch playing video games and watching TV. It’s a good time for it, with intriguing recent releases like Return to Monkey Island, Session: Skate Sim, and the Star Wars spinoff Andor. Or you could check out some of the new anime on Netflix, including Thermae Romae Novae (pictured below), which is my personal favorite time-traveling story about bathing.


A screenshot from the Netflix anime Thermae Romae Novae.
Thermae Romae Novae.
Image: Netflix