
USB Cable of Terror: Why You Should Never Borrow a Charging Cord

Remember simpler times when our biggest concern was being “juice jacked” at a public charging station, rather than worrying about whether we could leave our home without catching the plague?  In case you were too busy enjoying maskless merry-making to remember the craze from a couple of years ago, “juice jacking,” in hacker news, was when you would plug your phone into a public charging station and your data would get hacked by a device secretly attached to the chargers.

Mike Grover remembers the craze, and it apparently got his wheels really turning.  Because in 2019, the same year the fear of “juice jacking” really came into our consciousness, Grover unveiled his O.MG cable at that year’s DEFCON, and it really caused a stir.

This cable he created is essentially a “smart” cable that has the potential to cause some major damage, because if a bad actor were to get his or her hands on one, they wouldn’t need any other device or computer to “juice jack” a device that plugged into it.

The O.MG cable is controlled from a browser and can take commands on demand because it also comes equipped with its own WiFi access point.  Not only that, but it also contains payload storage, geofencing capabilities, and the ability to log keystrokes – or even inject its own!

When the O.MG cable was unveiled in 2019, the cord itself was rather large and bulky, and could easily be distinguished from a regular Apple lightning cable.  But since its market introduction, Grover has refined his product to the point where it’s not only “affordable” (at just under $140) but is also practically identical to the original. In fact, all the USB-As have now been updated to USB-Cs, putting both Androids and iPad Pros at further risk.

Additionally, he has increased storage capacity, putting devices at risk for direct malware attacks through “attack modes” that have the ability to “self-arm” and “self-destruct” given specific parameters.  This attack cycle, as previously mentioned, allows the cord to capture AND inject keystrokes.

What does this all mean?  When you boil it down, this cable can gather sensitive data when the user is attached to a device, and attack the device after the user has detached from it.

Scary stuff.

What’s important to note, as well, is that iPhones are not the intended target; the targets are actually the Macs (or other computers) that are charging the phones or being synced to.  This is because Grover is more or less an ethical hacker.  He doesn’t want to compromise the devices; he just wanted to see if the task (building a self-sustained attack cable of nightmares) was possible. And his whole reason for choosing Apple’s Lightning cable was simply because it was the most challenging of all the cords, due to its compact design.
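Because the computer is the target, the computer is also where a keystroke-injecting cable becomes visible: injecting keystrokes over USB means the cable registers with the host as a keyboard. The sketch below is an added example, not from the original post or from Grover's project; it scans Linux kernel log lines for keyboards that are not on an allowlist. The log lines, device names and vendor/product IDs are constructed for illustration.

```python
import re

# Kernel line logged when a USB HID interface is bound, e.g.
# "hid-generic 0003:VVVV:PPPP.000N: input,hidrawN: USB HID v1.11 Keyboard [name] on usb-.../inputN"
HID_LINE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+hid-generic 0003:"
    r"(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w+: "
    r".*?USB HID v[\d.]+ (?P<kind>\w+) \[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

# Assumption: the keyboards this workstation is expected to have (constructed IDs).
ALLOWED_KEYBOARDS = {("1111", "0001")}

def unexpected_keyboards(log_text, allowed=ALLOWED_KEYBOARDS):
    """Return HID keyboards seen in a kernel log that are not on the allowlist."""
    findings = []
    for line in log_text.splitlines():
        m = HID_LINE.search(line)
        if not m or m["kind"] != "Keyboard":
            continue  # not a HID registration line, or a mouse or other HID class
        ident = (m["vid"].lower(), m["pid"].lower())
        if ident not in allowed:
            findings.append({"time": float(m["ts"]), "vid_pid": "%s:%s" % ident,
                             "name": m["name"], "port": m["port"]})
    return findings

# Constructed sample: desk keyboard and mouse at boot, then a second
# "keyboard" appearing more than an hour later on another port.
SAMPLE_LOG = """\
[    3.101000] hid-generic 0003:1111:0001.0001: input,hidraw0: USB HID v1.11 Keyboard [Example Desk Keyboard] on usb-0000:00:14.0-1/input0
[    3.205000] hid-generic 0003:2222:0002.0002: input,hidraw1: USB HID v1.11 Mouse [Example Mouse] on usb-0000:00:14.0-3/input0
[ 5120.440000] usb 1-2: new full-speed USB device number 9 using xhci_hcd
[ 5120.610000] hid-generic 0003:3333:0003.0003: input,hidraw2: USB HID v1.11 Keyboard [Example Cable] on usb-0000:00:14.0-2/input0
"""

if __name__ == "__main__":
    for f in unexpected_keyboards(SAMPLE_LOG):
        print("unexpected keyboard %(vid_pid)s (%(name)s) at %(time).1fs on %(port)s" % f)
```

Vendor and product IDs are self-reported by the device, so the allowlist is a tripwire rather than proof; a keyboard appearing where only a charging cable was plugged in is the signal worth investigating.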

He’s also not selling his wares to black-hat hackers.  The intent of his invention is to serve as a warning; Grover runs red team attacks with businesses to compromise their unsuspecting employees, thus raising awareness for cybersecurity hygiene and best practices, especially during travel.  In today’s cyber landscape, one small mistake can cost a business hundreds of millions of dollars, in addition to the loss of respect from customers and peers alike.

The O.MG cable is not the BIGGEST threat on the horizon, and you are much more likely to receive a phishing email than you are to plug into this cable of cyber horrors, but its existence should hopefully get employees to really consider what threats they (and their employers) are facing in today’s increasingly-sophisticated digital world.

Short story long, always use your own cable when traveling, especially if you have data that could be used against you or your business.  It’s not a common attack, but if you are in a public space, it is a good idea to use your own charger and cable; USB cords are, as you know, used to transfer data as well as “juice.”

With as many threats as we see out there today, it’s understandable that you may feel overwhelmed; after all, where do you even begin securing your small business to keep it from getting hacked?  Bad news first – there is no quick fix, and anyone telling you otherwise is probably just trying to scam you.  If you aren’t sure whether your networks and data would survive a cyberattack, then they most likely won’t.  Schedule a free consultation by giving us a call at 919-422-2607, or by visiting our online scheduler.

The longer you keep your head in the sand, the bigger target you become.  Stay safe out there!