TL;DR: The ubiquity of life on a smartphone can be counted as a wonderful convenience. But there seems to be a price to pay for having everything in one place. As the cryptocurrency space maps onto mobile phones, increasing awareness of attack vectors and vulnerabilities is a great way to become security literate. The latest example is a backdoor hidden in an O.MG kit cable, enabling remote access over WiFi through a USB-connected mobile device. CoinSpice caught up with the project’s inventor, MG, to ask about his work.
USB Cable Has Hidden WiFi for Remote Access
Information security (infosec) is of paramount concern for anyone online, anyone who uses computers — which is most everyone. A wonderful way to be introduced to the exciting infosec world is to be jarred by a hack. Hackers get a bad reputation because the name has been used as a pejorative, but traditional hacking is to go where most folks will not, to think about what others might not.
You like wifi in your malicious USB cables?
The O•MG cable
(Offensive MG kit) https://t.co/Pkv9pQrmHt
This was a fun way to pick up a bunch of new skills.
— _MG_ (@_MG_) February 10, 2019
Infosec developer MG recently posted about his experiment with USB cables. Essentially, he hid backdoor WiFi capability inside the cable’s shell. MG is perhaps best known for his Mr. Self Destruct exploding USB drive demonstration back in 2017. “I called that one Mr Self Destruct as a nod to NIN,” MG told CoinSpice (NIN = Nine Inch Nails).
As Hackaday explained of MG’s latest work with USB cables, “You might be asking what’s inside this tiny USB cable to make it susceptible to such attacks. That’s the trick: inside the shell of the USB ‘A’ connector is a PCB loaded up with a WiFi microcontroller — the documentation doesn’t say which one — that will send payloads over the USB device,” adding that it “is the ultimate way into a system, and all anyone has to do is plug a random USB cable into their computer.”
Driving Awareness and Attention to Problems
MG recalls how he “spent ~$4k and ~300hrs across the last month chasing this project as a way to also pick up a bunch of new skills. That is a lot more time and money than most people would take, but I was starting from zero on a lot of this,” according to his personal site.
Asked about how regular people respond to his unorthodox experiments, MG told CoinSpice, “That’s a complicated one because each person is different and they all warrant a tailored approach. I guess the most extreme are people who do not understand how offensive security can have a positive impact on security by driving awareness and attention to problems.”
He also added a novel way to explain the hacker’s ethos. “But also, does everything have to be assigned a demonstratively positive output? What happened to fun? What happened to art? Did watching any of my videos create a visceral response inside you? Did you feel something?” MG asked rhetorically of CoinSpice.
Implications Beyond Nefarious
As for what uses such work has beyond ooohs and ahhhs, MG explained, “Does awareness training count? Or further security research? Those are big ones. But if you mean purely technical uses: I have used HID emulating devices (like the Hak5 USB Rubber Ducky) for automating sysadmin type process, setting up Raspberry Pis without a keyboard or monitor, etc. And wireless variants as a wireless keyboard/mouse. And even as ‘jigglers’ to simulate user activity to prevent a screensaver from interrupting a long presentation of a slide deck. All would work here too but it feels like a bit of a waste on the cable form factor,” he noted.
When CoinSpice asked about such a cable and its impact on cryptocurrency, MG was less sure. “Maybe tangentially. I certainly align with the anarchist early days of it, but I don’t think the output of my work has any strongly apparent philosophy or politics. That’s more about how I work and interact with people. So I won’t go deeper,” he revealed.
Certainly, there is no need to alarm the community and insist something is afoot, but it is nice to know such vectors are possible and, to a degree, practical. “I know there are plenty of security issues in that realm,” MG told CoinSpice, “but I will leave it up to you and the reader to connect the dots.”