Would you use a stranger's USB charger cable?
- 29 November, 2019 08:00
USB charger cables for our phones, tablets, watches or whatever gadget we want to strap ourselves to these days (yes I said that correctly – strap ourselves to, not strap to ourselves – Think about it, it’s probably closer to the truth). The charger cords, most of us have several for all the different devices we use regularly, sometimes they break or we lose them. It true isn't it or you just run out of charge and you don't have one with you. What happens in this situation? Would you borrow someone else's charger cord? Of course, you would.
Would you just grab one from one of those vending machines, 2 dollar shop or corner stores? Yeah, you would because it's just a charger cable there is no risk. Most people think this and honestly, I don't blame anyone for thinking this is harmless, nothing could go wrong with this scenario.
I want to introduce you to the O.MG cable by MG. essentially the cable has been created to look exactly like a legitimate iPhone charger lead, nothing fancy, just exactly like the cable and seriously these guys have done a great job it looks perfect. Take a look at it here. Now if you look a little closer and pull back the USB plug circuitry cover you will see a giveaway (picture here), these cables originally surfaced at Defcon in August this year when MG showed the capability he and his team had been working on.
Look these types of cables aren’t new idea but in my opinion these would have to be the best attempt yet, they look very real, they work very easily and are controllable via an app on the malicious actors phone that connects from up to 300ft or almost 100 metres away via a built-in wireless adapter in the USB cable. If you check out the video that MG included in his tweet on 9th August 2019, you will see a basic demonstration of what it can do.
So let’s create a bit of a scenario now so it all makes sense. It’s a Friday afternoon and you are sitting in an airport lounge area waiting for your flight home to see your family, your work phone is flat and you really want to just get out a couple of quick emails before your flight starts to board so that when you get home all you need to worry about is spending time with your family. You are looking around and you see a girl in her early twenties roughly sitting across from you with her laptop open working away. Sitting next to her on the chair is an iPhone charger cable, you look around a bit more and see one of those USB charge points that we all see starting to pop up in cafes and airport terminals.
You consider asking the girl if you could borrow the cable, you know that you should never plug a USB into your machine that you find or is given as part of a giveaway, the risks are too high that you will get a virus or something. There is no risk with a charge cable right, you ask the girl and she smiles and says "sure go for it". She passes it to you and you make your way over to the charge point and connect up your phone. It starts to charge as expected and you wait a few moments before switching it on. Now at this time the super helpful girl has connected to the O.MG cable and is loading malicious code to your device for some nefarious purpose. She will soon have access to everything on your phone, work emails, texts, internet banking passwords you name it she now owns you.
Now I am guessing some of you are sitting there thinking that's not a realistic scenario, well let's think of another one. You are at the office and your phone is flat, you sing out to one of your co-workers asking if you can borrow their phone charger cable. You grab it and plug it into your pc USB port and connect to your phone. Now the part you didn't know is that the cable was bought online in bulk, they bought 10 of them for $1 each as they keep losing their cables. Those cables were O.MG malicious cables and the staff member was targeted because of where they work. You have just given the malicious actor access to your company network via your laptop and most likely access to everything on your phone from the company carpark. Whoops right.
Another scenario could be, say a doctors surgery, if you have been to one lately most have PC's on a bench as you walk in, some even have a pc for people to self-check-in, if you plugged in one of these charge cables, would anyone pay attention? Maybe. What about if you were in the doctor's room or nurse station and they turned around to get something or left the room. Plugin the cable leave it and you are in most won't think it's a threat even if they think it's unusual. They will probably just keep it and use it themselves.
All of these scenarios are very real possibilities and we all need to include these types of scenarios in our awareness training programs. Let users know of the real threat, it's about more than USB drives now. We need to inform staff and families to not use cables that they have purchased themselves from a reputable source. Look even in this scenario you could still fall, victim, if a supply chain is Brocken and a malicious actor finds a way to say "man in the middle" a new iPhone delivery, take out the charging cable, replace with a new O.MG cable and then reshrink wrap the box. Doable right? Okay, that is probably a pretty sophisticated attack and is probably unlikely but still possible.
What about the brand new iPhone you just won, in a competition that you didn't know you entered that just arrived. Yeah, it thinks it could be done.
I don't want to be all doom and gloom here. Just do yourselves a favour and think before plugging in random phone charge cables you may regret it later. Keep one with you, have a couple and if your phone still goes flat sometimes and you don't have a charger cable just disconnect for a while it will probably help your stress levels. We all should do it now and then.
As always, tell me what you think, tell me I am crazy or you agree but let’s start a conversation about better security.
Till next time…