DefCon posters

Mikael Thalen

Y0ur P@ssw0rd S*cks: Testing the O.MG Cable at DefCon

What if you couldn’t even trust your own charging cord?


Mikael Thalen


Y0ur P@ssw0rd S*cks is a bi-weekly column that answers the most pressing internet security questions web_crawlr readers have to make sure they can navigate the ‘net safely. If you want to get this column a day before we publish it, subscribe to web_crawlr, where you’ll get the daily scoop of internet culture delivered straight to your inbox.

This week on Y0ur P@ssw0rd S*cks we’re going to do something a little different.

So far, we’ve discussed everything from the importance of password managers and 2FA to web browser security and ad blockers—topics that all internet users should be aware of.

But what about the more rare threats? What kind of security problems exist for the most targeted members of society?

Last month, The Daily Dot sent me to DefCon, the world’s largest hacking conference held annually in Las Vegas. I managed to get my hands on what is arguably one of the coolest, and perhaps scariest, hacking tools available.

You may have heard about juice jacking before, an attack that can hack a phone via a malicious charging port. These attacks are incredibly rare and the vast majority of people needn’t be concerned about booby-trapped charging ports. But what if you couldn’t even trust your own charging cord?

This is where the “O.MG Cable” comes in. Remember when NSA whistleblower Edward Snowden leaked all those documents back in 2013? One of the files revealed a $20,000 USB cable known as Cottonmouth-1.

This tool had hacking capabilities built into the plug itself, meaning if you used it, it could steal data or download malware onto your device. When those secret documents went public, one hacker was not only able to recreate the cord but upgrade it as well.

The cable comes in multiple formats, which are identical to charging cords for iPhones, Androids, and other devices. It even has Wi-Fi built inside

In my testing, I was able to plug the USB end of the iPhone-style O.MG Cable into my laptop and remotely connect to it from my phone as far as 300+ feet away. From my phone, I was able to receive everything that was typed on my computer, force the computer to run commands, make it open YouTube videos, essentially anything.

The sellers of the cable also sell a device you can plug any USB cable into to detect whether it’s normal or malicious.

To reiterate, 99.9 percent of the public will never be targeted with such sophisticated hacks. It’s also important to remember that hacking anything without permission is illegal. In my testing, I only used this device against myself.

So while such attacks aren’t a worry for the vast majority of people, being aware of them is quite interesting––and pretty cool, if I say so myself.

The internet is chaotic—but we’ll break it down for you in one daily email. Sign up for the Daily Dot’s web_crawlr newsletter here to get the best (and worst) of the internet straight into your inbox.

The Daily Dot