Are Apple OSs vulnerable to the O.MG cable?

macOS and iOS both seem always to ask whether to trust a device before allowing the exchange of data. Warnings about the O.MG cable claim it gains access to your data the moment you plug it in.

How does Apple ensure an administrator knowingly authorizes the transfer of data via hardware ports? Are there credible tests showing Apple successfully defends against the O.MG cable and similar attacks that rely on Lightning, USB-C, or Thunderbolt?


Solution 1:

From a software perspective, there's really nothing "new" about the O.MG cable - it doesn't exploit new vectors in the software or hardware of the computer.

The interesting thing about that cable is its form factor. I.e. if you pick up a random USB pen drive from the street, some people will instinctively think that it might not be a good idea to plug that into their computer - because they do not know what it contains. However, if you pick up a random charger cable from a desk in the break room, the same people perhaps wouldn't think twice about plugging it into their computer.

The thinking is along the lines of "it's just a cable - what harm could it possibly do". The interesting thing about the O.MG cable is simply that it was now possible to easily get the components necessary to run a small microprocessor in a form factor so small that it really looks like "just a cable" - and not "a cable with a big box or big bulge on it".

The software running on the microprocessor in the cable tells the computer that it is a human-interface device - a fancy name for things like keyboards, mice, trackballs and the like. So the cable is basically a "headless" keyboard. At any point in time after plugging in the cable, the microprocessor could send USB packets to the computer telling the computer that the user pressed so and so buttons on the keyboard, or moved the mouse so and so.

The cable does not as such gain access to the data on your computer. Your question seems to imply that plugging in the cable will somehow gain access to data - that's not the case. The microprocessor can send data to the computer - it does not receive data (payloads) from the computer as such. The microprocessor will need to send key presses (etc.) to activate some software that would then send data to the microprocessor in the cable for any data transfer to happen. If your computer is, for example, locked (i.e. not logged in, FileVault enabled) - then none of your data can be transferred to the microprocessor in the cable.

If you imagine the microprocessor also having a wireless interface (i.e. think RF radio, Bluetooth, WiFi, etc.) - then an attacker could sit in a nearby place with visibility of the victim. The victim plugs in the cable and goes about their day as usual - when the victim turns their back on the computer's monitor to talk to a colleague, the attacker wirelessly simulates keyboard presses and mouse movements to do whatever they want. This can then be done after the user has unlocked the computer.

This attack is essentially the same as someone, unknown to you, plugging one of those tiny USB dongles for wireless keyboards into your computer - and using that to remotely control your computer with the wireless keyboard.

Theoretically the attack is easy to defend against. The computer should just not let anyone plug in keyboards and mice. I.e. this is not some super difficult brain teaser of a complex attack.

In practice, home users would probably be very confused if they suddenly could not plug in a keyboard and mouse and expect them to work. Therefore most major operating systems (like Windows, Mac, Linux) allow the user to plug in keyboards, mice, etc. without any approval process.

To guard against the O.MG cable from a technical perspective (i.e. organisationally, you could teach users to never use cables of unknown origin, or you could teach users to use a special guard adapter that only connects the power pins of the cable to the computer) - you could make it so that the user needs to approve keyboards, mice, etc. that are plugged into the computer.

For example that could be by having a message appear on the TouchBar on a MacBook Pro that the user needs to acknowledge with a tap.

It could also be simpler: the first keyboard and the first mouse that are plugged in are approved, but the following ones are not, and require approval by typing something on the first keyboard.
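The approval scheme described at the end of this answer, sketched as an added example (not part of the original answer and not an existing macOS mechanism). The `Device` and `HidGate` names and the attach events are constructed for illustration; the class and protocol codes are the standard USB values for HID boot-interface keyboards and mice, and devices that only declare their role in a HID report descriptor are not handled here.

```python
from dataclasses import dataclass

HID_CLASS = 0x03                      # bInterfaceClass for Human Interface Devices
ROLES = {1: "keyboard", 2: "mouse"}   # bInterfaceProtocol of boot-interface HID

@dataclass(frozen=True)
class Device:
    name: str                 # hypothetical stable identifier for the device
    interfaces: tuple         # (bInterfaceClass, bInterfaceProtocol) pairs

def hid_roles(dev):
    """Input roles a device announces, whatever it looks like physically."""
    return {ROLES[p] for c, p in dev.interfaces if c == HID_CLASS and p in ROLES}

class HidGate:
    """First keyboard and first mouse are trusted; later ones are held."""
    def __init__(self):
        self.trusted = {}     # role -> name of the trusted device
        self.pending = set()  # held devices whose input would be dropped

    def attach(self, dev):
        roles = hid_roles(dev)
        if not roles:
            return "allow"    # no keyboard/mouse interface: not this gate's job
        if any(self.trusted.get(r, dev.name) != dev.name for r in roles):
            self.pending.add(dev.name)
            return "hold"
        for r in roles:
            self.trusted[r] = dev.name
        return "allow"

    def approve(self, name, typed_on):
        """Approval only counts when typed on the already-trusted keyboard."""
        if name in self.pending and typed_on == self.trusted.get("keyboard"):
            self.pending.discard(name)
            return True
        return False

# Constructed attach events, in the order they occur.
EVENTS = [
    Device("builtin-keyboard", ((0x03, 1),)),
    Device("builtin-trackpad", ((0x03, 2),)),
    Device("usb-stick", ((0x08, 0x50),)),       # mass storage only
    Device("charging-cable", ((0x03, 1),)),     # a "cable" announcing a keyboard
]

def replay(events=EVENTS):
    gate = HidGate()
    return gate, [(d.name, gate.attach(d)) for d in events]
```

Calling `replay()` returns the gate and the per-device decisions: the cable is the only device held, and it cannot approve itself because approval must come from the first keyboard.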