You know what else is less than the price of an LTT Backpack? A FREE weekend of Crusader Kings 3 starting May 11th. Build your dynasty at: lmg.gg/CK3CS
A while back I picked up a micro-usb charging cable in a parking lot before this really became a hot topic and considering my extensive amount of micro-usb cables I can't remember which one it is to get rid of it. Should I be worried? PS: This was like 4yrs ago
To be fair he talks so much about computers, but very rarely talks about cyber security. I do cyber security on the side and people find it so scary how easy it is to hack anyone today. Security went the opposite, it never got better…it got way worse.
As someone who works in a large company IT department. Mike has a good point, most cyber criminals don't need to go through that kind of hassle. Its staggering at the amount of people (who swear they didnt click anything) get their work computers infected that i have to pull, wipe, and re-image. Our company cyber security team also sends out test phishing emails randomly and it always catches people.
"I DIDN'T CLICK NOTHIN!!" ..."Sir, I am right here beside you. I just watched you click seven differnt things just because they had blinky pictures." "I DIDN'T CLICK IT!" ..."Sir, I can -hear- your mouse clicking."
I know better and accidentally clicked a phishing link recently. Fortunately it only went to a fake login page and didn't download anything, but it was a pretty scary couple minutes.
Yeah, but considering that this cable is about $120 and the Flipper zero costs about $400, I'd say that already makes the flipper zero a no go for most nefarious actors.
@@wisteelathere is more truth to that than most people realize. I have several cables that were found in the wild. They are all… let’s just say very behind.
Plant a cable that opens a notepad to warn against random cables & in the background have their webcam open proceeding to download the short video file of them reading that; finally opening the video to themselves reading. This would be a SHOCKER and great content hahaha
Security is one of the few fields where "spreading awareness" is actually a valid and worthwhile thing. These attacks exist whether we like it or not, so it is better to know about them so we can defend against them.
My work CONSTANTLY reiterates never using the same password for your personal accounts as for your work accounts, to never giving your work passwords to phishers, to never using your work email to sign up to shady sites. Yet employees continue to do it.
As someone who recently sat awake all night, naked, trying to log someone else out of their RUclips account, I'm sure Linus loves that this tool exists.
I don't understand the point of these videos, who just picks up random ass cords or USB sticks and uses them? Even without these risks existing I wouldn't do that have common sense people
Can totally see in a few years amazon or ali express being full of cables like this if these exploits aren’t taken care of. Maybe O.M.G is doing the right thing.
@@hollytaylor5327 better to make something like this, be open to everyone about how it works and let it be researched than for someone else to make this with terrible intentions and blindside tons of businesses
@@hollytaylor5327 They make these products for actual security testing purposes as they explained in the video. But yes by making them generally available you're putting the threat out into the real world which means companies are forced to take the threat seriously. Besides you can't just buy these and go on a crime spree, even buying these products absolutely puts you on a list.
Man, the ending about those getting cheaper, that gives the chills. Love to see security content like this on the channel. It's way more important than people think it is.
It's not viable for general attacks but perfectly viable for a targeted attack. If someone wants to harm you they will harm you, money is not a problem for those cases.
@@chiranjeevsahoo4960 Targeted attacks need to be far more sophisticated for a remote attack. Anything worth while is going to need a physical compromise to be worth using a remote tool. Which is pretty much non-existent for years already.
lol, no. These sorts of tools can be made for $10. It's been cheap for years. It's not a real threat becasue these tools are not useful for actual targeted attacks.
Not only that, people backward engineer this stuff all the time, so I could see a slew of people making "copies" of this tech, and it not only being cheap but unknown because they will only use it for themselves
not just for an organization, but for an average joe with a vendetta as well. It may be expensive for throwing it on the road or using it for general attacks like in a hotel. It's perfectly viable for a targeted attack. I can see a disgruntled ex slipping it in.
Sending an email costs 0$ though and is more likely to work, less likely to be traced back to you (if you know what your doing), and is likely to give you more access. Walking out with a computer or hard drive costs 0$ and is more likely to work and much less skilled, and if you are vulnerable to physical attacks someone could pull it off. Plugging in a normal keyboard costs 20$ and while there are some things you can't do with it, (remote connection) you could still do damage. I love it when LTT covers these tools because they are fun to play with. But I am much more worried about phishing as an attack vector than physical attacks with tools like this. These tools are not going to shift how we defend networks because they are simply slightly flashier more advanced versions of existing threat vectors.
Yeah, but sending a couple hundred of phishing emails and text messages is cheaper, easier and safer for the attacker. (safer in terms of remaining anonymous). You'll only get to the fancy stuff, like physically infiltrating the place and leaving a malicious cable lying around, once all of the boring and cheap stuff is exhausted.
The NSA apparently had these back in 2008 (according to the ANT catalog leaked in 2013). COTTONMOUTH-I was a device that could load malware and act as a wireless bridge (for subverting airgaps) while being disguised as a regular USB cable connector. The price for making these things must have a dropped a bit, since the listed unit price was 20 300 USD.
Generally, whenever consumers get access to cutting Edge technology, governments and militaries have likely had access to something with similar or Superior capability for at least 4 years. Whether or not they used it as a different question like for example, I don't think any military has been using folding screens because they're just way too fragile, but I suspect if for example, the US military had a use case they probably could have had them back in 2005
I almost worry that people are going to try and slip these into things like Ebay or Amazon listings or returns, they look good enough to be official and nobody would think twice about using the charging cable that came in the box with their new phone.
Yeah, but anyone trying to save money by buying a phone on ebay probably isn't rich enough to be a worthy target of such an attack. It would largely be a waste of the attackers time and money more often than not.
@@Khronogi yeah, but scam what, though? If they put ransomware on some random middle schmuck's computer, then said schmuck would probably just go get a new computer. Stealing banking credentials isn't gonna accomplish much, because they probably don't have much to steal in the first place. It would almost always end up being a waste of time and money.
@@Khronogi It's $120 USD, no scammer is going to pay that much in the hopes that some random person will use it and have anything worth stealing. Scammers succeed by casting a wide net that doesn't cost them much if anything, like phishing emails, not by by spending over $100 per target.
I would much prefer someone selling it publicly versus them selling it privately. The flipper and OMG cable is making it known that this could happen and we could learn to defend ourselves. Way better than not knowing till after the fact.
People who despise these devices existing don't understand how dangerous this kind of stuff is or physical security for that matter, there are attacks that have existed for over 70 years (and when I say have existed I mean there is absolutely no way the manufacturer did not know for that amount of time) that are still absolutely doable on relatively high-end locks today. The design flaws that allow these kinds of devices (mostly the flipper zero but the omg cable a little) will not be patched if there is not outrage at the design flaw
The name of the NSA implant this is inspired from is called COTTONMOUTH. A USB cable with wifi remote control in the type-A end. It was in the TAO catalog released in late 2013 iir.
And that’s why I always carry my own cables. If anything, this video couldn’t be timed better since I’m headed downtown for the day & had to pack some chargers.
Thank you for teaching us about things like this! I'm a computer salesman, and a lot of people come to me with cybersecurity and ask for my knowledge. So when it comes to things like these, you said it first, it's better know about it as early as possible to prevent people of having these encounters. Have a nice day Levy
People are dumb, it can't be fixed... I could grab a USB stick, load up an autorun attack tool on it, and almost everyone would pick it up off the street and plug it in. By making it throw a popup saying it's not compatible and to try another computer I could get them to infect everything they have access to. I'm in IT and security now, because I used to wear a different hat before and know how it's done, there is a near infinite mountain of attack vectors to use and the way to protect against them is isolation mostly.
I'm glad your covering this. I saw these and picked one up at DefCon last year and have been messing around with it, it's a GREAT Red Teaming tool, especially if it's more than just a single day op. You can either connect it yourself or leave/swap it on a desk when your doing a "scheduled unscheduled audit" or something similar. (I'm a professional pentester not just breaking into tech companies without permission)
15 years ago my brother warned me about this stuff.. Ever since i've never used public charging and only use my own brick and cable xD sometimes a brother with a tinfoil hat is a good thing. Miss him tho
its the worst part about being a cynic. You don't want to be right. But you know you are. Your brother sounds like a wise man. As someone with 3 younger brothers to protect (even if they don't realize they still need it) you have my respect from one brother to another.
I wonder how much data can be transferred when just charging? Android phones ask before data transfer over usb would that not prevent some of from accessing data?
@@jarryjackal3827 hacking has been around far longer than the early 2000s. Just cause a method is widespread enough to get onto LTT now doesn't make it new. Don't you remember those good ol days when they warned ya not to put strange CD's into your disk drive, or those sketchy floppies with some guys sick new beats from the subway?
It's misinformation based on a bad understanding of real world netsec, and shilling to sell a product. LTT are the last people to give out netsec advice.
In regards to juice-jacking, I miss the micro USB cables we had at Google, by default they were charging only and had a physical switch to enable the data lines of the cable if you needed to transfer data. Sadly they never made USB-C versions
There are type A charge only USB adapters. You could use one of those with a tape C to type A adapter. You’ll probably lose charging speed, but at least you can use it in an emergency.
It occurs to me that using USB for charging, data, and input is actually quite a security flaw. I know some large companies just disable USB drive support on all computers. Now I see why. Perhaps SD cards are actually safer, because they can only be storage.
@@sylviam6535 Having a single button is way more convenient than having to add / remove the "USB condom" (as some call it) each time you want to toggle data on or off. I miss those cables too!
@@florentcastelli - I am not sure that a physical switch would work on USB type C. They would probably need to insert a chip to deal with the additional complexity.
My biggest worry about these is how easy it is to inject fake or knock-off items into Amazon's listings or inventory. It's entirely plausible that an attacker could mock up a few of these to look like some reputable brand and then sell them on Amazon to unsuspecting people. I've gotten fake stuff from "Ships and Sold by Amazon" listings, so it's not just a matter of avoiding dodgy listings. Too expensive to be worth it now? Probably. But that won't last long.
I expect that someone like Apple or Samsung don't make their own cables in house. If the company they buy these from wanted they could include cables like this with every smartphone these companies sell. Then wait until their cables are everywhere or until they are found out and then ransom every device.
This sounds like a stress test that went on at LMG where they planted a cable that got used and then there would've been a seminar around 'security in the workplace', followed by 'That would make a great video' 😂😂
Juicejacking makes sense considering the term juice is synonymous with power; leaving a "charger cable" at a diner would be a really effective means of attack especially if the victim believes that cable is the only means of keeping their device charged. Take a McDonalds near our location for example, they have only one seat adjacent to an outlet, if an inconspicuous cable is just sitting there and their phone is about to die chances are they aren't going to spend the time to dig around for their own cable (if they have one).
I never thought we'd need this, but here we are - I think "Plug and Play" in Windows needs to be updated to have some sort of hardware security or something, god knows how that could ever be figured out, goodluck Microsoft
It’s not possible. A computer is useless without some way to interact with it. If a person can interact with it, then anything that emulates a person interacting with it can too. The best that can be done is a cat and mouse game trying to detect exploits, etc. but that will never stop someone being able to go to a website and download software or run software written on the machine itself.
I mean, it would be nice to have the option. but on the other hand, these devices can mask themselves as pretty much any device out there. so even if windows gave you an alert or something that the device named "xx" was connected and you need to accept a prompt to continue, this could just name itself the same as the device and most people would not ever see anything wrong with that.
Devices could send an "evil bit" to the host to indicate they have malicious intent. Something similar has been proposed for internet packets on april 1st 2003.
One day we'll encrypt USB with keys that we upload to devices ourselves. Setting up a keyboard, mouse, USB stick, etc. will become crazy complicated just to keep bad guys out. And they'll still find a way.
@@alexturnbackthearmy1907 I'm not sure what this has to do with being opposed to him promoting actual products. He could warn people about the risks of these types of devices without showing every wannabe hacker exactly where to get a product like this.
@@KrillinInTheNameOf I mean I searched for "hacking USB cable" and got the OM.G and Ninja as the first results, with a public storefront, so I don't think that barrier to entry is really valid.
These devices being available to the public for purchase and using the defense of "It CAN be a learning tool. And. You're more likely to be hit by lightning." Are arguments I've heard in defense of many harmful and damaging products. I'm helping create and complicate the problem so I can educate you on the problem. Such a honorable cause
Wow.. "Best to learn about it now when it is expensive rather than later when it's cheap and too late" is probably the best line from an LTT video.. like ever!
Always cool to see LTT do a more simplified overview of HAK5 tools. Might be cool to see a cybersec spinoff channel so a bigger channel like yours can help spread awareness.
Another use case where this could be problematic is people getting these cables for their partners/friends/family members as a way to spy on them. "Hey honey, have you seen my charging cable?" "No. But you can use this extra one I have."
Generally if you're going to spy on your loved ones, you'd also have physical access to the devices they use too. Sneaking in a USB device into the back of their desktop or laptop is going to be easier and cheaper than ensuring they use your cable.
@@Programmdude yes but when it comes down in price it would be less phishy and a cheap way to get into the person phone which these devices target also
People have been hacking each other since people exist. Its even common to treat ideas and thoughts like this usb cable, like a threat. And sometimes they are. This tech is interesting, nonetheless.
Already exists. Use of a hardware keylogger on your partners PC to spy on them for abusive purposes has been a thing for years. Most people won't notice something in the back of their machine that wasn't there before.
You're welcome. As consolation, you don't need to be afraid of hackers trying to compromise your systems until you have data worth stealing. Are your memories safe? I sell zero-day exploits on bug-bounty forums. Secure your bad ideas and protect the future of disinformation.
@@oldtools assuming you don’t have information worth stealing is this first mistake. Do you have a social security number? Then you have information worth stealing. That number is worth a lot of money.
mike's a legend, creates the best hacking cable and makes a profit from hackers and also creates a data warner and profits of people avoiding such hackers to hack them
Kriega R30: $275 USD and made from abrasion resistant textiles, has a fantastic system for distributing weight and staying on, as well as 30 liters of space and having a massive 100% Waterproof compartment. Linus: how 'bout none of that BUT it's $25 USD less expensive.
I get that mike is on the up and up... but when they said he made a cable to detect malicious cables... I got some very "we created a disease to sell an antidote," vibes
They are more or less fearmongering misinformation. These tools are useless in real life and pose zero threat. They have been around for years for $1, and there have never been any recorded accounts of these attacks being used on anyone.
Based Paradox with a "keep it simple" ad. I appreciate that greatly. I am actually far more willing to play their games, now. I mean, I already was, but now I'm even more endeared to them.
If some random coder dude is releasing these at a reasonably accessible price, you can bet these have already been around for a while in a more secretive manner. Governments and other various agencies have likely been using these for years. At least now the public is aware that these are, in fact, a real tangible thing.
And the fact that the FBI is willing to _tell people this is a thing_ is a sign that to them, this method of exfiltrating data and hacking stuff is already *_obsolete_* by Three Letter Agency standards. Why spill the beans on a technique you're still actively using to spy on people?
Год назад+25
Yeah in my eyes what this guy is doing is making this accessible to security researchers and pen testers so companies etc can figure out how to defend themselves from it, rather than really creating a new attack vector or anything of the sort
Yes this type of device has existed for many years, the company behind the usb rubber ducky has been around since 2005. Awareness is just bad, they've clearly made their point to the negligence of certain enforced security. In security, the biggest vulnerability to anything is physical access, with the right tools you can obtain anything. This is not just technology of course. Honest attackers are creative and sneaky who can be reasonably discouraged. Attackers with sledge hammers also exist. Keep your important belongings safe!
Thanks for the video as a wake up call. I knew that plugging in any usb device or flash drives found on the street would be a dumb thing to do. But I had no idea until now, that even just a cable can be malicious. They always seemed really benign to me.
the fact that such a device is readily available is a good thing Linus . if it were some type of obscure tool that's only available through underground connections then only a select few would know of its existence thus making it a bigger threat the fact that it is readily available means that people like you will make videos about it the more people who know of its existence means more people know what to watch out for
I feel like the quote, "Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should." best applies to this cable.
The problem with that saying is (skipping the whole scientists vs engineers, the tech isnt new the application is) not that this is a unique tool developed by some masterminds. It's common tech thats been packaged and branded for the consumers. CIA had this tech 10 years ago and so did probably other state funded organizations as well. It's only a matter of time before you can buy it from aliexpress for a dollar. Creating this product and bringing this design flaw in USB to the light of mass audiences does more good than harm to the world collectively.
No, what applies better is “security through obscurity is no security at all”. OMG didn’t create this attack vector, he made it accessible to everyone and raised awareness that this exists. Now more people will be on guard, look at this and work on mitigating this.
8:50 " sif someone can walk in and take something, they can walk in and plant something" LTT's security are clear at risk seeing how much get taken from the office😂
Tools like these help testing your security for sure. The problem is, if there is actually a bad person who really needs to go these routes, there is also probably enough criminal energy to build it yourself. Its better to have the tools to protect yourself against it, than to wait for someone who WILL make their own. But yes, most ways into a security system are wayyyyy easier and the weakest link in the chain will always be humans
Although I find this technology somewhat frightening. I am much more concerned with the fact that I never knew it existed to this point. The best way to protect yourself is to become educated on the topic. That is why I hope LTT continues to come out with great videos teaching us about nefarious methods an individual might use in the tech sector.
If education actually solved problems we wouldn't have them. The internet's been around for almost 3 decades but humanity is less educated than ever. They fall for the most obvious scams. Do you know how many times I have to tell my family not to do certain things on a computer/phone? They still don't understand not to immediately trust what they see. Pessimism is a better protection than trying to learn about all the different ways life can screw you over. Case in point, the guy who made this said there's many easier ways that are constantly being used. These methods are rare.
I thought about something like this the moment I started seeing "public use" cables/charging stations in airports, malls ect. and kept always bringing my own cable and brick. Friends and family said I was paranoid/crazy, to them I smugly tip my tin foil cap 😏
Oddly reminds me of the early days of free wifi access points at places like coffee shops etc and my warning to friends / family of how numerous the ways were that they can be malicious
I feel like these are probably similar to credit card skimmers. They are probably pretty abundant but the chances that we as an individual will encounter one are low.
Can I just say, what a market powermove to create and sell a very dangerous security device, and then also create and sell a way to detect and protect yourself from it
As Mike said, the average person and probably does not have to worry about an attack like this right now because it's too powerful. "You don't aim a cannon to kill a fly"
@@MK73DS Yeah I've noticed that too, they really do charge slowly. Unfortunately for me, I've had a lot of accounts hacked because I've had most of them since I was a kid and didn't take any cyber security stuff seriously. My twitter account was taken over and now advertises knock off facebook glasses. I actually got the real ones as a gift once because my parents just thought I really, really wanted them because the account was constantly DMing all of my relatives and everything and was posting about it constantly. In reality, I find them creepy AF, so I've never used them.
This is such a weak argument. It would make sense if the device was $10k or needed a team of elite experts to operate. That's not the case though. Instead, this argument sounds like, "Why do I need to use passwords? I'm not valuable enough to be attacked" When attacking is relatively cheap, then it doesn't matter
The way I see it, this was always a viable attack vector. If Mike didn't make his publicly available, someone else would be doing it in secret (and likely already has). If you don't know a threat is out there, you can't defend against it.
Except that he clearly doesn't care about the security aspect and he is creating THE NEED. He rationalizes heavily and his body language is visibly giddy about the potential chaos that he can sow by having a tool - that would normally cost substantially more and for good reason - much more accessible to the average populace who are willing to sacrifice their kidney for a goddamn $2000 GPU. For LTT to brush that aside while using it as an example was an "O_O are you serious?" moment. The irony of this is that he is apparently lackadaisical about it at home and was forced to create a counter-measure because his wife was getting tired of his bullshit. (Frankly, i'd just divorce the asshole.)
@@RoshiGaming No one. Well.. not that i've noticed anyway. I just know bad news when I see it and I haven't felt this uncomfortable watching an LTT video ..ever. So I responded to a comment that helped formulate what I was thinking.
@@gludlok747 you’re actually dumb. Nearly everyone who works in offensive security from pentesting to red teaming gets excited and giddy about new hacks and toys. Anyone else who is able to invent anything similar to that from Proxmark to the bash bunny has every right to be excited about what they achieved and it’s dumb to think that means anything about their attitude to security.
@@gludlok747 the counter messure may actualy be just as bad as the creation. hes just not going to tell you. and make you think you are safe. thats the level we are at here.
I liked the advert at the end, suggesting you can hide your cables away. After Linus had explained that cables that weren't easily visible would be easier to compromise :)
If I would live anywhere near I would definitely do this. On the other hand I hope dbrand will use one of those to prank Linus with their next "hacked" lineup
I assume there is a new focus on cybersecurity over at LTT after the recent hack... good to see more content making that world more accessible in a responsible way. I studied academic Philosophy and the depth of the conversations around the cybersecurity world about code, ethics, and best practices is in the company of the deepest conversations I've ever ran across. Maybe LTT should talk to Steve Gibson over at the Security Now podcast.
Great stuff! This type of attack has been possible for a while but to make it easier and streamlined hopefully will expedite countermeasures both in IT and personal awareness.
Yeah when we visited a cybersec company they handed us charging only cables, for free. We had a practical demo on the how and why, this video reminds me of that day.
Apple Employee after watching this: “I see…” (The employee goes to Apple’s R&D facility.) Apple Employee: “Yeah, uhh… guys? We may want to create a unique design for our cables and patent it.”
While every other big RUclipsrs are going to give its viewers same content at the same time, Linus always make a way for him by differentiating his content from others. Love you man!
the worst thing about this seems to be the fact that these cables are unmarked. amazon sellers could easily have some of these mixed in with a generic product
Ding, Ding, Ding. Shared product bins is already an issue beset with with counterfeit knockoffs. The fact this exists at all should be a crime, and if not the engineers responsible should be mandated to carry liability insurance to cover any damages resulting from their product being used by anyone that's not a white hat.
@@reahreic7698 i feel like you're reaching a bit. This thing is only effective if the person who wants to use it is able to get close to the person. So what are they going to mix it in with legit cables and pray they get it sent to the person they want to attack?
Given how little people seems to be security aware (for example i dumpster dive and I’ve seen a lot of people not even encrypting/wiping a drive), this might already be overkill enough
2:43 love how you used the payload skins from Team Fortress 2 to illustrate payloads :) if I'm correct about the origin of those carts, of course Edit: I would also recommend everyone to carry an extra USB cable that doesn't support data transfer in case of having to use a publicly accessible charging USB port. Might be a redundance but an extra USB cable doesn't weigh much and brings some extra safety when using public chargers
One of the few times that I am aware of a new product months before Linus publicly covers it. Was able to even hold one in my hands at my local Cybersecurity club.
I disagree. If someone benign can make it so can someone nefarious. If someone benign makes it and publishes the risks and all the tools it’s more likely to be helpful rather then hidden.
Mike's argument reminds me a lot of people talking about doing gain of function research on viruses. Yes, we know that viruses can be bad but countries arguing that they should be able do it for "defense" or a "just in case" misreads the problem. His work is going to hurt a lot of people and it has absolutely no benefit to anyone expect bad actors.
A couple of things that you could have brought up to help protect you against these is to not use computer profiles that have administrator access as you are default account. Yes it's more annoying to have to type in a username and password every time you want to change a particular setting or install a program but it's one more layer of security that malicious actors have to navigate past when the default user logged in is not an administrator.
Here's an example I had during my trainings. I proposed the students to only share files and documents with approved or known team members of a contractor. If they didn't trust it, they should get in contact with the contractor using a phone number known by our company. I got laughed at and they didn't think it was serious. Next, another speaker shared a security awareness of not clicking links in an email. People were like "yeah, that makes sense". I'm like, why don't you take my warning serious, but this one you do?
I think inventing stuff like this and then making it publicly available makes mark more of a good guy. He probably isn‘t the first person to invent stuff like this, but he‘s raising awareness. (So are you btw)
I’d be more interested in knowing how to take control of one of these sorts of cables should you find one. Would be fun to just get one for free and spoil an attack.
One of the OMG Programmers will let you completely reload the firmware and use it as your own. Also, the programmer can be used for doing full forensic dumps on OMG Cables, we actually have a forensic capture tool built into our python flasher.
Please add a digital output pin, a tiny compartment for my own stuff and a small ultra capacitor to the cable. Nothing like a good fire to destroy evidence. Metaphorically speaking.
Man, I think this could be a real threat on university campuses. Drop one of these in the library or computer lab. Heck, just plug it in to a computer and leave it. You'll have hundreds of passwords and log in info by the end of the week. Put one of the go betweens on a uni keyboard and people could do all kinds of damage.
It would be product suicide to put backdoors into something sold to the infosec community. They would find it pretty fast. Detector has been out for a couple years now.
@@carl7534 I mean, why would Microsoft put spyware in Windows? You paid lots of money for it. Shouldn't they be happy with the money they got? Same with every phone company. And every piece of "smart" tech.
THANK YOU someone else who is saying this. I;ve been replying to comments praiseing the dectoror for the last hour. Trying to drill it into peoples minds. Why would you trust this guy? He created this evil thing. Why do you people think the solution he sold is going to be a solotion? Think about it people. Now he has all your data access to your computer your network AND you have given him MORE money to "be safe" What if the detector itself is even WORSE?
Fun now I cant trust a random USB cable either, thank you for sharing now time to retrain the family to not to plug in any random device to their phone or PC.
@@wnsjimbo2863 cyber criminals target anyone cause you never know who has something of value. It may not be likely now, but I can totally see people selling cheaper versions of these online at some point in the future with malicious intents
@@SyntheticSpy This. Once scammers buy them by the millions they'll be in thousands of homes and have control over their computer, just sitting there waiting for someone to knock on their virtual door and it'll let them in.
As someone who lost 11 years of work, my entire company, and every account I had ever…to something very similar to this, this video is a stark reminder why I have repudiated all things tech and net. Thanks for reminding me as I recently started slipping back into the online world, mainly via RUclips. Logging off, deleting RUclips, definitely going to get a dumb phone. Thanks for the reminder.
You know what else is less than the price of an LTT Backpack? A FREE weekend of Crusader Kings 3 starting May 11th. Build your dynasty at: lmg.gg/CK3CS
“All for less than a backpack from Ltt store” that doesn’t really give you a good idea lol
nope
Nah
A while back I picked up a micro-usb charging cable in a parking lot before this really became a hot topic and considering my extensive amount of micro-usb cables I can't remember which one it is to get rid of it. Should I be worried? PS: This was like 4yrs ago
no
At this point im 99% convinced these security videos are the LTT equivalent of security awareness training after the hack.
To be fair he talks so much about computers, but very rarely talks about cyber security. I do cyber security on the side and people find it so scary how easy it is to hack anyone today. Security went the opposite, it never got better…it got way worse.
at least this doesnt have the soulless coporate jingle
It's shilling, these are all just thinly veiled advertisements for products
@@ticenits1926 can you shut up please? no one wanted your input.
@@ticenits1926 "shilling" he says. Yeah I love shilling for security knowledge. STAY SAFE GUYS, I'M BEING PAID TO TELL YOU IMPORTANT INFORMATION
As someone who works in a large company IT department. Mike has a good point, most cyber criminals don't need to go through that kind of hassle. Its staggering at the amount of people (who swear they didnt click anything) get their work computers infected that i have to pull, wipe, and re-image. Our company cyber security team also sends out test phishing emails randomly and it always catches people.
I find it very hard to get a work computer infected with anything, can't do shit anymore 😂
it's like stopping a boat made of Swiss cheese from sinking there will be always someone doing the wrong thing at the wrong time.
"I DIDN'T CLICK NOTHIN!!"
..."Sir, I am right here beside you. I just watched you click seven differnt things just because they had blinky pictures."
"I DIDN'T CLICK IT!"
..."Sir, I can -hear- your mouse clicking."
I know better and accidentally clicked a phishing link recently. Fortunately it only went to a fake login page and didn't download anything, but it was a pretty scary couple minutes.
I had a laptop that was in the middle of being reimaged and got infected 💀 Defender caught it but it was strange nonetheless. Mimikatz.
Mike created the perfect ecosystem.
1. Create the problem
2. Create the solution
3. Profit
Maybe he worked at apple?
The Hegelian dialectic
Maybe works for mossad 🤔exploding pagers
To be fair, flipper zero already looks like a happy meal toy.
When I first saw the Flipper Zero, I thought it was some sort of Tamagotchi and fidget toy combined....
Yeah, but considering that this cable is about $120 and the Flipper zero costs about $400, I'd say that already makes the flipper zero a no go for most nefarious actors.
To be faaaaiiirr.
@@cepheusclips you would be highly surprised.
Also built like one except for the internals lmao
I love that he had to create a device to detect his own cables.
Totally had to. And had to sell these for a lot of money
@@flameshana9 The high price keeps them out of the hands of many. Good thing.
@@wisteelathere is more truth to that than most people realize. I have several cables that were found in the wild. They are all… let’s just say very behind.
Create problem, sell solution :p
He made his own Kryptonite
Would be somewhat tempted to plant a cable that just opens notepad and warns against using random cables if not for the price.
That would be hilarious if you could catch someone's reactions
Plant a cable that opens a notepad to warn against random cables & in the background have their webcam open proceeding to download the short video file of them reading that; finally opening the video to themselves reading. This would be a SHOCKER and great content hahaha
@@_____alyptic Make the first line _"SAY CHEESE!"_ and make it take a picture with flash and shutter sound on and send you the picture 🤔😂
That's very reddit of you, have some gold stranger!
Security is one of the few fields where "spreading awareness" is actually a valid and worthwhile thing. These attacks exist whether we like it or not, so it is better to know about them so we can defend against them.
Its also a field that can't be measured you cannot tell how many attacks awareness prevents.
My work CONSTANTLY reiterates never using the same password for your personal accounts as for your work accounts, to never giving your work passwords to phishers, to never using your work email to sign up to shady sites. Yet employees continue to do it.
100%. The only real attacks are social engineering. Remote hacks and such are hollywood tropes.
@@AdhamOhmClearly not a problem with the “law” then.
Few? What fields are there where spreading awareness is bad?
As someone who recently sat awake all night, naked, trying to log someone else out of their RUclips account, I'm sure Linus loves that this tool exists.
🍓🍓🍓
Well done
I hope the being naked part was needed for logging out
I'm pretty sure that's the reason he's doing a video on hacking tools in the first place. Awareness of the threat is the first step to combating it.
I don't understand the point of these videos, who just picks up random ass cords or USB sticks and uses them? Even without these risks existing I wouldn't do that have common sense people
Can totally see in a few years amazon or ali express being full of cables like
this if these exploits aren’t taken care of. Maybe O.M.G is doing the right thing.
Unless Amazon cleans up their sloppy practices that's definitely going to happen. It probably is already happening.
Not just online shopping but I could see this getting planted in places like gas stations as well. Scary stuff.
By providing the threat? The link is in the description. The hypocrisy no one is seeing is astounding.
@@hollytaylor5327 better to make something like this, be open to everyone about how it works and let it be researched than for someone else to make this with terrible intentions and blindside tons of businesses
@@hollytaylor5327 They make these products for actual security testing purposes as they explained in the video. But yes by making them generally available you're putting the threat out into the real world which means companies are forced to take the threat seriously. Besides you can't just buy these and go on a crime spree, even buying these products absolutely puts you on a list.
Man, the ending about those getting cheaper, that gives the chills.
Love to see security content like this on the channel. It's way more important than people think it is.
Once one person does it, then the copycats will try cheaper versions, but perhaps not as full featured.
It's not viable for general attacks but perfectly viable for a targeted attack. If someone wants to harm you they will harm you, money is not a problem for those cases.
These devices pose zero threat in the real world. Don't buy into LTT's fear mongering. They are selling a product.
@@brianwest2775 Devices like this have been $10 for years, it's nothing special or new. They are useless in the real world.
@@chiranjeevsahoo4960 Targeted attacks need to be far more sophisticated for a remote attack. Anything worth while is going to need a physical compromise to be worth using a remote tool. Which is pretty much non-existent for years already.
2:43 I appriciate the editor using different TF2 payloads as a way to show it can carry multiple.
THE CART IS SUPPOSED TO GO *FORWARD!*
THE CART IS REACHING THE FINAL TERMINANCE!
GET TO THE CART MAGGOTS!!
Who's not pushing ze cart? I want the names!
THE LITTLE CART IS MOVING!
"We'd better off learn about now while it's expensive, then later when it's cheap and it's too late."
Well said, so well said
China has already reversed this from the day it came out, we'll see $10 versions in a few months.
lol, no. These sorts of tools can be made for $10. It's been cheap for years. It's not a real threat becasue these tools are not useful for actual targeted attacks.
@@theairaccumulator7144 It's been $10 for years already. Look at what Arduino offers, lol.
@@theairaccumulator7144 these Chinese stuff works but they usually don't come with comprehendible docs, so I guess we're fine for now
Mike creating a problem and also providing a solution is a genius way to sell stuff
doesnt get more textbook than that, well played to him
That's the governments way.
Still a pos
Technically it could be classified as racketeering, but there are some qualifiers for that.
Well, it's just a detector. Not a full blocker, so, no solution really lol
Could still just instantly execute scripts.
I feel like $100 per cable is already incredibly cheap for someone looking for a big payday by infiltrating some organization
Not only that, people backward engineer this stuff all the time, so I could see a slew of people making "copies" of this tech, and it not only being cheap but unknown because they will only use it for themselves
Yeah
not just for an organization, but for an average joe with a vendetta as well. It may be expensive for throwing it on the road or using it for general attacks like in a hotel. It's perfectly viable for a targeted attack. I can see a disgruntled ex slipping it in.
Sending an email costs 0$ though and is more likely to work, less likely to be traced back to you (if you know what your doing), and is likely to give you more access.
Walking out with a computer or hard drive costs 0$ and is more likely to work and much less skilled, and if you are vulnerable to physical attacks someone could pull it off.
Plugging in a normal keyboard costs 20$ and while there are some things you can't do with it, (remote connection) you could still do damage.
I love it when LTT covers these tools because they are fun to play with. But I am much more worried about phishing as an attack vector than physical attacks with tools like this. These tools are not going to shift how we defend networks because they are simply slightly flashier more advanced versions of existing threat vectors.
Yeah, but sending a couple hundred of phishing emails and text messages is cheaper, easier and safer for the attacker. (safer in terms of remaining anonymous).
You'll only get to the fancy stuff, like physically infiltrating the place and leaving a malicious cable lying around, once all of the boring and cheap stuff is exhausted.
The NSA apparently had these back in 2008 (according to the ANT catalog leaked in 2013). COTTONMOUTH-I was a device that could load malware and act as a wireless bridge (for subverting airgaps) while being disguised as a regular USB cable connector. The price for making these things must have a dropped a bit, since the listed unit price was 20 300 USD.
It's expected for intelligence agencies to have access to these and more. But for normal people to, this is gonna be interesting to watch unfold.
Generally, whenever consumers get access to cutting Edge technology, governments and militaries have likely had access to something with similar or Superior capability for at least 4 years. Whether or not they used it as a different question like for example, I don't think any military has been using folding screens because they're just way too fragile, but I suspect if for example, the US military had a use case they probably could have had them back in 2005
I almost worry that people are going to try and slip these into things like Ebay or Amazon listings or returns, they look good enough to be official and nobody would think twice about using the charging cable that came in the box with their new phone.
Yeah, but anyone trying to save money by buying a phone on ebay probably isn't rich enough to be a worthy target of such an attack. It would largely be a waste of the attackers time and money more often than not.
@@GeneralNickles I disagree. Scammers gonna scam.
You didnt check the price of the cable. Dont be stupid, no scammer will spray and pray with it.
@@Khronogi yeah, but scam what, though?
If they put ransomware on some random middle schmuck's computer, then said schmuck would probably just go get a new computer. Stealing banking credentials isn't gonna accomplish much, because they probably don't have much to steal in the first place.
It would almost always end up being a waste of time and money.
@@Khronogi It's $120 USD, no scammer is going to pay that much in the hopes that some random person will use it and have anything worth stealing. Scammers succeed by casting a wide net that doesn't cost them much if anything, like phishing emails, not by by spending over $100 per target.
I would much prefer someone selling it publicly versus them selling it privately.
The flipper and OMG cable is making it known that this could happen and we could learn to defend ourselves. Way better than not knowing till after the fact.
They are not a real threat regardless. Just pen testing toys for basic netsec education.
People who despise these devices existing don't understand how dangerous this kind of stuff is or physical security for that matter, there are attacks that have existed for over 70 years (and when I say have existed I mean there is absolutely no way the manufacturer did not know for that amount of time) that are still absolutely doable on relatively high-end locks today. The design flaws that allow these kinds of devices (mostly the flipper zero but the omg cable a little) will not be patched if there is not outrage at the design flaw
The name of the NSA implant this is inspired from is called COTTONMOUTH. A USB cable with wifi remote control in the type-A end. It was in the TAO catalog released in late 2013 iir.
WHAT this is awesome. thank you, non-descript commenter
And that’s why I always carry my own cables. If anything, this video couldn’t be timed better since I’m headed downtown for the day & had to pack some chargers.
Toileg
I like how you say"against"
@@danyal_assi Ratio
Wow with that price it may make him a lot of money
Why bother taking electronic devices with you? Go there without them, keep them at home. You'll be 100 times happier
Thank you for teaching us about things like this! I'm a computer salesman, and a lot of people come to me with cybersecurity and ask for my knowledge. So when it comes to things like these, you said it first, it's better know about it as early as possible to prevent people of having these encounters.
Have a nice day
Levy
couldnt agree more
People are dumb, it can't be fixed... I could grab a USB stick, load up an autorun attack tool on it, and almost everyone would pick it up off the street and plug it in. By making it throw a popup saying it's not compatible and to try another computer I could get them to infect everything they have access to. I'm in IT and security now, because I used to wear a different hat before and know how it's done, there is a near infinite mountain of attack vectors to use and the way to protect against them is isolation mostly.
I'm glad your covering this. I saw these and picked one up at DefCon last year and have been messing around with it, it's a GREAT Red Teaming tool, especially if it's more than just a single day op. You can either connect it yourself or leave/swap it on a desk when your doing a "scheduled unscheduled audit" or something similar. (I'm a professional pentester not just breaking into tech companies without permission)
15 years ago my brother warned me about this stuff.. Ever since i've never used public charging and only use my own brick and cable xD sometimes a brother with a tinfoil hat is a good thing. Miss him tho
its the worst part about being a cynic. You don't want to be right. But you know you are. Your brother sounds like a wise man. As someone with 3 younger brothers to protect (even if they don't realize they still need it) you have my respect from one brother to another.
@@Secret_Takodachi if his brother said that 15 years ago he isn't wise. Its probably the first thing that came true that he said.
@@jarryjackal3827 your comment is just as presumptuous as the one you’re criticising
I wonder how much data can be transferred when just charging? Android phones ask before data transfer over usb would that not prevent some of from accessing data?
@@jarryjackal3827 hacking has been around far longer than the early 2000s. Just cause a method is widespread enough to get onto LTT now doesn't make it new. Don't you remember those good ol days when they warned ya not to put strange CD's into your disk drive, or those sketchy floppies with some guys sick new beats from the subway?
Not sure if there is a phobia name for "fear of cables" but I'm sure we're gonna need one.
Its called Apple.
Though it could just be phobia of mini-jacks
Cablaphobia
Pronounced Kay-blah-phobia
I'm just glad I decided to keep those 2 boxes full of cables for the last 20 years of my life!
... who am I kidding, it's more like 4 crates.
@@MotoDash1100 I lol'd. Thank you.
@ChillingSpree give it two and it’ll be another gender lol
Please do more videos like this, so people can learn more about it.
It's misinformation based on a bad understanding of real world netsec, and shilling to sell a product. LTT are the last people to give out netsec advice.
In regards to juice-jacking, I miss the micro USB cables we had at Google, by default they were charging only and had a physical switch to enable the data lines of the cable if you needed to transfer data. Sadly they never made USB-C versions
There are type A charge only USB adapters. You could use one of those with a tape C to type A adapter. You’ll probably lose charging speed, but at least you can use it in an emergency.
It occurs to me that using USB for charging, data, and input is actually quite a security flaw. I know some large companies just disable USB drive support on all computers. Now I see why. Perhaps SD cards are actually safer, because they can only be storage.
@@andybrice2711 - It’s more serious than data. USB is a bus, just like the PC Express bus, which means that it can add devices to your PC.
@@sylviam6535 Having a single button is way more convenient than having to add / remove the "USB condom" (as some call it) each time you want to toggle data on or off. I miss those cables too!
@@florentcastelli - I am not sure that a physical switch would work on USB type C. They would probably need to insert a chip to deal with the additional complexity.
My biggest worry about these is how easy it is to inject fake or knock-off items into Amazon's listings or inventory. It's entirely plausible that an attacker could mock up a few of these to look like some reputable brand and then sell them on Amazon to unsuspecting people. I've gotten fake stuff from "Ships and Sold by Amazon" listings, so it's not just a matter of avoiding dodgy listings.
Too expensive to be worth it now? Probably. But that won't last long.
People are saying the chips only cost a dollar. So there's nothing to stop them from it.
allready made its way into best buy disgused as legit products. People buy a real one. replace it with this then return the product to the store.
@@flameshana9 Pretty sure its just an esp32 or something.
I expect that someone like Apple or Samsung don't make their own cables in house. If the company they buy these from wanted they could include cables like this with every smartphone these companies sell. Then wait until their cables are everywhere or until they are found out and then ransom every device.
@@Souchirouu Thank you for that idea…
This sounds like a stress test that went on at LMG where they planted a cable that got used and then there would've been a seminar around 'security in the workplace', followed by 'That would make a great video' 😂😂
Juicejacking makes sense considering the term juice is synonymous with power; leaving a "charger cable" at a diner would be a really effective means of attack especially if the victim believes that cable is the only means of keeping their device charged. Take a McDonalds near our location for example, they have only one seat adjacent to an outlet, if an inconspicuous cable is just sitting there and their phone is about to die chances are they aren't going to spend the time to dig around for their own cable (if they have one).
I never thought we'd need this, but here we are - I think "Plug and Play" in Windows needs to be updated to have some sort of hardware security or something, god knows how that could ever be figured out, goodluck Microsoft
Toilet
It’s not possible. A computer is useless without some way to interact with it. If a person can interact with it, then anything that emulates a person interacting with it can too.
The best that can be done is a cat and mouse game trying to detect exploits, etc. but that will never stop someone being able to go to a website and download software or run software written on the machine itself.
I mean, it would be nice to have the option. but on the other hand, these devices can mask themselves as pretty much any device out there. so even if windows gave you an alert or something that the device named "xx" was connected and you need to accept a prompt to continue, this could just name itself the same as the device and most people would not ever see anything wrong with that.
it would likely mean making billions of USB devices uselsess and obsolete since they dont have any way to verify themselves to the new security system
Devices could send an "evil bit" to the host to indicate they have malicious intent. Something similar has been proposed for internet packets on april 1st 2003.
One day we'll encrypt USB with keys that we upload to devices ourselves. Setting up a keyboard, mouse, USB stick, etc. will become crazy complicated just to keep bad guys out. And they'll still find a way.
"It makes flipper zero look like a happy meal toy"
For some reason I can't even explain why I laughed so hard there 😂
Lol me too
.... because the flipper zero DOES look like a happy meal toy? I don't think the cable has anything to do with that...
Flipper Zero does already look like a Happy Meal toy though. LOL
The video says uploaded 1 hour ago with your comment being made two hours ago 😅
@@WSAnderson Exactly LOL
Linus: I wouldn’t give this cable to my worst enemy
Also Linus: but whoever hacked us is an exception!
Linus: But I'll happily give it an incredible amount of free advertising!
@@KrillinInTheNameOf So you prefer to be NOT informed and caught in panic wave or be the victum when shit hits the fan?
@@alexturnbackthearmy1907 I'm not sure what this has to do with being opposed to him promoting actual products. He could warn people about the risks of these types of devices without showing every wannabe hacker exactly where to get a product like this.
@@KrillinInTheNameOf I mean I searched for "hacking USB cable" and got the OM.G and Ninja as the first results, with a public storefront, so I don't think that barrier to entry is really valid.
These devices being available to the public for purchase and using the defense of "It CAN be a learning tool. And. You're more likely to be hit by lightning." Are arguments I've heard in defense of many harmful and damaging products. I'm helping create and complicate the problem so I can educate you on the problem. Such a honorable cause
Juice jacking is an absolutely perfect hacking term in the classic style. Reminds me of phone phreaking
Wow.. "Best to learn about it now when it is expensive rather than later when it's cheap and too late" is probably the best line from an LTT video.. like ever!
No kidding. Even the ELITE version is ONLY $199.99, that's CHEAP for something with such nearly limitless functionality!
It still won't matter
New fear unlocked, thank you linus!!
I will be bringing both my own charging brick and cable everywhere going forward. The world is getting scary.
No I don't fucking care
Always has been
@@resneptacle yup nothings really changed just method
@@xwiick Yep. They've been warning about using public USB charging stations for almost as long as they've been a thing.
Android phones block data transfer until you explicitly allow it.
Unless you’re running Stone Age Androids, I don’t see an issue.
Always cool to see LTT do a more simplified overview of HAK5 tools. Might be cool to see a cybersec spinoff channel so a bigger channel like yours can help spread awareness.
Additionally, you should always close windows, because USB stick theoretically can be inserted by drone.
Another use case where this could be problematic is people getting these cables for their partners/friends/family members as a way to spy on them.
"Hey honey, have you seen my charging cable?"
"No. But you can use this extra one I have."
im gonna use thumbnail to soy on myself. Finally gonna know what the fuck i do all day
Generally if you're going to spy on your loved ones, you'd also have physical access to the devices they use too. Sneaking in a USB device into the back of their desktop or laptop is going to be easier and cheaper than ensuring they use your cable.
@@Programmdude yes but when it comes down in price it would be less phishy and a cheap way to get into the person phone which these devices target also
People have been hacking each other since people exist. Its even common to treat ideas and thoughts like this usb cable, like a threat. And sometimes they are. This tech is interesting, nonetheless.
Already exists. Use of a hardware keylogger on your partners PC to spy on them for abusive purposes has been a thing for years. Most people won't notice something in the back of their machine that wasn't there before.
Love the recent security focused videos. Please keep them coming.
I love that the creator had to make a malicious cable detector lol
0:46
"All for less than a price of a backpack"
A 250$ backpack!
A backpack that may or may not still have no warranty.
lifetime warranty?
This is just plain dangerous. Thanks techies for making my day less anxious and safer.
You're welcome. As consolation, you don't need to be afraid of hackers trying to compromise your systems until you have data worth stealing. Are your memories safe? I sell zero-day exploits on bug-bounty forums. Secure your bad ideas and protect the future of disinformation.
@@oldtools assuming you don’t have information worth stealing is this first mistake.
Do you have a social security number? Then you have information worth stealing. That number is worth a lot of money.
@@FilmFlam-8008there's also a factor of "have you made any severe enemies to go to these lengths".
@@chiranjeevsahoo4960 no.
I know people that have had their SS number or cards stolen with no enemies.
Those are worth thousands.
@@FilmFlam-8008 And are profitable even at this cost
mike's a legend, creates the best hacking cable and makes a profit from hackers and also creates a data warner and profits of people avoiding such hackers to hack them
Most things are less than the LTT backpack 😂
for real 😂
My thoughts exactly
another thing that's cheaper than that backpack...is this segue
Kriega R30: $275 USD and made from abrasion resistant textiles, has a fantastic system for distributing weight and staying on, as well as 30 liters of space and having a massive 100% Waterproof compartment.
Linus: how 'bout none of that BUT it's $25 USD less expensive.
It is a nuclear bomb
Toilet
Yes
Валидно
fish
Ka-boom!
I get that mike is on the up and up... but when they said he made a cable to detect malicious cables... I got some very "we created a disease to sell an antidote," vibes
I've said it before, I absolutely love the security videos.. please continue to make them.
They are more or less fearmongering misinformation. These tools are useless in real life and pose zero threat. They have been around for years for $1, and there have never been any recorded accounts of these attacks being used on anyone.
The Scary part would be when it gets cheap enough that an Amazon 3rd party starts selling these as regular usb cables.
😂
Based Paradox with a "keep it simple" ad. I appreciate that greatly. I am actually far more willing to play their games, now. I mean, I already was, but now I'm even more endeared to them.
I feel the argument that it is a warning is pretty weak when it's being sold...
If some random coder dude is releasing these at a reasonably accessible price, you can bet these have already been around for a while in a more secretive manner. Governments and other various agencies have likely been using these for years. At least now the public is aware that these are, in fact, a real tangible thing.
Pretty sure spy movies have been using these for the past half a century.
And the fact that the FBI is willing to _tell people this is a thing_ is a sign that to them, this method of exfiltrating data and hacking stuff is already *_obsolete_* by Three Letter Agency standards. Why spill the beans on a technique you're still actively using to spy on people?
Yeah in my eyes what this guy is doing is making this accessible to security researchers and pen testers so companies etc can figure out how to defend themselves from it, rather than really creating a new attack vector or anything of the sort
Yes this type of device has existed for many years, the company behind the usb rubber ducky has been around since 2005. Awareness is just bad, they've clearly made their point to the negligence of certain enforced security. In security, the biggest vulnerability to anything is physical access, with the right tools you can obtain anything. This is not just technology of course. Honest attackers are creative and sneaky who can be reasonably discouraged. Attackers with sledge hammers also exist.
Keep your important belongings safe!
The name of the NSA implant this is inspired from is called COTTONMOUTH. It was in the TAO catalog released in late 2013 iir.
Thanks for the video as a wake up call. I knew that plugging in any usb device or flash drives found on the street would be a dumb thing to do. But I had no idea until now, that even just a cable can be malicious. They always seemed really benign to me.
As much as I hate hearing what people are creating for less than honorable purposes, I do appreciate video's like this to inform the general public.
I really wonder why someone would create something like this
the fact that such a device is readily available is a good thing Linus . if it were some type of obscure tool that's only available through underground connections then only a select few would know of its existence thus making it a bigger threat the fact that it is readily available means that people like you will make videos about it the more people who know of its existence means more people know what to watch out for
To be safe on public charging-stations, you could also just use power-only cables. Those don't have any Data-lines.
USB-C cables all have data lines, they're what allow rapid charging.
I feel like the quote, "Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should." best applies to this cable.
This cable should be a crime
@@joshbittner ethen hackers that need one will just make their own, You ren't solving the problem
The problem with that saying is (skipping the whole scientists vs engineers, the tech isnt new the application is) not that this is a unique tool developed by some masterminds. It's common tech thats been packaged and branded for the consumers. CIA had this tech 10 years ago and so did probably other state funded organizations as well. It's only a matter of time before you can buy it from aliexpress for a dollar. Creating this product and bringing this design flaw in USB to the light of mass audiences does more good than harm to the world collectively.
No, what applies better is “security through obscurity is no security at all”. OMG didn’t create this attack vector, he made it accessible to everyone and raised awareness that this exists. Now more people will be on guard, look at this and work on mitigating this.
@@ForeverHobbit "not solving the problem" is not an invitation to make that problem even worse.
8:50 " sif someone can walk in and take something, they can walk in and plant something" LTT's security are clear at risk seeing how much get taken from the office😂
Tools like these help testing your security for sure.
The problem is, if there is actually a bad person who really needs to go these routes, there is also probably enough criminal energy to build it yourself.
Its better to have the tools to protect yourself against it, than to wait for someone who WILL make their own.
But yes, most ways into a security system are wayyyyy easier and the weakest link in the chain will always be humans
Although I find this technology somewhat frightening. I am much more concerned with the fact that I never knew it existed to this point. The best way to protect yourself is to become educated on the topic. That is why I hope LTT continues to come out with great videos teaching us about nefarious methods an individual might use in the tech sector.
If education actually solved problems we wouldn't have them. The internet's been around for almost 3 decades but humanity is less educated than ever. They fall for the most obvious scams. Do you know how many times I have to tell my family not to do certain things on a computer/phone? They still don't understand not to immediately trust what they see.
Pessimism is a better protection than trying to learn about all the different ways life can screw you over. Case in point, the guy who made this said there's many easier ways that are constantly being used. These methods are rare.
you can't protect yourself. its out there
@@housemouseshorts Living the rest of my days out in the woods becomes a more enticing option with every passing day.
I thought about something like this the moment I started seeing "public use" cables/charging stations in airports, malls ect. and kept always bringing my own cable and brick. Friends and family said I was paranoid/crazy, to them I smugly tip my tin foil cap 😏
Oddly reminds me of the early days of free wifi access points at places like coffee shops etc and my warning to friends / family of how numerous the ways were that they can be malicious
Wait til they start replacing the power plugs then you screwed
I feel like these are probably similar to credit card skimmers. They are probably pretty abundant but the chances that we as an individual will encounter one are low.
@@mikemcmike6427 hence the adapters for power only that block the data channels on the cords
The odds of someone using this on random nobodies at the airport is REALLY low.
Can I just say, what a market powermove to create and sell a very dangerous security device, and then also create and sell a way to detect and protect yourself from it
As Mike said, the average person and probably does not have to worry about an attack like this right now because it's too powerful.
"You don't aim a cannon to kill a fly"
But when you are mass producing the cannon ball anyway, you may as well have a go...
These are not powerful. You can't do much with them. They are only useful if you know a lot about your target and want to get data on their computer
I dunno, I mean I think a fly is kind of a bad example though. You've heard the lengths people will go to kill a spider right?
@@MK73DS Yeah I've noticed that too, they really do charge slowly. Unfortunately for me, I've had a lot of accounts hacked because I've had most of them since I was a kid and didn't take any cyber security stuff seriously. My twitter account was taken over and now advertises knock off facebook glasses. I actually got the real ones as a gift once because my parents just thought I really, really wanted them because the account was constantly DMing all of my relatives and everything and was posting about it constantly. In reality, I find them creepy AF, so I've never used them.
This is such a weak argument. It would make sense if the device was $10k or needed a team of elite experts to operate. That's not the case though. Instead, this argument sounds like, "Why do I need to use passwords? I'm not valuable enough to be attacked"
When attacking is relatively cheap, then it doesn't matter
The way I see it, this was always a viable attack vector. If Mike didn't make his publicly available, someone else would be doing it in secret (and likely already has). If you don't know a threat is out there, you can't defend against it.
Except that he clearly doesn't care about the security aspect and he is creating THE NEED. He rationalizes heavily and his body language is visibly giddy about the potential chaos that he can sow by having a tool - that would normally cost substantially more and for good reason - much more accessible to the average populace who are willing to sacrifice their kidney for a goddamn $2000 GPU. For LTT to brush that aside while using it as an example was an "O_O are you serious?" moment.
The irony of this is that he is apparently lackadaisical about it at home and was forced to create a counter-measure because his wife was getting tired of his bullshit. (Frankly, i'd just divorce the asshole.)
@@gludlok747 who pissed in your cheerios?
@@RoshiGaming No one. Well.. not that i've noticed anyway. I just know bad news when I see it and I haven't felt this uncomfortable watching an LTT video ..ever. So I responded to a comment that helped formulate what I was thinking.
@@gludlok747 you’re actually dumb. Nearly everyone who works in offensive security from pentesting to red teaming gets excited and giddy about new hacks and toys. Anyone else who is able to invent anything similar to that from Proxmark to the bash bunny has every right to be excited about what they achieved and it’s dumb to think that means anything about their attitude to security.
@@gludlok747 the counter messure may actualy be just as bad as the creation. hes just not going to tell you. and make you think you are safe. thats the level we are at here.
I liked the advert at the end, suggesting you can hide your cables away. After Linus had explained that cables that weren't easily visible would be easier to compromise :)
I can't wait to hear about the next LTT hack because someone watched this and thought "what if".
If I would live anywhere near I would definitely do this.
On the other hand I hope dbrand will use one of those to prank Linus with their next "hacked" lineup
I assume there is a new focus on cybersecurity over at LTT after the recent hack... good to see more content making that world more accessible in a responsible way. I studied academic Philosophy and the depth of the conversations around the cybersecurity world about code, ethics, and best practices is in the company of the deepest conversations I've ever ran across. Maybe LTT should talk to Steve Gibson over at the Security Now podcast.
"Get a data blocker."
And then these things start being made to imitate the look of popular data blockers, if they haven't already.
Great stuff! This type of attack has been possible for a while but to make it easier and streamlined hopefully will expedite countermeasures both in IT and personal awareness.
Toilet
It seems to me the proliferation of devices like this is going to, at some point, spur a harsher (possibly) international regulatory response.
Yeah when we visited a cybersec company they handed us charging only cables, for free. We had a practical demo on the how and why, this video reminds me of that day.
Why? Because you got that omg cable for free - and didn't even notice?
Apple Employee after watching this: “I see…”
(The employee goes to Apple’s R&D facility.)
Apple Employee: “Yeah, uhh… guys? We may want to create a unique design for our cables and patent it.”
While every other big RUclipsrs are going to give its viewers same content at the same time, Linus always make a way for him by differentiating his content from others. Love you man!
the worst thing about this seems to be the fact that these cables are unmarked. amazon sellers could easily have some of these mixed in with a generic product
Ding, Ding, Ding. Shared product bins is already an issue beset with with counterfeit knockoffs. The fact this exists at all should be a crime, and if not the engineers responsible should be mandated to carry liability insurance to cover any damages resulting from their product being used by anyone that's not a white hat.
Or someone could buy legit cable, replace it with one of those, and return it. Scarry but possible...
@@reahreic7698 i feel like you're reaching a bit. This thing is only effective if the person who wants to use it is able to get close to the person. So what are they going to mix it in with legit cables and pray they get it sent to the person they want to attack?
@@altokers that and the cost would be astronomical
Dont buy stuff from amazon
"Hey man can I borrow your charger?"
Then just give them back your involuntary backup cable.
Given how little people seems to be security aware (for example i dumpster dive and I’ve seen a lot of people not even encrypting/wiping a drive), this might already be overkill enough
2:43 love how you used the payload skins from Team Fortress 2 to illustrate payloads :) if I'm correct about the origin of those carts, of course
Edit: I would also recommend everyone to carry an extra USB cable that doesn't support data transfer in case of having to use a publicly accessible charging USB port. Might be a redundance but an extra USB cable doesn't weigh much and brings some extra safety when using public chargers
Yup those are the TF2 payloads used in game.
No data transfer might mean less support for fast charging protocols, but... I guess that's a small price to pay for added safety from attackers.
@@fairyball3929 Most public charger i've used havent had fast charging anyways. You aren't losing out on much
@@Xachremos Oh yeah, I forgo that lots of public usb chargers built into outlet plates max out the voltage a 5V and current at 3-4 A.
the rubber ducky, omg cable, and flipper are amazing items. they are really cool
One of the few times that I am aware of a new product months before Linus publicly covers it. Was able to even hold one in my hands at my local Cybersecurity club.
The saying
"You were so preoccupied with whether or not you could you didn't stop to think if you should"
fits this perfectly.
I disagree. If someone benign can make it so can someone nefarious. If someone benign makes it and publishes the risks and all the tools it’s more likely to be helpful rather then hidden.
A N I M E
N
I
M
E
You should. Because across the globe random Joe is doing same thing right now. And only god know who would be first.
Mike's argument reminds me a lot of people talking about doing gain of function research on viruses. Yes, we know that viruses can be bad but countries arguing that they should be able do it for "defense" or a "just in case" misreads the problem. His work is going to hurt a lot of people and it has absolutely no benefit to anyone expect bad actors.
I would totally use this on my worst enemy.
Toinut
Go ahead & do it then
Show them you are the good/bad guy lol
@@danyal_assi hope you get banned
du hast ein z bei satzzeichen vergessen ;)
I would on my best friend
A couple of things that you could have brought up to help protect you against these is to not use computer profiles that have administrator access as you are default account. Yes it's more annoying to have to type in a username and password every time you want to change a particular setting or install a program but it's one more layer of security that malicious actors have to navigate past when the default user logged in is not an administrator.
Expect they showed in the video that's a (somewhat) trival thing to bypass esp with keylogger capabilities.
Here's an example I had during my trainings. I proposed the students to only share files and documents with approved or known team members of a contractor. If they didn't trust it, they should get in contact with the contractor using a phone number known by our company. I got laughed at and they didn't think it was serious. Next, another speaker shared a security awareness of not clicking links in an email. People were like "yeah, that makes sense". I'm like, why don't you take my warning serious, but this one you do?
Hak5 always comes out with some wild stuff.
Toilet
Criminal activity
@@joshbittner it’s a tool just like a car, hammer, gun, etc.
@@spencer5051 I wouldn't exactly call a gun a tool.
@@cameron7374 its a self defense tool in some cases
I think inventing stuff like this and then making it publicly available makes mark more of a good guy. He probably isn‘t the first person to invent stuff like this, but he‘s raising awareness. (So are you btw)
0:40 you made it sound like we shouldn't buy your backpack as it's more expensive than this state of the art hacking tool lol
I’d be more interested in knowing how to take control of one of these sorts of cables should you find one. Would be fun to just get one for free and spoil an attack.
One of the OMG Programmers will let you completely reload the firmware and use it as your own. Also, the programmer can be used for doing full forensic dumps on OMG Cables, we actually have a forensic capture tool built into our python flasher.
Please add a digital output pin, a tiny compartment for my own stuff and a small ultra capacitor to the cable. Nothing like a good fire to destroy evidence. Metaphorically speaking.
Man, I think this could be a real threat on university campuses. Drop one of these in the library or computer lab. Heck, just plug it in to a computer and leave it. You'll have hundreds of passwords and log in info by the end of the week. Put one of the go betweens on a uni keyboard and people could do all kinds of damage.
The Malicious Cable Detector should have a "Destroyer" companion. I wonder how that cable would handle 30V 🤔
Use this USB malicious cable detector that definitely isn't compromised we promise.
It would be product suicide to put backdoors into something sold to the infosec community. They would find it pretty fast. Detector has been out for a couple years now.
i mean, why would it? he is not selling malware, he is selling tools.
@@carl7534 I mean, why would Microsoft put spyware in Windows? You paid lots of money for it. Shouldn't they be happy with the money they got?
Same with every phone company. And every piece of "smart" tech.
THANK YOU someone else who is saying this. I;ve been replying to comments praiseing the dectoror for the last hour. Trying to drill it into peoples minds. Why would you trust this guy? He created this evil thing. Why do you people think the solution he sold is going to be a solotion? Think about it people. Now he has all your data access to your computer your network AND you have given him MORE money to "be safe" What if the detector itself is even WORSE?
@@carl7534 Why would he not? Now you have given him your money TWICE. and he has acsess to your data
Love network security content definitely want more of this kind of content!!
Guy is a smart businessman. Create a malicous product and sell it. Also sell a device that can detect the malicous attack
People called us paranoid when we rolled out centralized authentication of USB devices in our company 😂
Fun now I cant trust a random USB cable either, thank you for sharing now time to retrain the family to not to plug in any random device to their phone or PC.
its not actually a thread today
Dude your family is no-one
Cybercryminals wont try this to your family
@@MR3 The fuck does that even mean?
@@wnsjimbo2863 cyber criminals target anyone cause you never know who has something of value. It may not be likely now, but I can totally see people selling cheaper versions of these online at some point in the future with malicious intents
@@SyntheticSpy This. Once scammers buy them by the millions they'll be in thousands of homes and have control over their computer, just sitting there waiting for someone to knock on their virtual door and it'll let them in.
As someone who lost 11 years of work, my entire company, and every account I had ever…to something very similar to this, this video is a stark reminder why I have repudiated all things tech and net. Thanks for reminding me as I recently started slipping back into the online world, mainly via RUclips. Logging off, deleting RUclips, definitely going to get a dumb phone. Thanks for the reminder.
I can definitely believe that something attached to a length of cable can be an antenna.
The antenna is built right onto the little circuit board. The main chip is the ESP8266 from expressive, they are about $1 to buy..
Interesting, thanks!
Has no one seen those usb WiFi cards? They're just a quarter inch piece of plastic attached to a USB plug.
It's genious! Make a product that makes everyone scared, then make a product they can buy to detect it so they don't have to be so scared!
I knew about most of this but the take away at the end (better to learn about it now, than too late) makes this video a goodie.