You know what else is less than the price of an LTT Backpack? A FREE weekend of Crusader Kings 3 starting May 11th. Build your dynasty at: lmg.gg/CK3CS
A while back I picked up a micro-usb charging cable in a parking lot before this really became a hot topic and considering my extensive amount of micro-usb cables I can't remember which one it is to get rid of it. Should I be worried? PS: This was like 4yrs ago
Yeah, but considering that this cable is about $120 and the Flipper zero costs about $400, I'd say that already makes the flipper zero a no go for most nefarious actors.
To be fair he talks so much about computers, but very rarely talks about cyber security. I do cyber security on the side and people find it so scary how easy it is to hack anyone today. Security went the opposite, it never got better…it got way worse.
As someone who recently sat awake all night, naked, trying to log someone else out of their RUclips account, I'm sure Linus loves that this tool exists.
I don't understand the point of these videos, who just picks up random ass cords or USB sticks and uses them? Even without these risks existing I wouldn't do that have common sense people
@@wisteelathere is more truth to that than most people realize. I have several cables that were found in the wild. They are all… let’s just say very behind.
Plant a cable that opens a notepad to warn against random cables & in the background have their webcam open proceeding to download the short video file of them reading that; finally opening the video to themselves reading. This would be a SHOCKER and great content hahaha
As someone who works in a large company IT department. Mike has a good point, most cyber criminals don't need to go through that kind of hassle. Its staggering at the amount of people (who swear they didnt click anything) get their work computers infected that i have to pull, wipe, and re-image. Our company cyber security team also sends out test phishing emails randomly and it always catches people.
"I DIDN'T CLICK NOTHIN!!" ..."Sir, I am right here beside you. I just watched you click seven differnt things just because they had blinky pictures." "I DIDN'T CLICK IT!" ..."Sir, I can -hear- your mouse clicking."
I know better and accidentally clicked a phishing link recently. Fortunately it only went to a fake login page and didn't download anything, but it was a pretty scary couple minutes.
Not only that, people backward engineer this stuff all the time, so I could see a slew of people making "copies" of this tech, and it not only being cheap but unknown because they will only use it for themselves
not just for an organization, but for an average joe with a vendetta as well. It may be expensive for throwing it on the road or using it for general attacks like in a hotel. It's perfectly viable for a targeted attack. I can see a disgruntled ex slipping it in.
Sending an email costs 0$ though and is more likely to work, less likely to be traced back to you (if you know what your doing), and is likely to give you more access. Walking out with a computer or hard drive costs 0$ and is more likely to work and much less skilled, and if you are vulnerable to physical attacks someone could pull it off. Plugging in a normal keyboard costs 20$ and while there are some things you can't do with it, (remote connection) you could still do damage. I love it when LTT covers these tools because they are fun to play with. But I am much more worried about phishing as an attack vector than physical attacks with tools like this. These tools are not going to shift how we defend networks because they are simply slightly flashier more advanced versions of existing threat vectors.
Yeah, but sending a couple hundred of phishing emails and text messages is cheaper, easier and safer for the attacker. (safer in terms of remaining anonymous). You'll only get to the fancy stuff, like physically infiltrating the place and leaving a malicious cable lying around, once all of the boring and cheap stuff is exhausted.
Can totally see in a few years amazon or ali express being full of cables like this if these exploits aren’t taken care of. Maybe O.M.G is doing the right thing.
@@hollytaylor5327 better to make something like this, be open to everyone about how it works and let it be researched than for someone else to make this with terrible intentions and blindside tons of businesses
@@hollytaylor5327 They make these products for actual security testing purposes as they explained in the video. But yes by making them generally available you're putting the threat out into the real world which means companies are forced to take the threat seriously. Besides you can't just buy these and go on a crime spree, even buying these products absolutely puts you on a list.
lol, no. These sorts of tools can be made for $10. It's been cheap for years. It's not a real threat becasue these tools are not useful for actual targeted attacks.
Security is one of the few fields where "spreading awareness" is actually a valid and worthwhile thing. These attacks exist whether we like it or not, so it is better to know about them so we can defend against them.
My work CONSTANTLY reiterates never using the same password for your personal accounts as for your work accounts, to never giving your work passwords to phishers, to never using your work email to sign up to shady sites. Yet employees continue to do it.
15 years ago my brother warned me about this stuff.. Ever since i've never used public charging and only use my own brick and cable xD sometimes a brother with a tinfoil hat is a good thing. Miss him tho
its the worst part about being a cynic. You don't want to be right. But you know you are. Your brother sounds like a wise man. As someone with 3 younger brothers to protect (even if they don't realize they still need it) you have my respect from one brother to another.
I wonder how much data can be transferred when just charging? Android phones ask before data transfer over usb would that not prevent some of from accessing data?
@@jarryjackal3827 hacking has been around far longer than the early 2000s. Just cause a method is widespread enough to get onto LTT now doesn't make it new. Don't you remember those good ol days when they warned ya not to put strange CD's into your disk drive, or those sketchy floppies with some guys sick new beats from the subway?
The NSA apparently had these back in 2008 (according to the ANT catalog leaked in 2013). COTTONMOUTH-I was a device that could load malware and act as a wireless bridge (for subverting airgaps) while being disguised as a regular USB cable connector. The price for making these things must have a dropped a bit, since the listed unit price was 20 300 USD.
Generally, whenever consumers get access to cutting Edge technology, governments and militaries have likely had access to something with similar or Superior capability for at least 4 years. Whether or not they used it as a different question like for example, I don't think any military has been using folding screens because they're just way too fragile, but I suspect if for example, the US military had a use case they probably could have had them back in 2005
My biggest worry about these is how easy it is to inject fake or knock-off items into Amazon's listings or inventory. It's entirely plausible that an attacker could mock up a few of these to look like some reputable brand and then sell them on Amazon to unsuspecting people. I've gotten fake stuff from "Ships and Sold by Amazon" listings, so it's not just a matter of avoiding dodgy listings. Too expensive to be worth it now? Probably. But that won't last long.
I expect that someone like Apple or Samsung don't make their own cables in house. If the company they buy these from wanted they could include cables like this with every smartphone these companies sell. Then wait until their cables are everywhere or until they are found out and then ransom every device.
One day we'll encrypt USB with keys that we upload to devices ourselves. Setting up a keyboard, mouse, USB stick, etc. will become crazy complicated just to keep bad guys out. And they'll still find a way.
I almost worry that people are going to try and slip these into things like Ebay or Amazon listings or returns, they look good enough to be official and nobody would think twice about using the charging cable that came in the box with their new phone.
Yeah, but anyone trying to save money by buying a phone on ebay probably isn't rich enough to be a worthy target of such an attack. It would largely be a waste of the attackers time and money more often than not.
@@Khronogi yeah, but scam what, though? If they put ransomware on some random middle schmuck's computer, then said schmuck would probably just go get a new computer. Stealing banking credentials isn't gonna accomplish much, because they probably don't have much to steal in the first place. It would almost always end up being a waste of time and money.
@@Khronogi It's $120 USD, no scammer is going to pay that much in the hopes that some random person will use it and have anything worth stealing. Scammers succeed by casting a wide net that doesn't cost them much if anything, like phishing emails, not by by spending over $100 per target.
And that’s why I always carry my own cables. If anything, this video couldn’t be timed better since I’m headed downtown for the day & had to pack some chargers.
The name of the NSA implant this is inspired from is called COTTONMOUTH. A USB cable with wifi remote control in the type-A end. It was in the TAO catalog released in late 2013 iir.
@@alexturnbackthearmy1907 I'm not sure what this has to do with being opposed to him promoting actual products. He could warn people about the risks of these types of devices without showing every wannabe hacker exactly where to get a product like this.
@@KrillinInTheNameOf I mean I searched for "hacking USB cable" and got the OM.G and Ninja as the first results, with a public storefront, so I don't think that barrier to entry is really valid.
This sounds like a stress test that went on at LMG where they planted a cable that got used and then there would've been a seminar around 'security in the workplace', followed by 'That would make a great video' 😂😂
I never thought we'd need this, but here we are - I think "Plug and Play" in Windows needs to be updated to have some sort of hardware security or something, god knows how that could ever be figured out, goodluck Microsoft
It’s not possible. A computer is useless without some way to interact with it. If a person can interact with it, then anything that emulates a person interacting with it can too. The best that can be done is a cat and mouse game trying to detect exploits, etc. but that will never stop someone being able to go to a website and download software or run software written on the machine itself.
I mean, it would be nice to have the option. but on the other hand, these devices can mask themselves as pretty much any device out there. so even if windows gave you an alert or something that the device named "xx" was connected and you need to accept a prompt to continue, this could just name itself the same as the device and most people would not ever see anything wrong with that.
Devices could send an "evil bit" to the host to indicate they have malicious intent. Something similar has been proposed for internet packets on april 1st 2003.
I would much prefer someone selling it publicly versus them selling it privately. The flipper and OMG cable is making it known that this could happen and we could learn to defend ourselves. Way better than not knowing till after the fact.
People who despise these devices existing don't understand how dangerous this kind of stuff is or physical security for that matter, there are attacks that have existed for over 70 years (and when I say have existed I mean there is absolutely no way the manufacturer did not know for that amount of time) that are still absolutely doable on relatively high-end locks today. The design flaws that allow these kinds of devices (mostly the flipper zero but the omg cable a little) will not be patched if there is not outrage at the design flaw
Kriega R30: $275 USD and made from abrasion resistant textiles, has a fantastic system for distributing weight and staying on, as well as 30 liters of space and having a massive 100% Waterproof compartment. Linus: how 'bout none of that BUT it's $25 USD less expensive.
Thank you for teaching us about things like this! I'm a computer salesman, and a lot of people come to me with cybersecurity and ask for my knowledge. So when it comes to things like these, you said it first, it's better know about it as early as possible to prevent people of having these encounters. Have a nice day Levy
People are dumb, it can't be fixed... I could grab a USB stick, load up an autorun attack tool on it, and almost everyone would pick it up off the street and plug it in. By making it throw a popup saying it's not compatible and to try another computer I could get them to infect everything they have access to. I'm in IT and security now, because I used to wear a different hat before and know how it's done, there is a near infinite mountain of attack vectors to use and the way to protect against them is isolation mostly.
It's misinformation based on a bad understanding of real world netsec, and shilling to sell a product. LTT are the last people to give out netsec advice.
Man, the ending about those getting cheaper, that gives the chills. Love to see security content like this on the channel. It's way more important than people think it is.
It's not viable for general attacks but perfectly viable for a targeted attack. If someone wants to harm you they will harm you, money is not a problem for those cases.
@@chiranjeevsahoo4960 Targeted attacks need to be far more sophisticated for a remote attack. Anything worth while is going to need a physical compromise to be worth using a remote tool. Which is pretty much non-existent for years already.
Our company's IT group does bi-annual "USB thumb drive left in the parking lot" tests and our staff has failed for the last 5 years LMAO this cable is definitely the least of their problems.
sounds like your company is a PRIME cable target. People still plugging in random USBs is a "HUGE STUPIDITY HOLE" If they're that vulnerable to USB infiltrations I'd honestly feel very confident that if I dropped a little over a grand on ten of these in your company parking lot I could make 100x time my money back through a combination of personal blackmail & company hacks. but hey im just a ten year old kid or a 40 yo virgin trying to sound mean and scary right? yeah probably i mean... more than likely? or maybe.... lol this sh*t isn't hard or expensive (relatively) its just obscure. Once you understand the principles the primary limits are your own creativity and ethical standards.
@@Jake420 Why spend $100+ on an attack cable when the company can be infiltrated with some $5 USB sticks, is the point I think they were trying to make :P
I worked for a chemical company on a project and all of the production control machines were air gapped, used PS2 keyboard and mouse and had all of their USB ports stuffed with hot glue. Transferring data to those machines was done with special "data caddies" which were basically USB drives with a non-standard connector.
So, where do you work? Kidding. Saw a man in the street thing where they offered people candy for their workstation password. So many just handed it over no probs.
I thought about something like this the moment I started seeing "public use" cables/charging stations in airports, malls ect. and kept always bringing my own cable and brick. Friends and family said I was paranoid/crazy, to them I smugly tip my tin foil cap 😏
Oddly reminds me of the early days of free wifi access points at places like coffee shops etc and my warning to friends / family of how numerous the ways were that they can be malicious
I feel like these are probably similar to credit card skimmers. They are probably pretty abundant but the chances that we as an individual will encounter one are low.
If some random coder dude is releasing these at a reasonably accessible price, you can bet these have already been around for a while in a more secretive manner. Governments and other various agencies have likely been using these for years. At least now the public is aware that these are, in fact, a real tangible thing.
And the fact that the FBI is willing to _tell people this is a thing_ is a sign that to them, this method of exfiltrating data and hacking stuff is already *_obsolete_* by Three Letter Agency standards. Why spill the beans on a technique you're still actively using to spy on people?
Год назад+25
Yeah in my eyes what this guy is doing is making this accessible to security researchers and pen testers so companies etc can figure out how to defend themselves from it, rather than really creating a new attack vector or anything of the sort
Yes this type of device has existed for many years, the company behind the usb rubber ducky has been around since 2005. Awareness is just bad, they've clearly made their point to the negligence of certain enforced security. In security, the biggest vulnerability to anything is physical access, with the right tools you can obtain anything. This is not just technology of course. Honest attackers are creative and sneaky who can be reasonably discouraged. Attackers with sledge hammers also exist. Keep your important belongings safe!
In regards to juice-jacking, I miss the micro USB cables we had at Google, by default they were charging only and had a physical switch to enable the data lines of the cable if you needed to transfer data. Sadly they never made USB-C versions
There are type A charge only USB adapters. You could use one of those with a tape C to type A adapter. You’ll probably lose charging speed, but at least you can use it in an emergency.
It occurs to me that using USB for charging, data, and input is actually quite a security flaw. I know some large companies just disable USB drive support on all computers. Now I see why. Perhaps SD cards are actually safer, because they can only be storage.
@@sylviam6535 Having a single button is way more convenient than having to add / remove the "USB condom" (as some call it) each time you want to toggle data on or off. I miss those cables too!
@@florentcastelli - I am not sure that a physical switch would work on USB type C. They would probably need to insert a chip to deal with the additional complexity.
Another use case where this could be problematic is people getting these cables for their partners/friends/family members as a way to spy on them. "Hey honey, have you seen my charging cable?" "No. But you can use this extra one I have."
Generally if you're going to spy on your loved ones, you'd also have physical access to the devices they use too. Sneaking in a USB device into the back of their desktop or laptop is going to be easier and cheaper than ensuring they use your cable.
@@Programmdude yes but when it comes down in price it would be less phishy and a cheap way to get into the person phone which these devices target also
People have been hacking each other since people exist. Its even common to treat ideas and thoughts like this usb cable, like a threat. And sometimes they are. This tech is interesting, nonetheless.
Already exists. Use of a hardware keylogger on your partners PC to spy on them for abusive purposes has been a thing for years. Most people won't notice something in the back of their machine that wasn't there before.
I get that mike is on the up and up... but when they said he made a cable to detect malicious cables... I got some very "we created a disease to sell an antidote," vibes
Like, I can appreciate him making it as “showing everybody what’s possible” sort of scenario. But why is he mass-producing it and selling it? That seems like a step too far. Because people besides just those who would need this to research security can get their hands on them
If I would live anywhere near I would definitely do this. On the other hand I hope dbrand will use one of those to prank Linus with their next "hacked" lineup
Wow.. "Best to learn about it now when it is expensive rather than later when it's cheap and too late" is probably the best line from an LTT video.. like ever!
11:21 So buying a similar-looking cable from London Drugs, swapping them, then returning for it to be placed back onto the shelf as open product, or dropping the cables off to a thrift store, or even hanging them yourself, are not realistic scenarios today? $119 is a lot, but as with playing the lottery, you only need 1 win to become rich.
Juicejacking makes sense considering the term juice is synonymous with power; leaving a "charger cable" at a diner would be a really effective means of attack especially if the victim believes that cable is the only means of keeping their device charged. Take a McDonalds near our location for example, they have only one seat adjacent to an outlet, if an inconspicuous cable is just sitting there and their phone is about to die chances are they aren't going to spend the time to dig around for their own cable (if they have one).
Always cool to see LTT do a more simplified overview of HAK5 tools. Might be cool to see a cybersec spinoff channel so a bigger channel like yours can help spread awareness.
You're welcome. As consolation, you don't need to be afraid of hackers trying to compromise your systems until you have data worth stealing. Are your memories safe? I sell zero-day exploits on bug-bounty forums. Secure your bad ideas and protect the future of disinformation.
@@oldtools6089 assuming you don’t have information worth stealing is this first mistake. Do you have a social security number? Then you have information worth stealing. That number is worth a lot of money.
The only cables or usb devices that ever get plugged into my machines are ones I have bought by going to a physical shop and grabbing one off the rack. So, unless I get super unlucky or someone reeeeeaaaaaalllllyyyy wants to steal the £3.50 in my bank account and goes to some extreme lengths, I think I'm safe from these badboys.
Does that data blocker only block data on the side it plugs into? Seems like the phone plugged into the other side would need a data blocker of it's own.
the worst thing about this seems to be the fact that these cables are unmarked. amazon sellers could easily have some of these mixed in with a generic product
Ding, Ding, Ding. Shared product bins is already an issue beset with with counterfeit knockoffs. The fact this exists at all should be a crime, and if not the engineers responsible should be mandated to carry liability insurance to cover any damages resulting from their product being used by anyone that's not a white hat.
@@reahreic7698 i feel like you're reaching a bit. This thing is only effective if the person who wants to use it is able to get close to the person. So what are they going to mix it in with legit cables and pray they get it sent to the person they want to attack?
They are more or less fearmongering misinformation. These tools are useless in real life and pose zero threat. They have been around for years for $1, and there have never been any recorded accounts of these attacks being used on anyone.
I feel like the quote, "Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should." best applies to this cable.
The problem with that saying is (skipping the whole scientists vs engineers, the tech isnt new the application is) not that this is a unique tool developed by some masterminds. It's common tech thats been packaged and branded for the consumers. CIA had this tech 10 years ago and so did probably other state funded organizations as well. It's only a matter of time before you can buy it from aliexpress for a dollar. Creating this product and bringing this design flaw in USB to the light of mass audiences does more good than harm to the world collectively.
No, what applies better is “security through obscurity is no security at all”. OMG didn’t create this attack vector, he made it accessible to everyone and raised awareness that this exists. Now more people will be on guard, look at this and work on mitigating this.
The way I see it, this was always a viable attack vector. If Mike didn't make his publicly available, someone else would be doing it in secret (and likely already has). If you don't know a threat is out there, you can't defend against it.
Except that he clearly doesn't care about the security aspect and he is creating THE NEED. He rationalizes heavily and his body language is visibly giddy about the potential chaos that he can sow by having a tool - that would normally cost substantially more and for good reason - much more accessible to the average populace who are willing to sacrifice their kidney for a goddamn $2000 GPU. For LTT to brush that aside while using it as an example was an "O_O are you serious?" moment. The irony of this is that he is apparently lackadaisical about it at home and was forced to create a counter-measure because his wife was getting tired of his bullshit. (Frankly, i'd just divorce the asshole.)
@@RoshiGaming No one. Well.. not that i've noticed anyway. I just know bad news when I see it and I haven't felt this uncomfortable watching an LTT video ..ever. So I responded to a comment that helped formulate what I was thinking.
@@gludlok747 you’re actually dumb. Nearly everyone who works in offensive security from pentesting to red teaming gets excited and giddy about new hacks and toys. Anyone else who is able to invent anything similar to that from Proxmark to the bash bunny has every right to be excited about what they achieved and it’s dumb to think that means anything about their attitude to security.
@@gludlok747 the counter messure may actualy be just as bad as the creation. hes just not going to tell you. and make you think you are safe. thats the level we are at here.
I've known about Hak.5 for longer than I've known about LTT lol. I love their stuff and those they associate with like omg and rf1. But there is one thing I didn't consider until watching this video... the Linux-based OS called Qubes OS (you should do a video on that btw if you haven't already lol) can be set up to have all USB devices connected to a dedicated, untrusted Qube, and if you want to use something like an external keyboard/mouse, you need to first pass the USB device thru from the USB Qube to the target Qube. I wonder if that would be enough to catch a bad device like a rubber ducky or omg cable before you can pass it thru to another Qube. Might be worth a video to test all these things on Qubes lol.
@@Ck87JF that... is a really good question lol. I honestly don't know. I've only ever used it on a laptop, and I think that's what it's mainly used for. My guess would be if you use it on a desktop, you'd have at least a generic USB to PS/2 adapter.
@@little-wytch Even with a laptop, I'm pretty sure the built-in keyboard & touchpad are seen as USB devices, so maybe there's some kind of thing that says "this specific device with this identifier was here at install time, so we trust it" while any additional HIDs have to be configured. Which if your internal device breaks ... :P
As Mike said, the average person and probably does not have to worry about an attack like this right now because it's too powerful. "You don't aim a cannon to kill a fly"
@@MK73DS Yeah I've noticed that too, they really do charge slowly. Unfortunately for me, I've had a lot of accounts hacked because I've had most of them since I was a kid and didn't take any cyber security stuff seriously. My twitter account was taken over and now advertises knock off facebook glasses. I actually got the real ones as a gift once because my parents just thought I really, really wanted them because the account was constantly DMing all of my relatives and everything and was posting about it constantly. In reality, I find them creepy AF, so I've never used them.
This is such a weak argument. It would make sense if the device was $10k or needed a team of elite experts to operate. That's not the case though. Instead, this argument sounds like, "Why do I need to use passwords? I'm not valuable enough to be attacked" When attacking is relatively cheap, then it doesn't matter
Although I find this technology somewhat frightening. I am much more concerned with the fact that I never knew it existed to this point. The best way to protect yourself is to become educated on the topic. That is why I hope LTT continues to come out with great videos teaching us about nefarious methods an individual might use in the tech sector.
If education actually solved problems we wouldn't have them. The internet's been around for almost 3 decades but humanity is less educated than ever. They fall for the most obvious scams. Do you know how many times I have to tell my family not to do certain things on a computer/phone? They still don't understand not to immediately trust what they see. Pessimism is a better protection than trying to learn about all the different ways life can screw you over. Case in point, the guy who made this said there's many easier ways that are constantly being used. These methods are rare.
I'm glad your covering this. I saw these and picked one up at DefCon last year and have been messing around with it, it's a GREAT Red Teaming tool, especially if it's more than just a single day op. You can either connect it yourself or leave/swap it on a desk when your doing a "scheduled unscheduled audit" or something similar. (I'm a professional pentester not just breaking into tech companies without permission)
Fun now I cant trust a random USB cable either, thank you for sharing now time to retrain the family to not to plug in any random device to their phone or PC.
@@wnsjimbo2863 cyber criminals target anyone cause you never know who has something of value. It may not be likely now, but I can totally see people selling cheaper versions of these online at some point in the future with malicious intents
@@SyntheticSpy This. Once scammers buy them by the millions they'll be in thousands of homes and have control over their computer, just sitting there waiting for someone to knock on their virtual door and it'll let them in.
I’d be more interested in knowing how to take control of one of these sorts of cables should you find one. Would be fun to just get one for free and spoil an attack.
One of the OMG Programmers will let you completely reload the firmware and use it as your own. Also, the programmer can be used for doing full forensic dumps on OMG Cables, we actually have a forensic capture tool built into our python flasher.
Please add a digital output pin, a tiny compartment for my own stuff and a small ultra capacitor to the cable. Nothing like a good fire to destroy evidence. Metaphorically speaking.
It would be product suicide to put backdoors into something sold to the infosec community. They would find it pretty fast. Detector has been out for a couple years now.
@@carl7534 I mean, why would Microsoft put spyware in Windows? You paid lots of money for it. Shouldn't they be happy with the money they got? Same with every phone company. And every piece of "smart" tech.
THANK YOU someone else who is saying this. I;ve been replying to comments praiseing the dectoror for the last hour. Trying to drill it into peoples minds. Why would you trust this guy? He created this evil thing. Why do you people think the solution he sold is going to be a solotion? Think about it people. Now he has all your data access to your computer your network AND you have given him MORE money to "be safe" What if the detector itself is even WORSE?
Yes, if you modify it's firmware or constantly run code on your phone which acts as a vpn and reroutes data to the cable, but then you would have very shity bandwidth because this thing doesn't have any processing power. You could instead just turn on hot spot. Your smartphone is a portable router
8:50 " sif someone can walk in and take something, they can walk in and plant something" LTT's security are clear at risk seeing how much get taken from the office😂
Given how little people seems to be security aware (for example i dumpster dive and I’ve seen a lot of people not even encrypting/wiping a drive), this might already be overkill enough
I assume there is a new focus on cybersecurity over at LTT after the recent hack... good to see more content making that world more accessible in a responsible way. I studied academic Philosophy and the depth of the conversations around the cybersecurity world about code, ethics, and best practices is in the company of the deepest conversations I've ever ran across. Maybe LTT should talk to Steve Gibson over at the Security Now podcast.
2:43 love how you used the payload skins from Team Fortress 2 to illustrate payloads :) if I'm correct about the origin of those carts, of course Edit: I would also recommend everyone to carry an extra USB cable that doesn't support data transfer in case of having to use a publicly accessible charging USB port. Might be a redundance but an extra USB cable doesn't weigh much and brings some extra safety when using public chargers
Here's an example I had during my trainings. I proposed the students to only share files and documents with approved or known team members of a contractor. If they didn't trust it, they should get in contact with the contractor using a phone number known by our company. I got laughed at and they didn't think it was serious. Next, another speaker shared a security awareness of not clicking links in an email. People were like "yeah, that makes sense". I'm like, why don't you take my warning serious, but this one you do?
I've been wanting one of these since they first hit the market. Same goes for the USB rubber ducky and the WiFi pineapple. I'm too afraid of getting myself into major trouble with it though. lol Besides I wouldn't want to cause real problems for anyone.
Yeah when we visited a cybersec company they handed us charging only cables, for free. We had a practical demo on the how and why, this video reminds me of that day.
Man, I think this could be a real threat on university campuses. Drop one of these in the library or computer lab. Heck, just plug it in to a computer and leave it. You'll have hundreds of passwords and log in info by the end of the week. Put one of the go betweens on a uni keyboard and people could do all kinds of damage.
Things like the Flipper Zero, and Rubber Ducky to an extent, are great tools that can be used for a bunch of legitimate purposes (or at least, depending on the stuff that's loaded on it, stuff that doesn't cause permanent damage), however stuff like this and "USB killers" have no reason to exist other than as purely malicious tools. I certainly wouldn't plug in some random flash drive or cable that I'd find on the street, but who's to say some kid won't innocently plug one in and do untold damage to their own, their parents' or their school's PCs? They don't know any better.
What I find interesting is the argument - it's too expensive for a general person to meet it. Is he like never met a bored rich kid? The only question is if they have the skills to do some actual damage. And since it can be used as an overpriced keylogger... dunno, may be enough to log into a teacher's account or something. I like this as a teaching tool, but saying the price is deterrent is weird.
These OMG cables aren't unique. The point they make is, this way you can legally see how these work and how to protect against them. Also this will force companies to improve protection of their devices.
@@SanderEvers Proactive is not a word you often use for humanity. More like "Wait until it happens to millions of people, then make news and clickbait videos about it, then nag the government, then wait a year until they do something."
@@SanderEvers What I am afraid of is one thing - once these become widespread, the companies will instead all branch out into their own proprietary standards in a panicked attempt to fix the issue. And instead of one universal standard for plugging in peripherals, we will have a dozen.
I don't get why there isn't an option to enable a "Activating keyboard/mouse in 5 seconds" popup so if you clearly aren't plugging in a keyboard or mouse in your pc, you can remove it. Thogh it should only be on the os-level (Obviously it should always be enabled pre-boot for changing bios settings etc)
That would seem like an incredibly easy fix, wouldn't it! Just pop up a warning whenever someone plugs in a new HID device of any kind. I'm surprised it's not already standard, this has been a known attack vector for years now.
While every other big RUclipsrs are going to give its viewers same content at the same time, Linus always make a way for him by differentiating his content from others. Love you man!
A couple of things that you could have brought up to help protect you against these is to not use computer profiles that have administrator access as you are default account. Yes it's more annoying to have to type in a username and password every time you want to change a particular setting or install a program but it's one more layer of security that malicious actors have to navigate past when the default user logged in is not an administrator.
Is there any possible use for this kind of device for a normal person? it seems very strange to me that something that looks like it might be exclusively used for malware and hacking could be sold and advertised so publically! Is there some other 'purpose' that the average man or a tech business could use something like this technology for?
Great stuff! This type of attack has been possible for a while but to make it easier and streamlined hopefully will expedite countermeasures both in IT and personal awareness.
As an excellent comic pointed out, the real way bad actors get your passwords isn't hacking the mainframe and breaking the 2048-bit encryption blah blah blah, it's more like they phone you and say "hey this is Bob the password inspector" and bada-bing bada-boom
One of the few times that I am aware of a new product months before Linus publicly covers it. Was able to even hold one in my hands at my local Cybersecurity club.
You know what else is less than the price of an LTT Backpack? A FREE weekend of Crusader Kings 3 starting May 11th. Build your dynasty at: lmg.gg/CK3CS
“All for less than a backpack from Ltt store” that doesn’t really give you a good idea lol
nope
Nah
A while back I picked up a micro-usb charging cable in a parking lot before this really became a hot topic and considering my extensive amount of micro-usb cables I can't remember which one it is to get rid of it. Should I be worried? PS: This was like 4yrs ago
no
To be fair, flipper zero already looks like a happy meal toy.
When I first saw the Flipper Zero, I thought it was some sort of Tamagotchi and fidget toy combined....
Yeah, but considering that this cable is about $120 and the Flipper zero costs about $400, I'd say that already makes the flipper zero a no go for most nefarious actors.
To be faaaaiiirr.
@@cepheusclips you would be highly surprised.
Also built like one except for the internals lmao
At this point im 99% convinced these security videos are the LTT equivalent of security awareness training after the hack.
To be fair he talks so much about computers, but very rarely talks about cyber security. I do cyber security on the side and people find it so scary how easy it is to hack anyone today. Security went the opposite, it never got better…it got way worse.
at least this doesnt have the soulless coporate jingle
It's shilling, these are all just thinly veiled advertisements for products
@@ticenits1926 can you shut up please? no one wanted your input.
@@ticenits1926 "shilling" he says. Yeah I love shilling for security knowledge. STAY SAFE GUYS, I'M BEING PAID TO TELL YOU IMPORTANT INFORMATION
Mike created the perfect ecosystem.
1. Create the problem
2. Create the solution
3. Profit
Maybe he worked at apple?
The Hegelian dialectic
Maybe works for mossad 🤔exploding pagers
As someone who recently sat awake all night, naked, trying to log someone else out of their RUclips account, I'm sure Linus loves that this tool exists.
🍓🍓🍓
Well done
I hope the being naked part was needed for logging out
I'm pretty sure that's the reason he's doing a video on hacking tools in the first place. Awareness of the threat is the first step to combating it.
I don't understand the point of these videos, who just picks up random ass cords or USB sticks and uses them? Even without these risks existing I wouldn't do that have common sense people
I love that he had to create a device to detect his own cables.
Totally had to. And had to sell these for a lot of money
@@flameshana9 The high price keeps them out of the hands of many. Good thing.
@@wisteelathere is more truth to that than most people realize. I have several cables that were found in the wild. They are all… let’s just say very behind.
Create problem, sell solution :p
He made his own Kryptonite
Would be somewhat tempted to plant a cable that just opens notepad and warns against using random cables if not for the price.
That would be hilarious if you could catch someone's reactions
Plant a cable that opens a notepad to warn against random cables & in the background have their webcam open proceeding to download the short video file of them reading that; finally opening the video to themselves reading. This would be a SHOCKER and great content hahaha
@@_____alyptic Make the first line _"SAY CHEESE!"_ and make it take a picture with flash and shutter sound on and send you the picture 🤔😂
That's very reddit of you, have some gold stranger!
As someone who works in a large company IT department. Mike has a good point, most cyber criminals don't need to go through that kind of hassle. Its staggering at the amount of people (who swear they didnt click anything) get their work computers infected that i have to pull, wipe, and re-image. Our company cyber security team also sends out test phishing emails randomly and it always catches people.
I find it very hard to get a work computer infected with anything, can't do shit anymore 😂
it's like stopping a boat made of Swiss cheese from sinking there will be always someone doing the wrong thing at the wrong time.
"I DIDN'T CLICK NOTHIN!!"
..."Sir, I am right here beside you. I just watched you click seven differnt things just because they had blinky pictures."
"I DIDN'T CLICK IT!"
..."Sir, I can -hear- your mouse clicking."
I know better and accidentally clicked a phishing link recently. Fortunately it only went to a fake login page and didn't download anything, but it was a pretty scary couple minutes.
I had a laptop that was in the middle of being reimaged and got infected 💀 Defender caught it but it was strange nonetheless. Mimikatz.
I feel like $100 per cable is already incredibly cheap for someone looking for a big payday by infiltrating some organization
Not only that, people backward engineer this stuff all the time, so I could see a slew of people making "copies" of this tech, and it not only being cheap but unknown because they will only use it for themselves
Yeah
not just for an organization, but for an average joe with a vendetta as well. It may be expensive for throwing it on the road or using it for general attacks like in a hotel. It's perfectly viable for a targeted attack. I can see a disgruntled ex slipping it in.
Sending an email costs 0$ though and is more likely to work, less likely to be traced back to you (if you know what your doing), and is likely to give you more access.
Walking out with a computer or hard drive costs 0$ and is more likely to work and much less skilled, and if you are vulnerable to physical attacks someone could pull it off.
Plugging in a normal keyboard costs 20$ and while there are some things you can't do with it, (remote connection) you could still do damage.
I love it when LTT covers these tools because they are fun to play with. But I am much more worried about phishing as an attack vector than physical attacks with tools like this. These tools are not going to shift how we defend networks because they are simply slightly flashier more advanced versions of existing threat vectors.
Yeah, but sending a couple hundred of phishing emails and text messages is cheaper, easier and safer for the attacker. (safer in terms of remaining anonymous).
You'll only get to the fancy stuff, like physically infiltrating the place and leaving a malicious cable lying around, once all of the boring and cheap stuff is exhausted.
Can totally see in a few years amazon or ali express being full of cables like
this if these exploits aren’t taken care of. Maybe O.M.G is doing the right thing.
Unless Amazon cleans up their sloppy practices that's definitely going to happen. It probably is already happening.
Not just online shopping but I could see this getting planted in places like gas stations as well. Scary stuff.
By providing the threat? The link is in the description. The hypocrisy no one is seeing is astounding.
@@hollytaylor5327 better to make something like this, be open to everyone about how it works and let it be researched than for someone else to make this with terrible intentions and blindside tons of businesses
@@hollytaylor5327 They make these products for actual security testing purposes as they explained in the video. But yes by making them generally available you're putting the threat out into the real world which means companies are forced to take the threat seriously. Besides you can't just buy these and go on a crime spree, even buying these products absolutely puts you on a list.
It is a nuclear bomb
Toilet
Yes
Валидно
fish
Ka-boom!
"We'd better off learn about now while it's expensive, then later when it's cheap and it's too late."
Well said, so well said
China has already reversed this from the day it came out, we'll see $10 versions in a few months.
lol, no. These sorts of tools can be made for $10. It's been cheap for years. It's not a real threat becasue these tools are not useful for actual targeted attacks.
@@theairaccumulator7144 It's been $10 for years already. Look at what Arduino offers, lol.
@@theairaccumulator7144 these Chinese stuff works but they usually don't come with comprehendible docs, so I guess we're fine for now
Security is one of the few fields where "spreading awareness" is actually a valid and worthwhile thing. These attacks exist whether we like it or not, so it is better to know about them so we can defend against them.
Its also a field that can't be measured you cannot tell how many attacks awareness prevents.
My work CONSTANTLY reiterates never using the same password for your personal accounts as for your work accounts, to never giving your work passwords to phishers, to never using your work email to sign up to shady sites. Yet employees continue to do it.
100%. The only real attacks are social engineering. Remote hacks and such are hollywood tropes.
@@AdhamOhmClearly not a problem with the “law” then.
Few? What fields are there where spreading awareness is bad?
15 years ago my brother warned me about this stuff.. Ever since i've never used public charging and only use my own brick and cable xD sometimes a brother with a tinfoil hat is a good thing. Miss him tho
its the worst part about being a cynic. You don't want to be right. But you know you are. Your brother sounds like a wise man. As someone with 3 younger brothers to protect (even if they don't realize they still need it) you have my respect from one brother to another.
@@Secret_Takodachi if his brother said that 15 years ago he isn't wise. Its probably the first thing that came true that he said.
@@jarryjackal3827 your comment is just as presumptuous as the one you’re criticising
I wonder how much data can be transferred when just charging? Android phones ask before data transfer over usb would that not prevent some of from accessing data?
@@jarryjackal3827 hacking has been around far longer than the early 2000s. Just cause a method is widespread enough to get onto LTT now doesn't make it new. Don't you remember those good ol days when they warned ya not to put strange CD's into your disk drive, or those sketchy floppies with some guys sick new beats from the subway?
The NSA apparently had these back in 2008 (according to the ANT catalog leaked in 2013). COTTONMOUTH-I was a device that could load malware and act as a wireless bridge (for subverting airgaps) while being disguised as a regular USB cable connector. The price for making these things must have a dropped a bit, since the listed unit price was 20 300 USD.
It's expected for intelligence agencies to have access to these and more. But for normal people to, this is gonna be interesting to watch unfold.
Generally, whenever consumers get access to cutting Edge technology, governments and militaries have likely had access to something with similar or Superior capability for at least 4 years. Whether or not they used it as a different question like for example, I don't think any military has been using folding screens because they're just way too fragile, but I suspect if for example, the US military had a use case they probably could have had them back in 2005
2:43 I appriciate the editor using different TF2 payloads as a way to show it can carry multiple.
THE CART IS SUPPOSED TO GO *FORWARD!*
THE CART IS REACHING THE FINAL TERMINANCE!
GET TO THE CART MAGGOTS!!
Who's not pushing ze cart? I want the names!
THE LITTLE CART IS MOVING!
Mike creating a problem and also providing a solution is a genius way to sell stuff
doesnt get more textbook than that, well played to him
That's the governments way.
Still a pos
Technically it could be classified as racketeering, but there are some qualifiers for that.
Well, it's just a detector. Not a full blocker, so, no solution really lol
Could still just instantly execute scripts.
My biggest worry about these is how easy it is to inject fake or knock-off items into Amazon's listings or inventory. It's entirely plausible that an attacker could mock up a few of these to look like some reputable brand and then sell them on Amazon to unsuspecting people. I've gotten fake stuff from "Ships and Sold by Amazon" listings, so it's not just a matter of avoiding dodgy listings.
Too expensive to be worth it now? Probably. But that won't last long.
People are saying the chips only cost a dollar. So there's nothing to stop them from it.
allready made its way into best buy disgused as legit products. People buy a real one. replace it with this then return the product to the store.
@@flameshana9 Pretty sure its just an esp32 or something.
I expect that someone like Apple or Samsung don't make their own cables in house. If the company they buy these from wanted they could include cables like this with every smartphone these companies sell. Then wait until their cables are everywhere or until they are found out and then ransom every device.
@@Souchirouu Thank you for that idea…
Not sure if there is a phobia name for "fear of cables" but I'm sure we're gonna need one.
Its called Apple.
Though it could just be phobia of mini-jacks
Cablaphobia
Pronounced Kay-blah-phobia
I'm just glad I decided to keep those 2 boxes full of cables for the last 20 years of my life!
... who am I kidding, it's more like 4 crates.
@@MotoDash1100 I lol'd. Thank you.
@ChillingSpree give it two and it’ll be another gender lol
One day we'll encrypt USB with keys that we upload to devices ourselves. Setting up a keyboard, mouse, USB stick, etc. will become crazy complicated just to keep bad guys out. And they'll still find a way.
I almost worry that people are going to try and slip these into things like Ebay or Amazon listings or returns, they look good enough to be official and nobody would think twice about using the charging cable that came in the box with their new phone.
Yeah, but anyone trying to save money by buying a phone on ebay probably isn't rich enough to be a worthy target of such an attack. It would largely be a waste of the attackers time and money more often than not.
@@GeneralNickles I disagree. Scammers gonna scam.
You didnt check the price of the cable. Dont be stupid, no scammer will spray and pray with it.
@@Khronogi yeah, but scam what, though?
If they put ransomware on some random middle schmuck's computer, then said schmuck would probably just go get a new computer. Stealing banking credentials isn't gonna accomplish much, because they probably don't have much to steal in the first place.
It would almost always end up being a waste of time and money.
@@Khronogi It's $120 USD, no scammer is going to pay that much in the hopes that some random person will use it and have anything worth stealing. Scammers succeed by casting a wide net that doesn't cost them much if anything, like phishing emails, not by by spending over $100 per target.
And that’s why I always carry my own cables. If anything, this video couldn’t be timed better since I’m headed downtown for the day & had to pack some chargers.
Toileg
I like how you say"against"
@@danyal_assi Ratio
Wow with that price it may make him a lot of money
Why bother taking electronic devices with you? Go there without them, keep them at home. You'll be 100 times happier
The name of the NSA implant this is inspired from is called COTTONMOUTH. A USB cable with wifi remote control in the type-A end. It was in the TAO catalog released in late 2013 iir.
WHAT this is awesome. thank you, non-descript commenter
Linus: I wouldn’t give this cable to my worst enemy
Also Linus: but whoever hacked us is an exception!
Linus: But I'll happily give it an incredible amount of free advertising!
@@KrillinInTheNameOf So you prefer to be NOT informed and caught in panic wave or be the victum when shit hits the fan?
@@alexturnbackthearmy1907 I'm not sure what this has to do with being opposed to him promoting actual products. He could warn people about the risks of these types of devices without showing every wannabe hacker exactly where to get a product like this.
@@KrillinInTheNameOf I mean I searched for "hacking USB cable" and got the OM.G and Ninja as the first results, with a public storefront, so I don't think that barrier to entry is really valid.
"It makes flipper zero look like a happy meal toy"
For some reason I can't even explain why I laughed so hard there 😂
Lol me too
.... because the flipper zero DOES look like a happy meal toy? I don't think the cable has anything to do with that...
Flipper Zero does already look like a Happy Meal toy though. LOL
The video says uploaded 1 hour ago with your comment being made two hours ago 😅
@@WSAnderson Exactly LOL
This sounds like a stress test that went on at LMG where they planted a cable that got used and then there would've been a seminar around 'security in the workplace', followed by 'That would make a great video' 😂😂
I never thought we'd need this, but here we are - I think "Plug and Play" in Windows needs to be updated to have some sort of hardware security or something, god knows how that could ever be figured out, goodluck Microsoft
Toilet
It’s not possible. A computer is useless without some way to interact with it. If a person can interact with it, then anything that emulates a person interacting with it can too.
The best that can be done is a cat and mouse game trying to detect exploits, etc. but that will never stop someone being able to go to a website and download software or run software written on the machine itself.
I mean, it would be nice to have the option. but on the other hand, these devices can mask themselves as pretty much any device out there. so even if windows gave you an alert or something that the device named "xx" was connected and you need to accept a prompt to continue, this could just name itself the same as the device and most people would not ever see anything wrong with that.
it would likely mean making billions of USB devices uselsess and obsolete since they dont have any way to verify themselves to the new security system
Devices could send an "evil bit" to the host to indicate they have malicious intent. Something similar has been proposed for internet packets on april 1st 2003.
I would much prefer someone selling it publicly versus them selling it privately.
The flipper and OMG cable is making it known that this could happen and we could learn to defend ourselves. Way better than not knowing till after the fact.
They are not a real threat regardless. Just pen testing toys for basic netsec education.
Realistically nobody is going to go through that much effort for a normal persons info, this would be much more useful to use against companies
People who despise these devices existing don't understand how dangerous this kind of stuff is or physical security for that matter, there are attacks that have existed for over 70 years (and when I say have existed I mean there is absolutely no way the manufacturer did not know for that amount of time) that are still absolutely doable on relatively high-end locks today. The design flaws that allow these kinds of devices (mostly the flipper zero but the omg cable a little) will not be patched if there is not outrage at the design flaw
What happened to the Google pixel stream???
Most things are less than the LTT backpack 😂
for real 😂
My thoughts exactly
another thing that's cheaper than that backpack...is this segue
Kriega R30: $275 USD and made from abrasion resistant textiles, has a fantastic system for distributing weight and staying on, as well as 30 liters of space and having a massive 100% Waterproof compartment.
Linus: how 'bout none of that BUT it's $25 USD less expensive.
Thank you for teaching us about things like this! I'm a computer salesman, and a lot of people come to me with cybersecurity and ask for my knowledge. So when it comes to things like these, you said it first, it's better know about it as early as possible to prevent people of having these encounters.
Have a nice day
Levy
couldnt agree more
People are dumb, it can't be fixed... I could grab a USB stick, load up an autorun attack tool on it, and almost everyone would pick it up off the street and plug it in. By making it throw a popup saying it's not compatible and to try another computer I could get them to infect everything they have access to. I'm in IT and security now, because I used to wear a different hat before and know how it's done, there is a near infinite mountain of attack vectors to use and the way to protect against them is isolation mostly.
Please do more videos like this, so people can learn more about it.
It's misinformation based on a bad understanding of real world netsec, and shilling to sell a product. LTT are the last people to give out netsec advice.
Man, the ending about those getting cheaper, that gives the chills.
Love to see security content like this on the channel. It's way more important than people think it is.
Once one person does it, then the copycats will try cheaper versions, but perhaps not as full featured.
It's not viable for general attacks but perfectly viable for a targeted attack. If someone wants to harm you they will harm you, money is not a problem for those cases.
These devices pose zero threat in the real world. Don't buy into LTT's fear mongering. They are selling a product.
@@brianwest2775 Devices like this have been $10 for years, it's nothing special or new. They are useless in the real world.
@@chiranjeevsahoo4960 Targeted attacks need to be far more sophisticated for a remote attack. Anything worth while is going to need a physical compromise to be worth using a remote tool. Which is pretty much non-existent for years already.
Our company's IT group does bi-annual "USB thumb drive left in the parking lot" tests and our staff has failed for the last 5 years LMAO this cable is definitely the least of their problems.
sounds like your company is a PRIME cable target. People still plugging in random USBs is a "HUGE STUPIDITY HOLE"
If they're that vulnerable to USB infiltrations I'd honestly feel very confident that if I dropped a little over a grand on ten of these in your company parking lot I could make 100x time my money back through a combination of personal blackmail & company hacks. but hey im just a ten year old kid or a 40 yo virgin trying to sound mean and scary right? yeah probably i mean... more than likely? or maybe.... lol this sh*t isn't hard or expensive (relatively) its just obscure. Once you understand the principles the primary limits are your own creativity and ethical standards.
@@Jake420 Why spend $100+ on an attack cable when the company can be infiltrated with some $5 USB sticks, is the point I think they were trying to make :P
I worked for a chemical company on a project and all of the production control machines were air gapped, used PS2 keyboard and mouse and had all of their USB ports stuffed with hot glue.
Transferring data to those machines was done with special "data caddies" which were basically USB drives with a non-standard connector.
if they start writing people up and cutting pay and benefits every time they fail the test they will gain IQ points real quick
So, where do you work?
Kidding. Saw a man in the street thing where they offered people candy for their workstation password. So many just handed it over no probs.
I will be bringing both my own charging brick and cable everywhere going forward. The world is getting scary.
No I don't fucking care
Always has been
@@resneptacle yup nothings really changed just method
@@xwiick Yep. They've been warning about using public USB charging stations for almost as long as they've been a thing.
Android phones block data transfer until you explicitly allow it.
Unless you’re running Stone Age Androids, I don’t see an issue.
New fear unlocked, thank you linus!!
0:42 you charge $250 for a fucking backpack?
That's waaaay too overpriced.
I thought about something like this the moment I started seeing "public use" cables/charging stations in airports, malls ect. and kept always bringing my own cable and brick. Friends and family said I was paranoid/crazy, to them I smugly tip my tin foil cap 😏
Oddly reminds me of the early days of free wifi access points at places like coffee shops etc and my warning to friends / family of how numerous the ways were that they can be malicious
Wait til they start replacing the power plugs then you screwed
I feel like these are probably similar to credit card skimmers. They are probably pretty abundant but the chances that we as an individual will encounter one are low.
@@mikemcmike6427 hence the adapters for power only that block the data channels on the cords
The odds of someone using this on random nobodies at the airport is REALLY low.
If some random coder dude is releasing these at a reasonably accessible price, you can bet these have already been around for a while in a more secretive manner. Governments and other various agencies have likely been using these for years. At least now the public is aware that these are, in fact, a real tangible thing.
Pretty sure spy movies have been using these for the past half a century.
And the fact that the FBI is willing to _tell people this is a thing_ is a sign that to them, this method of exfiltrating data and hacking stuff is already *_obsolete_* by Three Letter Agency standards. Why spill the beans on a technique you're still actively using to spy on people?
Yeah in my eyes what this guy is doing is making this accessible to security researchers and pen testers so companies etc can figure out how to defend themselves from it, rather than really creating a new attack vector or anything of the sort
Yes this type of device has existed for many years, the company behind the usb rubber ducky has been around since 2005. Awareness is just bad, they've clearly made their point to the negligence of certain enforced security. In security, the biggest vulnerability to anything is physical access, with the right tools you can obtain anything. This is not just technology of course. Honest attackers are creative and sneaky who can be reasonably discouraged. Attackers with sledge hammers also exist.
Keep your important belongings safe!
The name of the NSA implant this is inspired from is called COTTONMOUTH. It was in the TAO catalog released in late 2013 iir.
People called us paranoid when we rolled out centralized authentication of USB devices in our company 😂
In regards to juice-jacking, I miss the micro USB cables we had at Google, by default they were charging only and had a physical switch to enable the data lines of the cable if you needed to transfer data. Sadly they never made USB-C versions
There are type A charge only USB adapters. You could use one of those with a tape C to type A adapter. You’ll probably lose charging speed, but at least you can use it in an emergency.
It occurs to me that using USB for charging, data, and input is actually quite a security flaw. I know some large companies just disable USB drive support on all computers. Now I see why. Perhaps SD cards are actually safer, because they can only be storage.
@@andybrice2711 - It’s more serious than data. USB is a bus, just like the PC Express bus, which means that it can add devices to your PC.
@@sylviam6535 Having a single button is way more convenient than having to add / remove the "USB condom" (as some call it) each time you want to toggle data on or off. I miss those cables too!
@@florentcastelli - I am not sure that a physical switch would work on USB type C. They would probably need to insert a chip to deal with the additional complexity.
Another use case where this could be problematic is people getting these cables for their partners/friends/family members as a way to spy on them.
"Hey honey, have you seen my charging cable?"
"No. But you can use this extra one I have."
im gonna use thumbnail to soy on myself. Finally gonna know what the fuck i do all day
Generally if you're going to spy on your loved ones, you'd also have physical access to the devices they use too. Sneaking in a USB device into the back of their desktop or laptop is going to be easier and cheaper than ensuring they use your cable.
@@Programmdude yes but when it comes down in price it would be less phishy and a cheap way to get into the person phone which these devices target also
People have been hacking each other since people exist. Its even common to treat ideas and thoughts like this usb cable, like a threat. And sometimes they are. This tech is interesting, nonetheless.
Already exists. Use of a hardware keylogger on your partners PC to spy on them for abusive purposes has been a thing for years. Most people won't notice something in the back of their machine that wasn't there before.
I get that mike is on the up and up... but when they said he made a cable to detect malicious cables... I got some very "we created a disease to sell an antidote," vibes
Juice jacking is an absolutely perfect hacking term in the classic style. Reminds me of phone phreaking
The Scary part would be when it gets cheap enough that an Amazon 3rd party starts selling these as regular usb cables.
😂
Like, I can appreciate him making it as “showing everybody what’s possible” sort of scenario. But why is he mass-producing it and selling it? That seems like a step too far. Because people besides just those who would need this to research security can get their hands on them
I can't wait to hear about the next LTT hack because someone watched this and thought "what if".
If I would live anywhere near I would definitely do this.
On the other hand I hope dbrand will use one of those to prank Linus with their next "hacked" lineup
Wow.. "Best to learn about it now when it is expensive rather than later when it's cheap and too late" is probably the best line from an LTT video.. like ever!
No kidding. Even the ELITE version is ONLY $199.99, that's CHEAP for something with such nearly limitless functionality!
It still won't matter
11:21 So buying a similar-looking cable from London Drugs, swapping them, then returning for it to be placed back onto the shelf as open product, or dropping the cables off to a thrift store, or even hanging them yourself, are not realistic scenarios today? $119 is a lot, but as with playing the lottery, you only need 1 win to become rich.
0:46
"All for less than a price of a backpack"
A 250$ backpack!
A backpack that may or may not still have no warranty.
lifetime warranty?
Juicejacking makes sense considering the term juice is synonymous with power; leaving a "charger cable" at a diner would be a really effective means of attack especially if the victim believes that cable is the only means of keeping their device charged. Take a McDonalds near our location for example, they have only one seat adjacent to an outlet, if an inconspicuous cable is just sitting there and their phone is about to die chances are they aren't going to spend the time to dig around for their own cable (if they have one).
I love that the creator had to make a malicious cable detector lol
Always cool to see LTT do a more simplified overview of HAK5 tools. Might be cool to see a cybersec spinoff channel so a bigger channel like yours can help spread awareness.
I feel the argument that it is a warning is pretty weak when it's being sold...
Hehe, 9:52, the wife-factor 🤣
This is just plain dangerous. Thanks techies for making my day less anxious and safer.
You're welcome. As consolation, you don't need to be afraid of hackers trying to compromise your systems until you have data worth stealing. Are your memories safe? I sell zero-day exploits on bug-bounty forums. Secure your bad ideas and protect the future of disinformation.
@@oldtools6089 assuming you don’t have information worth stealing is this first mistake.
Do you have a social security number? Then you have information worth stealing. That number is worth a lot of money.
@@FilmFlam-8008there's also a factor of "have you made any severe enemies to go to these lengths".
@@chiranjeevsahoo4960 no.
I know people that have had their SS number or cards stolen with no enemies.
Those are worth thousands.
@@FilmFlam-8008 And are profitable even at this cost
Love the recent security focused videos. Please keep them coming.
The only cables or usb devices that ever get plugged into my machines are ones I have bought by going to a physical shop and grabbing one off the rack.
So, unless I get super unlucky or someone reeeeeaaaaaalllllyyyy wants to steal the £3.50 in my bank account and goes to some extreme lengths, I think I'm safe from these badboys.
Is the cable also available with RGB? It would raise suspicion if I hand over a cable without RGB.
I would totally use this on my worst enemy.
Toinut
Go ahead & do it then
Show them you are the good/bad guy lol
@@danyal_assi hope you get banned
du hast ein z bei satzzeichen vergessen ;)
I would on my best friend
Does that data blocker only block data on the side it plugs into? Seems like the phone plugged into the other side would need a data blocker of it's own.
the worst thing about this seems to be the fact that these cables are unmarked. amazon sellers could easily have some of these mixed in with a generic product
Ding, Ding, Ding. Shared product bins is already an issue beset with with counterfeit knockoffs. The fact this exists at all should be a crime, and if not the engineers responsible should be mandated to carry liability insurance to cover any damages resulting from their product being used by anyone that's not a white hat.
Or someone could buy legit cable, replace it with one of those, and return it. Scarry but possible...
@@reahreic7698 i feel like you're reaching a bit. This thing is only effective if the person who wants to use it is able to get close to the person. So what are they going to mix it in with legit cables and pray they get it sent to the person they want to attack?
@@altokers that and the cost would be astronomical
Dont buy stuff from amazon
I've said it before, I absolutely love the security videos.. please continue to make them.
They are more or less fearmongering misinformation. These tools are useless in real life and pose zero threat. They have been around for years for $1, and there have never been any recorded accounts of these attacks being used on anyone.
Apple should add a thing where if you already have a keyboard or mouse and you plug in a new device then it will ask you if you want to trust it
I feel like the quote, "Your scientists were so preoccupied with whether or not they could, they didn't stop to think if they should." best applies to this cable.
This cable should be a crime
@@joshbittner ethen hackers that need one will just make their own, You ren't solving the problem
The problem with that saying is (skipping the whole scientists vs engineers, the tech isnt new the application is) not that this is a unique tool developed by some masterminds. It's common tech thats been packaged and branded for the consumers. CIA had this tech 10 years ago and so did probably other state funded organizations as well. It's only a matter of time before you can buy it from aliexpress for a dollar. Creating this product and bringing this design flaw in USB to the light of mass audiences does more good than harm to the world collectively.
No, what applies better is “security through obscurity is no security at all”. OMG didn’t create this attack vector, he made it accessible to everyone and raised awareness that this exists. Now more people will be on guard, look at this and work on mitigating this.
@@ForeverHobbit "not solving the problem" is not an invitation to make that problem even worse.
The way I see it, this was always a viable attack vector. If Mike didn't make his publicly available, someone else would be doing it in secret (and likely already has). If you don't know a threat is out there, you can't defend against it.
Except that he clearly doesn't care about the security aspect and he is creating THE NEED. He rationalizes heavily and his body language is visibly giddy about the potential chaos that he can sow by having a tool - that would normally cost substantially more and for good reason - much more accessible to the average populace who are willing to sacrifice their kidney for a goddamn $2000 GPU. For LTT to brush that aside while using it as an example was an "O_O are you serious?" moment.
The irony of this is that he is apparently lackadaisical about it at home and was forced to create a counter-measure because his wife was getting tired of his bullshit. (Frankly, i'd just divorce the asshole.)
@@gludlok747 who pissed in your cheerios?
@@RoshiGaming No one. Well.. not that i've noticed anyway. I just know bad news when I see it and I haven't felt this uncomfortable watching an LTT video ..ever. So I responded to a comment that helped formulate what I was thinking.
@@gludlok747 you’re actually dumb. Nearly everyone who works in offensive security from pentesting to red teaming gets excited and giddy about new hacks and toys. Anyone else who is able to invent anything similar to that from Proxmark to the bash bunny has every right to be excited about what they achieved and it’s dumb to think that means anything about their attitude to security.
@@gludlok747 the counter messure may actualy be just as bad as the creation. hes just not going to tell you. and make you think you are safe. thats the level we are at here.
I've known about Hak.5 for longer than I've known about LTT lol. I love their stuff and those they associate with like omg and rf1. But there is one thing I didn't consider until watching this video... the Linux-based OS called Qubes OS (you should do a video on that btw if you haven't already lol) can be set up to have all USB devices connected to a dedicated, untrusted Qube, and if you want to use something like an external keyboard/mouse, you need to first pass the USB device thru from the USB Qube to the target Qube. I wonder if that would be enough to catch a bad device like a rubber ducky or omg cable before you can pass it thru to another Qube. Might be worth a video to test all these things on Qubes lol.
Curious, if all USB devices have to be configured, how do you even begin with your real keyboard & mouse if they don't work at the start?
@@Ck87JF that... is a really good question lol. I honestly don't know. I've only ever used it on a laptop, and I think that's what it's mainly used for. My guess would be if you use it on a desktop, you'd have at least a generic USB to PS/2 adapter.
@@little-wytch Even with a laptop, I'm pretty sure the built-in keyboard & touchpad are seen as USB devices, so maybe there's some kind of thing that says "this specific device with this identifier was here at install time, so we trust it" while any additional HIDs have to be configured. Which if your internal device breaks ... :P
As Mike said, the average person and probably does not have to worry about an attack like this right now because it's too powerful.
"You don't aim a cannon to kill a fly"
But when you are mass producing the cannon ball anyway, you may as well have a go...
These are not powerful. You can't do much with them. They are only useful if you know a lot about your target and want to get data on their computer
I dunno, I mean I think a fly is kind of a bad example though. You've heard the lengths people will go to kill a spider right?
@@MK73DS Yeah I've noticed that too, they really do charge slowly. Unfortunately for me, I've had a lot of accounts hacked because I've had most of them since I was a kid and didn't take any cyber security stuff seriously. My twitter account was taken over and now advertises knock off facebook glasses. I actually got the real ones as a gift once because my parents just thought I really, really wanted them because the account was constantly DMing all of my relatives and everything and was posting about it constantly. In reality, I find them creepy AF, so I've never used them.
This is such a weak argument. It would make sense if the device was $10k or needed a team of elite experts to operate. That's not the case though. Instead, this argument sounds like, "Why do I need to use passwords? I'm not valuable enough to be attacked"
When attacking is relatively cheap, then it doesn't matter
Although I find this technology somewhat frightening. I am much more concerned with the fact that I never knew it existed to this point. The best way to protect yourself is to become educated on the topic. That is why I hope LTT continues to come out with great videos teaching us about nefarious methods an individual might use in the tech sector.
If education actually solved problems we wouldn't have them. The internet's been around for almost 3 decades but humanity is less educated than ever. They fall for the most obvious scams. Do you know how many times I have to tell my family not to do certain things on a computer/phone? They still don't understand not to immediately trust what they see.
Pessimism is a better protection than trying to learn about all the different ways life can screw you over. Case in point, the guy who made this said there's many easier ways that are constantly being used. These methods are rare.
you can't protect yourself. its out there
@@housemouseshorts Living the rest of my days out in the woods becomes a more enticing option with every passing day.
I'm glad your covering this. I saw these and picked one up at DefCon last year and have been messing around with it, it's a GREAT Red Teaming tool, especially if it's more than just a single day op. You can either connect it yourself or leave/swap it on a desk when your doing a "scheduled unscheduled audit" or something similar. (I'm a professional pentester not just breaking into tech companies without permission)
Fun now I cant trust a random USB cable either, thank you for sharing now time to retrain the family to not to plug in any random device to their phone or PC.
its not actually a thread today
Dude your family is no-one
Cybercryminals wont try this to your family
@@MR3 The fuck does that even mean?
@@wnsjimbo2863 cyber criminals target anyone cause you never know who has something of value. It may not be likely now, but I can totally see people selling cheaper versions of these online at some point in the future with malicious intents
@@SyntheticSpy This. Once scammers buy them by the millions they'll be in thousands of homes and have control over their computer, just sitting there waiting for someone to knock on their virtual door and it'll let them in.
I’d be more interested in knowing how to take control of one of these sorts of cables should you find one. Would be fun to just get one for free and spoil an attack.
One of the OMG Programmers will let you completely reload the firmware and use it as your own. Also, the programmer can be used for doing full forensic dumps on OMG Cables, we actually have a forensic capture tool built into our python flasher.
Please add a digital output pin, a tiny compartment for my own stuff and a small ultra capacitor to the cable. Nothing like a good fire to destroy evidence. Metaphorically speaking.
Use this USB malicious cable detector that definitely isn't compromised we promise.
It would be product suicide to put backdoors into something sold to the infosec community. They would find it pretty fast. Detector has been out for a couple years now.
i mean, why would it? he is not selling malware, he is selling tools.
@@carl7534 I mean, why would Microsoft put spyware in Windows? You paid lots of money for it. Shouldn't they be happy with the money they got?
Same with every phone company. And every piece of "smart" tech.
THANK YOU someone else who is saying this. I;ve been replying to comments praiseing the dectoror for the last hour. Trying to drill it into peoples minds. Why would you trust this guy? He created this evil thing. Why do you people think the solution he sold is going to be a solotion? Think about it people. Now he has all your data access to your computer your network AND you have given him MORE money to "be safe" What if the detector itself is even WORSE?
@@carl7534 Why would he not? Now you have given him your money TWICE. and he has acsess to your data
But could I use this cable as a portable router ...🤔
Yes, if you modify it's firmware or constantly run code on your phone which acts as a vpn and reroutes data to the cable, but then you would have very shity bandwidth because this thing doesn't have any processing power.
You could instead just turn on hot spot. Your smartphone is a portable router
@@mola1.980 might as well just use a hotspot then, but if you could add some processing power to it, free internet. In theory
@@Teddybaer06 yes? That was what I wrote?
"You could instead just turn on hot spot. Your smartphone is a portable router "
@@mola1.980 yeah I know lol
@@Teddybaer06 Sorry i misunderstood your comment
Additionally, you should always close windows, because USB stick theoretically can be inserted by drone.
8:50 " sif someone can walk in and take something, they can walk in and plant something" LTT's security are clear at risk seeing how much get taken from the office😂
The Malicious Cable Detector should have a "Destroyer" companion. I wonder how that cable would handle 30V 🤔
Given how little people seems to be security aware (for example i dumpster dive and I’ve seen a lot of people not even encrypting/wiping a drive), this might already be overkill enough
I assume there is a new focus on cybersecurity over at LTT after the recent hack... good to see more content making that world more accessible in a responsible way. I studied academic Philosophy and the depth of the conversations around the cybersecurity world about code, ethics, and best practices is in the company of the deepest conversations I've ever ran across. Maybe LTT should talk to Steve Gibson over at the Security Now podcast.
To be safe on public charging-stations, you could also just use power-only cables. Those don't have any Data-lines.
USB-C cables all have data lines, they're what allow rapid charging.
2:43 love how you used the payload skins from Team Fortress 2 to illustrate payloads :) if I'm correct about the origin of those carts, of course
Edit: I would also recommend everyone to carry an extra USB cable that doesn't support data transfer in case of having to use a publicly accessible charging USB port. Might be a redundance but an extra USB cable doesn't weigh much and brings some extra safety when using public chargers
Yup those are the TF2 payloads used in game.
No data transfer might mean less support for fast charging protocols, but... I guess that's a small price to pay for added safety from attackers.
@@fairyball3929 Most public charger i've used havent had fast charging anyways. You aren't losing out on much
@@Xachremos Oh yeah, I forgo that lots of public usb chargers built into outlet plates max out the voltage a 5V and current at 3-4 A.
Hak5 always comes out with some wild stuff.
Toilet
Criminal activity
@@joshbittner it’s a tool just like a car, hammer, gun, etc.
@@spencer5051 I wouldn't exactly call a gun a tool.
@@cameron7374 its a self defense tool in some cases
Here's an example I had during my trainings. I proposed the students to only share files and documents with approved or known team members of a contractor. If they didn't trust it, they should get in contact with the contractor using a phone number known by our company. I got laughed at and they didn't think it was serious. Next, another speaker shared a security awareness of not clicking links in an email. People were like "yeah, that makes sense". I'm like, why don't you take my warning serious, but this one you do?
As much as I hate hearing what people are creating for less than honorable purposes, I do appreciate video's like this to inform the general public.
I really wonder why someone would create something like this
I've been wanting one of these since they first hit the market. Same goes for the USB rubber ducky and the WiFi pineapple. I'm too afraid of getting myself into major trouble with it though. lol Besides I wouldn't want to cause real problems for anyone.
"It works in Windows, Linux and Mac"
Me using TempleOs
I need this cord for educational purposes
Yeah when we visited a cybersec company they handed us charging only cables, for free. We had a practical demo on the how and why, this video reminds me of that day.
Why? Because you got that omg cable for free - and didn't even notice?
Man, I think this could be a real threat on university campuses. Drop one of these in the library or computer lab. Heck, just plug it in to a computer and leave it. You'll have hundreds of passwords and log in info by the end of the week. Put one of the go betweens on a uni keyboard and people could do all kinds of damage.
Things like the Flipper Zero, and Rubber Ducky to an extent, are great tools that can be used for a bunch of legitimate purposes (or at least, depending on the stuff that's loaded on it, stuff that doesn't cause permanent damage), however stuff like this and "USB killers" have no reason to exist other than as purely malicious tools. I certainly wouldn't plug in some random flash drive or cable that I'd find on the street, but who's to say some kid won't innocently plug one in and do untold damage to their own, their parents' or their school's PCs? They don't know any better.
What I find interesting is the argument - it's too expensive for a general person to meet it. Is he like never met a bored rich kid? The only question is if they have the skills to do some actual damage. And since it can be used as an overpriced keylogger... dunno, may be enough to log into a teacher's account or something. I like this as a teaching tool, but saying the price is deterrent is weird.
These OMG cables aren't unique. The point they make is, this way you can legally see how these work and how to protect against them. Also this will force companies to improve protection of their devices.
@@SanderEvers Proactive is not a word you often use for humanity. More like "Wait until it happens to millions of people, then make news and clickbait videos about it, then nag the government, then wait a year until they do something."
@@SanderEvers What I am afraid of is one thing - once these become widespread, the companies will instead all branch out into their own proprietary standards in a panicked attempt to fix the issue. And instead of one universal standard for plugging in peripherals, we will have a dozen.
If the Flipper Zero or the Rubber Ducky can be used for legitimate purposes (and they can), then so can be the OM.G Cable.
I don't get why there isn't an option to enable a "Activating keyboard/mouse in 5 seconds" popup so if you clearly aren't plugging in a keyboard or mouse in your pc, you can remove it. Thogh it should only be on the os-level (Obviously it should always be enabled pre-boot for changing bios settings etc)
That would seem like an incredibly easy fix, wouldn't it! Just pop up a warning whenever someone plugs in a new HID device of any kind. I'm surprised it's not already standard, this has been a known attack vector for years now.
This is only works if your user is actively looking out for this kind of attack. Otherwise they will be confused and simply ignore the prompt.
@@marcellkovacs5452 I think telling people "If this prompt shows up when plugging in a USB stick, remove the stick immediately" is doable
>less than the price of a backpack
>$250
Seems you don't understand that $250 is a lot of money for most people.
While every other big RUclipsrs are going to give its viewers same content at the same time, Linus always make a way for him by differentiating his content from others. Love you man!
A couple of things that you could have brought up to help protect you against these is to not use computer profiles that have administrator access as you are default account. Yes it's more annoying to have to type in a username and password every time you want to change a particular setting or install a program but it's one more layer of security that malicious actors have to navigate past when the default user logged in is not an administrator.
Expect they showed in the video that's a (somewhat) trival thing to bypass esp with keylogger capabilities.
Is there any possible use for this kind of device for a normal person? it seems very strange to me that something that looks like it might be exclusively used for malware and hacking could be sold and advertised so publically! Is there some other 'purpose' that the average man or a tech business could use something like this technology for?
Great stuff! This type of attack has been possible for a while but to make it easier and streamlined hopefully will expedite countermeasures both in IT and personal awareness.
Toilet
It seems to me the proliferation of devices like this is going to, at some point, spur a harsher (possibly) international regulatory response.
Create a hacking cable to scare companies, then create a device to block it. Stonks 📈😂
As an excellent comic pointed out, the real way bad actors get your passwords isn't hacking the mainframe and breaking the 2048-bit encryption blah blah blah, it's more like they phone you and say "hey this is Bob the password inspector" and bada-bing bada-boom
One of the few times that I am aware of a new product months before Linus publicly covers it. Was able to even hold one in my hands at my local Cybersecurity club.
Love network security content definitely want more of this kind of content!!