MG
@_MG_
Followers
42,632
Following
656
Media
2,866
Statuses
22,766
I was a terror since the public school era. My opinions are your adversary’s. — I also make terrible things:
Joined April 2008
Don't wanna be here?
Send us removal request.
Explore trending content on Musk Viewer
#T20WorldCup
• 612436 Tweets
#INDvSA
• 377925 Tweets
#TeamIndia
• 198982 Tweets
South Africa
• 197679 Tweets
Bumrah
• 182869 Tweets
Italy
• 150855 Tweets
T-20
• 120856 Tweets
#ViratKohli
• 116045 Tweets
Switzerland
• 82240 Tweets
#SvizzeraItalia
• 74525 Tweets
Miller
• 69279 Tweets
#RohitSharma𓃵
• 49089 Tweets
Rahul Dravid
• 46841 Tweets
ايطاليا
• 45979 Tweets
भारतीय टीम
• 37178 Tweets
Vargas
• 37119 Tweets
Thala
• 35991 Tweets
Arshdeep
• 35799 Tweets
Spalletti
• 35007 Tweets
Suiza
• 34066 Tweets
#almazsanolmaz
• 33306 Tweets
#SUIITA
• 31922 Tweets
टीम इंडिया
• 31600 Tweets
Swiss
• 31148 Tweets
イタリア
• 30556 Tweets
भारतीय क्रिकेट टीम
• 27721 Tweets
Klaasen
• 24784 Tweets
Jai Hind
• 24162 Tweets
Donnarumma
• 22786 Tweets
#HardikPandya
• 22381 Tweets
#SuryakumarYadav
• 20909 Tweets
#IndiaVsSA
• 19536 Tweets
Xhaka
• 18998 Tweets
Proteas
• 18197 Tweets
#GERDEN
• 14156 Tweets
#RishabhPant
• 12150 Tweets
Di Lorenzo
• 11711 Tweets
#Champions
• 11071 Tweets
Pinned Tweet
OMG Cable - The New Batch
Now in USB C, the implant is much smaller, but it’s even more powerful than before.
Smartphone/tablet attacks, extreme long range triggers, geofencing, etc.
47
370
1K
I like to read replies to posts like this just to remind myself how misinformed the general public is about “USB-C”
So here is a thread looking at a few of them…
🧵1
Thunderbolt is so cool to me. like. you're telling me this one cable is;
charging my laptop at 90W,
providing a 5k60 video output,
using the 3 USB3 ports on the back of my display as a hub,
receiving video from my display's webcam,
and sending hi-res audio to my display.
140
464
15K
185
2K
17K
Seems Discord is having trouble mapping push notifications to the correct users.
This was a DM sent between 2 other people. I did not receive the DM but I did receive this push notification. 😂
I bet this is connected to their new username change rollout.
82
909
8K
First, USB-C is a specification for the physical connector. NOT the protocol. And it intentionally supports multiple protocols like USB, USB-PD, Thunderbolt, DisplayPort, HDMI, PCIe, etc.
Some protocols exclusively use USB-c, like USB-4, Thunderbolt 3 & 4, USB-PD.
🧵2
11
87
5K
HID attacks via USB drives have become too suspicious. What about embedding the attack inside a USB cable?
Just a quick test for a few things I'm hoping to make over the next month.
123
2K
4K
Love it
15
323
1K
94
1K
4K
Oh man, if this it what it looks (Okta got popped)… Blue Team everywhere is gonna be crazy busy.
76
1K
3K
And a lot of it has a belief that USB-C is somehow anti-Apple.
Reality: Apple (& Intel) designed USB-C.
The USB-Implementers Forum is responsible for USB-4, USB-PD, and many others. There are a lot of companies on the USB-IF, including Apple!
🧵4
13
72
3K
Now, because a high quality C to C cable can support ALL of these protocols, people incorrectly think the protocols are the same thing.
🧵3
8
26
3K
Most people with wired CarPlay that switched from a lighting cable to usb-c will notice how much more fragile the connection is if using cheap cables. That’s because the moving parts went from the socket (lightning) to the cable (USB-C). So cable quality matters more.
🧵6
19
57
2K
A lot of people celebrate the cable “standardization” & low cost availability. It’s becoming common knowledge that there are 8 types of compliant cables. But people don’t understand that quality matters. Else, you get perceptions like this:
🧵5
9
33
2K
Decided to get one of those USB spy cables with hidden microphone & GPS cell tracker. Noticed a few things... (1/n)
24
1K
2K
Day in the life of hardware production.
Thanks FedEx. Those fragile labels on every side of the box just complete the situation. 😂😭
105
94
2K
It really is impressive how confidently wrong people are about this stuff. But also how it’s almost like it challenges their identity or something 😂
Anyway, if I left anything out, let me know.
🧵7
9
24
2K
OMG! 2 months + 8 devs + O•MG Cable = malicious wireless implant update!
This update brought to you by the chaos workshop elves:
@d3d0c3d
,
@pry0cc
,
@clevernyyyy
,
@JoelSernaMoreno
,
@evanbooth
,
@noncetonic
,
@cnlohr
,
@RoganDawes
More info:
#OMGCable
47
740
2K
Apple - Ever since Sonoma, you’ve been polling TouchID Keyboards at nearly 150,000 per second, seemingly only on Mac Studio & Mac Pro. Why???
That’s equal to ~1000 keyboards of packets on the bus. How many people are seeing performance issues because of this?
22
119
2K
How I gambled a year’s salary and lost.
One of the many stories I have from building the OMG Cable.
44
184
2K
The amount of stuff we are gonna find on xz backdoor is gonna keep coming. This is a great find.
There are quite a few other things that suggest the author was complicit in the backdoor.
#xz
#xzbackdoor
Interesting note on the
#xz
backdoor:
If you plot Jai Tan's commit history over time, the cluster of offending commits occurs at an unusual time compared to rest of their activity.
If the dev was pwned, it could be a sign that the threat actor contributed in their own timezone
45
468
4K
7
119
1K
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).
It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't.
43
1K
1K
New details on the 2nd LastPass incident are fun:
- got into Sr DevOp's home via vuln media software
- installed keylogger
- got master pass to corp vault (seemingly because it was being accessed from home computer)
Cool to see that LastPass is sharing
27
370
1K
@dontpannic
They are misinformed, yet confident. And confident enough that they jump into peoples mentions to “correct” them with bad information. Those are just facts.
You are free to blame whoever you want.
14
9
1K
No joke: a bunch of OMG Cables recently infected the USB cable supply chain.
The manufacturer seems to have lost some OMG Cables and accidentally contaminated someone’s normal cable order. 🤣
Not quite sure how this will play out...
55
310
1K
Intel i7 MacBook Pro next to a M1 Pro Max MacBook Pro.
Both have been under the same light workload for the last hour.
I was pretty disappointed in the last 5 years of Macbook Pros. This new Apple silicon though... definitely changing my mind.
Remember the first time you went from HDD to SSD? That's the last time I remember a perf bump to such an extreme.
11
10
212
36
273
1K
Windows escalation with an OMG cable: from Guest account to System user!
Razer hasn’t fixed this for over a year now.
28
327
1K
Yes, if you aren’t aware, there are 8 possible spec compliant C to C cables.
Lets not count the non-compliant ones 😂
USB-IF has a labeling proposal to “fix” this. But mfgs are also YOLOing it and making cables look like NASCAR logos
🧵11
16
54
1K
Malicious hardware implant in the wild!
I helped
@LawrenceAbrams
dig into this. It’s a hardware wallet with a malicious implant added. It’s being mailed to targets.
Read about it here:
35
475
1K
Want some techniques that many Red Teams have been using to circumvent MFA protections on accounts? Yeah, even “unphishable” versions.
I’m sharing so that you can think about what’s coming, how you’ll do mitigations, etc. Its being seen in the wild more these days.
🧵1/n
18
410
1K
Here are the logos that USB-IF released in late 2021. Only cables that have been certified by USB-IF will be allowed to have the logos. And they must have the logo to get certified.
Yet somehow the Apple cable I bought yesterday doesn’t have any of them. 🤷♂️
🧵12
30
40
1K
To reiterate, a lot of companies are involved in the USB-IF now.
One of the most inspirational & enlightening people in the USB-C space, for me, is
@Laughing_Man
. He opened my eyes to the complexity, beauty, & horrors of USB-C.
🧵8
4
13
1K
Correction: The idea that Apple/Intel invented C & gave it to USB-IF is based on an industry rumor citation. It’s believable with the timing & numerous similarities with Lightning, but only rumor.
Apple is still on USB-IF, so trying to say C is anti-Apple is silly either way
🧵9
17
26
1K
Wall-of-Flipper
It logs the hardware address of Flippers running BLE. It also logs the specific packets being sent from each. Runs on a Raspberry Pi.
17
190
1K
@SwiftOnSecurity
Fully documented in the maintenance manuals too!
I’d assume some maintenance centers had pre-made “magic” connectors for it. But its not stopping people from doing a DIY version and accidentally mass-breeding Clippy
7
25
1K
Context: Kalani is on my friends list & basically a coworker. Receiving this was hilariously abnormal. I first assumed he sent to the wrong person. Then we dug in & realized what actually happened. He’s not the type to be ashamed of stuff, so was totally fine with posting this.
6
11
1K
I lost $150k in hardware during shipping. The carrier closed the investigation with “it’s gone, sorry”
So I started working through their org. Getting internal info. Eventually “bribing” some of the employees to dig a little deeper.
🧵1/n
23
111
985
Y’all just use 1 data blocker for safe USB charging?
Why not use 20 and hope you have enough layers to protect yourself, just like enterprise security services!
50
80
991
Those malicious USB cable prototypes from 2017? Here, have them. I’m calling it DemonSeed. It’s a good educational build.
Keep an eye on my feed during
@BlackHatEvents
&
@defcon
this year. I’ll have some free or near-cost build kits to hand out.
26
261
954
New dev board just dropped.
The developers of windows need to fix this huge security problem.
24
87
937
This marks 6 years since I started making malicious cables. This was another record year for the number of OMG Cables spreading around the globe.
So here is another check in & retrospective.
🧵1/n
12
74
933
Lotta people getting defensive 😂
USB C (& even earlier USB) is a confusing mess, as my thread shows & tries to inform. Especially with all the protocols & cable types.
The screenshots of confident-but-wrong “correction” reply guys isn’t purely a spec problem though :p
🧵10
8
10
932
KnowB4 customers are some of the easiest to spearphish. This is just one example of why.
Their official instructions tell customers to setup filter bypasses that any attacker can also use. In the instructions, they include absolutely no cautionary info about it. 🤡
35
215
885
DemonSeed EDU is here
Learn hardware hacking by making your own malicious USB cables. Every kit is a 2 pack. Share one with a friend? 🌚🔥
#OMGDemonSeedEDU
31
246
821
Heads up, for anyone changing an iOS passcode to keep someone out.
For iOS 17, old passcodes keeps working for 72 hours. Also, the old passcode can be used to reset your iCloud password!
You can manually expire them but..
🧵1/n
15
300
786
I’ve had people asking for a solid year about this but had to keep my mouth shut.
Here is your answer about OMG Cables and new 🍎 phone
16
129
707
Guess I have to remake this PCB.
The C in USB C stands for Chaos. (Especially when you intentionally violate the spec)
31
99
710
I’m starting a new job in a month or two. An offense security role that hits all my goals (red + research + teaching).
This will be fun 🌚🔥.
Thanks for all the support. There were a whole lot of you, & I appreciate it. Now, time to chase some personal projects before I start.
68
15
689
As a ClSSP certified in cyber, I think I need to inform Mike Lindell that the smoking gun is not in the routers. It is in the cables!
This was an anonymous submission from an OMG Cable owner.
38
141
677
Lots of screenshots going around about Uber but this one shows how wide the hack is.
"Security Response Break Glass Service Account" password 🔥
16
166
658
Woke up to like 100 tags on this iPhone implant. Which is found in this video here:
I don’t speak Russian, but I do have a first grade language fluency in hardware. So lets take a look!
Thread 1/n
Quite interesting, a hardware iPhone implant discovered in Russia
39
346
1K
10
192
647
Heads up to anyone in prison, domestic abuse victims, people in "no phone" secure facilities, and chem teachers hiding meth phones in the ceiling.
Oct 4 at 2:20pm ET all phones will get an emergency test message.
11
238
629
Want cliff notes on the chip shortage?
It’s fairly complex with all kinds of defensive & offensive tactics at play, but here is a summary from my position:
1/n
21
275
635
I will be dropping
#OMGCables
over the next few days of defcon.
I will also have 5g bags of DemonSeed, if that’s your thing.
I’ve been very busy with
@d3d0c3d
&
@clevernyyyy
.
Details and update here:
🌚🔥
33
196
603
The Razer & SteelSeries Windows PrivEsc vulns are fun, but there are tons of devices that may be vulnerable.
We have a list of ~2500 possible devices! The easiest way to test is to use something like an OMG Cable or BashBunny to spoof the VID/PID.
1/n
7
182
618
One of my favorite interactions at defcon was being paid with a respectable counterfeit.
Hologram strip, watermark, color shifting ink, security thread, embedded blue thread, etc. The wrong type of paper though :(
Got better? I’ll gladly take it off your hands
58
84
595
The recent spike in “no hook” phishing has been fun to watch.
If you have examples, share them!
Most of it seems to be for aging the numbers via interaction. An attempt to bypass automated spam detections.
(click to expand full image)
30
94
551
Yikes. I hadn’t heard about this till now. CloudFlare was lobbying the government to investigate security researchers and question the legality of public research in general.
9
160
558
This Google bug could seriously hurt a lot of people. The default editing tool had a bug that lets you unredact & uncrop all images.
Discord is used in this example because they don’t compress images. A good time to remind you: ALL image attachments are public links. Even for
Introducing acropalypse: a serious privacy vulnerability in the Google Pixel's inbuilt screenshot editing tool, Markup, enabling partial recovery of the original, unedited image data of a cropped and/or redacted screenshot. Huge thanks to
@David3141593
for his help throughout!
152
3K
9K
10
136
553
College Crim Justice textbook by
@schmalleger
shows Halo cosplay as "fully-functional undetectable 3D printed gun"
27
360
459
Don’t worry, you can play chaotic good as well. This is how you can use the
#log4j
vuln to patch itself!
7
203
519
Did you know that a flashlight is all you need to detect a malicious USB cable?
Well, some of them…
11
114
521
Normalize public shaming of people who do this… if they don’t get Flipper banned everywhere first.
When the annoy-a-tron & tv-b-gone were new, nobody was walking around with them pretending they were the main character in Watch Dogs. WTF
When you leave your iPhone Bluetooth on because you want to use your watch to keep an eye on your heart rate as I forgot my panic attack meds.. and some ass hat is out there turning off iPhones with the flipper zero.
…
13
7
158
25
51
516
Introducing: HIDX StealthLink
Run a remote shell through a “keyboard” that looks like a normal USB cable. It’s OMG Cable’s latest trick!
14
115
505
I got $500 worth of Arduino Nano’s from AliExpress from 4 different sources.
50% of them don’t even power on. Want to guess why? You can tell by careful examination of the boards.
Hint: they are all USB-C
31
110
493
Time to share the latest sibling to the OMG Cable.
You had to know this was coming… 😂
35
97
470
The US employees couldn’t properly communicate with their own coworkers in China, even with an official investigation. Not even when “bribed” to do so. But an outsider could!
Corporate efficiency at its best…
🧵3/n
2
10
449
2018 day 2 - 6 million cell tracking & spying devices have accidental backdoors.
2018 day 3 - Basically every internet attached device with a processor has an accidental backdoor.
Let's keep the pace up for the rest of the year!
11
210
423
The independent hardware community is small & it’s a difficult time to be in it. So it’s always really cool seeing people succeed. Nice work
@zhovner
& the whole Flipper team.
It physically feels solid & well designed. Haven’t had a chance to use it (I have plans with OMG Cable)
25
51
438
So,
@michaelossmann
& I made a malicious Ledger implant that is smaller than a grain of rice.
Special mentions in video:
@securelyfitz
@colinoflynn
@cryptotx
@nedos
@stacksmashing
CC Bloomberg
22
119
436
I just got my hands on a few other hardware keyloggers tonight. Most were released in the last year.
I think this gives some perspective on what the OMG Keylogger Cable is managing to pull off here.
14
89
437
I have been waiting for months to get these! I have some projects planned: sensor controlled air filters, logging, alarms, etc.
I have no idea how IKEA made air quality sensors $12 each. I’m used to seeing the raw modules for $30 & finished products for $60-200.
13
31
428
For people asking for details on “moving parts”, here’s a graphic. This is NOT the only way a connector fails, but cheap metal loses its spring much faster.
Spec says the connectors should achieve 10k+ mating cycles. But bottom price cables generally aren’t to spec…
🧵14
10
24
437
I just did some digging into that “USB Bomb” story.
So here is a quick thread on what it looked like, the damage it did, and the pretext.
🧵1/n
3
139
425
Did you know your Christmas tree uses more secure fuses than a lot of “secure” hardware? I learned about this because of a one in one million OMG Cable.
Time for a thread!
1/n
4
82
426
People send me OMG Cable sightings often. This is a funny one.
For the record: I own everything, Hak5 is my reseller, & I license DuckyScript from them.
The name was a joke on myself. Something I thought would last a few months.🫠 So, I retconned it to Mischief Gadgets
25
22
417
Had one of the neighbors tell me that they saw me on LinusTech last week. 😬😂
Maybe I should invite them over to help pack all these OMG Cables!
9
22
417
