- This video is part of my series showing you how to use O.MG
cables to hack networks. In this first video, I'm gonna show you how
to hack an Android phone, as well as an iOS device, in this case, an iPad using an O.MG cable. This is a USB-C to USB-C O.MG cable. Now the scariest thing about
these O.MG cables is that you can't see the difference between a traditional USB
cable, or lightening cable, and these O.MG cables. They look exactly the same, but they have access points within them, they allow you to run scripts on devices, such as Android devices and iOS devices. They also now are key loggers, so you can log keystrokes
using these O.MG cables. So in this first video, I'm gonna show you how
to Rickroll a person using an O.MG cable. I'll show you how to make a telephone call using an O.MG cable and an Android device. - [Phone] 4, 3, 7, 3, double
4, double 4 from another phone. - And I'll show you
how to take photographs using the O.MG cable. It's extremely worrying
and extremely scary what you can do with these cables. Never just trust any cable. Don't just plug in your
devices into some random cable or into some random USB port, because you never know
what's going to happen. As always, what I'm
demonstrating in this video is for educational purposes only. Do not go and use this
information and get into trouble. Make sure that you use this information to make people aware
of the vulnerabilities in the USB standard. Don't just trust any USB cable. Don't just trust any device. You need to act with security in mind. Don't just trust anyone. Don't just trust any device or cable. (bouncy music) Now before we continue, I'm really happy to
announce that MG and Darren from Hak5 are sponsoring a giveaway. One person is gonna win
a $180 Hak5 gift card. That will allow you to
purchase an O.MG cable such as this or one of the others. So one person is gonna
win a $180 Hak5 gift card, but you need to use a secret
code to enter this competition. So make sure that you
watch the entire video so that you can get to the secret code to enter the competition. In this example, I've plugged the cable
into an Android phone. Nothing else is connected, but what I can do is on
my iPhone as an example, connect to a access point
running within that cable. So in this example, I've configured it as the fbi network. You, when you set up this
cable can configure it with any kind of access
point name that you want to, any kind of security. I've previously connected to this network, so the password has been stored. I'm automatically connected to the device. By default, it uses an
address 192.168.4.1. I can connect to that network. And as you can see, I'm now connected to the O.MG cable connected to this Android phone. So what I could do is load a script. I'll load a script from slot 1. There are various slots here, you can preload scripts ready to deploy, or you can simply copy and
paste a script remotely onto the O.MG cable. So before I do anything, notice I'm not touching the
phone, not touching the cable, but what I'll do is press run and hopefully the phone will do something. Notice it's opening up a URL. And I'll unmute the phone. We get the famous Rickroll. So that's an example of
opening up a website. Now I can get it to do
all kinds of things. I could get that to go
to a malicious website if I wanted to. But in this example, let's try and get it to do something else. So let's run this script
and see what it does. - [Phone] This call can't be completed as your account balance is too low. - So what I got to do
there is make a phone call. This phone has a SIM card in that doesn't have enough
credit to make any phone calls. I need to top it up. It's just a top up SIM card. It doesn't have any credit on it, so it can't actually make the phone call, but notice it tries to dial a number, and I'll run that again. - [Phone] Could not be completed as your account balance is too low. To top up, purchase a
3 voucher and dial 444 from your 3 handset,
0843-373-4444 from another phone. - Okay, so it tried to make a phone call. Quite scary that. Let's try one last test
with an Android phone, and then I'll show you with iOS. So I'll load another script here. Press run. And what that just did was take a photo. So if I press here, notice
it's just taken two photos. Run that again as an example. So run that. What it should do, hopefully,
is take two photographs. And there you go, it just
took two extra photographs. So that's quite worrying
because this cable looks just like a normal USB-C to USB-C cable, but I can get it to do all
kinds of malicious things. So let's do it with an iPad. Now what I'll do in this
example is copy a script. Instead of loading a script, I'll simply copy a new script, and I'll paste it in to the O.MG cable. So I've connected my Mac to the O.MG cable using the fbi network. I've opened up a browser
to the O.MG cable. I've pasted in a script. Now, before I run, it
I'll change this string so it doesn't go to the O.MG website, but to a YouTube page
so that I can Rickroll the person using this iPad. So I'll run the payload. And what you'll notice
there is an ad is playing. ("Never Gonna Give You Up" by Rick Astley) And there you go. So I've been able to
Rickroll both an iPad, as well as an Android
phone using the O.MG cable. Really scary what you can
do with the O.MG cable. Now _MG_, the creator of the O.MG cable, gave me the scripts to open
up a web browser on Android, as well as iOS. I created the call script, as
well as the take photo script. I did those very, very quickly
in a short amount of time. So they're not perfect. They may not necessarily always work. If you're going to use them, you're probably gonna want to fix them and iterate them and make them better. But that was sort of a quick test to see if I could get
it to work and I did. As always, please don't
use the information that I'm sharing here
for malicious purposes, but be aware of the
issues of trusting cables. Don't just trust any
cable from your friends or from some random stranger, because it could be an
O.MG cable such as this. Again, the only way to
identify this as an O.MG cable, rather than a standard USB
cable is by this little tag. So if I took that off, I wouldn't be able to differentiate between this cable and
a standard USB cable. Now in this video, I simply
wanted to demonstrate some of the options with the O.MG cable. I've put links to the
scripts below this video if you want to try this yourself. Again, use it at your own risk. I'll cover the setup of the
O.MG cable in a separate video. I have discussed the
setup of the O.MG cable in a previous video, which
I've linked here and below, but I'll do an updated
version of that video. Process is very similar. The language used here is very similar to the Rubber Ducky language. I'll also create some additional videos on the Rubber Ducky language, because some of you have asked for that. This video does cover some of the basics if you're interested in learning how to set up the Rubber
Ducky as an example. Okay, so the secret code that
you need is OMGCABLEHACKS. Use the code OMGCABLEHACKS
to enter the competition using the link below. I want to wish you all the
very best for the competition, but more importantly, all the
very best for your career. Go out there and make
a success of your life. (bouncy music)