The CuVoodoo USB Bug Detector Safely Ferrets Out Those Sneaky Malicious O.MG Cables
Designed to find malicious USB cables hiding hardware for remote access or data exfiltration, this cable tester is simplicity itself to use.
Semi-pseudonymous maker "King Kévin" has designed a handy board built to find sneaky USB cables hiding malicious active electronics, with nothing more than a single button press, before they can make off with your data.
"The USB bug detector identifies USB Type-A cables (or devices) with integrated circuits," Kévin explains of the design — built with a particular interest in devices like Mike Grover's O.MG Cable, a seemingly-innocent USB cable originally designed for iPhone smartphones, which hides integrated circuitry offering hidden remote access to connected devices.
Using the compact gadget is simplicity itself: Pop a CR1220 coin cell into the holder, push the reset button, and connect the suspect USB cable. In theory, a malicious cable hiding a secret circuit will illuminate the "BUGGED" LED — while a stock cable with no unexpected electronics will leave it extinguished.
"When the LED is on, the USB bug detector draws 3mA," Kévin says of the device's battery life. "When the LED is off, the USB bug detector draws 64nA. This results in an idle battery life of 62 years (for a typical 35mAh CR1220 battery). This is on par with the [shelf] life of the battery (~1%/year)."
The way the tester works is with a NOR-gate SR latch, with the R signal triggered by the push of the reset button. When the USB cable is connected, a current draw of more than 1.6mA — indicating there's something within the "cable" drawing power — triggers the S signal and sets the latch, illuminating the LED. For those without a handy malicious cable, the same end-goal can be achieved by pushing the "SIMULATE" button — checking that both the detector and its battery are in working order.
"Because of the 1kOhm inline resistor, and limited 3.3V provided by the battery, a maximum of 3.3mA can be drawn by the USB plug," Kévin adds. "This is often not enough to power up integrated circuit properly, particularly if they use a radio interface. Thus it is safe to use the USB bug detector on bugs, without activating it."
Assembled detectors are available to buy from the CuVoodoo Tindie store at $8 each, while the EasyEDA design files are available on the CuVoodoo Git repository under the strongly-reciprocal version of the CERN Open Hardware License Version 2.