Security Researcher Develops Lightning Cable That Gives Hackers a Way to Remotely Infiltrate Your Computer

[PseudoRegister]

Anker is a foreign-owned company which, for even mid-level security regulations, disqualifies it right there.

Aren't all Apple-branded Lightening cables actually manufactured by "foreign-owned" companies? I suppose there might be Apple employees on site to do QC; employees who are not citizens of China; employees who are capable of making sure their spot-checks aren't being hacked in a building full of workers who might have to choose between "voluntary cooperation" with a harmless government request and satisfying Apple's security protocols.

I'm disconnecting my MacMini from my uranium centrifuge immediately!

 

[LizKat]

I'm more surprised people still connect their iPhones to their Macs. I don't think I've done that since I no longer required iTunes to activate a new iPhone.

There are other sorts of gear people might plug into a laptop for recharging via a USB port, and that would include gear that comes with a "free cable" but may not include a charging adapter since they figure you have a port in your car or adapters at home etc. -- stuff like rechargeable camp lights etc.

 

[IIGS User]

Shocker I know, but there are people out there with sensitive information on their Macs.

Well, duh. No. See, I live in a world where I think everyone has nothing but kitty pictures and memes on their Mac's

I also have "baby shark" on an never ending loop on my home stereo because it's an accurate depiction of the real world.

Or maybe, sarcasm....

 

[koruki]

$200 for a cable, wow they're even copying the same pricing patterns too. Would be impossible to tell the difference

 

[Crowbot]

I use wireless charging and BT headphones so I rarely plug in a Lightning cable. For people like me Apple could put in an option to cut off the connector's data connection by default. This is getting nuts.

 

[glowplug]

So one good reason to use the 3.99 lightning cables you can buy at a gas station.

 

[76ShovelHead]

Someone might access my collection of funny cat pictures and snapshots from train museums.

Doomed. Just doomed...

For consumers the issue is possible fraud (such as accessing the keychain or perhaps stored credit cards) with business and healthcare professionals I imagine it to be confidential files and PHI.

 

[tito2020]

Be wary of a guy in a trench coat handing out free Lightening Cables.

That's why iTunes no longer apple knew this

 

[atomic.flip]

This news and the “security researcher” are absolutely overdramatizing this “hack”. This is no different that’s any sort of USB cable being hacked with embedded components. It’s a USB security issue not an Apple Lightning cable issue. When this hacker makes something that can compromise the lightning end plugging into your iOS device then this could be newsworthy. Otherwise.... SMH.

 

[BeforeTheMeds]

Did any of you people read the article??? One dude made a few cables. It's a proof of concept. The hacker would need to get you to use his cable. Then he'd need to be within 300ft of you.

"But the cable can be configured to act as a client to a nearby wireless network. And if that wireless network has an internet connection, the distance basically becomes unlimited."

Somebody clearly didn’t read it.

 

[dantroline]

Good thing all of Apple's contractors are so trust worthy.

Yep, all made in good ol' US of A by hardworking good natured and honest folk. /s

 

[LauraJean]

Yet another reason to wirelessly sync your phone to Mac, for those that still sync the two.

Not if you sync with home WiFi off, if I correctly understand how this hack works.

 

[AustinIllini]

We give Apple a lot of crap for requiring Apple-specific hardware, but this is clearly why.
[doublepost=1565666044][/doublepost]

Yep, all made in good ol' US of A by hardworking good natured and honest folk. /s

God, it would be so much worse if they were made in the USA.

Without getting PRSI'd, I will say this seems like something Apple will be able to patch.

 

[FontGeek]

Time to go 100% wireless 100% of the time. Bring out the Qi charging for Macs, and we’re in business. If only Bluetooth/WiFi were “Lightning” fast.

 

[dantroline]

Time to go 100% wireless 100% of the time. Bring out the Qi charging for Macs, and we’re in business. If only Bluetooth/WiFi were “Lightning” fast.

Data travelling down all external wiring that may emit EMF needs to be encrypted. Then the cost benefit of wiretapping like this would make it impractical.
[doublepost=1565671005][/doublepost]

We give Apple a lot of crap for requiring Apple-specific hardware, but this is clearly why.
[doublepost=1565666044][/doublepost]
God, it would be so much worse if they were made in the USA.

Without getting PRSI'd, I will say this seems like something Apple will be able to patch.

The main advantage of geographical locality isn't some kind of magic properties of the people (although it can help), it's the ability to legislate, regulate and verify and prosecute. Try suing some poorly named company like "Green Flower Industrial, Shanghai" for something like this, or better still try getting your government to do it.

 

[djcraze]

I expect this to be patched in no time.

Unlikely since the device more than likely presents itself to the computer as a keyboard and mouse. The "attacker" just inputs commands via keyboard keystrokes and mouse movement/clicks. The only way I can see Apple preventing an "attack" like this is telling you about the connection of a new keyboard/mouse if you already have one attached.

 

[fairuz]

I expect this to be patched in no time.

Patch what? I'll bet it acts like a regular keyboard. It's lame news tbh.

 

[MikeSmoke]

I find it hard to sympathize with people who spend thousands on Apple iPhones and Macs and will jeopardize their devices and personal information to save 5 bucks on a non certified cable.

 

[Analog Kid]

Cool and scary at the same time.

Exactly my thoughts as I read this. Very cool to design and build, not cool at all to put into use...

 

[Shirasaki]

Yet another reason to wirelessly sync your phone to Mac, for those that still sync the two.

Yeah, let everybody near your house to tap into your sync process and sneak a few cat images to your iPhone for a nasty surprise.

You know they still have physical stores where you can walk in and buy things...

When someone is being targeted, do you think they still have the option to walk into a store without being noticed by police just to get a more legitimate cable?

Proof?

You know there is no proof. Speculation as usual.

Did any of you people read the article??? One dude made a few cables. It's a proof of concept. The hacker would need to get you to use his cable. Then he'd need to be within 300ft of you.

Yes, for the time being only a couple modified cables. But what if the technique is leaked to, say, China, and all of a sudden ALL cables produced in China, Vietnam and such have surveillance hardware and software installed on those charging cables? There are some dangerously huge potentials here. Don’t underestimate them.

 

[Ruggy]

So how does Apple ensure its supply chain isn't compromised?

Apple have been putting chips in their cables for many years to ensure this sort of thing doesn't happen.
The, 'This device is not compatible' message is down to that when you use a cable that is not MFI.
The chip communicates with the machine and is given the ok so I imagine if this becomes a problem they will be able to recognize it and fix it.
Apple thought of this at least a decade ago maybe more and as far as I know, they are the only people doing it.

 

[GadgetBen]

Don't give Apple ideas for more expensive cables!

 

[wellander1]

Wow. Scary.

"Those concerned should buy cables directly from Apple without accepting free cables from anyone."

People give out free cables?

Or an apple Authorised reseller.

 

[Taustin Powers]

This can be done with any USB cable or device, correct? It has nothing to do with the lightning connector.

 

[JGRE]

Wow. Scary.

"Those concerned should buy cables directly from Apple without accepting free cables from anyone."

People give out free cables?

Don't use cables, charge wireless and use Bluetooth for audio.
[doublepost=1565680632][/doublepost]

I think the scariest part of this is that it shows that should a supply chain be compromised, and secret components added to the manufacturing process, it would be virtually impossible to detect prior to normal use.

Good work though. It might lead to more 'do you trust this keyboard?' prompts though...

Made in China?
[doublepost=1565680726][/doublepost]

Someone might access my collection of funny cat pictures and snapshots from train museums.

Doomed. Just doomed...

Yep, you'r done!
[doublepost=1565680916][/doublepost]

@konqerror's post above shows they have USB-C charging cables with the same exploit embedded.

Apple should remove all the plugs.