Oh great. So even a lightning cable purchased directly from Apple could have a man-in-the-middle attack (as the FBI/CIA/NSA are known to do) and the seemingly genuine Apple cable is tainted with spyware.

Only safe way to buy electronic equipment nowadays is to walk into a store & pull the item off a stocked shelf. Man in the middle not possible then.

Seems like it would be easy to walk into an Apple store and add some cables to the shelf.
 
The supply chain is incredibly vulnerable. It doesn't matter how great the company is at the consumer end... they have suppliers who in turn have suppliers, and many suppliers are under extreme price pressure, to the point of barely being profitable. Any of those, or even the people managing or making day-to-day procurement decisions, could be vulnerable to coercion or bribery... You only have to research "Aggressive Supply Chain Management" and its better-known example called "PICOS" to appreciate what kind of vulnerabilities exist. Search for the rules of PICOS, in particular rule 6f... ask VW how well their PICOS operations did in driving a car seat manufacturer to the wall such that for a while they couldn't get car seats, and production stopped... when under pressures like that people can do silly things, can be very vulnerable...

Still, we'll all be dead one day & it won't matter then.
Happy Tuesday!
 
Wow. Scary.

"Those concerned should buy cables directly from Apple without accepting free cables from anyone."

People give out free cables?
If someone is giving you something for free, that means that YOU are the product.
 
Only if the ‘cable’ knew your wifi password beforehand.

1: Work and many places share passwords. More likely in that scenario than at someone’s home. Good luck replacing my cable at my house.

2: Who said the cable would have to know the password beforehand? It said it is capable of running scripts, that means it could feasibly contact through an existing internet connection.

But regardless, it’s more likely to occur in a non home setting.
 
Can someone explain this part "but he is teaming up with a company to produce them as a legitimate security tool."

How is this a security tool? Or does he want to produce these so people can figure out how to protect against it?
 
It would be pretty simple for this person making these to buy an Apple cable from Target/Best Buy/Walmart etc., open the package and put their cable back in and return it. Most of these stores will put that returned package back on the shelf for the next person to buy not knowing what they are getting. Moral of the story is get Monoprice cables :D
 
Brilliant work. Finally someone has done something quite incredible. Just buy your cables directly from Apple and no issue
 
??? the OP thinks that $200 is prohibitively expensive for a criminal organization, government spy agency, or industrial spy...
Heck a hobbyist or jealous partner could afford it...

Also because the original report on vice is made by ****** journalists for Clickbait it looks like it is not a user privilege escalation so this is effectively just a keyboard exploit

Ahh assumed so
 
Attacker has ability to embed a small computer and wireless transceiver in a tiny USB cable and covertly connect to it.
Attacker can't figure out how to use a Sharpie.

So mark something more complex or better yet only use YOUR cable
 
This is the 'don't plug in random USB sticks you find lying around' all over again. What's old is new, I guess.

I'd almost not want to call this a remote exploit since:

1. It requires physical access to the computer.
2. You have to essentially be in the same room with it.

Still, plenty of ways for someone to cause lots of damage.
One could, say, place these cables in a Starbucks, or McDonalds (two places, with USB outlets). Wait for an unsuspecting customer to come in and plug a MacBook or iPhone in to charge, now as long as the attacker is within 300 feet of these computers (like, he's waiting outside in a car), he just has to install a remote-access exploit onto the computer, now he doesn't have to be "in the same room with it", he could be in another country, and still gain access.

So, he only needs physical access, and being in the same room, for long enough for an unsuspecting person to plug in a USB cable (presumably thinking it's going to charge the device).

Or, one could just as easily stash a few of these in a pocket, and go to any store, place these on the shelves, next to the legit ones (they would have to be modeled after aftermarket cables though), and next thing you know, an unsuspecting customer comes in and buys a cable, gets an exploited one, and now, his computer can be exploited.

Hah, many public places like waiting rooms have USB charging stations, simply plug a cable in to this station, and sit back and wait for someone to plug a device in.
 
You can purchase a lightning cable similar to this which presents itself as a standard keyboard since keyboards are universally accepted without much issue. Once attached, scripts can run to remove it from the USB listing as described in the article, act as a keylogger because after all it is a keyboard, connect through your WiFi to your attacker, etc... They are expensive yet fun to play with.
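
Added example, not part of the original post: since the cable described above enumerates as a keyboard, a defender can compare each attached device's USB interface descriptors against an allowlist of approved input devices. The inventory, vendor/product IDs, product names and port names below are constructed for illustration; a real check would read them from the OS's USB enumeration.

```python
from dataclasses import dataclass

HID_CLASS = 0x03          # USB class code for Human Interface Devices
BOOT_SUBCLASS = 0x01      # HID boot-interface subclass
KEYBOARD_PROTOCOL = 0x01  # boot protocol code for a keyboard

@dataclass(frozen=True)
class UsbDevice:
    vid: int
    pid: int
    product: str
    port: str
    interfaces: tuple  # one (class, subclass, protocol) triple per interface

def hid_kind(dev):
    """Return 'keyboard', 'hid' or None for the strongest HID interface found."""
    kind = None
    for cls, sub, proto in dev.interfaces:
        if cls != HID_CLASS:
            continue
        if sub == BOOT_SUBCLASS and proto == KEYBOARD_PROTOCOL:
            return "keyboard"
        kind = "hid"  # non-boot HID: only its report descriptor says what it can send
    return kind

def unexpected_input_devices(devices, approved):
    """Flag HID devices that are not approved for the port they enumerated on."""
    findings = []
    for dev in devices:
        kind = hid_kind(dev)
        # VID/PID are self-reported and can be copied, so approval is bound to the port too.
        if kind and (dev.vid, dev.pid, dev.port) not in approved:
            findings.append((dev.port, dev.product, kind))
    return findings

# Constructed inventory: all IDs, names and ports are made up.
APPROVED = {(0x1111, 0x0001, "1-1")}
INVENTORY = [
    UsbDevice(0x1111, 0x0001, "Desk Keyboard", "1-1", ((0x03, 0x01, 0x01),)),
    UsbDevice(0x2222, 0x0002, "Flash Drive", "1-2", ((0x08, 0x06, 0x50),)),
    UsbDevice(0x3333, 0x0003, "Charge Cable", "1-3", ((0x03, 0x01, 0x01),)),
    # Same VID/PID as the approved keyboard, but on a port it was never approved for.
    UsbDevice(0x1111, 0x0001, "Desk Keyboard", "1-4", ((0x03, 0x01, 0x01),)),
    UsbDevice(0x4444, 0x0004, "Headset", "1-5", ((0x01, 0x01, 0x00), (0x03, 0x00, 0x00))),
]

if __name__ == "__main__":
    for port, product, kind in unexpected_input_devices(INVENTORY, APPROVED):
        print(f"port {port}: {product!r} exposes a {kind} interface, not approved")
```

A device that only shows its keyboard interface briefly will not appear in a one-off snapshot, so a check like this belongs on the attach event rather than on a periodic listing.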
 
so with just a few bens i can c what my female does when im not around? Sounds interesting dude. I gonna check thiz could help me 2 see if she is spying me social networks when im cheating on her u know what i mean?
 
Wow. Scary.

"Those concerned should buy cables directly from Apple without accepting free cables from anyone."

People give out free cables?
If you're a target yeah, typical nobody no.
Get a Sharpie and mark a spot on your cables. Problem solved.
Depending on your value as a target.
Still, plenty of ways for someone to cause lots of damage.
One could, say, place these cables in a Starbucks, or McDonalds (two places, with USB outlets). Wait for an unsuspecting customer to come in and plug a MacBook or iPhone in to charge, now as long as the attacker is within 300 feet of these computers (like, he's waiting outside in a car), he just has to install a remote-access exploit onto the computer, now he doesn't have to be "in the same room with it", he could be in another country, and still gain access.

So, he only needs physical access, and being in the same room, for long enough for an unsuspecting person to plug in a USB cable (presumably thinking it's going to charge the device).

Or, one could just as easily stash a few of these in a pocket, and go to any store, place these on the shelves, next to the legit ones (they would have to be modeled after aftermarket cables though), and next thing you know, an unsuspecting customer comes in and buys a cable, gets an exploited one, and now, his computer can be exploited.

Hah, many public places like waiting rooms have USB charging stations, simply plug a cable in to this station, and sit back and wait for someone to plug a device in.
Anybody who uses any public USB outlet is a fool deserving to be had. No need for a cable; the tech needed is available and deployed to build into USB enclosures in public places.
 
Hah, many public places like waiting rooms have USB charging stations, simply plug a cable in to this station, and sit back and wait for someone to plug a device in.
Some people check into the Hilton Hotel (or any public location) and create a 'new' network named Hilton Hotel WiFi (or duplicate the local free wifi). You would be amazed at how many people log into their bank accounts, iCloud accounts, Email Accounts, corporate accounts from a lobby using 'free' wifi.
Cables should not have logic in them.
That would be illogical.
 
Neat...hackers are getting smarter..

For the price, I hope Apple won't start selling them on the store. Otherwise you can bet people will buy them..

If these cables are undetectable, then Apple will be fooled as well.

Cables should not have logic in them.

Only bad ones, not good ones.
 
??? the OP thinks that $200 is prohibitively expensive for a criminal organization, government spy agency, or industrial spy...
Heck a hobbyist or jealous partner could afford it...

Also because the original report on vice is made by ****** journalists for Clickbait it looks like it is not a user privilege escalation so this is effectively just a keyboard exploit

I think he means it's prohibitively expensive to slip into the supply chain randomly. It's cheap if you are targeting a specific person.
A more realistic threat is as freebies at business to business tradeshows.

.

At $200 per unit? I don't think so.
 