
MacRumors

macrumors bot
Original poster
Apr 12, 2001
68,706
39,622


A normal-looking Lightning cable that can be used to steal data like passwords and send it to a hacker has been developed, Vice reports.

The "OMG Cable" compared to Apple's Lightning to USB cable.

The "OMG Cable" works exactly like a normal Lightning to USB cable and can log keystrokes from connected Mac keyboards, iPads, and iPhones, and then send this data to a bad actor who could be over a mile away. They work by creating a Wi-Fi hotspot that a hacker can connect to, and using a simple web app they can record keystrokes.

The cables also include geofencing features that allow users to trigger or block the device's payloads based on its location, preventing the leakage of payloads or keystrokes from other devices being collected. Other features include the ability to change keyboard mappings and the ability to forge the identity of USB devices.



The cables contain a small implanted chip and are physically the same size as authentic cables, making it extremely difficult to identify a malicious cable. The implant itself apparently takes up around half of the length of a USB-C connector's plastic shell, allowing the cable to continue to operate as normal.

An x-ray view of the implanted chip inside the USB-C end of an OMG Cable.


The cables, made as part of a series of penetration testing tools by the security researcher known as "MG," have now entered mass production to be sold by the cybersecurity vendor Hak5. The cables are available in a number of versions, including Lightning to USB-C, and can visually mimic cables from a range of accessory manufacturers, making them a noteworthy threat to device security.

Article Link: Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords
 
The scariest part of all is what if a batch of cables sold by Apple are cables that include compromised chips? Idk. Right now this looks like a more targeted attack on high-profile personnel, but mass production, especially when the cost is going down enough, could easily mean mass data collection that Apple cannot control.

A USB-C version of this cable surely exists even though this one is for Lightning devices.
 
None of your data is safe unless you have old enough devices from a simpler time, and they’re ineligible for updates. Maybe a Snow Leopard Mac or original iPad or something. You just have to stay off the web with it to avoid security shortcomings. Leave your actual computer offline & restricted to your intranet only. Then consider a new device a burner, without any personal data on it, for internet use. Probably the only way forward in the total surveillance 0 privacy era.

We do something a little like this at my company for other reasons, just not so extreme. But I could see it for anyone who prefers a solid sense of security.
 
Bluetooth keyboards are fine tho? (Bluetooth, unlike USB, is encrypted) The cable logs keystrokes only if keystrokes are passed through them.
 
  • Like
Reactions: gatortpk
Easier and more discreet to buy Pegasus, which remains unpatched.
 
This can only be a threat to device security if I'm using cables which are randomly lying around or if I buy cables from stores/companies I don't know or trust.
 
It makes the computer or phone create the network

I'm going to call BS on this. A powerful compute module with memory, wifi with somehow a one mile range, and location services for geofencing, all in half a USB-C connector?

It makes the computer create the network
 
  • Like
Reactions: gatortpk
So there's a lot of scaremongering and assumptions being thrown around here. For the key logging function you have to be using the cable to hook up between a keyboard and a device so the traffic can be sniffed. Wireless keyboards aren't affected. Onscreen keyboards aren't affected. iOS devices lock the USB port by default (the phone "unlock your phone to use the connected device" prompt you get when connecting to a car, etc) so it's not like this is going to allow an attacker any additional access to a locked phone.

Don't connect your device to random cables and you'll be fine.
 