Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords

[MacRumors]

A normal-looking Lightning cable that can used to steal data like passwords and send it to a hacker has been developed, Vice reports.

The "OMG Cable" compared to Apple's Lightning to USB cable.​

The "OMG Cable" works exactly like a normal Lightning to USB cable and can log keystrokes from connected Mac keyboards, iPads, and iPhones, and then send this data to a bad actor who could be over a mile away. They work by creating a Wi-Fi hotspot that a hacker can connect to, and using a simple web app they can record keystrokes.

The cables also include geofencing features that allow users to trigger or block the device's payloads based on its location, preventing the leakage of payloads or keystrokes from other devices being collected. Other features include the ability to change keyboard mappings and the ability to forge the identity of USB devices.

The cables contain a small implanted chip and are physically the same size as authentic cables, making it extremely difficult to identify a malicious cable. The implant itself apparently takes up around half of the length of a USB-C connector's plastic shell, allowing the cable to continue to operate as normal.

An x-ray view of the implanted chip inside the USB-C end of an OMG Cable.​

The cables, made as part of a series of penetration testing tools by the security researcher known as "MG," have now entered mass production to be sold by the cybersecurity vendor Hak5. The cables are available in a number of versions, including Lightning to USB-C, and can visually mimic cables from a range of accessory manufacturers, making them a noteworthy threat to device security.

Article Link: Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords

 

[jlc1978]

So who will they sell to?

 

[Glenny2lappies]

Scary!

 

[coachgq]

guess I should pay the $20 to apple instead of the $7 to an ebay seller to keep my info safe? Danggit that sucks!

 

[infiniteentropy]

"Thanks I hate it!"

 

[cmaier]

Cool, where do I buy them?

 

[AngerDanger]

guess I should pay the $20 to apple instead of the $7 to an ebay seller to keep my info safe? Danggit that sucks!

Haha, yeah, that’ll teach people to try and save money!

 

[matt_and_187_like_this]

Free marketing for Apple (or maybe... jk)

 

[Shirasaki]

The scariest part of all is what if a batch of cable sold by Apple are cables that include compromised chips? Idk. Right now this looks like a more targeted attack on high-profile personnel, but mass production, especially when the cost is going down enough, could easily mean mass data collection that Apple cannot control.

USB-C version of this cable surely exists even though this one is for lightning devices.

 

[TheYayAreaLiving 🎗️]

Wow! That’s very scary. Come up with a port less iPhone already, Apple in 2022.

 

[zorinlynx]

>and then send this data to a bad actor who could be over a mile away. They work by creating a Wi-Fi

"a mile away"

"Wi-Fi"

These hackers need to work for Asus, Ubiquity, Linksys, etc. and improve WiFi range!

 

[ThunderSkunk]

None of your data is safe unless you have old enough devices from a simpler time, and they’re ineligible for updates. Maybe a Snow Leopard mac or original ipad or something. You just have to stay off the web with it to avoid security shortcomings. Leave your actual computer offline & restricted to your intranet only. Then consider a new device a burner, without any personal data on it, for internet use. Probably the only way forward in the total surveillance 0 privacy era.

We do something a little like this at my company for other reasons, just not so extreme. But i could see it for anyone who prefers a solid sense of security.

 

[Maclver]

So who will they sell to?

No one.... They will probably sit in the airport and plug them into the charging stations

 

[abbeybound]

I'm going to call BS on this. A powerful compute module with memory, wifi with somehow a one mile range, and location services for geofencing, all in half a USB-C connector?

 

[bearda]

So who will they sell to?

Anyone who's willing to pay for it.

 

[Reindeer_Legal]

Bluetooth keyboards are fine tho? (bluetooth, unlike USB, is encrypted) The cable logs keystrokes only if keystrokes are passed through them.

 

[xpxp2002]

Old news...

Security researcher says this modified Lightning cable can hack your Mac

It looks like a harmless Lightning cable but looks can be deceiving.

www.imore.com

 

[JPack]

Easier and more discreet to buy Pegasus, which remains unpatched.

 

[B4U]

And why are they mass producing them now? 🤔

 

[Mr.Blacky]

This can only be a thread to device security, if I'm using cables which are randomly lying around or if I buy cables from stores/companies I don't know or trust.

 

[JPack]

And why are they mass producing them now? 🤔

To make money.

 

[ersan191]

"who could be over a mile away"

Damn the WiFi in my house barely reaches my garage, maybe I need one of these cables.

 

[Satch111]

It makes the computer or phone create the network

I'm going to call BS on this. A powerful compute module with memory, wifi with somehow a one mile range, and location services for geofencing, all in half a USB-C connector?It makes the computer create the network

 

[SactoGuy18]

I'll just keep buying Anker cables from Amazon.

 

[bearda]

So there's a lot of scaremongering and assumptions being thrown around here. For the key logging function you have to be using the cable to hook up between a keyboard and a device so the traffic can be sniffed. Wireless keyboard aren't affected. Onscreen keyboards aren't affected. iOS devices lock the USB port by default (the phone "unlock your phone to use the connected device" prompt you get when connecting to a car, etc) so it's not like this is going to allow an attacker any additional access to a locked phone.

Don't connect your device to random cables and you'll be fine.