Security Researcher Develops Lightning Cable With Hidden Chip to Steal Passwords

[Henry S]

1. Buy cables from reputable manufacturers.
2. Don't plug in a random cable you find lying around somewhere.
Problem solved

 

[verpeiler]

Ok, so I guess if a random person offers you a lightning-to-usb charging cable, don't accept it? It seems that the only realistic threat here would be someone close to you (friend or family member) switching your cable for this one.

So, you frequently hook up a keyboard on your phone? This is not about charging an iPhone, nothing happens when you do that with the mentioned cable.

 

[libertysat]

A chip that has wifi and can go nearly a mile - sorry but I ain't buyin it

 

[rpmurray]

That's why a USB data blocker is essential for traveling. The ones from Portapow work well:

Amazon.com: PortaPow

Amazon.com: PortaPow

www.amazon.com

Note to myself: Build key logger into counterfeit PortaPow.
Mass Produce.
Profit!

 

[usagora]

So, you frequently hook up a keyboard on your phone? This is not about charging an iPhone, nothing happens when you do that with the mentioned cable.

I called it a "charging cable" out of habit (and of course it IS charging your device when connected to a computer). My point still stands: this isn't really a viable threat unless you're in the habit of accepting cables from random strangers. Someone close to you would have to switch yours for this one. I don't see that as something that would be a common problem, but maybe I'm way off?

 

[usagora]

1. Buy cables from reputable manufacturers.
2. Don't plug in a random cable you find lying around somewhere.
Problem solved

Here's a potential scenario. You have a "friend" or colleague who decides to take advantage of you and switches out your standard cable for this one when you're not looking.

 

[_Spinn_]

Moral of the story is to never trust a random cable.

 

[tridley68]

Someone should figure out away that if you not knowingly are using one of these cables it should install a crypto lock or something like a worm that will Jack up the hackers machine

 

[Rigby]

Note to myself: Build key logger into counterfeit PortaPow.
Mass Produce.
Profit!

Won't fool me: the originals have a "window" in the plug through which you can see that there are no contacts for the data lines.

 

[justperry]

Scary!

Not at all, scaremongering.

1. you need to sell a target a cable which they might not need.
2. You might offer a cable to a target which, at this point in time, they don't need because their battery is charged.
3. The attacker needs to be in a certain range of the hotspot created, those do not have wide coverage.
4. The target needs to type something important, which is rarer than we might think, how often do we type a (new) password (for instance), most are autofilled.


Edit: And other reasons like the poster mentioned below.

So there's a lot of scaremongering and assumptions being thrown around here. For the key logging function you have to be using the cable to hook up between a keyboard and a device so the traffic can be sniffed. Wireless keyboard aren't affected. Onscreen keyboards aren't affected. iOS devices lock the USB port by default (the phone "unlock your phone to use the connected device" prompt you get when connecting to a car, etc) so it's not like this is going to allow an attacker any additional access to a locked phone.

Don't connect your device to random cables and you'll be fine.

Exactly this.

 

[genovelle]

Haha, yeah, that’ll teach people to try and save money!

That’ll teach them to not cheap out. I had a cheap cable take one of my devices and another where the plug melted after 2 weeks of use.
Never again.

 

[centauratlas]

None of your data is safe unless you have old enough devices from a simpler time, and they’re ineligible for updates. Maybe a Snow Leopard mac or original ipad or something. You just have to stay off the web with it to avoid security shortcomings. Leave your actual computer offline & restricted to your intranet only. Then consider a new device a burner, without any personal data on it, for internet use. Probably the only way forward in the total surveillance 0 privacy era.

We do something a little like this at my company for other reasons, just not so extreme. But i could see it for anyone who prefers a solid sense of security.

Back right after grad school, I worked at a place that had extreme precautions: for most devices, no network access at all. Doors to rooms with classified material were locked and access tracked. Internal only rooms for this material (so no exterior walls where there could access to the inside), where floors were raised in rooms so that they could verify what was going in/out below, ceilings monitored, walls/floors/ceilings that were EM shielded so that no EM radiation could escape. etc. No outside electronics, paper, pads, pens, pencils etc could go into the rooms or removed from the rooms.

Pretty much the opposite of everything today where the number of potential security holes is mind numbing.

 

[jlc1978]

What ? How can you ask such a question ? Why isn’t it legal to grow tobacco in your backyard - because it can seriously harm you ?!?!

It's perfectly legal in the US to grow tobacco for personal use, just not for sale. One of teh reasons sale is regulated it keeps prices higher since supply is controlled as well as creates a tobacco rowing license that you can sell if you own land that has it and do not grow it. In short, follow the money...

I could see the FBI and CIA wanting these for their surveillance efforts, however you just can't trust (by definition) that the people who sell these cables don't also have other back door capabilities built into the cables that could then get those organizations in trouble!

I suspect the CIA and NSA already have these types of devices only much better. These seem amateurish in terms of actual value for serious espionage.

Ok, so I guess if a random person offers you a lightning-to-usb cable, don't accept it? It seems that the only realistic threat here would be someone close to you (friend or family member) switching your cable for this one.

Nah, just drop them on the ground around your target; people tend to trust what they find and will likely try it out to see if it works.

 

[LV426]

So who will they sell to?

Perhaps it will come as standard with the new spiPhone 13.

 

[usagora]

Nah, just drop them on the ground around your target; people tend to trust what they find and will likely try it out to see if it works.

Good point. Of course, they'll need to follow the person to stay within range of them (or know where they live/work).

 

[Amazing Iceman]

So this is a Security Researcher who promotes illegal privacy breaches by manufacturing and selling this cable.
What makes him think it will not reach out to the masses?

What makes us think that there may not be already be a mass production of this cable in China?

I'm going to have to start buying my Lightning cables from Apple or a reputable vendor like Satechi or Choetech.

 

[jlc1978]

So it uses WiFI and an app, apparently; which would mean it broadcasts a signal, on public WiFi bands, that can be detected, even if they hide the SSID. Sniffing for new networks and seeing what happens when you plug / unplug a cable would help detect it, as code a spectrum analyzer near the suspect cable.

 

[x-evil-x]

Hope apple keeps their cables white because i never use them anyway. Barely use a cable anymore already.

 

[crescentmoon]

So who will they sell to?

state and federal law enforcement, NSA, CIA to name a few....

 

[docbop]

guess I should pay the $20 to apple instead of the $7 to an ebay seller to keep my info safe? Danggit that sucks!

Yes that way you know who's selling your demographic data to marketing companies and others.

 

[ChrisA]

>and then send this data to a bad actor who could be over a mile away. They work by creating a Wi-Fi

"a mile away"

"Wi-Fi"

These hackers need to work for Asus, Ubiquity, Linksys, etc. and improve WiFi range!

Just buy a directional (high gain) WiFi antenna and you can get over a mile of range. These are sold on Amazon, Newegg and other places.

 

[cmaier]

Patent violations?

Violating patents is not against the law. It’s a civil issue.

 

[Andrew Stone]

Looking at the picture at the top of the article, one of those cables seems to be a USB-A to Lightning cable, and the other appears to be a USB-C to USB-A cable, which Apple has never made.

 

[coachgq]

Why would eBay sellers sell these at $7 when they would cost far more than a "normal" cable? The most likely use of these is people planting a cable on somebody they know and can monitor nearby (read the article). This has nothing to do with cheap knock-offs vs original Apple cables.

I did (read the article). Learn to (recognize a joke).

 

[bearda]

Looking at the picture at the top of the article, one of those cables seems to be a USB-A to Lightning cable, and the other appears to be a USB-C to USB-A cable, which Apple has never made.

The've made a whole array of cables to target other devices besides Apple gear. Only the one with the lighting connector is new.