New malicious Lightning cable can steal user data from a mile away
A new and upgraded version of a malicious Lightning cable that can steal user data and remotely send it to an attacker illustrates the threat of untrusted accessories.
Credit: MG
The OMG Cable, which looks exactly like a standard Lightning to USB cable, was first demoed back in 2019 by security researcher MG. Since then, MG was able to work with cybersecurity vendor Hak5 to mass-produce the cables for researchers and penetration testers.
Although users would be hard-pressed to find anything unusual about the cables from the outside, they pack some under-the-hood modifications that make them useful to hackers. An OMG cable plugged into a Mac to connect Apple's Magic Keyboard could, as an example, log passwords or anything else a user types and send that data to a remote attacker.
The new version of the OMG cable includes a Lightning to USB-C option and other upgraded capabilities for security researchers to test out, Vice reported Thursday.
"There were people who said that Type C cables were safe from this type of implant because there isn't enough space. So, clearly, I had to prove that wrong," security researcher MG told Vice.
For example, MG says the new cables have geofencing features that can switch attacks based on a victim's physical location. The range of the cables has also been improved, with researchers able to trigger malicious payloads from more than a mile away. The addition of USB-C connectivity could also -- in theory -- allow the cable to carry out attacks on mobile devices like the iPhone.
OMG cables, which are available from Hak5 for about $120, work by creating a Wi-Fi hotspot that an attacker can connect to from their own devices. Once connected, they can use a normal web browser interface to log keystrokes or carry out other attacks.
Comments
https://www.vice.com/en/article/k789me/omg-cables-keylogger-usbc-lightning
So if people will go to the extent of this cable hack, imagine what that might do if that had executable code on your phone that has not been vetted nor is monitored?
If you sandbox third party apps to prevent data leakage, then you would lose access to everything else that makes an iPhone great - I doubt Apple would allow such external apps connectivity to Messages, Mail, Contacts, Files, Game Center, Photos, password manager, Wallet, Face or Touch ID, Continuity, Safari, Calendar, etc, etc, etc.....
Frankly, I'm not very worried about this cable hack. But a third party app story would be extraordinarily detrimental and potentially dangerous.
Spend a few bucks and get a DC power connector that has only power connections, no data. Keep it in your kit and put it between your Mac and any foreign power supply or cable. Problem solved. Crisis averted.
“It looks like a Lightning cable, it works like a Lightning cable, and I can use it to connect my keyboard to my Mac.”
All the articles I’ve seen are highly misleading. They imply that simply plugging this cable into a device suddenly grants it access to all your passwords. It appears it’s nothing more than a keylogger hidden inside a cable that mimics a keyboard.
I want to see it actually stealing a password. I mean, if that’s what you’re claiming then prove it.
Simple solution is to only use Apple certified cables.
Question tho: re keylogging passwords though - if I’m opening my phone with Face ID, enabling Apple ID to stay logged in, use password manager to autofill required logins, can any of this be captured?