New malicious Lightning cable can steal user data from a mile away

2»

Comments

  • Reply 21 of 31
    Mike WuertheleMike Wuerthele Posts: 6,858administrator
    lkrupp said:
    Notice the disclaimer at the bottom of the article on the main page. If you buy this cable AppleInsider gets a commission? Can I buy this cable to snoop on and stalk my mistress?
    Generic disclaimer.
  • Reply 22 of 31
    gatorguygatorguy Posts: 24,176member
    Vermelho said:
    This will be your own cable if you buy it from somewhere like Amazon. If enough are sold, then hackers can look for them being used at cafes, airports, etc. 

    Simple solution is to only use Apple certified cables. 

    On a related note, was it just a rumor that data could be stolen using USB-A charging ports?
    The components are too expensive to seed into a competitive market for random access.

    But YES. A USB charging block or hub is much easier to implement this.  The miniaturization is very impressive on this cable, ostensibly to fool those who know real hardware is a dangerous vulnerability to physically connect to.  But, setting up a “charging station” where AC outlets are not readily available is a perfect ploy for the unwitting. You’d need a specific charging only cable for protection, and keeping track of which one (must be a dozen in my place) is an extra chore.

    Question tho: re keylogging passwords though - if I’m opening my phone with Face ID, enabling Apple ID to stay logged in, use password manager to autofill required logins, can any of this be captured?
    This is only a proof of concept, presumably made available so that security folks can create mitigations for it. 
    muthuk_vanalingam
  • Reply 23 of 31
    fred1fred1 Posts: 1,112member
    Vermelho said:
    The components are too expensive to seed into a competitive market for random access.

    Yes, but they wouldn’t be sold in order to make a profit, or even break even. They’d be sold at a financial loss in order to gain access. 
    cornchipwatto_cobra
  • Reply 24 of 31
    dewmedewme Posts: 5,335member
    macgui said:
    maestro64 said:
    How many of you just plugged your phone into a cable which was just laying on a table.
    I do. Because I know my cables. Do you go to some commune and not have your own kit? Geeze fkn Louise.

    Spend a few bucks and get a DC power connector that has only power connections, no data. Keep it in your kit and put it between your Mac and any foreign power supply or cable. Problem solved. Crisis averted.
    The issue here is that, at least for USB-A to Lighting, there’s no way to tell if a cable is only using the power pins. I’d imagine the new iMac 24’s power plug with integrated Ethernet design could be modified quite easily to it into a packet capture and telemetry device. It has power, it has access to the Ethernet pins, and it’s plugged directly into the target device. Hackers could probably put a microphone in it too. If you start seeing third party replacements for the iMac 24’s power brick/network connector on the web, or if a computer repair person offers to replace your power brick, think twice about it.

    I think the lesson here is to be cautious about anything that’s plugged into your device, just like you need to be caution about what WiFi networks you attach to. This Lightning cable hack is very analogous to the many different flavors of “skimmers” that are used to capture financial transaction credentials from POS terminals, pin pads, and ATMs.

    Also, keep in mind that it’s not always a single tap/probe method that is used to implement the hack. Hackers/skimmers sometimes have a nearby companion device to relay the captured data to a remote location or to store it locally for the later collection.    
    watto_cobra
  • Reply 25 of 31
    tundraboytundraboy Posts: 1,884member
    The cable was designed by a 'security researcher' for use by 'researchers and penetration testers'.  So it's supposed to be made with the best intentions for ethical use.

    But they chose to make it indistinguishable from standard cables.

    Yeah right, their motives are all above board.
    StrangeDayscornchiproundaboutnowwatto_cobra
  • Reply 26 of 31
    Really a non-worry. 
    Simple solution is use your own cables and chargers. 
    That only works if the third-party cable looks different from the Apple cable or if there's no way anyone could ever swap your cable for this one.

    A better solution is to place the iPhone and charger inside a Faraday bag right up to the USB dongle that you are connecting the cable to. But this assumes that nobody can tamper with your Faraday bag and replace it with a bag that looks like a Faraday bag, but isn't.

    watto_cobra
  • Reply 27 of 31
    Really a non-worry. 
    Simple solution is use your own cables and chargers. 
    That only works if the third-party cable looks different from the Apple cable or if there's no way anyone could ever swap your cable for this one.

    A better solution is to place the iPhone and charger inside a Faraday bag right up to the USB dongle that you are connecting the cable to. But this assumes that nobody can tamper with your Faraday bag and replace it with a bag that looks like a Faraday bag, but isn't.

    No that isn’t a good solution. If you put the phone and charger in a Faraday bag, then your phone will have no way of communicating. In fact if you leave your cellular on, the phone will consume more energy looking for a signal as the phone increases the RF power. This isn’t going to be used against the average person. Again, use your own cables and chargers would avoid problems for most people. If you want to be extra careful, wrap your cables with metal tape, decorate and label them, so no one can swap them without you knowing. The metal tape would shield the cables.
    watto_cobra
  • Reply 28 of 31
    thrang said:
    And yet people actively voice they want to open iOS to third party app stores that who content is developed, delivered, and transacts data without Apple's security and privacy layers. And don't say "well don't use a third party app store if it's a concern".... Given how we currently share information between family and friends in a secure iOS, environment, it doesn't take much to see how someone else using a nefarious third party app may unwittingly expose some identifiable information about me even if I steadfastly avoid third party apps.

    So if people will go to the extent of this cable hack, imagine what that might do if that had executable code on your phone that has not been vetted nor is monitored?

    If you sandbox third party apps to prevent data leakage, then you would lose access to everything else that makes an iPhone great - I doubt Apple would allow such external apps connectivity to Messages, Mail, Contacts, Files, Game Center, Photos, password manager, Wallet, Face or Touch ID, Continuity, Safari, Calendar, etc, etc, etc.....

    Frankly, I'm not very worried about this cable hack. But a third party app story would be extraordinarily detrimental and potentially dangerous.
    I agree, but remember we can mitigated our personal risk by not using third-party stores or payments.  I will be giving the respective government the finger by “voting” with my wallet.  I will only buy through the Apple App Store, I will only use Apple checkout or another trusted one like PayPal.  

    Just be cause some crooked politicians thinks forcing Apple to cut holes in the walled garden, doesn’t mean I will walk through them.
    Fidonet127watto_cobra
  • Reply 29 of 31
    eriamjheriamjh Posts: 1,631member
    Well, I freaking LOVE magsafe for iPhones even more now.
    watto_cobra
  • Reply 30 of 31
    Wow, what a misleading title to this article!

    You make it sound like the cable can be a mile away and steal my data. I'm pretty sure it has to be plugged into one of my devices, NOT be a mile away.


    watto_cobra
  • Reply 31 of 31
    danoxdanox Posts: 2,804member
    macgui said:
    maestro64 said:
    How many of you just plugged your phone into a cable which was just laying on a table.
    I do. Because I know my cables. Do you go to some commune and not have your own kit? Geeze fkn Louise.

    Spend a few bucks and get a DC power connector that has only power connections, no data. Keep it in your kit and put it between your Mac and any foreign power supply or cable. Problem solved. Crisis averted.
    Roommates, schools, and work easy targets.
Sign In or Register to comment.