This Seemingly Normal Lightning Cable Will Leak Whatever You Type
Piracy. Disinformation. Monitoring. CYBER is Motherboard’s podcast and feature story on the dark underbelly of the Internet.
It looks like a Lightning cable, it works like a Lightning cable, and I can use it to connect my keyboard to my Mac. But it’s actually a malicious cable that can record anything I type, including passwords, and wirelessly send that data to a hacker who might be over a mile away. .
This is the newest version of a series of penetration testing tools designed by the security researcher known as MG. MG previously demonstrated an earlier version of the cables for the motherboard at the 2019 DEF CON hack conference. mass and cybersecurity vendor Hak5 started selling the cables.
But the most recent cables come in new physical variants, including Lightning to USB-C, and include more capabilities for hackers.
“There were people who said Type C cables were safe from this type of implant because there was not enough space. So clearly I had to prove that I was wrong. :), “MG told Motherboard in an online chat.
OMG cables, as they are called, work by creating a Wi-Fi hotspot on their own that a hacker can connect to from their own device. From there, an interface in a regular web browser allows the hacker to start logging keystrokes. The malicious implant itself takes up about half the length of the plastic shell, MG said.
MG said the new cables now have geolocation capabilities, where a user can trigger or block device payloads based on the physical location of the cable.
“It pairs well with the self-destruct feature if an OMG cable goes out of range of your engagement and you don’t want your payloads leaking or accidentally executed against random computers,” he said.
The motherboard only tested cables in relatively close proximity, but MG said it improved the range of the cables.
“We tested this in downtown Oakland and were able to trigger payloads over 1 mile,” he added.
He said Type-C cables allow the same type of attacks to be carried out on smartphones and tablets. Various other enhancements include the ability to change keyboard mappings, the ability to forge the identity of specific USB devices, for example by pretending to be a device that exploits a particular vulnerability on a system.
Apple did not respond to a request for comment. The MG cable set provided to the motherboard for testing also included a black USB-C to USB-C cable, which is said to be designed to mimic cables tied to various non-Apple products.
The ongoing pandemic has also complicated the cable manufacturing process, MG said.
“The pandemic has made an already difficult process much more difficult with the shortage of chips. If an individual component is out of stock, it is virtually impossible to find a replacement when fractions of millimeters are large. 12 months for some parts to be in stock, ”MG told Motherboard in an online chat. “We will easily lose $ 10,000 in cables when testing a process change. During the chip shortage, it’s hard not to look at such a loss and see a whole bunch of dead components that can’t be replaced for. more than a year.”
Subscribe to our CYBER cybersecurity podcast, here.