A new and upgraded version of a malicious Lightning cable that can steal user data and remotely send it to an attacker illustrates the specter of untrusted equipment.
The OMG Cable, which looks exactly like a regular Lightning to USB cable, was first demoed back in 2019 by security researcher MG. Since then, MG was able to work with cybersecurity vendor Hak5 to mass-produce the cables for researchers and penetration testers.
Though users would be hard-pressed to find anything unusual about the cables from the outside, they pack some under-the-hood modifications that make them useful to hackers. An OMG cable plugged into a Mac to connect Apple’s Magic Keyboard could, for example, log passwords or anything else a user types and send that data to a remote attacker.
The new version of the OMG cable includes a Lightning to USB-C option and other upgraded capabilities for security researchers to try out, Vice reported Thursday.
“There have been people who said that Type C cables were safe from this type of implant because there is not enough space. So, clearly, I had to prove that wrong,” security researcher MG told Vice.
For instance, MG says the new cables have geofencing features that can switch attacks based on a victim’s physical location. The range of the cables has also been improved, with researchers able to trigger malicious payloads from more than a mile away. The addition of USB-C connectivity could also, in theory, allow the cable to carry out attacks on mobile devices like the iPhone.
OMG cables, which are available from Hak5 for about $120, work by creating a Wi-Fi hotspot that an attacker can connect to from their own devices. Once connected, they can use a standard web browser interface to log keystrokes or carry out other attacks.