Security researchers always warn about not borrowing chargers, cables, or other electronic peripherals. A new USB Lightning Cable for the iPhone, called ‘OMG’, once again highlights the need for these words of wisdom.
A normal-looking USB Lightning Cable can easily record keystrokes, activate Wi-Fi Hotspots, ensure it remains undetected, and perform other malicious tasks. Threat actors have to merely ensure an unsuspecting Apple MacBook, iPhone, or iPad user plugs the same into the device.
Apple Inc. may have to fend off a new type of hardware-based hack using the ‘OMG’ Lightning Cable:
A security researcher who calls himself MG has crafted and demonstrated a new Lightning Cable, which has a USB Type-C version as well. The new cable looks identical to the standard Lightning Cable. In other words, there are no physical indications that could raise suspicions.
Underneath the plastic shell, the rogue Lightning Cable hides a microchip that offers multiple functions to eavesdrop and steal data, including keystrokes. In other words, a simple cable can steal user data, usernames, passwords, etc.
The rogue cable can log keystrokes when connected to the MacBook, iPad, and even iPhones. It then sends the captured data back to any unauthorized person
Concerningly, the threat actor need not have physical access to the victim’s device. The Lightning cable reportedly creates a Wi-Fi hotspot that is accessible by the hacker.
Rough Lightning Cable can cause a lot of harm while ensuring it stays undetected:
Using a web app, a threat actor can record keystrokes that the OMG Lightning Cable captures. Needless to add, the captured data is quite valuable for a number of reasons.
A new and upgraded version of a malicious Lightning cable that can steal user data and remotely send it to an attacker illustrates the threat of untrusted accessories. #OMGCable https://t.co/wVe9nUVm4t pic.twitter.com/eMLAo7Xzkq
— AppleInsider (@appleinsider) September 2, 2021
If that’s not concerning enough, the Lightning-like OMG cable also includes a geofencing feature. This feature, when triggered, can block the payloads of the device as per its location. In other words, the cable can understand and decipher its actual location, and can then decide about delivering the payload.
If you find a vuln, you can optionally automate an attack the way it was done here on the OMG Cable: https://t.co/1FNLHrDu6E
— _MG_ (@_MG_) August 27, 2021
Other improvements include being able to change keyboard mappings, and the ability to forge the identity of specific USB devices, such as pretending to be a device that leverages a particular vulnerability on a system.
The OMG Cable also has a USB Type-C to USB Type-C variant as well. Hence, technically, it is possible to weaponize the fastest-growing wired connection peripheral.
I can respect the work & effort that goes into this, esp with Geofencing … but also omg. I should be able to trust a damn cable. https://t.co/VgyLcsQMuu
— Robert McGovern (@tarasis) September 2, 2021
For reasons yet unknown, the security researcher has started mass producing the rogue cables. Needless to mention, these cables are a threat to an average user and the data their devices hold along with other information.