Apple iPhone Warning: Dangerous New Lightning Cable Now On Sale

This article is more than 4 years old.

Another reminder of the dangers of borrowing USB cables arrived over the weekend, with the news that an adapted iPhone Lightning cable that enables remote hacking of connected devices is now on sale. The OMG Cable, which looks and behaves just like an everyday Apple cable, was demonstrated to great effect at Def Con in August. It has now been prepared for “mass production.”

Despite operating as normal—phones charge, iTunes opens, the usual dialog boxes appear—the OMG Cable contains a nifty wireless implant that can be accessed by an attacker in its vicinity. The transparency of this project is interesting, given that this kind of capability is normally kept behind closed doors within security agencies or on the dark web. As such, it provides a powerful warning to users about the risk of using cables or accessories from anything but fully trusted sources.

The OMG Cables will be sold at Hak5, for around $100. The site describes the product as “a highly covert malicious USB cable—as soon as the cable is plugged in, it can be controlled through the wireless network interface that lives inside the cable.” At Def Con, the cable’s developer Mike Grover (MG) claimed he could access a device from up to 300 feet away, and if he configured the cable “to act as a client to a nearby wireless network,” the distance would become unlimited.

According to Hak5, the cable “allows new payloads to be created, saved, and transmitted entirely remotely. The cable is built with Red Teams in mind with features like additional boot payloads, no USB enumeration until payload execution, and the ability to forensically erase the firmware, which causes the cable to fall entirely back to an innocuous state. And these are just the features that have been revealed so far.”

After-market adaptations of USB cables are not unique. Security shows frequently exhibit dangerous charging cables that will access smart devices. Here the target is the computer to which the cable is attached, but the principle is the same. The OMG Cable is presented as a capability for the good guys, but it has frightening implications. Cables given as corporate gifts, provided by hotels or airport lounges, taxis or airlines, swapped out... the options are endless.

“The USB Police are gonna get me,” MG joked on Twitter, before warning that “Apple already makes this the hardest to do. They are the only ones doing a lot of it. Other types of cables are quite a bit easier to pull off.”

MG developed the OMG Cable as a “personal hardware learning project,” before it morphed into a full-scale development project. And it is this evolution from prototype to production-ready unit that has been occupying his time. Intel agencies around the world specialize in after-market adaptations of original equipment to ensure they pass muster and don't arouse suspicion. The highly-publicised availability of this kind of capability raises serious questions for manufacturers and the security community.

This has been a difficult few weeks for Apple on the security front, with various stories about iOS hacks and exploits, undermining its reputation as the more secure of the mass market device manufacturers. The OMG Cable isn’t helping.

MG told me that the cables “will be available in all the places Hak5 sells their tools,” assuring me when I asked about the safety of such sales that the site “has a well established way of handling the sales of pentest hardware like this.”

As for concerns that his technology might be misused, MG said people should be more aware than concerned. “And awareness is exactly what this drives. It also drives an increase in defensive measures. Malicious cables have existed for over a decade now,” he said, “but people just have not been aware.”

MG told me that he had something else in the works, with “a killer hardware feature.” If the OMG Cable is anything to go by, I can’t wait to see it.
