
Legit-Looking iPhone Lightning Cables That Hack You Will Be Mass Produced and Sold (vice.com)

An anonymous reader quotes a report from Motherboard: Soon it may be easier to get your hands on a cable that looks just like a legitimate Apple lightning cable, but which actually lets you remotely take over a computer. The security researcher behind the recently developed tool announced over the weekend that the cable has been successfully made in a factory. MG is the creator of the O.MG Cable. It charges phones and transfers data in the same way an Apple cable does, but it also contains a wireless hotspot that a hacker can connect to. Once they've done that, a hacker can run commands on the computer, potentially rummaging through a victim's files, for instance.

After demoing the cable for Motherboard at the Def Con hacking conference this summer, MG said "It's like being able to sit at the keyboard and mouse of the victim but without actually being there." At the time, MG was selling the handmade cables at the conference for $200 each. Now that production process has been streamlined. This doesn't necessarily mean that factories are churning out O.MG Cables right now, but it shows that their manufacture can be fully outsourced, and MG doesn't have to make the cables by hand.

  • Solution (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Monday September 30, 2019 @09:09PM (#59254798)

    Don't let other people charge their devices by plugging into your computer's USB ports.

    • Would be nice if USB had more facilities for a configurable firewall (both in software, and at the chipset); I think VEN/DEV whitelisting and brute force detection would probably be adequate for most cases, but some sort of additional authentication/pairing system would be potentially useful (if inconvenient, by necessity).
      • That'll be coming along soon enough, I'm sure. In the interests of "Trusted Platforms" they'll probably require certificates signed by a Microsoft CA, though, instead of just relying on vid/pid combinations (which can actually be reprogrammed on a lot of things).
      • The problem here is that there's a WiFi chip hidden in the connector... it's just as bad as any other USB takeover. Firewall won't solve this, it claims to be your iPhone and you'd never block that.

      • It's already somewhat doable. I'm typing this on a computer running Qubes [qubes-os.org], which takes security seriously.

        The USB controllers are attached to a dedicated VM using VT-d. When I plug in a keyboard or phone to my computer, only that VM will see it. If I want to transfer files, then it's handled by a service which just transfers files between VMs. If I want to use it as a keyboard, I have to explicitly allow it. If I want another VM to have raw access to the USB device, I have to select it from a menu and

        • The USB system in general accepts pass-through connections... so this comes in yelling "I've got 2 ports, one for the iPhone and one for WiFi."

          • Not so with Qubes! It proxies each endpoint separately. If this cable presents itself as a hub with an iPhone and a keyboard, you will see two devices in the menu. If you tell it to attach the iPhone to an application VM, it proxies just the iPhone. The root, hub, and keyboard don't get presented to the AppVM.

    • Re:Solution (Score:4, Funny)

      by 110010001000 ( 697113 ) on Monday September 30, 2019 @09:22PM (#59254824) Homepage Journal

      What if she is really cute?

    • I'm not sure why we connect over USB anymore. Right now my iPhone's on a dock stand for wireless power... which is connected to power, not my computer. Sync'ing happens over WiFi.

    • by AmiMoJo ( 196126 )

      The optimal solution is to make the OS not automatically install and use any random USB device that gets plugged in. Instead have it ask for permission each time.

      Unfortunately that would be very annoying for the user. There is no way to authenticate USB devices (many don't have a serial number and it's easily cloned anyway) so it would have to ask every time. It would only really work on laptops too because obviously you need some way to give permission to use your external USB keyboard/mouse.

      • "It would only really work on laptops too because obviously you need some way to give permission to use your external USB keyboard/mouse."

        Press the power button once within five seconds in order to recognize a new input device. Problem solved.

    • by Misagon ( 1135 )

      This is why PCs in security-conscious environments don't have any open ports.
      All USB ports are inside a lockable enclosure with a grate with metal fingers for the cables to go through.
      All new devices have to be inspected by the IT department before being allowed. Extension cables/Type B ports are not allowed.

  • My 486 doesn't even support USB.
  • If you're plugging random cables into your laptop, you deserve to have all your business stolen.

    I hardly see how this would be considered a 'hack'. This is like someone leaving their key under the doormat. That doesn't make a burglar a master lock picker.

    • Re:Seriously? (Score:5, Insightful)

      by joe_frisch ( 1366229 ) on Monday September 30, 2019 @10:37PM (#59254988)

      If they look like standard cables it might be possible to swap one - in a hotel room, or maybe even on an airplane or in an office. Could also sell them on Amazon to selected customers.

    • by vux984 ( 928602 )

      Yeah! That's why you only use brand new sealed cables, from a trustworthy vendor.

      The moment you lose continuous visual contact with any cable you immediately shred it, and then open a new package.

      Sure, if some creepy weirdo handed me a cable and then giggled as he walked away I'd think twice about using it, but one of my many cables, or dongles, got swapped with a reasonable facsimile when I wasn't looking... I wouldn't likely notice.

      "This is like someone leaving their key under the doormat."

      It's more like someone swapping your doormat with one of their own that mo

      • by AmiMoJo ( 196126 )

        Even sealed cables are not necessarily safe. We know that the NSA intercepts Cisco equipment during shipping to the customer, and installs hardware backdoors before sending it on. Presumably other vendors are affected and they could easily open up your iPhone package to replace the cable.

        Call me paranoid but I always buy cables and hard drives/SSDs in person with cash at different shops. On older ones I used to desolder the firmware flash memory and verify it against a known good image, but these days the f

  • What if someone mass produced a device that looked like a thumbdrive that connected to USB that contained a hotspot? No one would be safe. Want to donate to my Kickstarter?

  • by Streetlight ( 1102081 ) on Monday September 30, 2019 @09:36PM (#59254858) Journal
    ... as well as local police departments, foreign governments, etc. And, $200 seems pretty cheap for these things. The developer probably could charge in the tens of thousands of dollars or more for each cable.
  • Force USB drivers to be unable to transfer data without end to end encryption. I mean, we are able to make it hard to get hacked through wifi .. which is even crazier. Anyway, require and force end to end encryption before processing any data. The only parts that will require secure coding then is the encryption setup between the peers .. but that shouldn't be impossible -- check the bounds and format of every input. Yes I am aware of the recent iOS "unfixable" usb hack, but that stuff can be protected agai

    • Current WiFi is easy to breach still... it just requires somebody giving up the password. This report is that a USB cable given permission to touch iTunes gets enough info for a takeover or leak.

      We used to say images could not contain viruses... but that fell a long time ago. This is like a MiFi chip, it turns the USB connector into a WiFi system that the spy can use.

    • Data transfer speeds are approaching the limits of practical hardware AES. Other encryption algorithms are too slow, so are just used for the initial exchange of an AES key. Subsequent data transfers are encrypted with hardware AES. While it's possible for AES to hit Tbps speeds if you throw an entire gaming GPU at it, the AES chips typically found on computers max out at Gbps speeds. Heck, USB with Thunderbolt already supports DMA (direct memory access - the Thunderbolt device can read data straight fr
  • Sounds like this is a cool Hacker toy... the police and Feds would love having a few of those.

  • SUPER easy fix on the OS side.

    Game over man.

    Please correct me if I am wrong.

  • ... that a driver be installed for that hidden WiFi device I just plugged into my USB port? Because if I get a popup to that effect, I'm going to be really, really suspicious.

    • No, I believe it says that it is a keyboard, and you probably already have drivers installed for that. The Wifi part in the device is just for the attacker to have something to connect so that she can command the device.

      I would guess that when activated, the device does something like imitating a keyboard sending "[Command]-Space terminal.app [Enter]" and then use keystrokes or curl to put whatever code the attacker wants onto the machine.

  • Apple products can't be hacked.......
    They are certified UNIX and we all know UNIX can not be hacked.

    • Nope... this thing can insert keystrokes into any Mac with USB. It just has to register as a wireless keyboard/mouse.. and you'll notice that modern connections for such things are small enough to fit in the connector.

      • Not wireless, it connects as a USB keyboard.
        Bluetooth/wireless devices can not automatically connect to a Mac, the user has to authenticate them first.

  • Isn't the data exchanged between a PC and an iPhone being encrypted?
    • Encryption isn't the solution here... the iPhone-PC link is secure, but the WiFi chip in the connector can insert keystrokes and mouse movements by claiming it's HID, and that gives up most of the PC.

      • We already have pairing authentication on bluetooth keyboards, and occasionally on mice.

        "Type this number displayed above on the keyboard and press RETURN to finish pairing"

        Currently, many USB devices have a serial number they send on connect, although the format isn't very standardized. It's possible to identify, for example, a USB flash drive by its serial number when plugged in. "this one's safe, we don't have to do any validation on it". The same could be done with HID devices, which would at least a

        • This device is almost literally a man-in-the-middle. How would you ensure that a machine that knows nothing a priori about the peripheral accepts only connections from that peripheral, rather than the cable simply replaying the serial number?

  • Presumably it would be pretty easy to build something that both detects and fries the offending circuit. A charging cable should be nothing but two connectors and a cable. By running high voltage and the max current tolerated by the connectors and cable it should be possible to destroy the embedded circuit. Anyone for a Kickstarter to build such a device?
  • As laptops and desktops go to USB-C/Thunderbolt, the problem with attaching peripherals becomes worse and worse.

    Old-school USB typically goes through standard operating system I/O but the modern stuff all allows Direct Memory Access attacks. These are very tricky [thehackernews.com] to harden against. Devices or device cables that implement them are much more worrying than USB-mode malware.

  • I have to wonder, if someone gave me a cable to help me charge my phone and it was one of these types that are for spying, what legal rights do I have?

    I see this as one heck of an issue happening in dating when you visit someone's house and you just "plug in" to get charged up.

    Also, I did not read the article, any basic alerts you can set up to prevent this or observe what the spy/hacker is doing?
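
On the alerting question above, and the VID/PID allowlisting and identity-replay points raised earlier in the thread: the sketch below is an added example, not part of any comment and not code from the O.MG project or any USB tool. It checks each attach event against the interface set recorded at approval time; the allowlist layout, function names and all device IDs are hypothetical, constructed sample data.

```python
# Added example. Every device record and ID below is constructed sample data.
HID, KEYBOARD = 0x03, 0x01  # USB class code for HID; interface protocol for keyboard

# Hypothetical allowlist: "vid:pid" -> interface triples (class, subclass, protocol)
# recorded when the device was approved.
ALLOWLIST = {
    "aaaa:0001": {(0x06, 0x01, 0x01), (0xFF, 0xFE, 0x02)},  # phone
    "bbbb:0002": {(HID, 0x01, KEYBOARD)},                   # desk keyboard
}


def has_keyboard(interfaces):
    return any(cls == HID and proto == KEYBOARD for cls, _sub, proto in interfaces)


def evaluate(device, attached):
    """Return the findings for one attach event; an empty list means allow.

    `attached` is the list of device records that are already connected.
    """
    ident = f"{device['vid']}:{device['pid']}"
    interfaces = set(device["interfaces"])
    approved = ALLOWLIST.get(ident)
    findings = []
    if approved is None:
        findings.append("unknown vid:pid")
    elif interfaces - approved:
        # IDs can be cloned, so also compare the shape of the device.
        findings.append("interfaces not seen at approval")
    if has_keyboard(interfaces):
        if approved is None or not has_keyboard(approved):
            findings.append("unapproved keyboard interface")
        elif any(has_keyboard(d["interfaces"]) for d in attached):
            # A replayed identity still shows up as a second keyboard.
            findings.append("second keyboard while one is attached")
    return findings


DESK_KEYBOARD = {"vid": "bbbb", "pid": "0002", "interfaces": [(HID, 0x01, KEYBOARD)]}
PHONE = {"vid": "aaaa", "pid": "0001",
         "interfaces": [(0x06, 0x01, 0x01), (0xFF, 0xFE, 0x02)]}
# Constructed: claims the phone's IDs but adds a keyboard interface.
PHONE_PLUS_HID = {**PHONE, "interfaces": PHONE["interfaces"] + [(HID, 0x01, KEYBOARD)]}
# Constructed: replays the desk keyboard's IDs exactly.
CLONED_KEYBOARD = dict(DESK_KEYBOARD)
```

A cloned keyboard identity still passes when no other keyboard is attached, which is the replay limit raised in the thread; on such a host the unknown-ID and interface-set checks are the only signals.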
