How many of you pay attention to what accessories you use with your iPhone, iPad, or Mac? Well, after reading this article, you will definitely want to take precautions before plugging in any accessory!
Security researchers have created an innocuous-looking USB-C to Lightning cable that conceals a keylogger that can steal your passwords and other sensitive data. According to Vice’s Motherboard, security researcher MG developed an ordinary-looking Lightning cable that records what users type on a keyboard and broadcasts it to a hacker who might be hundreds of yards away.
MG has updated his original O.MG Cable, developed two years ago, so that it works the other way around. With the original, hackers could wirelessly access the USB port of any device the cable was plugged into and take control of any Mac, iPhone, iPad, or other device that can accept input from a USB keyboard.
The O.MG Cable began as a proof of concept, but MG went on to mass-produce it and sell it as part of the Mischief Gadgets Collection by Hak5, a company that sells cybersecurity tools. O.MG has, however, created a USB-C version of the original O.MG Cable as well as a keylogger cable that captures and transmits keystrokes rather than accepting them from the hacker.
In an online chat with Motherboard, MG explained that the USB-C cable version was created in response to people who insisted that “Type C cables are safe from this type of implant because there is not enough space.”
The USB-C end of the cable is not only crammed with the necessary components, but it is also rendered almost indistinguishable from a legitimate Apple cable, at least to the untrained eye. In addition, new O.MG Cables offer much greater programmability than previous versions, enabling users to switch keyboard mappings, impersonate other USB devices, and even geofence the cable to only activate at certain locations.
The cables work just like normal Lightning to USB-C cables: you can sync with iTunes and charge your iPhone or iPad through them. The malicious implant is half the length of the plastic shell, so it does not interfere with the normal operation of the cable.
Although MG claimed he could receive data up to a mile away from the cable, that’s probably the best-case scenario. To be fair, logging keystrokes requires only a very small amount of bandwidth, so you can still use the interface even with a weak signal. A mile-long range is unlikely, however, except under near-perfect conditions, such as outdoors with an unobstructed line-of-sight path on a clear day.
What are the risks?
It should be noted that the O.MG Cable is a keylogger, which means it records only keystrokes that pass through it.
If you happen to find one of these cables, you don’t need to worry about a hacker stealing your information simply because you connected it to your iPhone or iPad. There’s no way for the cable to record keystrokes from the onscreen keyboard, since they are not sent out the Lightning port, nor can it capture input from a Bluetooth keyboard, even if the cable is also being used to charge the iPhone or iPad. As few people use wired keyboards with their iPhones and iPads, and even fewer do so with an untrusted cable, the chances of falling victim to this are rather slim.
Since it allows attackers to send keystrokes to your iPhone or iPad, the original O.MG Cable, now available in a USB-C version, actually presents a slightly higher risk. However, since they can’t override the lock code, they could only manage to get into the device while you’re still using it, in which case you’ll notice immediately. Also, the O.MG Cable cannot record what’s happening on your screen, so the hacker will have to work blind unless they are already within eyeshot of your device.
Additionally, neither the O.MG Cable nor the keylogging one is cheap, so it’s not like hackers are going to buy a bunch and leave them lying around in hopes that someone might pick one up and use it. Effectively, they can only be used for targeted attacks.
Regardless, it serves as a good reminder of why it’s important to buy MFi-certified cables and to watch out for counterfeit accessories. Even if you are unlikely to fall victim to the O.MG Cable unless you are specifically targeted, unauthorized and counterfeit accessories can still pose a wide range of safety risks.