Apple's Beats brand in April unveiled the Powerbeats Pro, a redesigned wire-free version of its popular fitness-oriented Powerbeats earbuds.
Security Researcher Develops Lightning Cable That Gives Hackers a Way to Remotely Infiltrate Your Computer
A security researcher named MG has developed a Lightning cable replacement that can give hackers a way to remotely access your computer, reports Motherboard.
The cables in question (dubbed O.MG Cables) are cables directly from Apple that have been opened up to allow for additional components to be implanted, but the modifications are undetectable and there's no way to distinguish the hacked cable from the original.
Image via Motherboard
When plugged into a target computer, the cable behaves as a typical cable does, connecting to and charging iOS devices, but it also lets hackers remotely connect to a machine to run commands. It comes equipped with scripts and commands that a hacker can run on a victim's machine, along with tools to "kill" the USB implant to hide evidence of its existence.
It's not clear if there is any defense against this kind of hack, but it sounds like these cables are prohibitively expensive and limited in availability at the current time. Those concerned should buy cables directly from Apple without accepting free cables from anyone. Apple may also be developing a mitigation and has previously restricted other USB access techniques through USB Restricted Mode.
The cables in question (dubbed O.MG Cables) are cables directly from Apple that have been opened up to allow for additional components to be implanted, but the modifications are undetectable and there's no way to distinguish the hacked cable from the original.
When plugged into a target computer, the cable behaves as a typical cable does, connecting to and charging iOS devices, but it also lets hackers remotely connect to a machine to run commands. It comes equipped with scripts and commands that a hacker can run on a victim's machine, along with tools to "kill" the USB implant to hide evidence of its existence.
MG typed in the IP address of the fake cable on his own phone's browser, and was presented with a list of options, such as opening a terminal on my Mac. From here, a hacker can run all sorts of tools on the victim's computer.In a test with Motherboard, MG was able to connect his phone to a WiFi hotspot that the cable was emitting. He said he needed to be within 300 feet to access the target machine, but also said that the cable can be configured to act as a client for a nearby wireless network, potentially allowing for hacking from an unlimited distance.
"It's like being able to sit at the keyboard and mouse of the victim but without actually being there," MG said.
"I'm currently seeing up to 300 feet with a smartphone when connecting directly," he said, when asked how close an attacker needs to be to take advantage of the cable once a victim has plugged it into their machine. A hacker could use a stronger antenna to reach further if necessary, "But the cable can be configured to act as a client to a nearby wireless network. And if that wireless network has an internet connection, the distance basically becomes unlimited."MG imagines the cable could be swapped in for a target's legitimate cable or gifted to someone because it looks exactly like an Apple cable, complete with accurate packaging. Each of these cables were made by hand and are being sold by MG for $200, but he is teaming up with a company to produce them as a legitimate security tool.
It's not clear if there is any defense against this kind of hack, but it sounds like these cables are prohibitively expensive and limited in availability at the current time. Those concerned should buy cables directly from Apple without accepting free cables from anyone. Apple may also be developing a mitigation and has previously restricted other USB access techniques through USB Restricted Mode.
[ 161 comments ]
Top Rated Comments
(View all)
2 weeks ago
Wow. Scary.
"Those concerned should buy cables directly from Apple without accepting free cables from anyone."
People give out free cables?
"Those concerned should buy cables directly from Apple without accepting free cables from anyone."
People give out free cables?
2 weeks ago
I think the scariest part of this is that it shows that should a supply chain be compromised, and secret components added to the manufacturing process, it would be virtually impossible to detect prior to normal use.
Good work though. It might lead to more 'do you trust this keyboard?' prompts though...
Good work though. It might lead to more 'do you trust this keyboard?' prompts though...
2 weeks ago
Get a Sharpie and mark a soot on your cables. Problem solved.
Attacker has ability to embed a small computer and wireless transceiver in a tiny USB cable and covertly connect to it.
Attacker can't figure out how to use a Sharpie.
2 weeks ago
I'm finding that Anker makes pretty good alternatives.
That would be the opposite of what you want. You want a supplier that you know has strong supply chain security protections. Anker is a foreign-owned company which, for even mid-level security regulations, disqualifies it right there.
Plus, buying from Amazon is the absolute worst because they co-mingle inventory. Somebody could send tampered cables for sale via FBA, and they would send them to you as sold by Amazon or Anker. Buying from mail order allows for targeted attacks, even somebody swapping the package on your porch. The safest would be to walk right into a random Apple store and select a box off the shelf.
2 weeks ago
This isn't even new. Its been around for a year:
https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/
https://www.bleepingcomputer.com/news/security/usbharpoon-is-a-badusb-attack-with-a-twist/
2 weeks ago
Each of these cables were made by hand and are being sold by MG for $200, but he is teaming up with a company to produce them as a legitimate security tool.
..., but it sounds like these cables are prohibitively expensive
??? the OP thinks that $200 is prohibitively expensive for a criminal organization, government spy agency, or industrial spy...
Heck a hobbyist or jealous partner could afford it...
Also because the original report on vice is made by ****** journalists for Clickbait it looks like it is not a user privilege escalation so this is effectively just a keyboard exploit
[ Read All Comments ]
Netflix is testing a human curated discovery feature on iOS called "Collections" that surfaces TV shows and movies the user might be interested to watch (via TechCrunch).
Collections in...
Following a couple of weeks of trickling out early invitations, Apple this week launched Apple Card for all U.S. customers, offering broad access to the new digital and physical credit card issued in...
For this week's giveaway, we've teamed up with Vessel to offer MacRumors readers a chance to win a Signature 2.0 Backpack.
Vessel makes all kinds of backpacks, briefcases, and bags, but...
Discounts on the latest iMacs remain ongoing this month, with Amazon and B&H Photo now offering a new all-time-low price on the 27-inch Retina iMac with 8GB RAM and a 1TB Fusion Drive. This model...
Google and Apple calendars are not playing friendly right now.
As alerted to us by multiple MacRumors readers, there appears to be a syncing issue with Google Calendar and Apple's...
Apple Music today launched a new curated playlist called "New Music Daily," which as the name suggests, is updated every day with fresh songs.
Made up of "new music you simply...
Taylor Swift revealed today on Instagram that she will be the next partner in Apple's "Music Lab" sessions, which are available in Apple retail stores.
The Music Lab session will...
Satechi today announced the Type-C Dual Multimedia Adapter, which plugs into two of the MacBook Pro's USB-C ports to offer a handful of add-on ports.
In total, this includes: one 4K HDMI...
