Researcher Makes Legit-Looking iPhone Lightning Cables That Will Hijack Your Computer (vice.com) 42
A researcher known as MG has modified Lightning cables with extra components to let him remotely connect to the computers that the cables are connected to. "It looks like a legitimate cable and works just like one. Not even your computer will notice a difference. Until I, as an attacker, wirelessly take control of the cable," MG said. Motherboard reports: One idea is to take this malicious tool, dubbed O.MG Cable, and swap it for a target's legitimate one. MG suggested you may even give the malicious version as a gift to the target -- the cables even come with some of the correct little pieces of packaging holding them together. MG typed in the IP address of the fake cable on his own phone's browser, and was presented with a list of options, such as opening a terminal on my Mac. From here, a hacker can run all sorts of tools on the victim's computer.
The cable comes with various payloads, or scripts and commands that an attacker can run on the victim's machine. A hacker can also remotely "kill" the USB implant, hopefully hiding some evidence of its use or existence. MG made the cables by hand, painstakingly modifying real Apple cables to include the implant. "In the end, I was able to create 100 percent of the implant in my kitchen and then integrate it into a cable. And these prototypes at DEF CON were mostly done the same way," he said. MG did point to other researchers who worked on the implant and graphical user interface. He is selling the cables for $200 each.
Can't trust cables now. (Score:2)
Re: (Score:1)
I'm safe. I don't own any hardware that a darkening cable can plug into.
Re: (Score:2)
I'm safe. I don't own any hardware that a darkening cable can plug into.
Right, because this kind of an attack could never be adapted to work on a USB charging cable for anything other than an Apple phone and not attack anything other than a computer running macOS.
Why did this article not mention the possibility to attack anything other than Apple products?
Re: (Score:1)
It's an article about something real that has been produced, not possibilities.
Re: (Score:2)
What next? Do I need to be afraid if someone gives me a necktie?
Klaatu Verate Necktie...
Re: (Score:2)
Everyone who caught your reference should reply to your post. Both of us.
Old news: ripoff of old NSA idea (Score:1)
Re: (Score:2)
The real story is that he's selling lightning cables for only $200. After parts and labor, he's got to be taking a loss on each one. And if he's making them on his kitchen table by hand, he can't make up for it with volume.
Given that price tag, I'd bet that these cables would be more popular than the unmodified ones for a solid percent of Mac users.
New Rule: Security over Speed (Score:2)
Re:New Rule: Security over Speed (Score:5, Insightful)
I'm not sure it was a lack of common sense that caused this.
If I designed the USB spec in 1996, I would not have thought that a complicated chip could be embedded into a charging cable with no noticeable visual indicator that could pretend to be a keyboard - that could then send input to run pre-defined malicious commands.
It's a pretty clever hack, even if not totally original, though the packages might be.
I'm not sure what the cure is, I guess a pairing step similar to Bluetooth where the device also has to identify what kind of device it is. Even then half the people would just click yes to everything.
Re: (Score:2)
I'm not sure what the cure is, I guess a pairing step similar to Bluetooth where the device also has to identify what kind of device it is. Even then half the people would just click yes to everything.
Two-step verification every time a cable is plugged in?
Re: (Score:1)
Re: (Score:2)
How would that even work against this scenario? You accept that a new cable has been plugged in because you just plugged in the new cable you bought (but got swapped without your knowledge and without you noticing). Bam, payload delivered.
Re: (Score:2)
I suppose the device can authenticate with the manufacturer, your computer being the intermediary. And then your computer knows it can trust this device. The cable can have the usual public/private key and do the usual thing. At least you mitigate some degree of risk there.
Obviously, this is worthless in a number of common scenarios, like my computer is not fully up and running and connected to the internet. Click yes. Click yes.
Furthermore, someone who is scavenging parts from a real deal cable from a
Re: (Score:2)
One wonders how long it has been / or will be before the cheap cables you buy (from China, or indeed elsewhere) on Amazon have malicious chips built in?
I suspect right now the chips are such poor quality that they're literally getting "chinese whispers" rather than any real data from such cables (certainly if my recent cable-buying experience is anything to go by). But I'm sure "they" can solve that problem if they wish.
Re: (Score:2)
You mean like this?: https://www.bloomberg.com/news... [bloomberg.com]
Re: (Score:2)
Re: (Score:2)
It's not really the fault of the spec at all, as there is no reasonable solution on the hardware side.
The fix is as you suggest. When you plug something like a keyboard in the OS asks if you want to activate it. Well, it asks if you already have another keyboard or mouse plugged in, otherwise you couldn't answer the question.
It should at the very least warn you with something clear like "new KEYBOARD connected, if this isn't what you expected unplug now" with a big keyboard icon. If the user is dumb enough
Code execution? (Score:1)
Re: Code execution? (Score:1)
Possibly is there a mass storage component buried in the cable with an autorun on it?
The cable has to be mimicking something that a PC will default recognize.
Re: (Score:2)
It is an iPhone Lightning cable, and targets Macs. FTA:
Maybe have a passing familiarity with the subject matter before offering up your "expertise"?
Re: (Score:2)
I believe it functions as a Rubber Duck and runs the commands as a type of keyboard. This method tends to be more successful as an exploit than a USB drive with autorun.
Re: (Score:2)
Yes. The keyboard driver. You open up a terminal and redirect the TTY output to it. (This may or may not be how it is done in this case as details are sparse.)
Re: (Score:2)
Re: Somewhat Irresponsible (Score:1)
Re: (Score:2)
Re:Why does anybody need this? (Score:2)
Pentesting. An untested defense is an unknown defense.
Re: (Score:2)
Re: (Score:2)
Picture of Siemens PLC, the kind that was infected by Stuxnet: https://commons.wikimedia.org/... [wikimedia.org] There are a couple cables (not sure what kind) coming out of the bottom.
USB HID (Score:1)
So, I'm assuming it detects as USB HID when plugged in, drops payload via opening terminal and typing in code. That is essentially the backdoor. When done it disconnects data lines, bypassing the 8-bit microprocessor and making it a regular data cable.
Any way to not trust USB HID devices by default in macOS, Windows?
Re: (Score:2)
On Windows, yes, but good luck logging in to undo it if you have any issues.
Hard reboot 3-4 times in a row without logging in or shutting down properly used to start recovery mode, where you can load your last known good config.
Re: (Score:2)
Re: (Score:2)
A physical switch on the data lines.
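Added example, not part of the thread: one way to spot a "cable" that enumerates as a keyboard, as discussed above, is to list every USB interface that declares the HID class with the keyboard protocol and compare it against the keyboards you expect. The sketch assumes Linux's sysfs layout under `/sys/bus/usb/devices`; the allowlist, device names and IDs in the sample tree are constructed for illustration.

```python
from pathlib import Path
import tempfile

HID_CLASS, KEYBOARD_PROTOCOL = "03", "01"  # USB HID class, keyboard protocol

def _attr(directory, name):
    """Read one sysfs attribute file; return '' if it does not exist."""
    path = Path(directory, name)
    return path.read_text().strip() if path.is_file() else ""

def find_keyboards(root="/sys/bus/usb/devices"):
    """Map device name -> (vid:pid, product) for devices with a keyboard interface."""
    keyboards = {}
    for iface in sorted(Path(root).iterdir()):
        if ":" not in iface.name:       # interface dirs are named like '1-2:1.0'
            continue
        if (_attr(iface, "bInterfaceClass") == HID_CLASS and
                _attr(iface, "bInterfaceProtocol") == KEYBOARD_PROTOCOL):
            dev = iface.with_name(iface.name.split(":")[0])  # parent device dir
            ids = f"{_attr(dev, 'idVendor')}:{_attr(dev, 'idProduct')}".lower()
            keyboards[dev.name] = (ids, _attr(dev, "product"))
    return keyboards

def unexpected_keyboards(allowlist, root="/sys/bus/usb/devices"):
    """Return keyboards whose vid:pid is not in the allowlist of known devices."""
    return {d: k for d, k in find_keyboards(root).items() if k[0] not in allowlist}

def build_sample_tree():
    """Constructed sysfs-like tree: known keyboard, unknown keyboard, flash drive."""
    root = Path(tempfile.mkdtemp())
    sample = {
        "1-1": {"idVendor": "1111", "idProduct": "2222", "product": "Desk Keyboard"},
        "1-1:1.0": {"bInterfaceClass": "03", "bInterfaceProtocol": "01"},
        "1-2": {"idVendor": "aaaa", "idProduct": "bbbb", "product": "Charging Cable"},
        "1-2:1.0": {"bInterfaceClass": "03", "bInterfaceProtocol": "01"},
        "1-3": {"idVendor": "3333", "idProduct": "4444", "product": "Flash Drive"},
        "1-3:1.0": {"bInterfaceClass": "08", "bInterfaceProtocol": "50"},
    }
    for name, attrs in sample.items():
        (root / name).mkdir()
        for attr, value in attrs.items():
            (root / name / attr).write_text(value + "\n")
    return root

if __name__ == "__main__":
    hits = unexpected_keyboards({"1111:2222"}, build_sample_tree())
    for dev, (ids, product) in hits.items():
        print(f"unexpected keyboard interface on {dev}: {ids} {product!r}")
```

Descriptor fields are self-reported by the device, so a hit is a prompt to inspect the hardware rather than a verdict, and a clean result only means no unexpected device declared itself as a keyboard.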
Nothing new, but definitely cheaper than the NSA (Score:2)
The NSA was doing this ten years ago with COTTONMOUTH; while their product looks a lot more capable, it also costs $1M for 50 units; half the functionality for a tiny percentage of the price is a pretty good tradeoff.
https://en.wikipedia.org/wiki/... [wikipedia.org]
"Hi-Jack" chip (Score:2)
A chip like this could literally be placed inside almost any device. How do you know the keyboard you already own doesn't have a chip "sleeping" inside, waiting for its master to wake it?
A new wireless keyboard comes out. For the first year they ship them with no secret chips. People have all the time in the world to do tear-downs, inspections, reviews, etc. Once people move on and the price drops it looks more attractive. Then they start putting the chip in, and no one is the wiser. Who is going to do
How it works (Score:2)
From what I gather from the article, it poses as a keyboard and opens a terminal (shell/command prompt) using a keyboard shortcut.
“Control + Option + Shift + T”, it will open a new Terminal window
So basically, you can see it on the screen.. and the hacker has no way of seeing the output on the terminal.
And if the computer is locked, there is no way this will work while you are away?
Perhaps if the cable emulated a display, the hacker could see something.
Re: (Score:2)
I believe there's a USB class for display devices as well... at least that's how those driverless docking stations work where you plug in a USB 3 cable and get HDMI/DisplayPort outputs as well. It's not terribly great (bad framerate) but hey.
“the IP address of the cable”!? (Score:1)
Re: (Score:1)
The cable emulates keyboard when connected to computer, opens a terminal, writes a small stage1 script that fetches stage2 RAT software off the Internet. Exits the terminal and closes window. It happens so fast that you'd only see a window pop up for a split second.
The stage2 software connects to command and control servers. That's it.
Cable has such limited functionality required that an 8-bit microchip can do that.
The cable does not have an IP address. Implementing a functional TCP/IP stack on 8-bit AVR ch
unwanted deliveries (Score:2)