Lightning cable leaks everything you type

Security researchers have developed an innocuous-looking USB-C to Lightning cable that hides a keylogger capable of stealing your passwords and other personal information. It is another reminder of why you should be cautious about which accessories you plug into your iPhone, iPad, or Mac.

Vice reports that a security researcher who goes by the moniker MG has developed a Lightning cable that records everything a user types when it is attached to a keyboard, then wirelessly transmits the data to hackers up to a mile away.

Image: Motherboard

MG's cable is an update of the original technology developed two years ago. With the original, hackers could connect wirelessly to a cable plugged into a device's USB port and control Macs, iPhones, iPads, and other devices that supported USB keyboard input.

The O.MG Cable was initially a proof of concept that MG later put into mass production. It is now sold by Hak5, a company that sells cybersecurity tools, as part of its Mischief Gadgets Collection.

In addition to the original O.MG Cable, MG now offers the O.MG Keylogger Cable, which captures and transmits the user's own input instead of receiving input from a hacker.

The USB-C cables were created in response to people who argued Type C cables were unsuitable for this type of implant because they didn’t have enough space.

Interior of an O.MG Cable. Image credit: MG

Yet, in addition to packing all the components into the USB-C end of the cable, MG also managed to hide them in such a way that the cable is virtually indistinguishable from a legitimate Apple cable.

Unlike previous cables, the new ones are programmable and can be customized in a large number of ways. The attacker can even alter keyboard mappings, impersonate other USB devices, or geofence a cable so that it only activates at specific locations.

Besides that, the cables work just like normal Lightning to USB-C cables, so you can charge your iPhone or iPad and sync it with iTunes. Because the malicious implant occupies only half of the cable, it doesn’t interfere with the normal functioning of the cable.

Who’s at Risk?

O.MG Cables are keyloggers, which are designed only to record keystrokes that flow through the cable.

The O.MG Cable creates its own Wi-Fi hotspot, which hackers can connect to in order to access sensitive information. The hacker starts recording keystrokes using an interface in a normal web browser. The malicious implant takes up about half the length of the plastic shell, MG explained.

One of these is a malicious OMG Cable. Image: Motherboard.

Simply plugging one of these cables into your iPhone or iPad does not let a hacker steal any information from you. Onscreen keystrokes are not sent through the Lightning port, and Bluetooth keyboard input will not be logged, even when the cable is being used to charge the phone or tablet at the same time.

Since few people use wired keyboards with their iPhones and iPads, and even fewer use untrusted cables, there is little chance of getting stung.

The cables are also not inexpensive. The O.MG Cable sells for $130, while the keylogging one costs $180. There's no way hackers would buy a bunch of these and then leave them lying around in hopes that someone might pick one up and use it. Their use is limited to targeted attacks. Apple did not respond to a request for comment.

Yet it's a reminder of why it's crucial to use MFi-certified cables and avoid fake accessories. Unless someone is intentionally trying to harm you, you're unlikely to fall victim to the O.MG Cable. However, unauthorized and counterfeit accessories can still cause many other safety issues. The same applies to devices. It is best to buy refurbished Apple products from recognized sellers who can provide some kind of guarantee or warranty, so you know you are getting a quality product.




2 Responses

  1. Awanit Kumar says:

    I didn’t know that.
    Really amazing
    Informative article

  2. Impressive! Thanks for the post
