If your home, or your office, is anything like mine, you’ll know that it’s not unusual for family members and colleagues to borrow charging cables for their phone. This information relates specifically to iPhones.
Zak Doffman writes: “How do you fancy an iPhone charging cable that looks like an Apple original and acts like one as well, but which will tap into a connected device and steal all its secrets, and which has its own radio transmitter to send all that stolen data over the air to a waiting attacker.” Did you ever think that could happen?
Last year the early version of the O.MG cable caused a stir at Def Con. It’s an iPhone Lightning cable that has been configured to enable remote, malicious access to a computer. It looks and works like an original Apple USB cable, but when the O.MG cable is used to connect a phone to a Mac, it enables an attacker to mount a wireless hijack of the computer.
According to its developer, Mike Grover (the MG in O.MG) in the past you could tell the difference between his cable and an original Apple model, but that is not the case now. He has been working on it over the last year and told Doffman that the result has been “a game-changing improvement to replicate the Apple original.”
As Doffman points out, this is not a major threat to us iPhone users, but it has the potential to be a problem. For example, Doffman says, “If you plug it into your Mac, it will access your computer and log your keystrokes.” It could also drop malware into your devices: “In short, you’re compromised—an attack vector usually consigned to the dark web is now openly for sale online,” Doffman states.
It is unlikely that those of us who swap cables with our kids or colleagues will be affected. But imagine that you work in a government service, the military or you’re a trade negotiator, and you travel frequently, staying in numerous hotels and waiting at airports, then you may be more at risk.
It is easy for criminal to target such iPhone users. In a 2019 article Doffman highlighted the dangers of using public USB charging points, because there is a risk that those USB sockets carry data as they deliver power: “criminals load malware onto charging stations or cables they leave plugged in.”
On the other hand Grover has had positive feedback about the O.MG cable. He said: “I have received countless stories from people who tell us that the O.MG Cable has become one of the most powerful tools for delivering security training, many aspiring hackers tell us how fast the UI is for rapid payload development. And that really makes it worth the effort we put into continually improving our work.” So, let’s be clear, Grover is not the bad guy here. His invention is meant to be a help and his focus is on logging the credentials as they’re entered into the computer—both username and password, enabling a payload to be pushed across.
However, as Grover and Doffman report, “once you open up the world of mass-produced replicas, you can start to play with power adapters and other cables, and you can shift the focus from key logging to infection, and from computers to smart devices.”
As cyber threats grow, it’s time to think more seriously about how we connect our devices and what we use to do that, wherever we are.