Dummy Lightning cables that allow an attacker to gain remote control of computers they’re plugged into are slated to hit mass production, per a Wednesday report in Motherboard.
Mike Grover, who goes by the pseudonym MG, designed the “O.MG cable” to look and function exactly like a legitimate Lightning cable made by Apple — but they are modified with hardware (including a very tiny wireless access point) that allows a hacker to remotely run various scripts and commands and hijack a targeted device.
MG advertised and sold the cable earlier this year at the DEF CON security conference in August 2019 for around $300, telling Motherboard they had to be painstakingly crafted by hand in his kitchen. At the time, Motherboard found that the only hint was that a connected iPod produced a pop-up asking the user to verify they trusted this computer, a par for the course prompt that could easily be overlooked.
Now, Motherboard reported, MG says that he has verified the cables can be made in a factory setting, setting the stage for the devices to be mass-produced. In fact, security company Hak5 already has a page set up to order the cables when they hit the market, billing it as the “result of months of work that has resulted in a highly covert malicious USB cable.”
I will be dropping #OMGCables over the next few days of defcon.
I will also have 5g bags of DemonSeed, if that’s your thing.
I’ve been very busy with @d3d0c3d & @clevernyyyy.
Details and update here: https://t.co/0vJf68nxMx
???????? pic.twitter.com/lARWTYHZU1
— _MG_ (@_MG_) August 9, 2019
After months of work, I am now holding the very first fully manufactured #OMGCable. I can’t wait to get these up on https://t.co/mVYIMD3v7g
Now time for a fully destructive teardown to make sure they meet all my requirements for a fully field-ready piece of attack hardware. pic.twitter.com/lMVBv5RRjw
— _MG_ (@_MG_) September 29, 2019
The Hak5 page claims numerous features for red teams (researchers and security experts who perform penetration testing on secure systems), including the ability to “forensically erase” its firmware, reverting it back to a mundane Lighting cable:
The O.MG Cable allows new payloads to be created, saved, and transmitted entirely remotely. The cable is built with Red Teams in mind with features like additional boot payloads, no USB enumeration until payload execution, and the ability to forensically erase the firmware, which causes the cable to fall entirely back to an innocuous state. And these are just the features that have been revealed so far.
On their website, MG says the mass-produced cables will run for around $150.
“I’ve completely torn the cable apart to make sure there aren’t any production stoppers,” MG told Motherboard, adding that “I’m just being super transparent about the process” and mostly “everyone who manufactures something is going to keep it quiet up until release day when they unveil the entire thing and it’s ready for sale or they at least have a sale date.”
“The first batch of production samples are confidence inspiring,” Hak5’s Darren Kitchen told Motherboard. “We’re balancing a number of factors in getting these mischief gadgets produced — and I think everyone is going to be excited by the finished products. The production process has been pretty straightforward, given our experience making pentest [penetration testing] implants.”
The modified cables still need to be programmed and undergo quality assurance, MG told the site. When reached for comment, Apple referred Motherboard to the section of its support page where it “recommends using only accessories that Apple has certified and that come with the MFi badge” — something that isn’t likely to be helpful for anyone who unknowingly encounters one in the wild.
This type of security threat is far from new. For example, USB drives with malicious firmware have been a security threat for years.
MG’s prior projects also include similarly rigged MacBook chargers and a USB drive that detonates after uploading malicious code, and the U.S. National Security Agency has made similar devices in the past. The O.MG cable is, however, another reminder that it’s not a good idea for a user to plug anything that’s not verifiably safe into their devices, whether it’s a cable found on the street or an unsolicited gift from someone at a conference.