
Legit-Looking iPhone Lightning Cables Will Hijack Your Computer - kccqzy
https://www.vice.com/en_us/article/evj4qw/these-iphone-lightning-cables-will-hack-your-computer
======
jimrandomh
Reposting from 4 months ago
([https://news.ycombinator.com/item?id=19609745](https://news.ycombinator.com/item?id=19609745)):

It's a severe discredit to the major operating system vendors that plugging in
a USB stick can still compromise a system.

If a USB device identifies itself as a keyboard, the system shouldn't accept
its keystrokes until either that keyboard has typed the user's login password,
or the user uses a different input device to authorize it. If it identifies
itself as a storage device, the filesystem driver should be hardened. If it
identifies itself as an obscure 90s printer with a buggy driver written in C,
it should prompt the user to confirm the device type before it loads the
driver.

It's 2019. Why the f* haven't Windows, MacOS and Linux all implemented these
basic precautions?

~~~
gitgud
> _If a USB device identifies itself as a keyboard, the system shouldn't
> accept its keystrokes until either that keyboard has typed the user's login
> password, or the user uses a different input device to authorize it._

An interesting solution, it would definitely prompt the user to understand
what the device is trying to do.

But I'm sure that it's extremely hard to prevent something malicious, once it
has physical access to a port on your computer...

~~~
squarefoot
"An interesting solution, it would definitely prompt the user to understand
what the device is trying to do."

But then it could simply wait for the user to enter the password (1), then
read it by sniffing the traffic from the keyboard and store it internally for
later use, since it's all in the clear and it cannot be encrypted before
entering the machine unless most (all) USB consumer hardware gets some heavy
modifications.

1- very simple algorithm: store in the internal flash memory whatever the user
enters between connecting the keyboard and hitting the 2nd enter key; if it's
mostly the same words, then it's very likely a user/password pair.

"But I'm sure that it's extremely hard to prevent something malicious, once it
has physical access to a port on your computer... "

Very true. Malicious plug-in hardware was just a matter of time; we badly need
some active protection for these things, or it would be a mess. This is the
perfect weapon in the hands of people with a thing for vandalism, I hope
mainstream media _won't_ cover that story.

~~~
jimrandomh
You're assuming the malicious device is a keyboard, or is on the signal path
between the motherboard and a keyboard. That's not the common case, nor is it
the case here. No one types their password into an iPhone cable, because the
cable has no keys to type with.

------
MichaelApproved
> _One idea is to take this malicious tool, dubbed O.MG Cable, and swap it for
> a target's legitimate one. MG suggested you may even give the malicious
> version as a gift to the target_

Even more frightening, people selling them as seemingly legitimate cables on
Amazon? People will pay you and you get a new botnet.

How many could you sell before it's discovered?

How can I, as a consumer, even tell? Amazon will even allow you to sell your
malcable under the Apple brand.

~~~
Scoundreller
Your attack would need to be targeted since you can’t connect to your cable
over-the-internet, only over the wifi interface, limiting you to that range.

~~~
michaelt
If you were mailing the cables to random people, you wouldn't use wifi, it's
true. You'd just want the fake keyboard to use a terminal to download and
install a trojan.

If you can fire off a successful "curl | bash" on an internet-connected
machine, wireless isn't needed.

Of course, without wifi you've only got a USB Rubber Ducky clone [1] whereas
with wifi, you've got an NSA COTTONMOUTH clone [2] which I imagine is much
more likely to get your talk accepted at DEFCON :)

[1] [https://shop.hak5.org/collections/physical-access/products/usb-rubber-ducky-deluxe](https://shop.hak5.org/collections/physical-access/products/usb-rubber-ducky-deluxe)

[2] [https://en.wikipedia.org/wiki/NSA_ANT_catalog](https://en.wikipedia.org/wiki/NSA_ANT_catalog)

~~~
Scoundreller
At that point, just pre-load the cable with a flash drive and copy the malware
onboard.

~~~
nixpulvis
Seeing now why counterfeits are a _serious_ problem for resellers!

------
paulsutter
Really need a setting “never trust any device ever”. I’ve never once had a use
case with my phone to do anything but charge. Really hate when I plug in my
phone to charge in a car and the car takes over my UI. All bad ideas. If I
want to move photos I use the network.

~~~
gambiting
This device shows up as a keyboard - should keyboards never be trusted ever?
How would that work?

~~~
Tharkun
It would be nice if my OS had an option to disallow any and all USB devices.
Plug something in? Ask whether I want to allow it. I guess this would get
annoying after a bit. But still, I only use a couple of USB devices on a daily
basis, but I click on boatloads of cookie warnings every day.

~~~
kalleboo
> _It would be nice if my OS had an option to disallow any and all USB
> devices_

Any desktop computer would have to be redesigned to add an "allow new device"
button since they have no other input.

Even on many laptops, the internal keyboard and mouse are USB devices. When
you install a new OS, do you have to accept trust to those as well? Or how
will you stop an external device from spoofing them with the same
vendor/device ID?

~~~
derefr
How about, trusted peripherals should speak DTLS over their USB/Thunderbolt
PHY, and the OS should keep a certificate store for recognizing them?

This sounds like something that creates a chicken-and-egg problem of there not
already being any such DTLS-speaking USB devices... but how about if vendors
just create a little USB dongle that wraps whatever's plugged into it in
"authentication" using DTLS? Ship the dongle with the laptop; tell people that
if they want to install a new OS, they have to plug a USB keyboard in through
the dongle.

~~~
bsder
> This sounds like something that creates a chicken-and-egg problem of there
> not already being any such DTLS-speaking USB devices...

Or only allow completely unauthenticated devices as a fallback when there is
_no_ other available authenticated device.

A computer not having any keyboard is a rare case. Most of the time you have
what is built-in (and should be authenticated) or what came with the computer
(and should be authenticated).

Allowing unauthenticated keyboards only on detection of _no_ authenticated
ones probably covers 99.9% of all use cases and increases security
dramatically.
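
An added example of the hold-and-authorize policy sketched in this subthread. It is my code, not anything from the thread, the article, or MG's project, and it is written against the USB authorization attributes the Linux kernel already exposes under /sys/bus/usb/devices (`authorized_default` on each host controller, `authorized` on each device). A device counts as trusted only when its port path, vendor id, product id and serial all match a stored entry; an unknown keyboard is held while a trusted one is present; anything that bundles a keyboard with another function is held; and an unauthenticated keyboard is accepted only as a fallback when no trusted input device exists at all. `SYSFS_USB` is the real path; the tree that `demo()` runs over is constructed (fabricated vendor/product ids, a fake "cable" on port 1-2), and every function name is my own.

```python
import glob
import os
import tempfile
from dataclasses import dataclass

SYSFS_USB = "/sys/bus/usb/devices"  # where the Linux kernel exposes the USB tree
HID_CLASS = "03"                    # bInterfaceClass of keyboards and mice

@dataclass(frozen=True)
class UsbDevice:
    port: str       # sysfs name such as "1-3"; it encodes the physical port path
    vendor: str
    product: str
    serial: str
    classes: tuple  # bInterfaceClass of every interface the device exposes

    def key(self):
        return (self.port, self.vendor, self.product, self.serial)

def _read(path):
    try:
        with open(path) as fh:
            return fh.read().strip()
    except OSError:  # e.g. a device that exposes no serial attribute
        return ""

def _write(path, value):
    with open(path, "w") as fh:
        fh.write(value)

def enumerate_devices(root=SYSFS_USB):
    """Collect each device under a sysfs-style tree together with its interface classes."""
    entries = sorted(os.listdir(root))
    devices = []
    # "1-1.4" is a device; "1-1.4:1.0" is one of its interfaces; "usb1" is a root hub
    for name in (e for e in entries if e[0].isdigit() and ":" not in e):
        attr = lambda a: _read(os.path.join(root, name, a))
        classes = tuple(_read(os.path.join(root, e, "bInterfaceClass"))
                        for e in entries if e.startswith(name + ":"))
        devices.append(UsbDevice(name, attr("idVendor"), attr("idProduct"), attr("serial"), classes))
    return devices

def decide(devices, trusted):
    """Map each port to ("allow"|"hold", reason); a held device stays deauthorized until approved."""
    trusted_input = any(HID_CLASS in d.classes and d.key() in trusted for d in devices)
    decisions = {}
    for d in devices:
        hid = HID_CLASS in d.classes
        if d.key() in trusted:
            verdict = ("allow", "on trust list")
        elif hid and len(set(d.classes)) > 1:  # a "cable" or drive that also types
            verdict = ("hold", "keyboard bundled with classes " + ",".join(d.classes))
        elif hid and trusted_input:
            verdict = ("hold", "untrusted keyboard while a trusted one is present")
        elif hid:
            verdict = ("allow", "fallback: no trusted input device at all")
        else:
            verdict = ("hold", "untrusted non-input device")
        decisions[d.port] = verdict
    return decisions

def set_default_deny(root=SYSFS_USB):
    """Tell every host controller to leave newly attached devices deauthorized."""
    for attr in glob.glob(os.path.join(root, "usb*", "authorized_default")):
        _write(attr, "0")

def apply(decisions, root=SYSFS_USB):
    """Write each device's 'authorized' attribute from its verdict."""
    for port, (verdict, _) in decisions.items():
        _write(os.path.join(root, port, "authorized"), "1" if verdict == "allow" else "0")

def build_demo_tree(root):
    """Constructed sysfs tree, not a real machine; vendor/product ids are fabricated."""
    def node(name, **attrs):
        os.makedirs(os.path.join(root, name))
        for key, value in attrs.items():
            _write(os.path.join(root, name, key), value + "\n")
    node("usb1", authorized_default="1")
    node("1-3", idVendor="aaaa", idProduct="0001", serial="BUILTIN-KBD", authorized="1")
    node("1-3:1.0", bInterfaceClass="03")  # the laptop's built-in keyboard
    node("1-1", idVendor="bbbb", idProduct="0002", serial="", authorized="1")
    node("1-1:1.0", bInterfaceClass="08")  # an ordinary flash drive
    node("1-2", idVendor="cccc", idProduct="0003", serial="", authorized="1")
    node("1-2:1.0", bInterfaceClass="ff")  # a "charging cable" with a vendor-specific interface...
    node("1-2:1.1", bInterfaceClass="03")  # ...that also enumerates as a keyboard
    node("1-4", idVendor="dddd", idProduct="0004", serial="", authorized="1")
    node("1-4:1.0", bInterfaceClass="03")  # an unknown external keyboard

def demo(trust_builtin=True):
    """Run the policy over the constructed tree; returns (decisions, attribute values written)."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        set_default_deny(root)
        trusted = {("1-3", "aaaa", "0001", "BUILTIN-KBD")} if trust_builtin else set()
        decisions = decide(enumerate_devices(root), trusted)
        apply(decisions, root)
        written = {p: _read(os.path.join(root, p, "authorized")) for p in decisions}
        written["usb1/authorized_default"] = _read(os.path.join(root, "usb1", "authorized_default"))
    return decisions, written
```

Against a real tree you would run `set_default_deny()` and then `apply(decide(enumerate_devices(), trusted))` as root, with `trusted` built from the devices you enrolled while nothing suspicious was attached. Two things the code makes visible: vendor id, product id and serial are all reported by the device itself, so the trust key only raises the bar for a cable that has not copied them from the keyboard it replaced (the port path helps only for built-in peripherals that never move); and the fallback branch is the soft spot, since it fires whenever no trusted input device is attached.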

~~~
modsiw
Aren’t we trying to prevent an attacker with physical access? They could
simply unplug everything first.

------
3JPLW
I've not found many details about how this is actually working — there's some
info on his DemonSeed cable here [1], but apparently the O.MG cable is "a very
different piece of hardware that does a whole lot more."

Does anyone have any insight into how this attack works? My guess is that it
acts like a hub that exposes both the iPhone lightning connector and a
keyboard/mouse. And then the keyboard/mouse is controllable via some near-range
wireless like WiFi or bluetooth? I suppose it could even scan for open
networks and try to join to allow a more remote exploit. Anyone find more
information anywhere?

1. [https://github.com/O-MG/DemonSeed](https://github.com/O-MG/DemonSeed)

~~~
tda
I'm guessing the cable has an ESP8266 on board, which you can get cheaply and
is only a few mm². It has WiFi and WiFi Direct support and is powerful enough
to run a webserver. Probably there are plenty of chips that do the job, but the
ESP8266 (and its successor ESP32) is very popular for custom hardware due to
being cheap and easy to program.

~~~
MuffinFlavored
How would the board in the cable know what WiFi to connect to, and how would
it run shell commands via USB?

~~~
eridius
If you know the wifi environment of your intended victim, you could
pre-configure it with the network in question.

------
ege_erdogan
I have a USB-C hub looking like this [0] (not the same one though). The thing
is, whenever it is plugged into my MacBook Pro, the hub starts to overheat,
even when there is nothing connected to it. I once tried plugging it into the
MBP adapter and charging my phone through the USB port on it, and it did not
heat up at all.

I am suspecting it is running some program in the background (a miner maybe).
Is there a way I can check if such a program is running?

[0] [https://www.amazon.com/Purgo-Adapter-2018-2016-Delivery-Thunderbolt/dp/B07K5ZR6HS/ref=sr_1_17?keywords=usb+c+hub&qid=1565706339&s=gateway&sr=8-17](https://www.amazon.com/Purgo-Adapter-2018-2016-Delivery-Thunderbolt/dp/B07K5ZR6HS/ref=sr_1_17?keywords=usb+c+hub&qid=1565706339&s=gateway&sr=8-17)

~~~
Eric_WVGG
You could install Little Snitch on your Mac to see if it phones home.

IMO more likely that it's shoddy hardware; either way it's munching your
battery, so I'd send it to the recyclers and find something more reputable.
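
An added example, not Eric's suggestion or anything else from the thread, of the "does it phone home" check done with what is already on the Mac: it parses the output of `lsof -nP -i` and lists outbound connections owned by processes you did not expect. The sample output is constructed (fabricated process names, PIDs and documentation-range addresses), and `EXPECTED` is a placeholder you would replace with what normally runs on your own machine.

```python
import re
import subprocess

# Constructed sample of `lsof -nP -i` output; nothing here was captured from a real Mac.
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
launchd       1  root    8u  IPv6 0x1a2b3c4d5e6f7a8b      0t0  TCP *:22 (LISTEN)
Safari      512 alice   31u  IPv4 0x1a2b3c4d5e6f7a8c      0t0  TCP 10.0.0.7:52344->203.0.113.10:443 (ESTABLISHED)
Dropbox     777 alice   44u  IPv4 0x1a2b3c4d5e6f7a8d      0t0  TCP 10.0.0.7:52410->203.0.113.20:443 (ESTABLISHED)
svc_helper 4242 alice   12u  IPv4 0x1a2b3c4d5e6f7a8e      0t0  TCP 10.0.0.7:60001->198.51.100.5:3333 (ESTABLISHED)
mDNSRespo   133 _mdns   10u  IPv4 0x1a2b3c4d5e6f7a8f      0t0  UDP *:5353
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<name>\S+)(?:\s+\((?P<state>\w+)\))?\s*$")

# Placeholder: the processes this (constructed) user expects to see talking to the network.
EXPECTED = {"launchd", "Safari", "Dropbox", "mDNSRespo"}

def parse_lsof(text):
    """Turn `lsof -nP -i` lines into dicts; the header and any unparsable line are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        local, _, remote = m["name"].partition("->")  # remote side present only for connections
        conns.append({"cmd": m["cmd"], "pid": int(m["pid"]), "user": m["user"],
                      "proto": m["proto"], "local": local, "remote": remote or None,
                      "state": m["state"]})
    return conns

def unexpected_outbound(conns, expected=EXPECTED):
    """Connections that have a remote peer and belong to a process not on the expected list."""
    return [c for c in conns if c["remote"] and c["cmd"] not in expected]

def live_unexpected(expected=EXPECTED):
    """The same check against the running machine (macOS or Linux with lsof installed)."""
    out = subprocess.run(["lsof", "-nP", "-i"], capture_output=True, text=True, check=False).stdout
    return unexpected_outbound(parse_lsof(out), expected)
```

Run `live_unexpected()` a few times with and without the hub attached and compare the lists; a process that only shows up while the hub is plugged in is the one you would want to explain. It only reports what the host OS can see, so it says nothing about what the hub's own silicon is doing, and a warm hub with nothing talking fits the shoddy-hardware explanation better than a miner.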

------
jcheng
> Now MG wants to get the cables produced as a legitimate security tool

Can someone explain how these could be considered a "legitimate" security
tool? What legitimate use would require the cable to look like a genuine Apple
cable? (I'm honestly asking.)

~~~
par
Onsite pentesting, for example. You want to train your employees to be aware
of random cables and USB drives lying around; this is a good test to ensure
your training worked.

------
qrbLPHiKpiux
Ask your dentist to take an x-ray of the cable you may be concerned about.
We're all digital and it only takes a second. If your guy is cool, he'll do
it.

~~~
HyperTalk2
Where do you find these "cool doctors"? I once tried to bribe six different
doctors in my area with $3000 in exchange for agreeing to allow me to get an
exploratory MRI and they all said no.

~~~
falcolas
An exploratory MRI has inherent risk (even if minuscule) to your life, and thus
their livelihood. A very big difference from asking for an x-ray of a cable.

~~~
ebg13
> _An exploratory MRI has inherent risk (even if minuscule) to your life_

As far as I've ever heard, an MRI without contrast has no risk itself, and any
risk comes from acting on the data.

~~~
ska
That is not true. It doesn’t involve ionizing radiation, so not a dose risk
like CT. But look up PNS and SAR (peripheral nerve stimulation and specific
absorption rate), for example. This is mostly handled well for standard pulse
sequences of course, but not “zero risk”.

Beyond that, there is a reliance that you do not have any implants etc., even
some tattoos. And that you tell the truth about it. From the clinic's point of
view, too risky.

~~~
mattkrause
I don't think that's what they're especially worried about; those are fairly
minor.

Instead, think about interacting with someone who a) is so convinced that they
need an exploratory MRI but b) can't convince a doctor of that need. I'd be
afraid that either I'll be stuck dealing with someone perseverating over a
totally normal anatomical variation (and everyone has a few). If they get sick
later, I might also get dragged into a debate over whether I should have
noticed something on that scan, done a different scan, or whatever, possibly
with big legal implications.

This is why our techs will happily scan a fruit or something, but don't run an
ad-hoc clinic.

~~~
ska
I agree that in the parent comment case, there is no reason to risk a review
or lawsuit, which is probably mainly why a clinician wouldn't do it; I alluded
to that in another comment.

This one was specifically a comment about "zero risk" on MRI; it's not true.
Low risk, sure. But people have been hurt.

I also suspect any clinician is going to look askance at a low risk action
that isn't necessary, but the potential liability is the kicker here.

~~~
mattkrause
It's pretty close.

Nothing is totally risk free, but compared to most medical procedures--and
most activities of daily living--MRIs are a walk in the park. For a subject
with no implanted devices, I would bet the drive to the scan center is _much_
more dangerous. I just flipped through MAUDE
([https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/d...](https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/detail.cfm?mdrfoi__id=8367269&pc=LNH))
and I couldn't find any adverse events that were more severe than a small burn
or blister.

~~~
ska
Agree it's low risk, I was being pedantic.

There have been deaths of course, also, but not due to normal operation.

------
hansdieter1337
Get a USB condom! [https://shop.syncstop.com/products/usb-condom?variant=35430087052](https://shop.syncstop.com/products/usb-condom?variant=35430087052)

~~~
ihuman
How do you know you can trust that? Couldn't it be doing the same thing as the
fake lightning cable?

~~~
digsy
They block (or just don't have) the USB data pins - so all it can do is draw
power.

------
tunesmith
Is there a piece of cheap validation hardware where you can plug in both ends
of your cable and a little display will tell you what kind of cable it is and
if it is legitimate?

~~~
avian
Maybe just have something like the USB killer [1] to "sterilize" cables. Zap
the cable with a high voltage/high energy pulse, beyond what normal on-die ESD
protection could handle. A bunch of copper and plastic won't get damaged
(unless you really get crazy and it arcs over and carbonizes or something),
but it will probably burn out any covert semiconductors in the cable. It's
hard to absorb high energy pulses in small packages.

[1] [https://usbkill.com/](https://usbkill.com/)

~~~
chendragon
Type-C cables have an E-Marker IC inside them by design, so this would
probably render the cable non-functional or worse-functional unfortunately.

------
jiveturkey
> up to 300 feet

which means 50 feet, which is still impressive in that it's a useful distance.
I remember the earlier version being more like 5 feet, which sounds pitiful
but is still enough. In fact no wifi at all (0 ft) is enough to plant software
(CMD-space Terminal RET curl | bash && exit) if you take your chances that the
target is inattentive.

I learned of the earlier version here on HN but I can't find the link now. It
was maybe 4 months ago?

Given that the attack is that it's a USB keyboard, nothing to do with the
lightning aspect, except that the victim is likely to need a lightning cable
at some point, any USB dongle will do.

Given the attack methodology for this specific device, of being in visual
distance of the victim, just use an unpaired apple keyboard. Macs will
automatically pair to them, so you just need to turn it on when the victim
looks away (a brief 2-second overlay appears on the screen upon connecting).
You could force this by creating a distraction: drop a glass. No dependence
then on the victim using the cable.

------
perfectphase
There's an interview with MG talking about these cables on the Amp Hour
podcast this week [https://theamphour.com/the-amp-hour-454-mike-grover/](https://theamphour.com/the-amp-hour-454-mike-grover/)

------
digsy
I saw Kevin Mitnick (the FBI's most wanted hacker in the 1990s) at a conference
plug one of these into a laptop with a fully patched version of Windows 10 and
one of the very common security suites.

The laptop was completely compromised in seconds.

From a remote laptop, he had complete access to the target machine's full
filesystem, started the webcam and turned on the microphone without any
notifications to the target user, and connected a bluetooth hard drive
remotely.

And this was using a rogue cable that he just bought off ebay.

I was honestly shocked at how easy it would be to compromise someone's machine.
I'll never look at a USB cable the same way.

------
lostgame
I still don't get why iPhones don't use USB-C. OOTB, there are issues between a
brand new iPhone and a brand new MacBook Pro.

~~~
jmull
I think it's just an accident of timing and history.

The old 30-pin connector (inherited from the iPod) had various issues so I
think Apple was eager to replace it. The lightning connector was their
solution. It predates USB-C by a few years, so that wasn't an option at the
time (I guess it might have been on Apple's radar by the time the lightning
cable was introduced, but if so, they must have made the call not to wait.)

Since USB-C has made its way to some iPads, my guess is Apple is in the
process of phasing out lightning connectors entirely.

~~~
kccqzy
Instead I've heard that Apple essentially designed the USB-C standard after
the successful design of Lightning, and gave the standard to USB-IF. (Apple is
a member of the USB-IF.)

~~~
macintux
I’ve heard here from someone who claimed to have been involved that Apple’s
contributions were relatively late and minor, but I don’t have any idea how to
judge the accuracy of either assertion.

And it’s possible both viewpoints have merit depending on what aspects of the
standard are considered significant.

------
BluSyn
Any thoughts on how someone could validate a set of cables to ensure no
trojans exist?

------
scohesc
I don't see how Hak5 can create exact replicas of Apple Lightning cables with
hacking tools embedded in them and NOT have Apple's dream litigation team
blasting down their doors.

It's pretty amazing how technology has gotten so small we can hide a wifi chip
and keyboard emulator into the end of a USB port plug.

~~~
jagger27
No, they are modified genuine cables.

~~~
orpheline
The demo was a modified cable, but the article said Hak5 was interested in
manufacturing them.

