It's a severe discredit to the major operating system vendors that plugging in a USB stick can still compromise a system.
If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until either that keyboard has typed the user's login password, or the user uses a different input device to authorize it. If it identifies itself as a storage device, the filesystem driver should be hardened. If it identifies itself as an obscure 90s printer with a buggy driver written in C, it should prompt the user to confirm the device type before it loads the driver.
It's 2019. Why the f* haven't Windows, MacOS and Linux all implemented these basic precautions?
An interesting solution; it would definitely prompt the user to understand what the device is trying to do.
But I'm sure that it's extremely hard to prevent something malicious, once it has physical access to a port on your computer...
But then it could simply wait for the user to enter the password (1), then read it by sniffing the traffic from the keyboard and store it internally for later use, since it's all in the clear and it cannot be encrypted before entering the machine unless most (all) USB consumer hardware gets some heavy modifications.
1- very simple algorithm: store in the internal flash memory whatever the user enters between connecting the keyboard and hitting the 2nd enter key; if it's mostly the same words, then it's very likely a user/password pair.
"But I'm sure that it's extremely hard to prevent something malicious, once it has physical access to a port on your computer... "
Very true. Malicious plug-in hardware was just a matter of time; we badly need some active protection for these things, or it would be a mess. This is the perfect weapon in the hands of people with a thing for vandalism; I hope mainstream media won't cover that story.
Even more frightening, people selling them as seemingly legitimate cables on Amazon? People will pay you and you get a new botnet.
How many could you sell before it's discovered?
How can I, as a consumer, even tell? Amazon will even allow you to sell your malcable under the Apple brand.
If you can fire off a successful "curl | bash" on an internet-connected machine, wireless isn't needed.
Of course, without wifi you've only got a USB Rubber Ducky clone, whereas with wifi you've got an NSA COTTONMOUTH clone, which I imagine is much more likely to get your talk accepted at DEFCON :)
https://shop.hak5.org/collections/physical-access/products/u... https://en.wikipedia.org/wiki/NSA_ANT_catalog
But if the terminal only flashes up for 100ms, plenty won't notice or will think it was just a glitch.
The wifi's just so you can control it remotely.
> "But the cable can be configured to act as a client to a nearby wireless network. And if that wireless network has an internet connection, the distance basically becomes unlimited."
Then there's the Shaw hotspots which they expose on a dedicated side-channel of the routers of people who pay for their business Internet plans, which allow arbitrary other Shaw customers with authenticated MAC addresses to connect to them. Those are all over the place, and it'd be pretty easy to steal a list of a few hundred registered MACs and rely on that network to connect.
I rarely plug my phone into a computer, but I suppose this works just as well for any other USB device with a removable cord.
USB-C is probably safe for now on account of the smaller connectors.
Ditto. Further, I do not buy lightning cables or iPhone chargers from anywhere but an Apple Store.
This has been a good idea for years, even before this, when HN was all aflutter about fake chargers frying phones, or with embedded computers that tried to hack your phone.
I wonder what HN thinks of Anker cables? I've always loved them because they are rugged and well made. Though I know they are a Chinese company...
Unfortunately all three weakened near the connector within a few months to the point where they only intermittently charge. Really disappointing.
I'd venture to say those aren't real Ankers. The ones I have are built like tanks. I personally abuse some of my lightning cables, pulling on them, stuffing in bags in a rush, etc. They've lasted years and look new.
Note: I do buy the ones that come with nylon, not sure if that makes a difference.
A few months ago, I had a stock Lenovo laptop charger failing. I thought something was up with the physical port on the laptop, because the power button was blinking when I was plugging it in, but even after an hour of being plugged in, it still refused to turn on. As a last ditch attempt I tried my work-provided MBP cable, and it turned on after a minute. However, since it was a work laptop and not a personal one, it could've been that whoever used the laptop before abused the cable endlessly, so I attributed it to that.
Most recently, it happened with a personal device of mine, Oculus Quest. After a month of use, it refused to charge at all using the provided cable. I tried plugging it in a bajillion different ways, nothing worked. I thought it was a headset issue, because I used the cable very gently and only at home, and people reported that problem occurring and that resetting the headset might help. Obviously, it didn't resolve the issue in my scenario. Plugged it into my personal MBP cable, it started charging immediately.
Amazon reviewers would quickly notice terminal windows pop up on their screens or keystrokes happening at inopportune times, assuming a more advanced exploit isn’t used. (many of these attacks simply try to spawn a terminal window and type commands, a very noisy approach) Scary device regardless, I just think the Amazon vector is overhyped.
If you are a high value target, pay close attention to your supply chain and how you receive packages.
Back in the day sure, but with the way amazon works now I don't think this would be the case. I stopped purchasing items from amazon because one of the things they do is lump "like" or "same" items and reviews together; the only problem is sometimes the items are actually completely different. I've bought electronics, components, cables, and other items from amazon before and then received a similar item but from a completely different brand, manufacturer, seller, etc. When I went back to look at reviews they are all lumped under one page of amazon, so you can't get details about a particular product. You can order a cable on a page that's called "apple lightning cable" with reviews for legitimate products but then receive a cheap lightning cable from china with no way to leave a review for that particular product. One way I've found of identifying pages like this is by examining pictures that people upload in reviews, and many times you'll find a variety of products being reviewed/received.
Allowing me to use the car's interface to control my phone is a nice tool. It probably adds to the safety of my driving, since I can skip audio tracks using physical controls on my steering wheel instead of a touch screen.
As an added bonus, my iphone wouldn't automatically crank up itunes on my mac every single friggin time I plug it into the dock.
I've had better luck using a USB battery to "filter" USB connections in random rental cars.
But hardly any new cars have that ….
> Allowing me to use the car's interface to control my phone is a nice tool. It probably adds to the safety of my driving, since I can skip audio tracks using physical controls on my steering wheel instead of a touch screen.
It seemed that paulsutter (https://news.ycombinator.com/item?id=20686844) was suggesting a setting that prevents this automatically for people who never want it, not removing the capability for people like you who do want it.
I'm in a 2019 Subaru Outback, and I have two. One for the front seat, one for the back.
WRT a setting - CarPlay must be explicitly enabled, and has a per-vehicle pairing. I imagine Android has a similar requirement.
Even a Tesla Model 3 still has a 12 Volt cigarette adapter port. New cars still include them because of all the accessories out there like inverters and tire inflaters people want to use.
Going back to PS/2 could be an option? Guess that wouldn't be too different from allowing all devices only on a single USB port.
Any desktop computer would have to be redesigned to add an "allow new device" button since they have no other input.
Even on many laptops, the internal keyboard and mouse are USB devices, when you install a new OS, do you have to accept trust to those as well? Or how will you stop an external device from spoofing them with the same vendor/device ID?
This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices... but how about if vendors just create a little USB dongle that wraps whatever's plugged into it in "authentication" using DTLS? Ship the dongle with the laptop; tell people that if they want to install a new OS, they have to plug a USB keyboard in through the dongle.
Or only allow completely unauthenticated devices as a fallback when there is no other available authenticated device.
A computer not having any keyboard is a rare case. Most of the time you have what is built-in (and should be authenticated) or what came with the computer (and should be authenticated).
Allowing unauthenticated keyboards only on detection of no authenticated ones probably covers 99.9% of all use cases and increases security dramatically.
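The "authenticated keyboard first" policy sketched in these comments (a new keyboard is accepted only after confirmation from an already-trusted one, or as a fallback when no trusted keyboard exists), as an added example that is not from this thread or any project mentioned in it. It walks a sysfs-style USB tree (the real one is /sys/bus/usb/devices on Linux), identifies a device by (vendor, product, serial), and refuses outright any device that exposes both a storage and a HID interface; the vendor/product IDs, serials and verdict names are constructed for the demo.

```python
import os, tempfile

HID, STORAGE = "03", "08"           # bInterfaceClass values for HID and mass storage
BOOT_KEYBOARD = ("03", "01", "01")  # (class, subclass, protocol) of a boot-protocol keyboard
IFACE_ATTRS = ("bInterfaceClass", "bInterfaceSubClass", "bInterfaceProtocol")
DEVICE_ATTRS = ("idVendor", "idProduct", "serial")

def _attr(path, name):
    try:
        with open(os.path.join(path, name)) as f:
            return f.read().strip()
    except OSError:                 # attribute absent (e.g. a device without a serial)
        return ""

def enumerate_devices(root="/sys/bus/usb/devices"):
    """Walk a sysfs-style tree: 'N-P' entries are devices, 'N-P:C.I' their interfaces."""
    devices = {}
    for entry in sorted(os.listdir(root)):
        path, dev_name = os.path.join(root, entry), entry.split(":")[0]
        dev = devices.setdefault(dev_name, {"id": ("", "", ""), "ifaces": []})
        if ":" in entry:
            dev["ifaces"].append(tuple(_attr(path, a) for a in IFACE_ATTRS))
        elif os.path.isfile(os.path.join(path, "idVendor")):
            dev["id"] = tuple(_attr(path, a) for a in DEVICE_ATTRS)
    return devices

def decide(devices, trusted):
    """Policy from the thread. trusted: set of (vid, pid, serial) authorised out of band."""
    have_trusted_kbd = any(d["id"] in trusted and BOOT_KEYBOARD in d["ifaces"]
                           for d in devices.values())
    verdicts = {}
    for name, d in devices.items():
        classes = {c for c, _, _ in d["ifaces"]}
        if d["id"] in trusted:
            verdicts[name] = "allow"
        elif HID in classes and STORAGE in classes:
            verdicts[name] = "block"        # a 'stick' that also types: refuse outright
        elif BOOT_KEYBOARD in d["ifaces"]:  # confirm from the trusted keyboard if one exists
            verdicts[name] = "confirm" if have_trusted_kbd else "allow-fallback"
        else:
            verdicts[name] = "allow"        # non-HID devices are outside this policy
    return verdicts

def demo():
    """Constructed tree: trusted keyboard, look-alike keyboard lacking its serial, storage+HID stick."""
    root = tempfile.mkdtemp()
    spec = {"1-1": ("1234", "0001", "KBD-TRUSTED-1"), "1-1:1.0": BOOT_KEYBOARD,
            "1-2": ("1234", "0001", ""), "1-2:1.0": BOOT_KEYBOARD,   # same VID/PID, no serial
            "1-3": ("abcd", "0002", "STICK-1"), "1-3:1.0": ("08", "06", "50"), "1-3:1.1": BOOT_KEYBOARD}
    for entry, values in spec.items():
        os.makedirs(os.path.join(root, entry))
        for attr, value in zip(IFACE_ATTRS if ":" in entry else DEVICE_ATTRS, values):
            with open(os.path.join(root, entry, attr), "w") as f:
                f.write(value + "\n")
    return decide(enumerate_devices(root), {("1234", "0001", "KBD-TRUSTED-1")})
```

As the comment about spoofed vendor/device IDs points out, a rogue device can present whatever descriptor values it likes, so this identity check is only as strong as the descriptor; that gap is what the DTLS-style authentication proposed in the thread is meant to close.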
Hell, simply through acquisition and acquiescence, the market already accepted locked-down platforms. At this point, we ought to have more benefits from this instead of just making these platforms hard to install Linux on.
Not sure if I just mis-configured my windows, but it is certainly lacking on that front. The Settings -> Devices -> USB having just a single checkbox for error popups is probably not a good sign.
Usability could be optimized depending on how uniquely identifiable keyboards are (to reduce when trust prompts are shown).
For every phone owner who thinks this way, there are probably a dozen others who hate it when they plug in their phone and the car doesn't mirror the phone's UI. I'd be in the latter group.
"A new (unneeded if devices sufficiently uniquely identifiable?) keyboard has been plugged in, please type <random char sequence> to confirm"
This is changing in the upcoming iOS 13, so the car display and the phone will be much more independent. As someone who's often a passenger with their phone plugged in, I'm happy for this.
But, then, I am shifting trust to my data blocker...
Does anyone have any insight into how this attack works? My guess is that it acts like a hub that exposes both the iPhone lightning connector and a keyboard/mouse. And then the keyboard/mouse is controllable via some near-range wireless like WiFi or bluetooth? I suppose it could even scan for open networks and try to join to allow a more remote exploit. Anyone find more information anywhere?
It probably switches on the Keyboard/Mouse Logic as necessary.
But from there you could play an “Open Terminal” and be quite creative. Don’t know if you could send much information back, but I don’t see why it couldn’t have a few gb of flash storage to copy from/to, e.g. occasional screenshots to see what’s there. Or files.
I think the real value of this attack is against air-gapped computers... that people charge their wireless devices with? That would be stupid.
This is how Stuxnet ruined Iran's nuclear centrifuges.
> "But the cable can be configured to act as a client to a nearby wireless network. And if that wireless network has an internet connection, the distance basically becomes unlimited." he added.
I am suspecting it is running some program in the background (a miner maybe). Is there a way I can check if such a program is running?
IMO more likely that it's shoddy hardware; either way it's munching your battery, so I'd send it to the recyclers and find something more reputable.
Can someone explain how these could be considered a "legitimate" security tool? What legitimate use would require the cable to look like a genuine Apple cable? (I'm honestly asking.)
You can find a few examples of x-ray images they took on their twitter feeds as well: https://twitter.com/FauthNiklas/status/1125606579540246528 and https://twitter.com/JanHenrikH/status/1127033349246279680 and https://twitter.com/FauthNiklas/status/1149386796352069633
That looks like a bog-standard USB cable, but Apple's Lightning and USB-C cables are far more complicated, with actual chips onboard.
I don't think there's much possibility of me vetting one of these sorts of third-party cable based on an x-ray, or even a physical teardown.
If I was a random clinician there is no way I would have helped you either.
If you do want a MRI done out of curiosity your best bet is to go through biomedical imaging research group who needs subjects, I would guess. Unless you happen to live near a manufacturer.
As far as I've ever heard, an MRI without contrast has no risk itself, and any risk comes from acting on the data.
Beyond that, there is a reliance that you do not have any implants etc., even some tattoos. And you tell the truth about it. From the clinics point of view too risky.
Instead, think about interacting with someone who a) is so convinced that they need an exploratory MRI but b) can't convince a doctor of that need. I'd be afraid that either I'll be stuck dealing with someone perseverating over a totally normal anatomical variation (and everyone has a few). If they get sick later, I might also get dragged into a debate over whether I should have noticed something on that scan, done a different scan, or whatever, possibly with big legal implications.
This is why our techs will happily scan a fruit or something, but don't run an ad-hoc clinic.
This one was specifically a comment about "zero risk" on MRI, it's not true. Low risk, sure. But people have been hurt.
I also suspect any clinician is going to look askance at a low risk action that isn't necessary, but the potential liability is the kicker here.
Nothing is totally risk free, but compared to most medical procedures--and most activities of daily living--MRIs are a walk in the park. For a subject with no implanted devices, I would bet the drive to the scan center is much more dangerous. I just flipped through MAUDE (https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/d...) and I couldn't find any adverse events that were more severe than a small burn or blister.
There have been deaths of course, also, but not due to normal operation.
> The magnetic fields that change with time create loud knocking noises which may harm hearing if adequate ear protection is not used. They may also cause peripheral muscle or nerve stimulation that may feel like a twitching sensation.
> The radiofrequency energy used during the MRI scan could lead to heating of the body. The potential for heating is greater during long MRI examinations.
Minimal, perhaps negligible? Absolutely. Worth risking a license for a mere $3k? Probably not.
I also lied for the sake of brevity. In reality I wanted an MRI in order to look for evidence of diverticulitis. They all said I needed to either get a CT scan or get lost. CT scans are more dangerous than MRIs. Doctors can't possibly be exposed to more malpractice risk from a harmless MRI than from a dangerous CT scan.
Though checking to see what USB / PCI devices are advertised could be useful.
Device / USB whitelisting looks like it will need to be a default thing Real Soon Now.
which means 50 feet, which is still impressive in that it's a useful distance. I remember the earlier version being more like 5 feet, which sounds pitiful but is still enough. In fact no wifi at all (0 ft) is enough to plant software (CMD-space Terminal RET curl | bash && exit) if you take your chances that the target is inattentive.
I learned of the earlier version here on HN but I can't find the link now. It was maybe 4 months ago?
Given that the attack is that it's a USB keyboard, nothing to do with the lightning aspect, except that the victim is likely to need a lightning cable at some point, any USB dongle will do.
Given the attack methodology for this specific device, of being in visual distance of the victim, just use an unpaired apple keyboard. Macs will automatically pair to them, so you just need to turn it on when the victim looks away (a brief 2-second overlay appears on the screen upon connecting). You could force this by creating a distraction: drop a glass. No dependence then on the victim using the cable.
The laptop was completely compromised in seconds.
From a remote laptop, he had complete access to the target machines full filesystem, started the webcam and turned on the microphone without any notifications to the target user and connected a bluetooth hard drive remotely.
And this was using a rogue cable that he just bought off ebay.
I was honestly shocked at how easy it would be to compromise someone's machine. I'll never look at a USB cable the same way.
The old 30-pin connector (inherited from the iPod) had various issues so I think Apple was eager to replace it. The lightning connector was their solution. It predates USB-C by a few years, so that wasn't an option at the time (I guess it might have been on Apple's radar by the time the lightning cable was introduced, but if so, they must have made the call not to wait.)
Since USB-C has made its way to some iPads, my guess is Apple is in the process of phasing out lightning connectors entirely.
It could also be more that Apple is trying to position the iPad Pro as a "laptop replacement" - and their laptop has type-C ports - so having the same port makes it feel and work more like a laptop.
More generally, the lightning port is actually slightly slimmer than a USB-C port, which is important. While the iPad isn't any thicker than an iPhone, it has squared-off edges, versus the iPhone's rounded edges, so switching the iPhone to USB-C would likely require either making it thicker or making the area around the charge port flat.
And it’s possible both viewpoints have merit depending on what aspects of the standard are considered significant.
It's pretty amazing how technology has gotten so small we can hide a wifi chip and keyboard emulator into the end of a USB port plug.