A security researcher from California discovered a new way to hack your iPhone, with just the lightning cable. The researcher, Mike Grover or MG came up with a new way to modify the lightning cable to attack victims.
The modified cable works just like any other lightning cable when plugged into a computer. When plugged in, iTunes detects the cable and the pop-up asking ‘Do you trust this computer’ comes up. There is no indication to the user that the cable is malicious.
However, the cable, dubbed O.MG Cable, is fitted with components that allow the attacker to remotely connect to the computer. MG created the malicious hardware using legitimate Apple cables. Modifying the cable with a Wi-Fi enabled implant and then putting it back together by hand. This process takes about four hours for each cable.
To begin the attack, the malicious actor must first deliver the cable to his victim. This means using social engineering and using the human factor to get the victim to use the cable. MG stated that you can simply give the cable as a gift or swap out the legitimate with the fake. Once delivered to the victim, the actor must wait for his target to plug in the cable to the computer; this includes any Linux, Mac, and Windows computers. The actor then wirelessly takes control of the victim’s computer. The attack begins simply by typing in the IP address of the O.MG cable into a browser. A list of options is then displayed to the attacker, who can then choose to open up the terminal on the victim’s computer and begin running malicious payloads.
MG told Vice:
“It’s like being able to sit at the keyboard and mouse of the victim but without actually being there”
You like wifi in your malicious USB cables?
The O•MG cable
(Offensive MG kit)https://t.co/Pkv9pQrmHt
This was a fun way to pick up a bunch of new skills.
Not possible without help from: @d3d0c3d, @cnlohr, @IanColdwater, @hook_s3c, @exploit_agency #OMGCable pic.twitter.com/isQfMKHYQR
— _MG_ (@_MG_) February 10, 2019
MG debuted the cables at the Def Con hacking conference, selling the prototype versions for $200 each. He plans on modifying other USB cables as well. MG says he focused on the Apple product first because:
“Apple just happens to be the most difficult to implant, so it was a good proof of capabilities.”
MG created these cables as a learning project, but along the way developed a strong piece of hardware. He also hopes to educate and assist red teamers in developing, focusing and thinking about new defense mechanisms for this new type of threat.
“Most people know not to plug in random flash drives these days, but they aren’t expecting a cable to be a threat…So this helps drive home education that goes deeper.”
He is currently developing new ways to improve the functionality of O.MG Cable and has worked with other hackers to create new exploits for the cable. Further, MG has contracted with Hak5 to begin selling these cables as legitimate security tools for about $100 in the near future.
If your organization was hit with malware contact LIFARS immediately
Image Credits: Hak5