“The world’s most dangerous USB cable has just gotten more powerful,” says a new ad, which should serve as a serious warning to anyone using someone else’s iPhone or iPad cables. If you plug such a cable into your device, you won’t even realize that you have been attacked until it’s too late.
As the pen-testing site Hak5 writes, “Before, you had to have a million-dollar budget to get such a cable.” Now you only need $139.99 and a PayPal account. Meet the O.MG Lightning cable – so close to the original Apple cable you can’t tell the difference. But this cable is much more high-tech than the original.
O.MG cables first became widely known at the DEFCON convention back in 2019. At that time, the problem of smartphones being hacked while recharging was widely discussed in the media. You probably remember the uproar: do not connect to a charger in public places, otherwise you may lose your data, because the USB port you plugged your cable into may be secretly connected to a hidden computer.
“Free recharging of your phone can result in the disappearance of all money from your bank account,” they warned at the time. Hysterical as the warning was, the advice is sound enough. You really shouldn’t plug your unlocked phone into the first USB port you come across. If you need to recharge your phone in a public place, use a charger. Preferably your own. Remember that USB cables were invented for data transfer.
O.MG cables give this story a whole different twist. It doesn’t matter which device you plug such a cable into, because the cable itself is the attacking device. An independent WiFi hotspot, your saved files, the ability to determine your location, the ability to track keystrokes or press keys itself – all of these functions can be controlled on the fly.
Each such cable is controlled from a browser: the operator can connect directly to the cable’s hotspot, or join the cable to a network and reach it from there.
These cables were not designed to attack iPhones, but to attack Macs and other computers to which they were connected for charging or syncing. Originally each of these cables was handcrafted by their inventor, Mike Grover, and at that time they could be easily distinguished from the originals. “Then I just wanted to see if I could do it – build something small enough,” Grover told me.
But then the appearance of the cables was improved until they became exact copies, and now the original USB-A versions are being supplanted by newer USB-C cables. That means the iPad Pro and many Android smartphones are at risk. Perhaps we don’t really need an iPhone with USB-C.
Grover chose the Lightning cable for his experiments because it was the hardest to work with: the cable is small, very dense and sleek. Grover doesn’t ship his cables to malicious hackers – it’s not his cables that you should worry about. He says his experiments should serve as a warning. If he can do it, so can others. And you will never know about these others in advance.
For many years, this sort of thing had to be done in secret government laboratories, with huge sums of money spent on development. These kinds of devices are an attack tool that intelligence agencies are very fond of. One of Grover’s missions is to work with companies and train their staff to run special drills in which employees’ devices are hacked, teaching them a harsh lesson in protecting their devices while traveling.
Moving to USB-C isn’t the only change. The payload storage is larger, which opens up the possibility of direct attacks using malware. In addition, new “attack modes” have appeared. The cables can arm themselves when they are connected to a victim device, and destroy their “weapon” when their location changes. There is an attack cycle in which keystrokes are first recorded and then typed without the owner’s knowledge. This lets the cable first collect the data it needs while the owner of the smartphone uses it, and then attack it.
Although this threat cannot yet be called widespread, it is no longer exclusively part of intelligence operations. Think about theft of employee data, the rise in ransomware attacks, attacks on key infrastructure, and attacks on supply chains. In a world where malicious hacker attacks generate hundreds of millions of dollars, where do you think this money can be invested, and what will we get as a result of such investments?
In fact, this new cable is not the most dangerous in the world. Grover deliberately made sure that his cables did not switch to “attack mode” when plugged into charging phones “to limit the possibility of abuse,” he explained. His cable was designed for demonstration and training, as well as for testing external threats.
Grover says many of the companies he has supplied report that these cables are one of the most powerful tools for teaching employees a harsh lesson and showing how their devices can be compromised. “Wait!” Grover parodied. “What cable is attacking?”
In fact, the cables you should worry about are not sold online. “This is not a threat that an ordinary person might face,” Grover explained. Such cables will not appear in stores, “although it is possible, it is impractical because there are easier ways to stalk people.” However, the existence of such cables is clear evidence of what can be done and how easy it is.
If you travel a lot for work, if you are in the service of the government or are an employee of some important enterprise, if you are a famous person or a government-persecuted lawyer or journalist, you must remember: do not use cables if you do not know where they came from.