Stop Using Other People's Charging Cables?


“The world's most hazardous USB cable just became more powerful,” says the new commercial, which serves as a stark warning to anybody borrowing an iPhone or iPad cable. If you plug a cable like this into your device, you will not know that you have been hacked until it is too late.

“You used to require a million-dollar budget to buy a cable like this,” according to pen-testing website Hak5. Now you only need $139.99 and a PayPal account to get started. Meet the O.MG Lightning cable, a near-perfect duplicate of the Apple original. This one, however, is far more technologically advanced than the original.

O.MG's attack cables first gained attention at DEFCON in 2019. Juice jacking was making news at the time. You'll recall the uproar: don't use public charging stations, for fear of losing all of your data. The notion was that the handy USB socket you plugged your cable into was covertly connected to a hidden computer.

“A free charge might end up draining your financial account,” the Los Angeles District Attorney's office warned. Regardless of the hoopla, it's sound advice. You should never plug your unlocked phone into a random USB port. If you need to charge in public, use a genuine charger, ideally one of your own. Remember, USB cables are designed for data transfer.

O.MG cables are a different take on the same idea. It makes no difference what you plug the cable into, because the cable itself is the attack device. It has its own WiFi access point, payload storage, geofencing capability, and the ability to track keystrokes or inject its own, all of which can be directed on the fly.

Each cable can be controlled from a browser: you can log directly into the cable's access point, or have the cable connect to a network to find its own path to you.
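A defensive check for the host computer the cable is plugged into, added here as an example (it is not from the original article or from Hak5). It assumes, as keystroke injection over USB requires, that the implant presents itself to the host as a USB HID keyboard; the modalias strings, vendor:product IDs and allowlist below are constructed sample values.

```python
import re

# Linux exposes one modalias string per USB interface
# (e.g. /sys/bus/usb/devices/*/modalias). The fields used here are
# vendor ID, product ID and the interface class/subclass/protocol.
MODALIAS = re.compile(
    r"usb:v(?P<vid>[0-9A-F]{4})p(?P<pid>[0-9A-F]{4})d[0-9A-F]{4}"
    r"dc[0-9A-F]{2}dsc[0-9A-F]{2}dp[0-9A-F]{2}"
    r"ic(?P<ic>[0-9A-F]{2})isc(?P<isc>[0-9A-F]{2})ip(?P<ip>[0-9A-F]{2})"
    r"in[0-9A-F]{2}"
)

HID_CLASS = 0x03      # USB interface class: Human Interface Device
BOOT_SUBCLASS = 0x01  # HID boot-interface subclass
KEYBOARD_PROTO = 0x01  # boot protocol 1 = keyboard


def find_unexpected_hid(modaliases, allowlist):
    """Return (vendor:product, kind) for every HID interface not allowlisted."""
    findings = []
    for line in modaliases:
        m = MODALIAS.fullmatch(line.strip())
        if m is None:
            continue  # not a USB interface modalias
        if int(m["ic"], 16) != HID_CLASS:
            continue  # storage, hubs, etc. cannot type keystrokes
        device = f"{m['vid']}:{m['pid']}".lower()
        if device in allowlist:
            continue
        boot_kbd = (int(m["isc"], 16) == BOOT_SUBCLASS
                    and int(m["ip"], 16) == KEYBOARD_PROTO)
        # Non-boot keyboards report subclass 0, so any unknown HID is reported.
        findings.append((device, "keyboard" if boot_kbd else "hid"))
    return findings


# Constructed sample: what a host might list after a "charging cable" is attached.
SAMPLE = [
    "usb:v1111p0001d0100dc00dsc00dp00ic03isc01ip01in00",  # known desk keyboard
    "usb:v2222p0002d0100dc00dsc00dp00ic08isc06ip50in00",  # flash drive
    "usb:v3333p0003d0100dc00dsc00dp00ic03isc01ip01in00",  # new, unknown keyboard
    "usb:v3333p0003d0100dc00dsc00dp00ic03isc00ip00in01",  # its second HID interface
]
ALLOWLIST = {"1111:0001"}  # constructed: the keyboards this machine should have

if __name__ == "__main__":
    for device, kind in find_unexpected_hid(SAMPLE, ALLOWLIST):
        print(f"unexpected {kind} interface from USB device {device}")
```

A check like this only sees devices that enumerate on the bus; it reports, while a tool such as USBGuard can enforce the same allowlist by blocking the device.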

The cables were not meant to attack iPhones, but rather the Macs and other computers they are plugged into for charging or syncing. The first ones, hand-built by inventor Mike Grover, were easily distinguishable from the originals.
“At the time,” Grover says, “all I wanted to do was test if I could accomplish it—shrink something down tiny enough.”

However, once the design was refined, they became exact reproductions, and the USB-A originals have since been replaced by a USB-C upgrade. As a result, iPad Pros and many Android phones are now at risk. Perhaps we don't need a USB-C iPhone after all.

Grover chose the Lightning cable to compromise because it was the most difficult: small, tightly enclosed, and beautifully manufactured. He's not in the business of supplying malicious hackers, so don't worry about his cables. His intention is for this to act as a warning. If he can achieve it, then so can others. And you won't be aware of the others.

This should be the stuff of clandestine government laboratories and astronomical budgets. And it has been for many years. This type of equipment is a favorite of intelligence services. As a result, one of Grover's aims is to work with organizations to educate their employees by conducting red team exercises in which employees are compromised, so that they learn a painful lesson about how to strengthen their security when traveling.

The switch to USB-C isn't the only thing that's changed. The payload storage is larger, which opens the door to direct malware attacks. There are also new "attack modes." Cables can self-arm when they are on target and self-destruct when their location changes. There is an attack cycle that captures the user's keystrokes before injecting its own. This allows a cable to gather information while a user is at their device and attack it while they are away.

And, although this isn't a widespread threat, it's also no longer the domain of high-level intelligence operations. Consider the loss of company credentials as the number of ransomware attacks, critical infrastructure attacks, and supply chain hacks increases. Consider where some of that money may be invested, and what may come of those investments, in a world where illegal cyber-attacks generate hundreds of millions of dollars.

In reality, this isn't the most dangerous cable in the world. Grover has deliberately prevented cables in “mobile attack mode” from charging or syncing phones, “so you have a limited opportunity to misuse it without the victim knowing,” he adds. This cable is intended for demonstrations and training, as well as red teaming and pen-testing.

Grover tells me that many of the businesses he works with say the cable is one of their most potent tools for teaching employees a real-world lesson about how they might be compromised. “Wait!” he says, imitating them, “the cable assaults what?”

In reality, the cables you should be concerned about are not those offered online. “This is not the type of threat that the typical individual will face,” Grover adds. It will not be placed in retail stores, “although it is entirely conceivable, but it makes no sense since there are quicker methods to go after someone.” This, on the other hand, is physical evidence of what can be done and how simply it can be done.

If you travel for business, work for the government or in a high-value business, or are a celebrity or a government-targeted lawyer or journalist, this should send a clear message: don't use cables if you don't know where they came from.
