Hacker’s iPhone charging cable can hijack your computer. Most people don’t believe twice about picking up and plugging a phone charging cable. But the project of one hacker intends to alter that and increase awareness about the hazards of possibly malicious charging wires.
A hacker who walks by the online handle MG took an innocent-looking Apple USB Lightning cable and triggered it with a small Wi-Fi-enabled implant that, when plugged into a computer, allows a nearby hacker to run commands like sitting in front of the screen.
Hacker’s iPhone charging cable can hijack your computer
Dubbed the O.MG cable, it looks and works from an iPhone charging cable almost indistinguishable. But all that an attacker has to do is swap the legitimate cable to the malicious cable and wait until it is plugged into their computer by a target.
An attacker can wirelessly transmit malicious payloads on the computer from a nearby device and within Wi-Fi range (or attached to a nearby Wi-Fi network), either from pre-set commands or from an attacker’s own code.
Once plugged in, an attacker can control the affected computer remotely to send realistic-looking phishing pages to a victim’s screen or lock a computer screen remotely to collect the user’s password when they log in. MG focused his first attempt on an Apple Lightning cable, but the implant can be used against most target computers in almost any cable.
“This specific Lightning cable enables cross-platform attack charges, and the implant I have created is easily adapted to other types of USB cables,” MG said. “Apple is the hardest to the implant, so it’s been a good proof of capabilities.”
He creates innovative hacking methods and techniques in his day-to-day work as a red teamer at Verizon Media (owned by TechCrunch) to recognize and solve security vulnerabilities before malicious attackers discover them. Although a personal project, MG said his malicious cable may help red teamers think about defending themselves against various types of threats.
“Suddenly we now have victim-deployed hardware that may not be noticed for a long time,” he explained. “This changes the way you believe about tactics of protection. We’ve seen that the NSA has had similar capabilities for over a decade, but it’s not really common enough in the threat models of most people.
“Most people these days don’t know how to plug in random flash drives, but they don’t expect risk to be a cable,” he said. “This helps to drive deeper home education.”
MG spent thousands of dollars of his own money working on his project and countless hours. Each cable took him to assemble for about four hours. He also worked with several other hackers to write some of the code and create exploits, and gave to Def Con participants his supply of hand-built wires with a plan to sell them online in the near future, he said.
But the O.MG cable has not yet been done. MG said he is working with others to improve the functionality of the cable and expand its set of features. “At this point, it really only comes down to time and resources. I have in my head a huge list that needs to become a reality,” he said.
Source: Tech Crunch