You probably already know that plugging unknown USB flash drives into your computer is risky. There’s a chance that a malicious program could give a hacker access to your personal data. But now, it’s not just drives to be wary of. A security researcher has shown how USB cables, even ones that look like Apple’s Lightning cable, could hijack your machine.
Mike Grover, a security researcher who reportedly works for Verizon Media and goes by “MG” online, has developed modified Lightning cables that can hack someone’s computer, as first reported by Motherboard. MG sold a handful of the “O.MG cables” at the security conference Def Con, and is working with online security products store Hak5 to sell a version of the Lightning-lookalike cable for around $100, he hopes.
MG tells The Verge that his cables look and function like the standard Lightning cable you get with your iPhone. But MG hid software and hardware, including a wireless access point, inside its USB connector. When the cable is plugged into a computer, it can be triggered remotely to attempt to steal a user’s login credentials or install malicious software.
Cables like the O.MG cable have existed for over a decade, according to MG. “A lot of these capabilities, a lot of the attack surface, is really nothing new,” he says. The NSA also reportedly made a cable that, from what I can tell, is pretty similar — it was called COTTONMOUTH and could be plugged into someone’s computer to wirelessly send software to it.
But MG didn’t need the resources of the NSA. He did it in his kitchen, taking an off-the-shelf Lightning cable and modifying it with tiny circuit boards that he cut himself using a small personal circuit board milling machine from Bantam Tools. He developed the software that runs on the cable with a small team of collaborators. “It doesn’t require a nation-state anymore to do this,” he says.
MG previous hardware hacking history includes a modified Apple USB-C laptop charger that could hijack a user’s computer and a USB thumb drive that literally explodes after installing malicious software. He picked a Lightning cable for this project because, “out of all of the USB-A connectors, the Apple ones are the hardest to interface with because they’re so small.” He figured that if he could modify a Lightning cable to be a hacking device, he could modify other types of USB cables, too.
Though MG intends for the cable to be used by security researchers, it’s pretty important to note that he’s not just selling to them. Anyone could theoretically buy it — including a bad actor — which seems risky. But maybe that’s the point here; perhaps there needs to be a real threat for us to take it seriously. MG says he hopes that by documenting his work and selling the cable at a store where security researchers already shop, those researchers will think to defend against these malicious USB cables ahead of potential attacks.