Apple’s Lightning cable is one of the most ubiquitous accessories on the planet. First introduced in 2012 with the release of the iPhone 5, it’s since been included with every iPhone, iPod Touch, and iPad (with the exception of 2018’s iPad Pros). It’s shipped on billions of devices.
But even though every Apple gadget that requires a Lightning cable comes with one, many of us lose them, replace them, or buy extras. Many times we also forget our cables at home, leading us to ask a friend—or even a stranger—if we can borrow one to revive a dead phone. This is never more evident than at an airport or a major conference. You’re sure to run into someone asking if you have a spare Lightning cable they can use for a moment.
But from now on, asking to borrow a stranger’s Lightning cable, or accepting a stranger’s offer to give you one, is the last thing you’ll want to do if you’re scrupulous about protecting your data. That’s because a hacker has created the first Lightning cable that, when plugged into your Mac or PC, will allow someone to remotely take over your computer. Worse, this hacked Lightning cable, called the O.MG Cable, isn’t a bespoke one-off. It’s being mass-produced in factories so anyone can buy one and use it to target your data.
The stuff of security nightmares
The O.MG Cable was first reported by Motherboard’s Joseph Cox when the security researcher who created it, a person known as “MG,” first demoed his handmade prototype at the Def Con hacking conference last summer. The O.MG Cable looks like an ordinary Apple-made Lightning cable and works exactly the same—it will charge a device and transfer data to and from the device just like an authentic Lightning cable.
However, the O.MG Cable also contains a built-in wireless hotspot. This allows attackers to remotely run commands on the Mac or Windows PC the cable is plugged into, which allows them to do, well, pretty much whatever they want—including reading or even deleting your data. After MG demoed the prototype cable to Motherboard’s Cox, he told the reporter, “It’s like being able to sit at the keyboard and mouse of the victim but without actually being there.” He also said that the cable supports both hackers who are within Wi-Fi range and ones who might be tapping into its connection over the internet. (Using the cable to charge your iPhone by plugging it into the wall should theoretically be safe, since it’s your Mac or PC that’s vulnerable to attack.)
The good news at the time was that the O.MG cable needed to be handmade and was relatively expensive—$200 a pop. But now MG says that he’s found a way to mass-produce the cable in a factory, which will allow thousands of them to roll off an assembly line.
Now time for a fully destructive teardown to make sure they meet all my requirements for a fully field-ready piece of attack hardware. pic.twitter.com/lMVBv5RRjw
— _MG_ (@_MG_) September 29, 2019
The cable is currently listed on the Hak5 hacking website, where potential customers can sign up to be notified when it’s available for purchase, with no price yet announced. The site’s description should send shivers through everyone in the privacy and security industries:
The O.MG Cable™ is the result of months of work that has resulted in a highly covert malicious USB cable. As soon as the cable is plugged in, it can be controlled through the wireless network interface that lives inside the cable.
The O.MG Cable allows new payloads to be created, saved, and transmitted entirely remotely. The cable is built with Red Teams in mind with features like additional boot payloads, no USB enumeration until payload execution, and the ability to forensically erase the firmware, which causes the cable to fall entirely back to an innocuous state. And these are just the features that have been revealed so far.
(“Red Team” hacking refers to a company hiring security experts to do all they can to break into its systems, thereby exposing vulnerabilities.)
For victims who plug one of these cables into their computer thinking they are charging their iPhone, seemingly no data (emails, photos, medical records, you name it) will be off-limits to the attacker.
Keeping yourself safe
The O.MG Cable is the first known remote hacking tool disguised as a Lightning cable to be mass-produced. However, it’s not the first Lightning cable that could cause harm to your devices or data.
Soon after Apple unveiled the cable in 2012, an entire cottage industry of third-party Lightning cables flooded the market. Many of these replacement cables can leave an iPhone or iPad vulnerable to damage from power surges. Third-party Lightning cables can even be a fire hazard.
This is why Apple runs the MFi Program. The program, whose name stands for “Made for iPhone/iPad/iPod,” certifies that third-party accessories, including Lightning cables, pass Apple’s engineering standards, are safe to use, and won’t damage a user’s product or data.
When you buy a Lightning cable, it’s important to make sure the MFi logo is on the package. However, be aware that unscrupulous accessory makers will sometimes simply stamp the MFi logo on their packaging without actually submitting their product to be certified. (Apple offers advice on how to spot counterfeit or uncertified Lightning cables.)
Buying a Lightning cable directly from Apple is the safest thing to do. However, buying an MFi-certified cable from a reputable accessory maker such as Anker, Belkin, or Amazon’s AmazonBasics brand should not present any risks.
But making sure you buy a certified Lightning cable is only half the battle, now that malicious cables like the O.MG could be in the wild. Just as with candy, you shouldn’t accept a Lightning cable from a stranger. Without taking it apart, there’s no way for you to know if that cable is actually a gateway for the stranger to access your computer. Likewise, if you see a Lightning cable lying on the ground or left out in the open, seemingly abandoned, don’t think you just got lucky.
Now, it’s true that the O.MG cable is likely most alluring to a hacker who has a specific victim in mind and is willing to go to extremes to get that person to use it. But it’s still better to be overly cautious than to put yourself at risk—and we already know that many people are far too blithe about what they plug into their devices. In a 2016 research experiment involving dropping USB drives around the University of Illinois, almost half of the drives got plugged into a computer, usually within hours. Those particular drives merely alerted the researchers and provided information on how to return them, but they could have been far more hazardous.
It’s also important to note that Lightning cables aren’t the only kind open to this type of manipulation. In theory, hackers can now create a USB-C or MicroUSB cable incorporating a dangerous Wi-Fi connection. It just so happens that the first cable built to do this was a Lightning cable. But it surely won’t be the last.