This Innocuous Looking Lightning Cable Can Steal Your Passwords

In another cautionary example of why you should be careful about which accessories you plug into your iPhone, iPad, or Mac, security researchers have developed an innocuous-looking USB-C to Lightning cable that conceals a keylogger able to steal your passwords and other sensitive information.

According to Motherboard’s Vice, a security researcher who goes by the moniker MG has developed a new ordinary-looking Lightning cable that can record everything that a user types from an attached keyboard and send that data wirelessly to a hacker who could be up to a mile away.

This latest development is an updated version of MG’s original O.MG cable developed two years ago to work in the opposite direction. The first iteration of the cable allowed a hacker to wirelessly access the USB port of whatever device the cable is plugged into and take remote control of a Mac, iPhone, iPad, or any other device that supports input from a USB keyboard.

While the O.MG Cable originally began as a proof-of-concept, MG later moved it into mass production, where it is now sold by Hak5, a company that sells cybersecurity tools, as part of its Mischief Gadgets Collection.

Now, however, MG has created a new USB-C version of the original OMG Cable, plus a new O.MG Keylogger Cable that can capture and transmit keyboard input from the user rather than receiving it from the hacker.

As MG told Motherboard in an online chat, the USB-C version of the cables was created in response to people who insisted that “Type C cables were safe from this type of implant because there wasn’t enough space.”

However, not only did MG manage to cram the necessary components into the USB-C end of the cable, but he also did this in such a way that the cable is virtually indistinguishable from a legitimate Apple cable, at least to the untrained eye.

The new O.MG Cables are also considerably more programmable and customizable than previous versions, offering the ability to change keyboard mappings, forge the identity of other USB devices, and even use geofencing to activate the cable only at certain locations.

Naturally, the cables otherwise work just like normal Lightning to USB-C cables, meaning you’ll be able to charge your iPhone or iPad and even sync it via iTunes. The malicious implant only takes up half the length of the plastic shell, so it doesn’t get in the way of the normal functionality of the cable.

While MG claimed he could receive data at a range of up to a mile away from the cable, that’s probably a best-case scenario. To be fair, logging keystrokes requires an extremely small amount of bandwidth, so a weak Wi-Fi signal would still be usable. Still, you’re unlikely to get a mile range except under near-perfect conditions, such as using it outdoors in an unobstructed line-of-sight path on a clear day.

What’s the Risk?

To be clear, the new version of the O.MG Cable is a keylogger, which means that it’s only designed to log keystrokes that pass through the cable.

In other words, if you happen to come across one of these cables, simply plugging it into your iPhone or iPad is not going to allow a hacker to steal any information from you. It can’t log keystrokes from the onscreen keyboard, as these are not sent out the Lightning port, nor will it capture input from a Bluetooth keyboard, even if the cable is being used to charge the iPhone or iPad at the same time.

Since few people use wired keyboards with their iPhone and iPad, and even fewer people are likely to do this with a random, untrusted cable, the likelihood of falling victim to this one is pretty slim.

The original O.MG Cable, now available in a USB-C version, actually presents a slightly higher risk since it allows an attacker to send keystrokes to your iPhone or iPad. However, since they can’t override your device’s lock code, this is only likely to be a problem while you’re using your device, in which case you’d almost certainly notice if somebody else had taken control of it. Further, the O.MG cable can’t record what’s happening on your screen, so the hacker will be working blind unless they’re already within eyesight of your device.

It’s also worth noting that these cables don’t come cheap. The O.MG Cable sells for $130, and the keylogging one goes for $180, so it’s not like hackers are going to buy a bunch of these and leave them lying around in hopes that some random person might pick one up and use it. These are effectively only useful for targeted attacks.

Still, it’s another good reminder of why it’s important to buy MFi-certified cables and keep an eye out for counterfeit accessories. While you’re unlikely to fall victim to the O.MG Cable unless somebody is specifically out to get you, unauthorized and counterfeit accessories can still pose many other safety risks.