This Normal-Looking Lightning Cable Actually Steals All of Your Data

This Normal-Looking Lightning Cable Actually Steals All of Your Data

Here’s some Mr. Robot-level intrigue for you: Imagine an innocuous-looking USB-to-Lightning cable that, once plugged into your machine, actually helps hackers steal all of the date from your iPhone and inject malware onto your device. If that sounds like something from a far-fetched TV show, it is, surprise, actually a thing.

Motherboard recently wrote about just such a tricky little product, sold by cybersecurity company Hak5 and dubbed the “OMG cable” after its inventor, security researcher MG. The cord, which looks almost exactly like an Apple Lightning cable and is sold in a USB-C or USB-A format, is loaded with a hidden chip and gives a user the ability to remotely steal data or deploy malicious software onto MacBooks, iPads, and iPhones. The product, which was previously demoed at the cyber conference DEFCON in 2019, is used as a penetration testing tool, Vice reports.

How it works: Once plugged in, the OMG essentially sets up a wifi hotspot, which a remote user can then connect to. From there, an online interface that comes with the product allows the hacker to record and log activity from the target device. The keylogger logs as much as 650,000 keystrokes, according to Hak5. The company describes it as being “built for covert field-use, with features that enhance remote execution, stealth, forensics evasion, all while being able to quickly change your tooling on the fly.”

There are a fair amount of videos on YouTube that walk you through how the entire thing works. As example, here’s one from tech vlogger David Bombal:

Naturally, you can imagine some pretty nefarious scenarios involving this product. For a spy to hack you, all they would really need to do is wait for you to go to the bathroom at a coffee shop, then stealthily swap out your actual Lightning cable for the OMG. From there, it’s just a little bit of remote finessing to get all of your data back to their own server.

While there’s a limited geographic scope to its functionality, it apparently works from a fairly good distance. “We tested this out in downtown Oakland and were able to trigger payloads at over 2 km,” MG told Motherboard.

Yes, impressive, but also, yikes. In short: Keep your ports protected and be safe out there.