There’s a new potential security threat cloaked in an innocent-looking package: the charging cable.
The cord that came with your device isn’t the problem. After-market cables, or the one left on the table at Starbucks, or that one you borrow from that nice stranger? Stop right there!
A security researcher is now selling mass-produced Lightning cables, designed to hack into your computer’s Wi-Fi.
The cords look just like any average USB power cable, but their creator managed to squeeze a Wi-Fi chip inside. As long as you use the cord to connect your phone to your computer—whether you’re working on a PC or a Mac—a hacker up to 300 feet away can access your computer and do all kinds of bad things.
Called the O.MG Cable, it’s designed so your computer thinks it’s just another peripheral device, like a mouse or keyboard. This allows the hacker to send information right to your computer screen, such as a malicious Google log-in screen to collect your username and password. Worse, the cable can be programmed to connect to a network, such as a Wi-Fi or cellular hot spot, expanding the possibilities for potential attacks.
Although using USB power cables as an attack tool is new, don’t forget that the equally ubiquitous USB thumb drives have been a potential source of malware for a long time. In fact, criminals will even target specific victims. PC World reports that a Hollywood exec received a package with a USB drive that appeared to be from a well-known production company. On the drive was a movie trailer that actually installed malware.
An ounce of prevention is worth a pound of cure
With USB-based hacks now expanding beyond thumb drives, what can you do?
- Bring your own cable. Don’t ask to borrow a Lightning cable from a stranger, and don’t pick up ones you find in the wild. Cables with an unknown past could be dangerous (and there is no way to know just by looking).
- Don’t assume other types of cords are safe. The O.MG cable is a proof of concept for cord-based hacks. Other types of malicious USB cables may already be available in the dark corners of the web.
- Buy cords that are Made for iPhone/iPad/iPod certified (aka MFi). Apple allows the stamp to be used if third-party accessories—including cables—pass its engineering standards. Of course, bad actors could put that stamp on fake goods, which is why Apple has a whole page of images that show you what to look for. Stick with well-known brands and you should be okay.
- Get a “USB condom.” Yeah, the name is funny, but the devices work by letting only power be exchanged across the USB port—no data. Note: the same security researcher who is making the O.MG cables? He’s also made a BadUSB condom, so bring your own.
- Consider deploying Endpoint Detection and Response (EDR) software. This continuous monitoring software keeps an eye on your endpoint (in other words: your computer) and your network. It uses analytic tools to watch for suspicious-looking commands or malicious downloaded software.
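
Because the cable shows up to the computer as a keyboard-like peripheral, one signal monitoring can use is a newly attached USB keyboard that nobody recognises. The sketch below is an added example, not code from this article or from any EDR product; it scans Linux kernel log lines, and the allowlist, the sample log and the 1234:abcd device are constructed for illustration.

```python
import re

# Line logged by the Linux HID core when a USB HID interface binds.
# The ID is bus:vendor:product.instance; bus 0003 means USB.
HID_LINE = re.compile(
    r"[\w-]+ 0003:(?P<vid>[0-9A-Fa-f]{4}):(?P<pid>[0-9A-Fa-f]{4})\.\w+: "
    r".*USB HID v[\d.]+ (?P<kind>Keyboard|Mouse|Device) "
    r"\[(?P<name>[^\]]*)\] on (?P<port>\S+)"
)

# Assumption: keyboards the owner knowingly uses, as (vendor, product) pairs.
KNOWN_KEYBOARDS = {("046d", "c31c")}


def unexpected_keyboards(log_lines, allowlist=KNOWN_KEYBOARDS):
    """Return keyboard attach events whose vendor:product is not allowlisted."""
    findings = []
    for line in log_lines:
        m = HID_LINE.search(line)
        if not m or m["kind"] != "Keyboard":
            continue  # not a HID attach line, or a mouse / other HID device
        ident = (m["vid"].lower(), m["pid"].lower())
        if ident not in allowlist:
            findings.append({"vid": ident[0], "pid": ident[1],
                             "name": m["name"], "port": m["port"]})
    return findings


# Constructed sample log: a known keyboard, then an unknown device that
# enumerates as a keyboard on another port, then an ordinary mouse.
SAMPLE_LOG = [
    "[   10.1] hid-generic 0003:046D:C31C.0001: input,hidraw0: USB HID v1.10 "
    "Keyboard [Logitech USB Keyboard] on usb-0000:00:14.0-1/input0",
    "[  512.7] usb 1-2: new full-speed USB device number 9 using xhci_hcd",
    "[  512.9] hid-generic 0003:1234:ABCD.0005: input,hidraw3: USB HID v1.11 "
    "Keyboard [Example Cable Device] on usb-0000:00:14.0-2/input0",
    "[  600.2] hid-generic 0003:046D:C077.0006: input,hidraw4: USB HID v1.11 "
    "Mouse [Logitech USB Optical Mouse] on usb-0000:00:14.0-3/input0",
]

if __name__ == "__main__":
    for hit in unexpected_keyboards(SAMPLE_LOG):
        print("unrecognised keyboard {vid}:{pid} '{name}' on {port}".format(**hit))
```

A device chooses the vendor and product IDs it reports, so an allowlist match is a coarse signal; treat any hit as a prompt to check what was just plugged into that port.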