New malicious Lightning cable can steal user data from a mile away
A new and upgraded version of a malicious Lightning cable that can steal user data and remotely send it to an attacker illustrates the threat of untrusted accessories.
The OMG Cable, which looks exactly like a standard Lightning to USB cable, was first demoed back in 2019 by security researcher MG. Since then, MG was able to work with cybersecurity vendor Hak5 to mass-produce the cables for researchers and penetration testers.
Although users would be hard-pressed to find anything unusual about the cables from the outside, they pack some under-the-hood modifications that make them useful to hackers. An OMG cable plugged into a Mac to connect Apple's Magic Keyboard could, as an example, log passwords or anything else a user types and send that data to a remote attacker.
The new version of the OMG cable includes a Lightning to USB-C option and other upgraded capabilities for security researchers to test out, Vice reported Thursday.
"There were people who said that Type C cables were safe from this type of implant because there isn't enough space. So, clearly, I had to prove that wrong," security researcher MG told Vice.
For example, MG says the new cables have geofencing features that can switch attacks based on a victim's physical location. The range of the cables has also been improved, with researchers able to trigger malicious payloads from more than a mile away. The addition of USB-C connectivity could also, in theory, allow the cable to carry out attacks against mobile devices like the iPhone.
OMG cables, which are available from Hak5 for about $120, work by creating a Wi-Fi hotspot that an attacker can connect to from their own devices. Once connected, they can use a normal web browser interface to log keystrokes or carry out other attacks.