“The world’s most dangerous USB cable just got more powerful,” runs the new ad—a serious warning for anyone borrowing an iPhone or iPad cable. If you do plug a cable like this into your device, you won’t know you’ve been attacked until it’s too late.
According to pen-test site Hak5, “you used to need a million-dollar budget to get a cable like this.” Now you just need $139.99 and a PayPal account. Meet the O.MG Lightning cable, a perfect enough replica of the Apple original that you wouldn’t know the difference. But this one is way more high-tech than the original.
O.MG’s attack cables first came to prominence at DEFCON back in 2019. At the time, juice jacking was generating headlines. You’ll remember the hysteria: don’t use public charging stations for fear of losing all your data. The idea was that the helpful USB socket you plugged your cable into was secretly connected to a hidden computer.
“A free charge could end up draining your bank account,” the LA DA’s office warned. Despite the hysteria, it’s good advice. You really shouldn’t plug your unlocked phone into a random USB socket. If you need to charge in public, use an actual charger. Preferably one of your own. USB cables are designed for data, remember.
O.MG cables are a very different twist on the theme. It doesn’t matter what you plug the cable into, because the cable itself is the attack device. It carries an independent WiFi access point, payload storage, geofencing capacity and the capacity to log keystrokes or inject its own, and it can be instructed on the fly.
Each cable can be controlled by a browser—you can log directly into the cable’s access point or have the cable connect to a network to find its own route to you.
The cables were not designed to attack iPhones, but the Macs and other computers they’re plugged into for a charge or a sync. Originally, each was hand-built by inventor Mike Grover and fairly easy to distinguish from the originals. “At the time,” Grover tells me, “I just wanted to see if I could do it—shrink something down small enough.”
Watch my interview with Mike Grover in the video at the top of this story.
But then the design was perfected, and they became direct replicas, and now the USB-A originals have been supplanted by a USB-C update. And so iPad Pros and many Android smartphones are at risk. Maybe we don’t want a USB-C iPhone after all.
Grover picked the Lightning cable to compromise as it was the hardest—small, tightly contained, beautifully built. He’s not in the business of supplying offensive hackers—it’s not his cables you need to worry about. His intent is that this serves as a warning. If he can do this, then others can too. And you won’t know about those other ones.
This should be the stuff of shadowy government labs and eye-watering budgets. And for many years it has been. This kind of device is an offensive tool beloved of intel agencies. And so, one of Grover’s missions is working with businesses to educate their staff, running red team exercises where employees are compromised to learn a hard lesson as to how they need to harden their security when travelling.
The shift to USB-C isn’t the only change. The payload storage is bigger, and that opens up the possibility for direct malware attacks. And there are new “attack modes.” Cables can self-arm when on target and self-destruct when their location changes. There’s an attack cycle, capturing user keystrokes and then injecting its own. This enables a cable to gather intel when a user is at their device and to attack it when they’re not.
And while this isn’t a broad-scale threat, neither is it the stuff of high-end intel operations anymore. Think theft of enterprise creds as the spate of ransomware, critical infrastructure attacks and supply chain compromises intensifies. In a world where criminal cyber-attacks garner hundreds of millions of dollars, think where some of that money might be invested and what may become of those investments.
In reality, this isn’t the world’s most dangerous cable. Grover has deliberately prevented cables in “mobile attack mode” from charging or syncing phones, “so you’ve got a limited ability to abuse that without the target knowing,” he explains. This cable is designed for demos and training, for red teaming and pen-testing.
Grover tells me that many of the companies he supplies tell him the cable is one of their most powerful tools for teaching employees a real-world lesson as to how they can be compromised. “Wait!” he mimics, “the cable attacks what?”
In reality, the cables you need to worry about are not the ones sold online. “This isn’t the kind of threat the average person is going to encounter,” Grover says. It won’t end up planted in retail stores, “although it’s totally possible, but it doesn’t make any sense as there are easier pathways to go after somebody.” What this is, though, is tangible evidence as to what can be done and how easily it can be done.
If you travel for work, if you’re in government service or a high-value industry, if you’re a celebrity or a government-targeted lawyer or journalist, this publicity should send a clear message: Don’t use cables if you don’t know where they come from.