When iPhone Cables ATTACK!

Would you willingly plug a device into your smartphone or computer that would allow a stranger to see everything you type, steal your data, and install malware on your machine?

Of course you wouldn’t.

And, if you’ve read our recent article on Removable Media & Cybersecurity, you already know that you shouldn’t plug an unfamiliar USB stick or portable hard drive into your computer. But what if we told you that even an iPhone charging cable can be malicious?

The “OMG Cable” is designed to look and act exactly like an Apple or Samsung charging cable – the same type of cable you would use to charge your phone or connect a keyboard to your computer. But it contains a hidden chip that allows hackers to connect to any device it’s plugged into, record keystrokes, transmit sensitive data including passwords, and inject malicious software.

How Does it Work?

Imagine you’re at a coffee shop getting some work done, and you notice that your mobile phone is about to die. You look around frantically for a charging cable and gratefully accept one from a mysterious stranger in a hooded sweatshirt and Guy Fawkes mask…

OK, rewind. You wouldn’t do that.

But you still desperately need to charge your phone and spot a charger that the last person at your table must have left behind. It looks like a plain old, normal cable that comes with every iPhone, so you declare finders keepers and plug in your phone.

No, no, rewind again. You still wouldn’t do that. You’re smarter than that.

You’re smart enough to bring your own charger and not touch any cable that you didn’t purchase yourself from a legitimate Best Buy. BUT then you take a bathroom break and leave your laptop and phone charging at the table. Cue the guy in the hooded sweatshirt (who is indeed a hacker). He sneaks over to your table while you’re in the restroom and switches cables. You return from the restroom and pick up where you left off, with no idea that your legit cable has been swapped out with a malicious one.

Now the malicious cable is plugged into your device and has started transmitting a signal, which is essentially a Wi-Fi hotspot. The hacker, who is now seated four tables away, hops onto the signal and is now connected to your phone. From there, he can start “listening” to your device to discover every website you visit, every text message you send, and every password you enter. He can also remotely execute a payload and inject spyware or ransomware onto your phone.

On top of all this, if you plugged your phone into your laptop instead of a wall charger, he’d have access to your laptop as well.

And, once he’s done, he can cover his tracks by sending a self-destruct command to the cable.

How Can You Protect Yourself?

We asked the experts at AllSafe IT how people can protect themselves from hackers employing the OMG cable or other attack hardware.

• Ben, our Senior Service Desk Engineer, says he’d flat out tell people not to use any cable they didn’t purchase themselves.
• Don’t leave your phone, computer or any other devices unlocked and unattended.
• Spencer, our Centralized Services Manager, advises to make sure your antivirus/malware protection is up to date so if a bad cable is plugged in, it will catch it.
• If you happen to find a cable that looks suspicious, change your passwords immediately and submit it to your IT provider for analysis.

And of course, make sure your employees are trained on security awareness so they are aware of every type of threat (not just phishing!) and know how to respond to them.

‍