New Lightning cable can steal user password data from a mile away

1 view
Skip to first unread message

NewsKrawler

unread,
Sep 2, 2021, 7:52:50 PMSep 2
to
New malicious Lightning cable can steal user data from a mile away
https://appleinsider.com/articles/21/09/02/new-malicious-lightning-cable-can-steal-user-data-from-a-mile-away

Lightning Cable With Hidden Chip to Steal Passwords
https://www.macrumors.com/2021/09/02/lightning-cable-with-hidden-chip/

Wireless key-logger hidden inside USB-C to Lightning cable
https://9to5mac.com/2021/09/02/wireless-key-logger-cable/

This USB-C Lightning cable should terrify you
https://www.pcworld.com/article/3632111/this-usb-c-lightning-cable-should-terrify-you.html

Jolly Roger

unread,
Sep 2, 2021, 9:25:24 PMSep 2
to
On 2021-09-02, NewsKrawler <news...@krawl.org> wrote:
> New malicious Lightning cable can steal user data from a mile away

"The "OMG Cable" works exactly like a normal Lightning to USB cable and
can log keystrokes from connected Mac keyboards, iPads, and iPhones, and
then send this data to a bad actor who could be over a mile away."

So it requires you to connect the Lightning cable to a keyboard in order to
capture passwords you type.

Must be a slow news day. This is nothing new. This kind of hardware has
been out in the wild for over a decade:

<https://upload.wikimedia.org/wikipedia/commons/8/85/NSA_COTTONMOUTH-I.jpg>

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

John Doe

unread,
Sep 2, 2021, 10:37:25 PMSep 2
to
Off-topic cross posted troll...

--
NewsKrawler <news...@krawl.org> wrote:

> Path: eternal-september.org!reader02.eternal-september.org!paganini.bofh.team!not-for-mail
> From: NewsKrawler <news...@krawl.org>
> Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
> Subject: New Lightning cable can steal user password data from a mile away
> Date: Thu, 2 Sep 2021 23:52:39 -0000 (UTC)
> Organization: To protect and to server
> Message-ID: <sgro46$2pmcc$1...@paganini.bofh.team>
> Injection-Date: Thu, 2 Sep 2021 23:52:39 -0000 (UTC)
> Injection-Info: paganini.bofh.team; logging-data="2939276"; posting-host="DiwJGjUnaTf1UlF8c1sA7g.user.paganini.bofh.team"; mail-complaints-to="use...@bofh.team";
> X-Notice: Filtered by postfilter v. 0.9.1
> Xref: reader02.eternal-september.org misc.phone.mobile.iphone:150991 comp.sys.mac.system:189575 alt.comp.os.windows-10:152617

Lewis

unread,
Sep 2, 2021, 10:53:08 PMSep 2
to
In message <sgro46$2pmcc$1...@paganini.bofh.team> NewsKrawler <news...@krawl.org> wrote:
> New malicious Lightning cable can steal user data from a mile away

This is 1) not news and 2) has nothing to do with lightning. Fake USB
cables of many types have been created over the last several years. iOS
asks you before you use any USB device if you trust the device, a detail
left out of these stories, of course. I get the alert, for example,
every time I connect my keyboard to my iPad.

--
I noticed that but was still trying to work out a way of drawing it
to everyone's attention that would be sufficiently satisfying,
combining maximum entertainment value for readers with maximum
humiliation for you. -- Laura

Nomen Nescio

unread,
Sep 2, 2021, 10:53:57 PMSep 2
to
In article <ipdbs1...@mid.individual.net>
Jolly Roger <jolly...@pobox.com> wrote:
>
> On 2021-09-02, NewsKrawler <news...@krawl.org> wrote:

OT CRAP OUT
>
> Must be a slow news day. This is nothing new. This kind of hardware has
> been out in the wild for over a decade:
>

Yet, you found it necessary to x-post OT out of date crap into
Windows 10?

You're really hard up for attention.

Joerg Lorenz

unread,
Sep 3, 2021, 3:01:27 AMSep 3
to
Am 03.09.21 um 04:53 schrieb Nomen Nescio:
What are you doing here? Exactely the same.

For years you are an eternal and anonymous Troll in the Usenet. You
escaped my filters only because I had to adjust them for technical
reasons. But now you are back in the killfile. An answer is futile.


--
De gustibus non est disputandum

gtr

unread,
Sep 3, 2021, 2:16:23 PMSep 3
to
On 2021-09-03 02:53:05 +0000, Lewis said:

> In message <sgro46$2pmcc$1...@paganini.bofh.team> NewsKrawler
> <news...@krawl.org> wrote:
>> New malicious Lightning cable can steal user data from a mile away
>
> This is 1) not news and 2) has nothing to do with lightning. Fake USB
> cables of many types have been created over the last several years. iOS
> asks you before you use any USB device if you trust the device, a detail
> left out of these stories, of course. I get the alert, for example,
> every time I connect my keyboard to my iPad.

But when the system asks you if you trust the device, having
encountered it, as you say every time you connect your keyboard, you
always automatically assent. So in the end that's no safeguard at all.
Logically, one wouldn't do testing to find out if the cable has an
eavesdrop mechanism clandestinely hidden. So it's an ingenous though
nefarious device.

We are all more tentative about jamming an unknown thumbdrive into a
port without validting it. But if someone were to swap out or leave a
spy-wire on your desk you'd likely use it without consideration.

Lewis

unread,
Sep 3, 2021, 2:30:34 PMSep 3
to
In message <sgtopj$8s9$1...@dont-email.me> gtr <x...@yyy.zzz> wrote:
> On 2021-09-03 02:53:05 +0000, Lewis said:

>> In message <sgro46$2pmcc$1...@paganini.bofh.team> NewsKrawler
>> <news...@krawl.org> wrote:
>>> New malicious Lightning cable can steal user data from a mile away
>>
>> This is 1) not news and 2) has nothing to do with lightning. Fake USB
>> cables of many types have been created over the last several years. iOS
>> asks you before you use any USB device if you trust the device, a detail
>> left out of these stories, of course. I get the alert, for example,
>> every time I connect my keyboard to my iPad.

> But when the system asks you if you trust the device, having
> encountered it, as you say every time you connect your keyboard, you
> always automatically assent.

With my keyboard? Yes. I know it's ,y keyboard.

> So in the end that's no safeguard at all.

Bullshit.

> Logically, one wouldn't do testing to find out if the cable has an
> eavesdrop mechanism clandestinely hidden. So it's an ingenous though
> nefarious device.

If I connected a cable and it asked me to authorize the USB device I
would, of course, say no.

> We are all more tentative about jamming an unknown thumbdrive into a
> port without validting it. But if someone were to swap out or leave a
> spy-wire on your desk you'd likely use it without consideration.

YOU might, but no, I would not.

--
NO ONE WANTS TO HEAR ABOUT MY SCIATICA Bart chalkboard Ep. AABF09

Wolffan

unread,
Sep 3, 2021, 7:39:07 PMSep 3
to
On 2021 Sep 03, gtr wrote
(in article <sgtopj$8s9$1...@dont-email.me>):
Errmm... how are they _getting_ to my desk? Does the spy cable look like my
regular cable? What if I don’t use a cable to connect much of anything
except my headphones... and the cable for the headphones is attached to the
headphones, and the adaptor for that cable travels with the headphones.A new,
unrecognized, unrequested USB cable suddenly appearing on my desk at the
office would be regarded with extreme suspicion. At home, well at home only
two people buy computer equipment, and neither of us leaves random cables
around.

No, I wouldn’t use it at all.

Your Name

unread,
Sep 3, 2021, 8:59:53 PMSep 3
to
On 2021-09-03 23:38:58 +0000, Wolffan said:
> On 2021 Sep 03, gtr wrote
> (in article <sgtopj$8s9$1...@dont-email.me>):
>> On 2021-09-03 02:53:05 +0000, Lewis said:
>>> In message<sgro46$2pmcc$1...@paganini.bofh.team> NewsKrawler
>>> <news...@krawl.org> wrote:
>>>> New malicious Lightning cable can steal user data from a mile away
>>>
>>> This is 1) not news and 2) has nothing to do with lightning. Fake USB
>>> cables of many types have been created over the last several years. iOS
>>> asks you before you use any USB device if you trust the device, a detail
>>> left out of these stories, of course. I get the alert, for example,
>>> every time I connect my keyboard to my iPad.
>>
>> But when the system asks you if you trust the device, having
>> encountered it, as you say every time you connect your keyboard, you
>> always automatically assent. So in the end that's no safeguard at all.
>> Logically, one wouldn't do testing to find out if the cable has an
>> eavesdrop mechanism clandestinely hidden. So it's an ingenous though
>> nefarious device.
>>
>> We are all more tentative about jamming an unknown thumbdrive into a
>> port without validting it. But if someone were to swap out or leave a
>> spy-wire on your desk you'd likely use it without consideration.
>
> Errmm... how are they _getting_ to my desk?

*Your* desk, maybe not, but it is easy for someone to get to many desks
- for example, a night time office cleaner or security guard.

Even for home users, they could be a housekeeper who comes to clean
your house when you're out, or if you take you device to a repair shop
or a repair tech comes to you, a nasty person could easily swap the
cable without you knowing.

One potential solution would be to use a permanent marker to put a line
around the cable somewhere, but you would have to constantly check for
it still being there before using your device.



> Does the spy cable look like my regular cable?

Yes. It can be made to look like any ordinary cable, including those
from specific manufacturers such as Apple, IBM, etc.



> What if I don't use a cable to connect much of anything except my
> headphones... and the cable for the headphones is attached to the
> headphones, and the adaptor for that cable travels with the headphones.

It probably wouldn't take much for some nasty person working at these
manufacturing companies to slip a similar device into cables shipping
with products.

The reality is that this particular one and the ones before it are
keystroke recorders, so only really an issue if using it with a
keyboard (including wireless ones if you stick an wireless adapter in
the end of the cable or a hub connected via the cable) or potentially
when diasy-chaning devices ... you can't record keystrokes from a
product like headphones that don't send keystorkes.



> A new, unrecognized, unrequested USB cable suddenly appearing on my
> desk at the office would be regarded with extreme suspicion. At home,
> well at home only two people buy computer equipment, and neither of us
> leaves random cables
> around.
>
> No, I wouldn't use it at all.

As above, someone like a nasty repair technician or housekeeper could
easily swap the cables without you ever knowing.

Chris

unread,
Sep 4, 2021, 11:24:32 AMSep 4
to
Yup. Which is how the americans hacked the iranian nuclear facilities.
People are far easier to fool that computer systems.

Wolffan

unread,
Sep 5, 2021, 10:23:19 AMSep 5
to
On 2021 Sep 03, Your Name wrote
(in article <sguge4$1evq$1...@gioia.aioe.org>):
As the vast majority of keyboards (Mac and Windows) are either wireless
(usually Bluetooth for Mac, usually IR for Windows) or have the USB cable
permanently attached, you _can’t_ just slip a cable in for a keyboard. This
_especially_ applies to iPad keyboards; the only iPad keyboard that I’ve
ever seen which isn’t Bluetooth has the Lightening cable hardwired in. Same
for mice, trackpads, trackballs, etc.Devices like graphics tablets often have
detachable cables... but they’re usually microUSB to USB A cables. Almost
all Lightening cables ain’t gonna cut it. (It’s non-trivial to find a
cable which will work with, say, a Wacom One and an iPad. Better to use an
Apple Pencil directly on the iPad, even if Pencils are bloody expensive. The
few cables which will do the job are closely monitored.)

No, detachable cables usually go with storage devices... and there are damn
few cables for attaching external storage to iPads.

You _can’t_ just slip a spy cable in... it won’t bloody work. Except,
perhaps, as a power cable or to connect a device to a computer.
>
>
> > Does the spy cable look like my regular cable?
>
> Yes. It can be made to look like any ordinary cable, including those
> from specific manufacturers such as Apple, IBM, etc.

Power cables, and cables to connect iPads etc to computers are kept locked
away so they won’t get lost, in the same filing cabinet containing the
power bricks. At the office the cables and bricks are labeled, you’re
supposed to take cable C1 and power brick P1 at the same time. At home
they’re in a drawer, also to keep them from walkies. At the office the
cleaning and security staff have no access to the filing cabinets; they
_can’t_ play with cables. At home, _I’m_ the cleaning and the security
staff.

>
>
> > What if I don't use a cable to connect much of anything except my
> > headphones... and the cable for the headphones is attached to the
> > headphones, and the adaptor for that cable travels with the headphones.
>
> It probably wouldn't take much for some nasty person working at these
> manufacturing companies to slip a similar device into cables shipping
> with products.

So now they’re shipping froim the factory... which means that they have NO
FUCKING CLUE WHERE THE THINGS GO, WHEN THE THINGS ARRIVE, WHAT THE THINGS ARE
ATTACHED TO... You’re gonna spray and pray, eh? Good luck with that.
>
>
> The reality is that this particular one and the ones before it are
> keystroke recorders, so only really an issue if using it with a
> keyboard (including wireless ones if you stick an wireless adapter in
> the end of the cable or a hub connected via the cable) or potentially
> when diasy-chaning devices ... you can't record keystrokes from a
> product like headphones that don't send keystorkes.
>
> > A new, unrecognized, unrequested USB cable suddenly appearing on my
> > desk at the office would be regarded with extreme suspicion. At home,
> > well at home only two people buy computer equipment, and neither of us
> > leaves random cables
> > around.
> >
> > No, I wouldn't use it at all.
>
> As above, someone like a nasty repair technician or housekeeper could
> easily swap the cables without you ever knowing.

Nope. Not if there’s anythiung vaguely approaching proper physical
security.

Reply all
Reply to author
Forward
0 new messages