> One idea is to take this malicious tool, dubbed O.MG Cable, and swap it for a target's legitimate one. MG suggested you may even give the malicious version as a gift to the target
Even more frightening, people selling them as seemingly legitimate cables on Amazon? People will pay you and you get a new botnet.
How many could you sell before it's discovered?
How can I, as a consumer, even tell? Amazon will even allow you to sell your malcable under the Apple brand.
Your attack would need to be targeted since you can’t connect to your cable over the internet, only over the wifi interface, limiting you to that range.
If you were mailing the cables to random people, you wouldn't use wifi, it's true. You'd just want the fake keyboard to just use a terminal to download and install a trojan.
If you can fire off a successful "curl | bash" on an internet-connected machine, wireless isn't needed.
Of course, without wifi you've only got a USB Rubber Ducky clone [1] whereas with wifi, you've got an NSA COTTONMOUTH clone [2] which I imagine is much more likely to get your talk accepted at DEFCON :)
Opening up a terminal while the user is actively using their computer is going to be a huge red flag and give the whole game away. Presumably with a local attack, the attacker will wait until the user is distracted or away from their computer before taking control.
Given that it can do things like open a terminal, I'd think it could automatically be set to install botnet malware. Sell a few hundred thousand on Amazon and you're in good shape.
> "But the cable can be configured to act as a client to a nearby wireless network. And if that wireless network has an internet connection, the distance basically becomes unlimited."
I suppose it could do some keyboard and mouse actions to extract your current wifi network’s password, copy to a file and spin up a tiny flash drive emulator to copy it onto.
I don't know about other Canadian cities, but in Vancouver, there are both Telus and Shaw hotspots randomly strewn throughout the city. The Telus ones exist in public/government buildings as a co-sponsorship with the municipal government; the Shaw ones exist at the numerous charging stations for bike-share bikes, as a different co-sponsorship. Admittedly, you aren't really likely to run into either if you're not downtown.
Then there's the Shaw hotspots which they expose on a dedicated side-channel of the routers of people who pay for their business Internet plans, which allow arbitrary other Shaw customers with authenticated MAC addresses to connect to them. Those are all over the place, and it'd be pretty easy to steal a list of a few hundred registered MACs and rely on that network to connect.
I do not buy electronics on Amazon for this very reason.
Ditto. Further, I do not buy lightning cables or iPhone chargers from anywhere but an Apple Store.
This has been a good idea for years, even before this, when HN was all aflutter about fake chargers frying phones, or with embedded computers that tried to hack your phone.
I'd venture to say those aren't real Ankers. The ones I have are built like tanks. I personally abuse some of my lightning cables, pulling on them, stuffing in bags in a rush, etc. They've lasted years and look new.
Note: I do buy the ones that come with nylon, not sure if that makes a difference.
They are overpriced, but Apple cables have never failed me where others have, so for the peace of mind it is really worth it to me. A couple of anecdotes below.
A few months ago, I had a stock Lenovo laptop charger failing. I thought something was up with the physical port on the laptop, because the power button was blinking when I was plugging it in, but even after an hour of being plugged in, it still refused to turn on. As a last ditch attempt I tried my work-provided MBP cable, and it turned on after a minute. However, since it was a work laptop and not a personal one, it could've been that whoever used the laptop before abused the cable endlessly, so I attributed it to that.
Most recently, it happened with a personal device of mine, Oculus Quest. After a month of use, it refused to charge at all using the provided cable. I tried plugging it in a bajillion different ways, nothing worked. I thought it was a headset issue, because I used the cable very gently and only at home, and people reported that problem occurring and that resetting the headset might help. Obviously, it didn't resolve the issue in my scenario. Plugged it into my personal MBP cable, it started charging immediately.
Bought some a few months ago and my issue is the price premium. $20 for a 1 meter long lightning cable feels like highway robbery but I've never had an issue with them failing so it's worth it.
My opinion is that the Amazon threat vector is overblown. This cable is better suited for inside attackers (friends & family) or for highly targeted attacks.
Amazon reviewers would quickly notice terminal windows pop up on their screens or keystrokes happening at inopportune times, assuming a more advanced exploit isn’t used. (many of these attacks simply try to spawn a terminal window and type commands, a very noisy approach) Scary device regardless, I just think the Amazon vector is overhyped.
If you are a high value target, pay close attention to your supply chain and how you receive packages.
> Amazon reviewers would quickly notice terminal windows pop up on their screens or keystrokes happening at inopportune times
Back in the day, sure, but with the way Amazon works now I don't think this would be the case. I stopped purchasing items from Amazon because one of the things they do is lump "like" or "same" items and reviews together, the only problem is sometimes the items are actually completely different. I've bought electronics, components, cables, and other items from Amazon before and then received a similar item but from a completely different brand, manufacturer, seller, etc. When I went back to look at reviews they are all lumped under one page of Amazon so you can't get details about a particular product. You can order a cable on a page that's called "Apple lightning cable" with reviews for legitimate products but then receive a cheap lightning cable from China with no way to leave a review for that particular product. One way I've found of identifying pages like this is by examining pictures that people upload in reviews, and many times you'll find a variety of products being reviewed/received.