Given that the device is plugged in, trusted, shows up as a computer, and requires external power, it has all the connections it needs to spy on the screen (at minimum) and remote control the victim iPhone without permission in the worst case. (It has a video feed, and can emulate a USB keyboard and mouse.) Yikes!
Agreed. If you want to prove to yourself that this vulnerability is real, consider that you can replicate the hypothesized malicious device you describe by taking a WiFi Duck https://wifiduck.com/ and combining it with a regular lightning-to-HDMI adapter by plugging the WiFi Duck into the extra lightning port on the HDMI adapter. All that would be needed to use this attack on an unsuspecting victim would be to combine the WiFi Duck and the HDMI adapter functionality into a small enough circuit board to fit into the Apple-style white enclosure.
It's not THAT weird. Lightning can't carry HDMI at all so even Apple's official adaptor is essentially setting up an Airplay connection over USB and has an ARM SoC to handle it. I'm guessing 3rd parties can't do the same trick without Apple's blessing which results in scary seeming workarounds.
> I'm guessing 3rd parties can't do the same trick
There are lots of third-party Lightning to HDMI adapters for cheap on Amazon that work as a clone of Apple's with no need for any software. Whatever this cable is doing is out of the ordinary even for knockoffs.
Do you have a source on that? I ask because it’s genuinely such a cool thing but I can’t find anything about it online even though I have seen this mentioned before.
Oh yeah, I remember reading about the AlphaSmart somewhere! Though it is quite different from an ordinary-keyboard-looking spying device that I tried to describe in my original comment. The AlphaSmart feels like more of a digital typewriter that just had a really primitive data transfer method
They have, but all of them are "personalized" attacks - as in, a malicious person needs to install these on specifically your computer, without your knowledge. What I was talking about is some kind of device from some no-name Chinese manufacturer that presents as harmless, but actually sends off some additional data back home.
I saw the big 404 and instinctively bounced. I can’t be the only one. I went back to find their 404 page and am quite satisfied with what I found: https://www.404media.co/i-te/
So from my reading, the shitty behaviour is from the app, not the cable. Have I misread it?
What happens if you try to use the cable without downloading the app? I for one would assume that my cable was defective, if it needed an app to work. I realize that HDMI cables are weird, and that like quite a lot of modern interconnect are not a monolithic standard, but come with multiple support levels; I wish that would stop.
A standard is a standard, and market partitioning is no part of the job of a standard.
Requiring the use of an app, in order to use some kind of adapter cable? I must be getting old, feel like I've just crawled from under a rock... :-)
That would also mean this cable becomes useless the moment the URL encoded in the QR disappears?
As for the app: even if it's total crap, if only 50% of cable-buyers proceed to install the app, that 50% is still gained as potentially spied-upon subjects. There's a new please-spy-on-me sucker born every day, so to speak.
Does it really matter? This isn’t a real product. It’s a scam product to trick people trying to buy a real Apple part and con them into the app’s clutches.
Part of me is looking forward to the time when a government activates a significant part of all the spyware/adware/backdoors/etc in the world as part of a cyberwar. COVID would be a child's game compared to that, but that disaster would at last make people understand how bad tech has become at this point.
Double points if the operation is started by another state/group that stole those backdoors.
The worst part of adult life is realizing you already live in a world where this happens. Regularly. And no-one bats an eye. And you try to maintain sanity by adding hypothesis (“But I mean, with the government giving the keys to…”) and all of the evil you can think of, also exists.
The official Apple HDMI adapter does the same thing with an SoC in there. The difference is native iOS support instead of a 3rd party app needed to support it.
I still find it hilarious that that’s how the old cable worked, the iPhone encoded an H.264 video stream and sent it to the dongle, which decoded it and sent it down HDMI.
Now that iPhones have USB-C they no longer need a custom adapter. A standard USB-C to HDMI cable is supposed to work. I believe.
Probably to work around a USB (Lightning is USB2 based, right?) link not fast enough to keep up with the phone graphics. However, I note that there are USB graphics card descriptors[1] and I assume USB graphics cards, that is, graphics over the normal USB data pins, not a DisplayPort pass-through. These descriptors are what I would naively assume a USB to HDMI "adaptor" to be, a USB graphics card.
I am finding it hard to hunt down low-level information on how these "adaptors" work. Does anyone know what type descriptors they use? And what an iPhone does if you plug one in? (I am assuming the Lightning to USB physical connector is trivial.)
Update: I found these reverse engineering documents on Synaptics DisplayLink chips. They appear to be a popular manufacturer of such dongles. And it looks like compression is needed there as well.
You’re right, Apple never moved lightning past USB-2 speeds. Still seems weird to do things the way they did, unless it was just to reuse some part they already had in another device, thus saving costs.
The need for compression is a good point. I hadn’t thought of that. But you’re right other existing parts should have worked if chosen, right?
Weird. Just such a fun day on Twitter when it was discovered that what we had all assumed was just a relatively simple adapter was a whole SoC running its own firmware doing this job.
Nope. I don’t know if it put itself in some kind of analog mode for composite. I can’t remember if that was a thing around the switch to lightning. But the cool hack has always been how the HDMI adapter worked.
I think I've come across this specific screen. In my case, this was its equivalent of "No Signal" screen, and the app was only needed to update the firmware if needed, not to connect. It seemed to exploit AirPlay somehow and therefore finicky unlike official dongles.
The saluspa from "bestway" demands your location before allowing you to setup wifi remote control of the portable hot tub on the android app. I wonder how on android I can spoof the location used by an app, or if anyone figured out if you can control it without the app.
I set it up away from my house and use a separate wifi network but it pissed me off.
Because your location can be inferred by finding which Bluetooth devices are around you, as that article says...
> See, back in Android 6 Marshmallow, Google changed things so that apps needed location permissions to scan for Bluetooth devices. At the time, the rationale was that Bluetooth was going to be used for things like interior navigation or location tracking in a more abstract sense, and your location could indirectly be inferred via Bluetooth scanning alone if a given hardware identifier was tied to a specific location.
Before Android required that permission, there were marketing companies selling malls the ability to see who was around by the ID of their Bluetooth beacon.
But pairing works well without the app involved; we could just give a permission to specific already-paired devices and keep location for apps that actually need to scan.
Again - That still sends out a beacon. Searching for already-paired bluetooth devices still sends a bluetooth frame with your bluetooth MAC address, (which has to be consistent, because that's how bluetooth devices identify each other).
> Searching for already-paired bluetooth devices still sends a bluetooth frame with your bluetooth MAC address, (which has to be consistent, because that's how bluetooth devices identify each other).
It doesn't have to be readable by third parties. Given that the devices are already paired, it's perfectly feasible for that frame to be encrypted gibberish that only the other device can understand.
I think that the math of battery life if you had to decrypt anything that looked like a handshake packet to see if it's for you is the opposite of feasible.
The other poster already explained the old permission. There's also a new permission specifically for Bluetooth LE now as well for newer devices so location shouldn't be needed.
Depends on the specific use case but you ideally shouldn't need those calls. Our app requests both the old location permission and the new nearby permission just because not all of our vendors keep their libraries up to date and it's not unreasonable for the app to know where you are when using those features.
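The permission split discussed in the comments above, as an added example that is not part of the thread or any commenter's app: an Android manifest fragment for a hypothetical BLE companion app that keeps the location permission only on the older releases that gate Bluetooth scanning on it, and uses the Android 12+ Bluetooth permissions with the no-location assertion on newer ones.

```xml
<!-- Constructed example manifest for a hypothetical BLE companion app.
     It is not taken from any app mentioned in the thread. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android">

    <!-- Android 11 (API 30) and lower: Bluetooth scanning is gated on
         location, so these are still needed there. maxSdkVersion stops
         the app from holding them on newer releases. -->
    <uses-permission android:name="android.permission.BLUETOOTH"
        android:maxSdkVersion="30" />
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN"
        android:maxSdkVersion="30" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"
        android:maxSdkVersion="30" />

    <!-- Android 12 (API 31) and higher: dedicated "nearby devices"
         permissions. neverForLocation asserts that scan results are not
         used to derive physical location; the system then filters some
         beacons out of the results, so it only suits apps that talk to
         their own accessory. -->
    <uses-permission android:name="android.permission.BLUETOOTH_SCAN"
        android:usesPermissionFlags="neverForLocation" />

    <!-- Needed to connect to and exchange data with an already-paired device. -->
    <uses-permission android:name="android.permission.BLUETOOTH_CONNECT" />

</manifest>
```

When reviewing an accessory app, a location permission declared without `android:maxSdkVersion` alongside `BLUETOOTH_SCAN` means the app can still request location on current Android versions.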
I tried to use Fanduel last night to place some bets for my friend in prison. It requires your location. You have to install some horrible app that installs a Windows Service and has no UI. It still won't work.
After a lot of digging around, I discovered you cannot use Fanduel if you have a wired device. The app _requires_ you to connect to your router by Wifi or it will not work. WTF.
Maybe it's for compliance reasons? in other words they really want to know you're in a jurisdiction that allows gambling, and not using a VPN or whatever.
That's exactly what it's for, but historically these sites would just do an IP check at the server, not install some horrible malware on your PC and then tell you an ethernet connection is evil.
The 4 outlet water timer I bought came with bluetooth remote functionality. It needs GPS location data for it to work. Nope. Should have known some shit like that would be part of the deal, and could have saved a few bucks by getting the version without remote.
People need to just stop with this tracking bullshit.
Anyone making a "smart" water timer using today's weather forecasting would be something that could be called "The Plant Killer". My area can say that there's 80% chance of rain, yet not one drop can fall where I am while other areas can say they received .25" of rain. Sounds like watering isn't necessary. Oops. Dead plants. There's other times where no weather is forecast, yet I've received .25" of rain. Oops. Wasted water. Also, your "smart" decision to not water because of rain means all of the plants on my patio didn't get watered while I was on vacation/work trip/etc, which is the primary reason I bought the timer in the first place.
Your smart is dumb. Just turn the water on at the time I said. That's plenty smart for me. If I can update the schedule from my couch, great! But...not at the expense of all of this tracking bullshit
This could be an overly cautious legal requirement. I know heaters (Dyson) won't allow you to control heat remotely in some locations, so instead of yanking out hot water from the app, they decide to ask your location to verify you're home.
We need to think about the role of government in regulating consumer electronics. Should the government require companies to disclose more information about the security and privacy risks of their products? Should the government ban the sale of products that pose a significant security risk?
The lack of transparency on the security details will take a toll on the consumers in the coming future.
This kind of shady device should be banned in Western countries, not only for trying to get their users' information, but also for being a device that can go directly to the e-waste bin without a minimal usage.
There's a lot of ccTLDs that are considered to be "generic": .ai, .as, .fm, .io, .me, .tv, .ws...
For example, Google search will treat them the same as .com, while others like .de or .fr are gonna be interpreted as if your website is targeting a specific market.
So, a trojan device that makes the user give it basically full control over their phone, allowing a third party to do whatever the hell they want with the user's data and accounts - and what does it actually do? Show targeted ads.
This is not the gotcha you think it is. Imagine how awful the apps we would be forced to sideload would be, if companies like the one that made this dongle were allowed to make them.
You are correct in lampooning the word "force" but don't throw out the baby with the bathwater. The point is still valid. Also, it seems obvious that the danger is in long-term ecosystem implications. "I haven't had to so far" is irrelevant.
Android users had/have(?) to side-load Fortnite. Depending on who you are that might feel like being "forced." Is your argument "If you feel like you are forced to use some app you are wrong and should just stop" or is it "If an app gets big enough that a lot of people feel forced to side-load it, then it earned the right not to abide by any platform holder policies."
> You are correct in lampooning the word "force" but don't throw out the baby with the bathwater. The point is still valid.
I have yet to see one client, customer, friend, acquaintance, relative (or rando who happened to know I'm an IT guy) sideload an app without knowing what they were doing & having a good reason to do so.
The list of those who sideloaded is small. However, my list of technically hapless folks is much, much larger - and zero of them seem to have sideloaded anything ever. There's a fair chance I'd wind up knowing if they did.
Even my often homeless ex who's down with plugging any connector into any port at any time of day (shapes need not match) doesn't seem to have sideloaded. Certainly her devices are always in a Sideloading=Off state when I check (she is not now a developer!).
From an IT view, unintended sideloading looks like a low priority concern.
The reason for making Fortnite sideloaded is informative. It's not because they wanted to get around any of the supposed user protections of App Stores; it's because the App Store was leeching too much money.
If you own a mainstream android device, you're probably not going to ever have to.
If you have something a little weirder, the app store often will not let you install an app which doesn't state compatibility. Sideloading the APK more often than not works fine.
Also, there's alternative sources like F-Droid which have stuff you can't get in the Google app store - ad-free Youtube apps - that will never be allowed on the Google app store.
I wouldn’t expect better of Google. An app like Google Photos on iOS should (in my opinion) be banned because it requires access to all locally saved photos, breaking if either no access or selective/additive photo access is used.
I don't know. This app from the app store is already near 80% of the worst I could imagine. Only formatting the storage might be worse... and then they wouldn't get any more juicy location data.
I have an impression that covid enabled widespread acceptance of QR codes, and now every app is excused to request camera and photo access because "we need to scan a QR code".
It would be nice to have a special way to scan a qr code in which the system reads the QR code for the app without the app being able to see raw camera data.
If I remember right, there’s a way to get a “take picture” option in the chooser. I’m not sure how the qr code would then be recognized, though I’m not sure why you wouldn’t have them get the qr code via the system camera app.
That’s intended for selecting a pre-taken photo without giving an app library access. You’d have to get the user to take the picture then come back to your app.
What you really need is a system dialogue that pops up the camera and only returns the QR code to the app, the way the photo picker can see the whole library but only gives the app the one selected photo.
Pretty sure Android has this. You can make an app without camera permissions, send an intent that opens the built-in camera to take a picture and you are given access to only that picture. It means you cannot record things in the background all the time, and users don't need to make a decision about a sensitive permission.
iOS may have that as well. I think it’s part of that same photo picker interface.
But that’s not what I was imagining. I was thinking of something in the system that did the QR code scanning for you so that you could just point the camera and as soon as it recognized one the app would get the data. That way the user doesn’t have to frame it and take the picture and select that it’s OK to use in the app.
That’s how adding HomeKit devices works. You hit the add device button in the Home app and a view of the camera comes up. The instant it sees one of the HomeKit QR codes it goes away and starts doing its thing. It’s a great user experience.
But third parties can’t do that without requesting camera access first to get access to the live camera view. A system library could provide it.
I always wondered how Amazon gets away with listing "Apple lightning cables" (and all the other scam/junkware they list) that are not made or sold by Apple.
It's like they abandoned any respect for trademarks and patents and got away with it.
Not related to this story specifically, but I've been very impressed with 404 media's stories thus far. They haven't been around long, but they've already done a lot of impressive journalism. I'm glad we've finally got a tech media outlet with teeth.