15 comments

  • jimrandomh 115 days ago

    Reposting from 4 months ago (https://news.ycombinator.com/item?id=19609745):

    It's a severe discredit to the major operating system vendors that plugging in a USB stick can still compromise a system.

    If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until either that keyboard has typed the user's login password, or the user uses a different input device to authorize it. If it identifies itself as a storage device, the filesystem driver should be hardened. If it identifies itself as an obscure 90s printer with a buggy driver written in C, it should prompt the user to confirm the device type before it loads the driver.

    It's 2019. Why the f* haven't Windows, MacOS and Linux all implemented these basic precautions?

    • gitgud 115 days ago

      >If a USB device identifies itself as a keyboard, the system shouldn't accept its keystrokes until either that keyboard has typed the user's login password, or the user uses a different input device to authorize it.

      An interesting solution, it would definitely prompt the user to understand what the device is trying to do.

      But I'm sure that it's extremely hard to prevent something malicious, once it has physical access to a port on your computer...

      • josephg 115 days ago

        Except for running wacky voltages through your computer, there's no fundamental reason why USB devices should be harder to protect against than malicious network traffic. The model is very similar - in both cases they're serial data transports. USB just uses devices instead of services, and drivers instead of programs.

        • squarefoot 115 days ago

          "An interesting solution, it would definitely prompt the user to understand what the device is trying to do."

          But then it could simply wait for the user to enter the password (1), then read it by sniffing the traffic from the keyboard and store it internally for later use, since it's all in clear ad it cannot be encrypted before entering the machine unless most (all) USB consumer hardware get some heavy modifications.

          1- very simple algorithm: store in the internal flash memory whatever the user enters between connecting the keyboard and hitting the 2nd enter key; if it's mostly the same words, then it's very likely an user/password pair.

          "But I'm sure that it's extremely hard to prevent something malicious, once it has physical access to a port on your computer... "

          Very true. Malicious plug in hardware was just a matter of time; we badly need some active protection for these things, or it would be a mess. This is the perfect weapon in the hands of people with a thing for vandalism, I hope mainstream media won't cover that story.

          • jimrandomh 115 days ago

            You're assuming the malicious device is a keyboard, or is on the signal path between the motherboard and a keyboard. That's not the common case, nor is it the case here. No one types their password into an iPhone cable, because the cable has no keys to type with.

        • thunderbong 115 days ago

          Probably because the keyboard can be plugged in and has to be recognized even before the operating system boots?

        • MichaelApproved 115 days ago

          > One idea is to take this malicious tool, dubbed O.MG Cable, and swap it for a target's legitimate one. MG suggested you may even give the malicious version as a gift to the target

          Even more frightening, people selling them as seemingly legitimate cables on Amazon? People will pay you and you get a new botnet.

          How many could you sell before it's discovered?

          How can I, as a consumer, even tell? Amazon will even allow you to sell your malcable under the Apple brand.

          • Scoundreller 115 days ago

            Your attack would need to be targeted since you can’t connect to your cable over-the-internet, only over the wifi interface, limiting you to that range.

            • michaelt 115 days ago

              If you were mailing the cables to random people, you wouldn't use wifi, it's true. You'd just want the fake keyboard to just use a terminal to download and install a trojan.

              If you can fire off a successful "curl | bash" on an internet-connected machine, wireless isn't needed.

              Of course, without wifi you've only got a USB Rubber Ducky clone [1] whereas with wifi, you've got an NSA COTTONMOUTH clone [2] which I imagine is much more likely to get your talk accepted at DEFCON :)

              [1] https://shop.hak5.org/collections/physical-access/products/u... [2] https://en.wikipedia.org/wiki/NSA_ANT_catalog

              • Scoundreller 115 days ago

                At that point, just pre-load the cable with a flash drive and copy the malware onboard.

                • nixpulvis 115 days ago

                  Seeing now why counterfeits are a serious problem for resellers!

                • eridius 115 days ago

                  Opening up a terminal while the user is actively using their computer is going to be a huge red flag and give the whole game away. Presumably with a local attack, the attacker will wait until the user is distracted or away from their computer before taking control.

                  • michaelt 115 days ago

                    Yes, if you did a scattershot attack some users would notice for sure.

                    But if the terminal only flashes up for 100ms, plenty won't notice or will think it was just a glitch.

                • ceejayoz 115 days ago

                  Given that it can do things like open a terminal, I'd think it could automatically be set to install botnet malware. Sell a few hundred thousand on Amazon and you're in good shape.

                  The wifi's just so you can control it remotely.

                  • roywiggins 115 days ago

                    The thing can scan for open wifi and phone home, so anyone within range of a Starbucks would be vulnerable.

                  • ebg13 115 days ago

                    The article says

                    > "But the cable can be configured to act as a client to a nearby wireless network. And if that wireless network has an internet connection, the distance basically becomes unlimited."

                    • Scoundreller 115 days ago

                      I suppose it could do some keyboard and mouse actions to extract your current wifi network’s password, copy to a file and spin up a tiny flash drive emulator to copy it onto.

                      • wlesieutre 115 days ago

                        Sure but it needs a password to the network. I don’t have any random public hotspots available near my computer.

                        • DenisM 115 days ago

                          Are you sure you don't have XFinityWIFI next to you? Most people live near one.

                          • Scoundreller 115 days ago

                            I’m in Canada. Our ISPs would never provide such a service in a million years.

                            • derefr 115 days ago

                              I don't know about other Canadian cities, but in Vancouver, there are both Telus and Shaw hotspots randomly strewn throughout the city. The Telus ones exist in public/government buildings as a co-sponsorship with the municipal government; the Shaw ones exist at the numerous charging stations for bike-share bikes, as a different co-sponsorship. Admittedly, you aren't really likely to run into either if you're not downtown.

                              Then there's the Shaw hotspots which they expose on a dedicated side-channel of the routers of people who pay for their business Internet plans, which allow arbitrary other Shaw customers with authenticated MAC addresses to connect to them. Those are all over the place, and it'd be pretty easy to steal a list of a few hundred registered MACs and rely on that network to connect.

                          • wlesieutre 114 days ago

                            Checked last night and yes I do. Guess I'll be keeping a closer eye on my USB cables.

                            I rarely plug my phone into a computer, but I suppose this works just as well for any other USB device with a removable cord.

                            USB-C is probably safe for now on account of the smaller connectors.

                    • misiti3780 115 days ago

                      I do not buy electronics on amazon for this very reason.

                      • reaperducer 115 days ago

                        I do not buy electronics on amazon for this very reason.

                        Ditto. Further, I do not buy lightning cables or iPhone chargers from anywhere but an Apple Store.

                        This has been a good idea for years, even before this, when HN was all aflutter about fake chargers frying phones, or with embedded computers that tried to hack your phone.

                        • 4ntonius8lock 115 days ago

                          I've always used premium power cables just because of the possibility of shorts from cheap cables.

                          I wonder what HN thinks of Anker cables? I've always loved them because they are rugged and well made. Though I know they are a Chinese company...

                          • hiharryhere 115 days ago

                            I bought a pack of three Anker lightning cables because of the praise they got here on HN.

                            Unfortunately all three weakened near the connector within a few months to the point where they only intermittently charge. Really disappointing.

                            • 4ntonius8lock 114 days ago

                              Did... you buy on amazon? (shudders)

                              I'd venture to say those aren't real Ankers. The ones I have are built like tanks. I personally abuse some of my lightning cables, pulling on them, stuffing in bags in a rush, etc. They've lasted years and look new.

                              Note: I do buy the ones that come with nylon, not sure if that makes a difference.

                          • filoleg 115 days ago

                            They are overpriced, but Apple cables have never failed me where others have, so for the peace of mind it is really worth it to me. A couple of anecdotes below.

                            A few months ago, I had a stock Lenovo laptop charger failing. I thought something was up with the physical port on the laptop, because the power button was blinking when I was plugging it in, but even after an hour of being plugged in, it still refused to turn on. As a last ditch attempt I tried my work-provided MBP cable, and it turned on after a minute. However, since it was a work laptop and not a personal one, it could've been that whoever used the laptop before abused the cable endlessly, so I attributed it to that.

                            Most recently, it happened with a personal device of mine, Oculus Quest. After a month of use, it refused to charge at all using the provided cable. I tried plugging it in a bajillion different ways, nothing worked. I thought it was a headset issue, because I used the cable very gently and only at home, and people reported that problem occurring and that resetting the headset might help. Obviously, it didn't resolve the issue in my scenario. Plugged it into my personal MBP cable, it started charging immediately.

                            • judge2020 115 days ago

                              Bought some a few months ago and my issue is the price premium. $20 for a 1 meter long lightning cable feels like highway robbery but I've never had an issue with them failing so it's worth it.

                              • lisper 115 days ago

                                Think of it as $1 for the cable and $19 for the provenance guarantee.

                            • buildbuildbuild 115 days ago

                              My opinion is that the Amazon threat vector is overblown. This cable is better suited for inside attackers (friends & family) or for highly targeted attacks.

                              Amazon reviewers would quickly notice terminal windows pop up on their screens or keystrokes happening at inopportune times, assuming a more advanced exploit isn’t used. (many of these attacks simply try to spawn a terminal window and type commands, a very noisy approach) Scary device regardless, I just think the Amazon vector is overhyped.

                              If you are a high value target, pay close attention to your supply chain and how you receive packages.

                              • okmokmz 115 days ago

                                >Amazon reviewers would quickly notice terminal windows pop up on their screens or keystrokes happening at inopportune times

                                Back in the day sure, but with the way amazon works now I don't think this would be the case. I stopped purchasing items from amazon because one of the things they do is lump "like" or "same" items and reviews together, the only problem is sometimes the items are actually completely different. I've bough electronics, components, cables, and other items from amazon before and then received a similar item but from a completely different brand, manufacturer, seller, etc. When I went back to look at reviews they are all lumped under one page of amazon so you can't get details about a particular product. You can order a cable on a page that's called "apple lightning cable" with reviews for legitimate products but then receive a cheap lightning cable from china with no way to leave a review for that particular product. One way I've found of identifying pages like this is by examining pictures that people upload in reviews, and many times you'll find a variety of products being reviewed/received.

                            • ikeboy 115 days ago

                              Amazon hasn't allowed unauthorized sellers sell Apple products since January

                              • Proven 115 days ago

                                How can you tell? How can Amazon tell?

                                If you want a legit cable, you can buy it from Apple.

                                Nothing gives you the right to force others - or use the government do that on your behalf - to do something you don't want or cannot do yourself.

                              • paulsutter 115 days ago

                                Really need a setting “never trust any device ever”. I’ve never once had a use case with my phone to do anything but charge. Really hate when I plug in my phone to charge in a car and the car takes over my UI. All bad ideas. If I want to move photos I use the network.

                                • falcolas 115 days ago

                                  Personal opinion: Charging only is what a cigarette adapter is for.

                                  Allowing me to use the car's interface to control my phone is a nice tool. It probably adds to the safety of my driving, since I can skip audio tracks using physical controls on my steering wheel instead of a touch screen.

                                  • libria 115 days ago

                                    Do female->male USB-USB power-only passthrough adapters exist? If I could buy a few from a trusted source like directly from the Apple store, I could use it to firewall my cables (never thought I'd have to do that).

                                    As an added bonus, my iphone wouldn't automatically crank up itunes on my mac every single friggin time I plug it into the dock.

                                    • dredmorbius 115 days ago
                                      • NullPrefix 115 days ago

                                        You're stuck with 5V at half Amp. Fast charging allows up to several Amps, but needs data pins to negotiate.

                                        • banana_giraffe 115 days ago

                                          Higher power versions of this concept exist that do the data negotiation for your device in response to negotiation from your device. "Plugable USB Universal Fast 1A" is one example, though in my experience, really using it is hit or miss.

                                          I've had better luck using a USB battery to "filter" USB connections in random rental cars.

                                          • kalleboo 113 days ago

                                            I have a dollar store "iPad fast charging plug" which is basically a USB condom with a dumb resistor divider to tell Apple devices that they're safe to pull 2.4A.

                                            • wiseleo 115 days ago

                                              I have a device that mimics data pins while cutting them off internally. My phone charges quickly, but data lines are not connected. It's a Triplett Usb Bug, a mainstream brand product.

                                            • jeremyboom8 115 days ago

                                              Amazing!

                                            • wrboyce 115 days ago

                                              Yes, they simply(?) block the data pins and often go by the name "USB Condom".

                                            • everdrive 115 days ago

                                              If you have an old-fashioned USB 2.1 plug, you can actually remove / cover the data pins, leaving only the power pins exposed!

                                              • neuralRiot 115 days ago

                                                You need to add some resistors to the data pins to be recognized as a charger.

                                                • NullPrefix 115 days ago

                                                  Depends on the phone. Some need resistors, for some it's enough to just short both data pins, some do protocol level talking over data pins. There are several standards for that with legacy usb.

                                              • JadeNB 115 days ago

                                                > Personal opinion: Charging only is what a cigarette adapter is for.

                                                But hardly any new cars have that ….

                                                > Allowing me to use the car's interface to control my phone is a nice tool. It probably adds to the safety of my driving, since I can skip audio tracks using physical controls on my steering wheel instead of a touch screen.

                                                It seemed that paulsutter (https://news.ycombinator.com/item?id=20686844) was suggesting a setting that prevents this automatically for people who never want it, not removing the capability for people like you who do want it.

                                                • falcolas 115 days ago

                                                  > But hardly any new cars have that ….

                                                  I'm in a 2019 Subaru Outback, and I have two. One for the front seat, one for the back.

                                                  WRT a setting - CarPlay must be explicitly enabled, and has a per-vehicle pairing. I imagine Android has a similar requirement.

                                                  • moftz 115 days ago

                                                    Android Auto bugs you every time you plug the phone into the car. I had a rental that had it and I was curious to try it since it seemed like something I may want in my next car. It was slow as fuck over bluetooth (a little faster over USB) and offered pretty much nothing more than what a magnetic mount and a bluetooth audio/phone connection would offer. It was 1000x quicker to just bring Waze up on my phone as I'm walking to the car, slap it on the magnet (up high on the dash, adjacent to the screen), and let the bluetooth connect automatically. I deleted the android auto profile and just stuck with regular bluetooth audio/phone.

                                                  • pmorici 115 days ago

                                                    "But hardly any new cars have that"

                                                    Even a Tesla Model 3 still has a 12 Volt cigarette adapter port. New cars still include them because of all the accessories out there like inverters and tire inflaters people want to use.

                                                  • vel0city 115 days ago

                                                    It seems extremely rare for me to find any car in the US market that does not have at least 1 12V outlet. On a very recent model car I own it has 4 plus a 110V outlet!

                                                    • seandougall 115 days ago

                                                      Yeah, they don't seem to include the cigarette lighters themselves anymore (the plug with the nichrome coil or whatever it is that heats up when pushed in), but the outlets are still there on my most recent car, and every rental car I've driven recently.

                                                      • JadeNB 114 days ago

                                                        I think I meant to say what you said—that there's no actual cigarette lighter any more—and just confused that with the adapter outlet itself being gone. Thank you for clarifying!

                                                • gambiting 115 days ago

                                                  This device shows up as a keyboard - should keyboards never be trusted ever? How would that work?

                                                  • throwaway5d097 115 days ago

                                                    First thought was whitelisting USB vendor and device IDs, but I guess those could be spoofed. A button above every USB port?

                                                    Going back to PS/2 could be an option? Guess that wouldn't be too different from allowing all devices only on a single USB port.

                                                  • Tharkun 115 days ago

                                                    It would be nice of my OS had an option to disallow any and all USB devices. Plug something in? Ask whether I want to allow it. I guess this would get annoying after a bit. But still, I only use a couple of USB devices on a daily basis, but I click on boatloads of cookie warnings every day.

                                                    • kalleboo 115 days ago

                                                      > It would be nice of my OS had an option to disallow any and all USB devices

                                                      Any desktop computer would have to be redesigned to add a "allow new device" button since they have no other input.

                                                      Even on many laptops, the internal keyboard and mouse are USB devices, when you install a new OS, do you have to accept trust to those as well? Or how will you stop an external device from spoofing them with the same vendor/device ID?

                                                      • derefr 115 days ago

                                                        How about, trusted peripherals should speak DTLS over their USB/Thunderbolt PHY, and the OS should keep a certificate store for recognizing them?

                                                        This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices... but how about if vendors just create a little USB dongle that wraps whatever's plugged into it in "authentication" using DTLS? Ship the dongle with the laptop; tell people that if they want to install a new OS, they have to plug a USB keyboard in through the dongle.

                                                        • bsder 115 days ago

                                                          > This sounds like something that creates a chicken-and-egg problem of there not already being any such DTLS-speaking USB devices...

                                                          Or only allow completely unauthenticated devices as a fallback when there is no other available authenticated device.

                                                          A computer not having any keyboard is a rare case. Most of the time you have what is built-in (and should be authenticated) or what came with the computer (and should be authenticated).

                                                          Allowing unauthenticated keyboards only on detection of no authenticated ones probably covers 99.9% of all use cases and increases security dramatically.

                                                          • modsiw 115 days ago

                                                            Aren’t we trying to prevent an attacker with physical access? They could simply unplug everything first.

                                                          • yusyusyus 115 days ago

                                                            maybe not the exact correct solution (some of those MCUs are wayyyyy too tiny, slow, and stupid for something as complicated as DTLS), but this is not a horrid thought. The bootstrapping problem can be resolved via Microsoft's secureboot certificate and letting the firmware sort out the initial "trusted boot USB sticks" or however.

                                                            hell, simply through acquisition and acquiescence, the market already accepted locked-down platforms. at this point, we ought to have more benefits from this instead of just making these platforms hard to install Linux on.

                                                        • jdfellow 115 days ago

                                                          I use USBGuard on Linux to this effect.

                                                          • iforgotpassword 115 days ago

                                                            It looked quite promising when I took a look two years ago. There was no support for properly filtering devices that contain multiple endpoints though, like a mouse with mass storage. You could either allow both our none. It was on their roadmap but kept getting postponed iirc. Should take a look again I guess. :-)

                                                        • Faark 115 days ago

                                                          At least the user should be informed, meaning it should show the bare minimum to allow us to act upon. Something like "USB keyboard connected: [Device specified name]" for common device types. More complicated/dangerous stuff should only run after user acknowledgement. This way there is at least a significant risk to get caught / chance for the user to catch it.

                                                          Not sure if I just mis-configured my windows, but it is certainly lacking on that front. The Settings -> Devices -> USB having just a single checkbox for error popups is probably not a good sign.

                                                          • 3JPLW 115 days ago

                                                            On a Mac, wouldn't this cause a "please identify this keyboard by pressing the key next to the shift key" prompt?

                                                          • abugheratwork 115 days ago

                                                            Regarding keyboards, maybe at least don't automatically trust a SECOND keyboard? Even when user interaction isn't possible until the device is active, as someone else pointed out, you can at least send a warning to the user's display.

                                                            • optimiz3 115 days ago

                                                              My quick thought was to have the OS display a random char sequence, which must be typed on the keyboard before input is accepted.

                                                              Usability could be optimized depending on how uniquely identifiable keyboards are (to reduce when trust prompts are shown).

                                                              • paulsutter 115 days ago

                                                                I have never once wanted to attach a keyboard to my phone

                                                                • tenantless 115 days ago

                                                                  This cable targets the host computer it's plugged in to, not the phone.

                                                                  • tsukurimashou 115 days ago

                                                                    The device shows up as a keyboard on your computer, not on your iphone

                                                                • CamperBob2 115 days ago

                                                                  Really hate when I plug in my phone to charge in a car and the car takes over my UI.

                                                                  For every phone owner who thinks this way, there are probably a dozen others who hate it when they plug in their phone and the car doesn't mirror the phone's UI. I'd be in the latter group.

                                                                  • optimiz3 115 days ago

                                                                    Would be nice if they narrowed the attack surface -

                                                                    "A new (unneeded if devices sufficiently uniquely identifiable?) keyboard has been plugged in, please type <random char sequence> to confirm"

                                                                    • bashinator 115 days ago

                                                                      You're on a desktop computer, and you've just spilled water on the keyboard. How do you replace it?

                                                                      • josephg 115 days ago

                                                                        You plug in a USB keyboard. On the display it says "New USB keyboard detected! Type XYSJRF on the new keyboard to enable it". You type XYSJRF on the external keyboard and then use it like normal.

                                                                    • excalibur 115 days ago

                                                                      Moving large amounts of data over the network can be cumbersome. MicroSD cards can come in pretty handy.

                                                                      • judge2020 115 days ago

                                                                        Car takes over the phone's UI? Is that an Android thing? I've only ever heard of carplay/android auto taking over the Car's UI (and replacing it with a much better UI).

                                                                        • kemayo 115 days ago

                                                                          If we're speaking of an iPhone, if you plug one into a CarPlay receiver then it lightly interrupts the phone use. The iPhone gets a big CarPlay splash screen (which you can dismiss), and switching apps on the car display will also switch them on the phone.

                                                                          This is changing in the upcoming iOS 13, so the car display and the phone will be much more independent[1]. As someone who's often a passenger with their phone plugged in, I'm happy for this.

                                                                          [1]: https://www.macstories.net/stories/carplay-in-ios-13-a-big-l...

                                                                        • NoodleIncident 115 days ago

                                                                          It sounds like you need a "USB Condom"; It's essentially a minimum-length extension cable, with only the power lines enabled, not any of the data.

                                                                          • JustSomeNobody 115 days ago

                                                                            I use a data blocker on anything I think might be suspect.

                                                                            But, then, I am shifting trust to my data blocker...

                                                                          • 3JPLW 115 days ago

                                                                            I've not found many details about how this is actually working — there's some info on his D̴̹̭͂ë̷̗́̃̿̓̾͜ṃ̸͔͚̗̙̪̎̄̋ȏ̸̝̤̱͜n̶͇͇͙̻̩͑͑S̴̳̩̮̥͚̥̚ė̸̟̃͋͂͝e̷̪̲̪̰̣̿̀͠d̵̡̂͗ cable here [1], but apparently the O.MG cable is "a very different piece of hardware that does a whole lot more."

                                                                            Does anyone have any insight into how this attack works? My guess is that it acts like a hub that exposes both the iPhone lightning connector and a keyboard/mouse. And then the keyboard/mouse is controllable via some near-range wireless like WiFi or bluetooth? I suppose it could even scan for open networks and try to join to allow a more remote exploit. Anyone find more information anywhere?

                                                                            1. https://github.com/O-MG/DemonSeed

                                                                            • tda 115 days ago

                                                                              I'm guessing the cable has an esp8266 on board which you can get cheaply and is only a few mm2. It has WiFi and WiFi direct support and is powerful enough to run a webserver. Probably there are plenty chips that do the job, but the esp8266 (and its successor esp32) is very popular for custom hardware due to being cheap and easy to program

                                                                            • Scoundreller 115 days ago

                                                                              It says it has a wifi chip. So the attack is limited by that distance.

                                                                              It probably switches on the Keyboard/Mouse Logic as necessary.

                                                                              But from there you could play an “Open Terminal” and be quite creative. Don’t know if you could send much information back, but I don’t see why it couldn’t have a few gb of flash storage to copy from/to, e.g. occasional screenshots to see what’s there. Or files.

                                                                              • lucianfelix 115 days ago

                                                                                You could easily use the host computer's internet connection to upload data or to execute commands downloaded from a control server.

                                                                                • Scoundreller 115 days ago

                                                                                  If that was your vector, you wouldn’t bother with wifi at all.

                                                                                  I think the real value of this attack is against air-gapped computers... that people charge their wireless devices with? That would be stupid.

                                                                                  • crooked-v 115 days ago

                                                                                    > I think the real value of this attack is against air-gapped computers... that people charge their wireless devices with? That would be stupid.

                                                                                    This is how Stuxnet ruined Iran's nuclear centrifuges.

                                                                                • egdod 115 days ago

                                                                                  Maybe not distance-limited.

                                                                                  > "But the cable can be configured to act as a client to a nearby wireless network. And if that wireless network has an internet connection, the distance basically becomes unlimited." he added.

                                                                              • ege_erdogan 115 days ago

                                                                                I have this USB-C looking like this[0] (not the same one though). The thing is whenever it is plugged into my MacBook Pro, the hub starts to overheat, even when there is nothing connected to it. I once tried plugging it into the MBP adapter and charging my phone through the USB port on it, and it did not heat at all.

                                                                                I am suspecting it is running some program in the background (a miner maybe). Is there a way I can check if such a program is running?

                                                                                [0] https://www.amazon.com/Purgo-Adapter-2018-2016-Delivery-Thun...

                                                                                • Eric_WVGG 115 days ago

                                                                                  You could install Little Snitch on your Mac to see if it phones home.

                                                                                  IMO more likely that it's shoddy hardware; either way it's munching your battery, so I'd send it to the recyclers and find something more reputable.

                                                                                • jcheng 115 days ago

                                                                                  > Now MG wants to get the cables produced as a legitimate security tool

                                                                                  Can someone explain how these could be considered a "legitimate" security tool? What legitimate use would require the cable to look like a genuine Apple cable? (I'm honestly asking.)

                                                                                  • par 115 days ago

                                                                                    onsite pentesting for example. You want to train your employees to be aware of random cables and usb drives laying around, this is a good test to ensure your training worked.

                                                                                    • kccqzy 115 days ago

                                                                                      The vendor is Hak5. Among the products they currently sell is a USB drive lookalike that's actually a keyboard that can send preprogrammed keystrokes.

                                                                                    • qrbLPHiKpiux 115 days ago

                                                                                      Ask your dentist to take an x-ray of the cable you may be concerned about. We're all digital and it only takes a second. If your guy is cool, he'll do it.

                                                                                      • lorenzhs 115 days ago

                                                                                        Used dental X-Ray equipment can be surprisingly cheap (obligatory "don't try this at home if you don't know what you're doing" warning applies). I know some guys who are mad enough to buy and operate it: https://twitter.com/FauthNiklas/status/1123745053032292357 and https://twitter.com/FauthNiklas/status/1113902554931449858

                                                                                        You can find a few examples of x-ray images they took on their twitter feeds as well: https://twitter.com/FauthNiklas/status/1125606579540246528 and https://twitter.com/JanHenrikH/status/1127033349246279680 and https://twitter.com/FauthNiklas/status/1149386796352069633

                                                                                        • ceejayoz 115 days ago

                                                                                          That won't be much good against random third-party cables from Amazon, where you don't have a "it should look like this" scan to compare against.

                                                                                        • HyperTalk2 115 days ago

                                                                                          Where do you find these "cool doctors"? I once tried to bribe six different doctors in my area with $3000 in exchange for agreeing to allow me to get an exploratory MRI and they all said no.

                                                                                          • ska 115 days ago

                                                                                            I suspect many would be far more open to clearly non medical usage of machines they actually own or lease. What you were asking for isn’t any, and had perceived risk for them.

                                                                                            If I was a random clinician there is no way I would have helped you either.

                                                                                            If you do want a MRI done out of curiosity your best bet is to go through biomedical imaging research group who needs subjects, I would guess. Unless you happen to live near a manufacturer.

                                                                                            • falcolas 115 days ago

                                                                                              An exploratory MRI has inherit risk (even if minuscule) to your life, and thus their livelyhood. A very big difference from asking for an x-ray of a cable.

                                                                                              • ebg13 115 days ago

                                                                                                > An exploratory MRI has inherit risk (even if minuscule) to your life

                                                                                                As far as I've ever heard, an MRI without contrast has no risk itself, and any risk comes from acting on the data.

                                                                                                • ska 115 days ago

                                                                                                  That is not true. It doesn’t involve ionizing radiation, so not a dose risk like CT. But look up PNS and SAR (peripheral nerve stimulation and specific absorption rate), for example. This is mostly handled well for standard pulse sequences of course, but not “zero risk”.

                                                                                                  Beyond that, there is a reliance that you do not have any implants etc., even some tattoos. And you tell the truth about it. From the clinics point of view too risky.

                                                                                                  • mattkrause 115 days ago

                                                                                                    I don't think that's what they're especially worried about; those are fairly minor.

                                                                                                    Instead, think about interacting with someone who a) is so convinced that they need an exploratory MRI but b) can't convince a doctor of that need. I'd be afraid that either I'll be stuck dealing with someone perseverating over a totally normal anatomical variation (and everyone has a few). If they get sick later, I might also get dragged into a debate over whether I should have noticed something on that scan, done a different scan, or whatever, possibly with big legal implications.

                                                                                                    This is why our techs will happily scan a fruit or something, but don't run an ad-hoc clinic.

                                                                                                    • ska 115 days ago

                                                                                                      I agree that in the parent comment case, there is no reason to risk a review or lawsuit which is probably mainly why a clinician wouldn't do it; I alluded that that in another comment.

                                                                                                      This one was specifically a comment about "zero risk" on MRI, it's not true. Low risk, sure. But people have been hurt.

                                                                                                      I also suspect any clinician is going to look askance at a low risk action that isn't necessary, but the potential liability is the kicker here.

                                                                                                      • mattkrause 115 days ago

                                                                                                        It's pretty close.

                                                                                                        Nothing is totally risk free, but compared to most medical procedures--and most activities of daily living--MRIs are a walk in the park. For a subject with no implanted devices, I would bet the drive to the scan center is much more dangerous. I just flipped through MAUDE (https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfMAUDE/d...) and I couldn't find any adverse events that were more severe than a small burn or blister.

                                                                                                        • ska 115 days ago

                                                                                                          Agree it's low risk, I was being pedantic.

                                                                                                          There have been deaths of course, also, but not due to normal operation.

                                                                                                  • falcolas 115 days ago

                                                                                                    From the FDA:

                                                                                                    > The magnetic fields that change with time create loud knocking noises which may harm hearing if adequate ear protection is not used. They may also cause peripheral muscle or nerve stimulation that may feel like a twitching sensation.

                                                                                                    > The radiofrequency energy used during the MRI scan could lead to heating of the body. The potential for heating is greater during long MRI examinations.

                                                                                                    Minimal, perhaps negligible? Absolutely. Worth risking a license for a mere $3k? Probably not.

                                                                                                  • ben_w 115 days ago

                                                                                                    I get that a CAT scan would have an inherent risk, but why would an MRI?

                                                                                                  • HyperTalk2 115 days ago

                                                                                                    CT scans are far more dangerous than MRIs, and yet doctors recklessly schedule CT scans for everything, to the point where they treat you like you're crazy if you try to avoid CT scans. One could argue that every single thing a doctor does has inherent risk to the patient's life, so by your logic, doctors should simply not do anything, ever.

                                                                                                  • xnyan 115 days ago

                                                                                                    I don’t know anything, but I would not be shocked to learn that malpractice insurance does not cover "exploratory" practices paid in cash under the table.

                                                                                                    • arkades 115 days ago

                                                                                                      Because that opens them to a giant slew of malpractice claims. Your 3000$ doesn’t come close to covering the risk.

                                                                                                      • HyperTalk2 115 days ago

                                                                                                        Every single thing they do opens them to a giant slew of malpractice claims. By your logic, doctors should simply not do anything, ever.

                                                                                                        I also lied for the sake of brevity. In reality I wanted an MRI in order to look for evidence of diverticulitis. They all said I needed to either get a CT scan or get lost. CT scans are more dangerous than MRIs. Doctors can't possibly be exposed to more malpractice risk from a harmless MRI than from a dangerous CT scan.

                                                                                                      • qrbLPHiKpiux 115 days ago

                                                                                                        You gotta be one!

                                                                                                    • hansdieter1337 115 days ago
                                                                                                      • ihuman 115 days ago

                                                                                                        How do you know you can trust that? Couldn't it be doing the same thing as the fake lightning cable?

                                                                                                        • digsy 115 days ago

                                                                                                          They block (or just dont have) the USB data pins - so all it can do is draw power.

                                                                                                      • tunesmith 115 days ago

                                                                                                        Is there a piece of cheap validation hardware where you can plug in both ends of your cable and a little display will tell you what kind of cable it is and if it is legitimate?

                                                                                                        • avian 115 days ago

                                                                                                          Maybe just have something like the USB killer [1] to "sterilize" cables. Zap the cable with a high voltage/high energy pulse, beyond what normal on-die ESD protection could handle. A bunch of copper and plastic won't get damaged (unless you really get crazy and it arcs over and carbonizes or something), but it will probably burn out any covert semiconductors in the cable. It's hard to absorb high energy pulses in small packages.

                                                                                                          [1] https://usbkill.com/

                                                                                                          • chendragon 115 days ago

                                                                                                            Type-C cables have an E-Marker IC inside them by design, so this would probably render the cable non-functional or worse-functional unfortunately.

                                                                                                            • eridius 115 days ago

                                                                                                              Lightning cables have a computer inside them, that would destroy the cable.

                                                                                                            • dredmorbius 115 days ago

                                                                                                              Proving a negative is hard.

                                                                                                              Though checking to see what USB / PCI devices are advertised could be useful.

                                                                                                              Device / USB whitelisting looks like it will need to be a default thing Real Soon Now.

                                                                                                              • caf 115 days ago

                                                                                                                Even just a device with a USB port that reports No Device / Hub / Keyboard / Storage / Other through a set of LEDs would be reasonably useful.

                                                                                                                • dredmorbius 114 days ago

                                                                                                                  That's an interesting idea. Multiple LEDs, colour-coded, or ...?

                                                                                                                  • caf 113 days ago

                                                                                                                    I was thinking multiple indicator LEDs, so for example the lightning cable in the original article would light up the 'Hub' and 'Keyboard' lights.

                                                                                                            • jiveturkey 115 days ago

                                                                                                              > up to 300 feet

                                                                                                              which means 50 feet, which is still impressive in that it's a useful distance. I remember the earlier version being more like 5 feet, which sounds pitiful but is still enough. In fact no wifi at all (0 ft) is enough to plant software (CMD-space Terminal RET curl | bash && exit) if you take your chances that the target is inattentive.

                                                                                                              I learned of the earlier version here on HN but I can't find the link now. It was maybe 4 months ago?

                                                                                                              Given that the attack is that it's a USB keyboard, nothing to do with the lightning aspect, except that the victim is likely to need a lightning cable at some point, any USB dongle will do.

                                                                                                              Given the attack methodology for this specific device, of being in visual distance of the victim, just use an unpaired apple keyboard. Macs will automatically pair to them, so you just need to turn it on when the victim looks away (a brief 2-second overlay appears on the screen upon connecting). You could force this by creating a distraction: drop a glass. No dependence then on the victim using the cable.

                                                                                                              • perfectphase 115 days ago

                                                                                                                There's an interview with MG talking about these cables on the Amp Hour podcast this week https://theamphour.com/the-amp-hour-454-mike-grover/

                                                                                                                • digsy 115 days ago

                                                                                                                  I saw Kevin Mitnik (FBIs most wanted hacker in the 1990s) at a conference plug one of these into laptop with a fully patched version of Windows 10 and one of the very common security suite of apps.

                                                                                                                  The laptop was completely compromised in seconds.

                                                                                                                  From a remote laptop, he had complete access to the target machines full filesystem, started the webcam and turned on the microphone without any notifications to the target user and connected a bluetooth hard drive remotely.

                                                                                                                  And this was using a rogue cable that he just bought off ebay.

                                                                                                                  I was honestly shocked at how easy it would be to compromise someones machine. I'll never look at a USB cable the same way.

                                                                                                                  • lostgame 115 days ago

                                                                                                                    I still don't get why iPhones don't use USB-C. OOTB, there's issues between a brand new iPhone and a brand new MacBook Pro.

                                                                                                                    • jmull 115 days ago

                                                                                                                      I think it's just an accident of timing and history.

                                                                                                                      The old 30-pin connector (inherited from the iPod) had various issues so I think Apple was eager to replace it. The lightning connector was their solution. It predates USB-C by a few years, so that wasn't an option at the time (I guess it might have been on Apple's radar by the time the lightning cable was introduced, but if so, they must have made the call not to wait.)

                                                                                                                      Since USB-C has made its way to some iPads, my guess is Apple is in the process of phasing out lightning connectors entirely.

                                                                                                                      • ReverseCold 115 days ago

                                                                                                                        > Since USB-C has made its way to some iPads, my guess is Apple is in the process of phasing out lightning connectors entirely.

                                                                                                                        It could also be more that Apple is trying to position the iPad Pro as a "laptop replacement" - and their laptop has type-C ports - so having the same port makes it feel and work more like a laptop.

                                                                                                                        • eridius 115 days ago

                                                                                                                          If Apple were going to ditch the lightning connector on the iPhone I would have expected them to do it last year.

                                                                                                                          More generally, the lightning port is actually slightly slimmer than a USB-C port, which is important. While the iPad isn't any thicker than an iPhone, it has squared-off edges, versus the iPhone's rounded edges, so switching the iPhone to USB-C would likely require either making it thicker or making the area around the charge port flat.

                                                                                                                          • kccqzy 115 days ago

                                                                                                                            Instead I've heard that Apple essentially designed the USB-C standard after the successful design of Lightning, and gave the standard to USB-IF. (Apple is a member of the USB-IF.)

                                                                                                                            • macintux 115 days ago

                                                                                                                              I’ve heard here from someone who claimed to have been involved that Apple’s contributions were relatively late and minor, but I don’t have any idea how to judge the accuracy of either assertion.

                                                                                                                              And it’s possible both viewpoints have merit depending on what aspects of the standard are considered significant.

                                                                                                                        • BluSyn 115 days ago

                                                                                                                          Any thoughts on how someone could validate a set of cables to ensure no trojans exist?

                                                                                                                          • scohesc 115 days ago

                                                                                                                            I don't see how Hak5 can create exact replicas of Apple Lightning cables with hacking tools embedded in them and NOT have Apples dream litigation team blasting down their doors

                                                                                                                            It's pretty amazing how technology has gotten so small we can hide a wifi chip and keyboard emulator into the end of a USB port plug.

                                                                                                                            • jagger27 115 days ago

                                                                                                                              No, they are modified genuine cables.

                                                                                                                              • orpheline 115 days ago

                                                                                                                                The demo was a modified cable, but the article said Hak5 was interested in manufacturing them.