Slashdot Mirror


Researchers Infect iOS Devices With Malware Via Malicious Charger

Sparrowvsrevolution writes "At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple's iOS. A description of their talk posted to the conference website describes how they were able to install whatever malware they wished on an Apple device within a minute of the user plugging it into their malicious charger, which they're calling 'Mactans' after the scientific name of a Black Widow spider. The malware-loaded USB plug is built around an open-source single-board computer known as a BeagleBoard, sold by Texas Instruments for a retail price of around $45. The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do."

14 of 201 comments

  1. Physical Access by Anonymous Coward · · Score: 2, Insightful

    Physical access to a device allows for far too many attack vectors to protect against. News at 11.

    1. Re:Physical Access by Anonymous Coward · · Score: 1, Insightful

      This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior.

      It's based on a BeagleBoard, which is larger than a business card. It's going to be tough to fool people into using a charger that looks like it swallowed half your iPhone.

    2. Re:Physical Access by slim · · Score: 5, Insightful

      GP has already provided you with a potential scenario - presumably the chargers Vodafone fitted in London taxis were a USB socket and/or an iPod dock mounted in the passenger section of the taxi. The BeagleBoard could be anywhere in the taxi.

      Plus, it's a proof of concept. It could certainly be miniaturised.

      I doubt that any other smartphone OS is immune to this kind of attack, however.

    3. Re:Physical Access by fredprado · · Score: 4, Insightful

      The prototype being based on a big developer board means nothing. The exploit could be easily replicated in smaller boards that would fit just fine in regular chargers.

    4. Re:Physical Access by Anonymous Coward · · Score: 2, Insightful

      The BeagleBoard is just one of many development boards around ARM chips which are typically smaller than a fingernail, because they're the main components in mobile phones. There are much smaller alternatives than the BeagleBoard, even without making a custom board. For example, the Gumstix Overo single board computer is based on the same chip as the BeagleBoard and is about the size of a stick of chewing gum. The attack could be built into anything from docking stations to the smallest chargers.

    5. Re:Physical Access by gmack · · Score: 4, Insightful

      This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior.

      It's based on a BeagleBoard, which is larger than a business card. It's going to be tough to fool people into using a charger that looks like it swallowed half your iPhone.

      Sure they will. In Spain there are charging kiosks with coin slots and cables going somewhere you can't see them and people use those all of the time. You forget that in most public charging situations you don't want just anyone to be able to unplug the thing and walk away with it.

    6. Re:Physical Access by slim · · Score: 3, Insightful

      Well, there's a continuum.

      Sneaking into someone's office and putting a keylogger inline with their keyboard cable is an example of physical access making black-hat hacking easy.

      Sneaking into the same office and plugging a PwnPlug or similar into the physical network is another example.

      Those two are increasingly far from actually directly looking at filesystem blocks, but put you at an advantage compared to someone trying to get to a system from the other side of a firewall.

    7. Re:Physical Access by Anonymous Coward · · Score: 3, Insightful

      Why would you think that? Have you never attached a smartphone to a USB host? Of course the USB data lines are connected, and of course any smartphone will respond to communication attempts from a USB host, so there is absolutely no reason why other phones should not be vulnerable to some form of attack via USB.

    8. Re:Physical Access by Bacon+Bits · · Score: 3, Insightful

      I don't know about you, but I can only use the USB port to charge my Android phone. Also, when I connect my Android phone to my computer I generally get access to the data contents of the phone (documents, music, pictures, etc.). It seems pretty trivial to devise a "charger" that steals or destroys data on any phone that connects to it.

      Data is the real treasure and thus is also the real threat of damage, but AFAIK you can also use the Android Debug Bridge to install programs to connected phones.

      --
      The road to tyranny has always been paved with claims of necessity.

    9. Re:Physical Access by BasilBrush · · Score: 1, Insightful

      How the hell did that get modded insightful? Android of course does data via the USB. It mounts as a drive on a PC. And you can reflash the ROM via USB, just as you can on an iPhone.

    10. Re:Physical Access by amicusNYCL · · Score: 3, Insightful

      Mine's from a $5 (shipped) job from Hong Kong, charges quite fast. I assure you it's not licensed, knock-off Lightning cable and all.

      I'm not sure what point you're trying to argue, but it sounds like you're a perfect candidate for a charger that distributes malware. How would you know if your current charger is not sending your data back to China?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black

    11. Re:Physical Access by AmiMoJo · · Score: 3, Insightful

      Yes, but not for charging. If you are paranoid you can buy or make a USB cable that is only for charging (data lines disconnected) and your charger will still operate normally and at full speed. If you make such a cable for your iOS device it will only charge at low speed.

      This is also notable as an example of DRM gone bad and leading to a severe security problem.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    12. Re:Physical Access by scot4875 · · Score: 3, Insightful

      And in what way was it not obvious for the entire history of the iPhone that it could be reflashed through the USB?

      There's a huge difference between reflashing something and gaining root to infect an existing install.

      One is very obvious to the user because their phone is suddenly reflashed to some configuration that isn't the user's any more. The other could be incredibly subtle because there's no visible change to the user.

      It's entirely possible that a similar attack could happen to Android devices as well (for example, run an ADB instance and have it auto-install and execute something whenever it detects a device with debugging enabled. My phone would be vulnerable to this kind of attack, because for convenience, I've got it set up to auto-enter debugging mode whenever it plugs into a device. I'm willing to accept that risk, but I'm not an idiot that insists that the risk isn't there.)

      Thing is, it's just another example of how that device that you insist is so damn impregnable because it's from mother Apple can, in fact, be easily exploited. All it takes is for someone to do it. Just because it hasn't happened in the wild *yet* (that you know of) doesn't make you any safer than anyone else.

      --Jeremy

      --
      Jesus was a liberal

  2. Re:Inductive charging by DNS-and-BIND · · Score: 1, Insightful

    Inductive charging is highly wasteful. Imagine if millions of people switched. Good thing we're not all as selfish as you.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!