Researchers Infect iOS Devices With Malware Via Malicious Charger

Sparrowvsrevolution writes "At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple's iOS. A description of their talk posted to the conference website describes how they were able to install whatever malware they wished on an Apple device within a minute of the user plugging it into their malicious charger, which they're calling 'Mactans' after the scientific name of a Black Widow spider. The malware-loaded USB plug is built around an open-source single-board computer known as a BeagleBoard, sold by Texas Instruments for a retail price of around $45. The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do."

49 of 201 comments

  1. Possible Solution by muphin · · Score: 2

    would PairLock be a possible solution, would that work?

    --
    It's not a typo if you understood the meaning!
    1. Re:Possible Solution by Joce640k · · Score: 2

      I dunno...but how is this new exploit "news" if there are utilities like PairLock to prevent it?

      --
      No sig today...
    2. Re:Possible Solution by jeffmeden · · Score: 5, Informative

      I dunno...but how is this new exploit "news" if there are utilities like PairLock to prevent it?

      Because you have to jailbreak in order to use PairLock? And um, jailbreaking is bad, mmkay?

  2. Physical Access by Anonymous Coward · · Score: 2, Insightful

    Physical access to a device allows for far too many attack vectors to protect against. News at 11

    1. Re:Physical Access by Anonymous Coward · · Score: 5, Informative

      This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior. For the Olympic Games in London, Vodafone fitted 1000 taxis with mobile phone chargers.

    2. Re:Physical Access by fuzzyfuzzyfungus · · Score: 3, Interesting

      Physical access to a device allows for far too many attack vectors to protect against. News at 11

      I think the issue here is that 'plausible, easy-to-engineer, physical access allows a demonstrated attack against a device'.

      Also, at an architectural level, having an idevice plugged in is much closer to having a network connection to a computer than it is to having 'physical access'. It's a bit weirder than a pure USB network adapter; but it's essentially a chat, over TCP, with a remote computer, not total control over a USB MSC device or something of that flavor.

    3. Re:Physical Access by lseltzer · · Score: 2

      Not that I'm all that worried about this attack, but the confirmation dialog would have to present some identifying information about the device, so the approval could probably be social-engineered.

    4. Re:Physical Access by AmiMoJo · · Score: 2, Informative

      And remember, all this is to support Apple's DRM that blocks 3rd party chargers (or at least prevents them using the fast charge rate).

      Providing phone chargers is a common courtesy in some countries, e.g. Japan. Most hotels and bars will have a load of chargers behind the front desk to lend out, for example.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:Physical Access by slim · · Score: 5, Insightful

      GP has already provided you with a potential scenario - presumably the chargers Vodafone fitted in London taxis were a USB socket and/or an iPod dock mounted in the passenger section of the taxi. The BeagleBoard could be anywhere in the taxi.

      Plus, it's a proof of concept. It could certainly be miniaturised.

      I doubt that any other smartphone OS is immune to this kind of attack, however.

    6. Re:Physical Access by fredprado · · Score: 4, Insightful

      The prototype being based in a big developer board means nothing. The exploit could be easily replicated in smaller boards that would fit just fine in regular chargers.

    7. Re:Physical Access by Anonymous Coward · · Score: 2, Insightful

      The Beagleboard is just one of many development boards around ARM chips which are typically smaller than a fingernail, because they're the main components in mobile phones. There are much smaller alternatives than the Beagleboard, even without making a custom board. For example, the Gumstix Overo single board computer is based on the same chip as the Beagleboard and is about the size of a stick of chewing gum. The attack could be built into anything from docking stations to the smallest chargers.

    8. Re:Physical Access by gmack · · Score: 4, Insightful

      This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior.

      It's based on a BeagleBoard, which is larger than a business card. It's going to be tough to fool people into using a charger that looks like it swallowed half your iPhone.

      Sure they will. In Spain there are charging kiosks with coin slots and cables going somewhere you can't see them and people use those all of the time. You forget that in most public charging situations you don't want just anyone to be able to unplug the thing and walk away with it.

    9. Re:Physical Access by slim · · Score: 3, Insightful

      Well, there's a continuum.

      Sneaking into someone's office and putting a keylogger inline with their keyboard cable is an example of physical access making black-hat hacking easy.

      Sneaking into the same office and plugging a PwnPlug or similar into the physical network is another example.

      Those two are increasingly far from actually directly looking at filesystem blocks, but put you at an advantage compared to someone trying to get to a system from the other side of a firewall.

    10. Re:Physical Access by AmiMoJo · · Score: 2

      Unfortunately the exploit would have already executed and started running arbitrary code by the time the ID information had been downloaded. That's how it works, it's an overflow in the ID data that the iOS device reads.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    11. Re:Physical Access by Thomasje · · Score: 2

      And remember, all this is to support Apple's DRM that blocks 3rd party chargers (or at least prevents them using the fast charge rate).

      Huh? I use a third-party car charger, and it fast-charges my iPhone just fine.

    12. Re:Physical Access by jo_ham · · Score: 2

      What are you on about?

      I fast charge my iPhone with a third party charger all the time. I'd post a video of me doing it, but you'd probably dismiss it as some sort of propaganda and clearly falsified somehow.

      You might want to check on reality before you start whoring for karma with outright lies on slashdot.

      Also, not that you've been at all accurate in your post, but even if this were the case, there's a difference between a proprietary charging protocol/data exchange (the iOS device attempts to negotiate a link to iTunes when it is plugged in, and falls back to charge only mode if it senses a charger) and DRM.

      I've never had a problem with any of the third party chargers I have used, but you're at +5 informative, so I guess I'm mistaken.

    13. Re:Physical Access by Anonymous Coward · · Score: 3, Insightful

      Why would you think that? Have you never attached a smartphone to a USB host? Of course the USB data lines are connected, and of course any smartphone will respond to communication attempts from a USB host, so there is absolutely no reason why other phones should not be vulnerable to some form of attack via USB.

    14. Re:Physical Access by Bacon+Bits · · Score: 3, Insightful

      I don't know about you, but I can only use the USB port to charge my Android phone. Also, when I connect my Android phone to my computer I generally get access to the data contents of the phone (documents, music, pictures, etc.). It seems pretty trivial to devise a "charger" that steals or destroys data on any phone that connects to it.

      Data is the real treasure and thus is also the real threat of damage, but AFAIK you can also use the Android Debug Bridge to install programs to connected phones.

      --
      The road to tyranny has always been paved with claims of necessity.
    15. Re:Physical Access by kasperd · · Score: 2

      can you please convince iPhone users to not plug their phone into my laptop to charge it without asking first.

      Install this exploit on your laptop, and the problem will be solved. As soon as they connect the cable, it is no longer their iPhone.

      --
      Do you care about the security of your wireless mouse?
    16. Re:Physical Access by 0x000000 · · Score: 5, Informative

      This is so completely wrong that I don't even know where to begin.

      1. Apple hasn't put DRM in their chargers
      2. Apple devices look for a certain voltage on the D+/D- traces to know whether they can charge at 100 mA, 500 mA, or more, specifically the iPad can draw more power
      3. Apple devices are also USB devices, when they connect to a USB host (such as the BeagleBone) they communicate using standard USB, that is the only ID string that gets sent back, along with a request for at least 500 mA of power to be provided by the host.
      4. This doesn't actually use any specific vulnerability, rather it uses the fact that when you connect an iOS device you can, using a provisioning profile, side-load apps onto the phone. This is generally done during development or for example in corporate settings. These same provisioning profiles can be used to disable certain features, or set up email accounts, wifi passwords, and all that fun stuff, you know, to provision a device in a corporate scenario.

      It's a shame that your comment got voted up as informative when it contains so much misinformation.

      --
      cat /dev/null > .signature
    17. Re:Physical Access by BasilBrush · · Score: 3, Informative

      This is just nonsense. The USB spec limits the power available for charging. Lots of manufacturers have handshaking going on so that when their products are used with their own chargers, they abandon the spec limits and use their own limits. There's no other way of doing it whilst staying within the USB spec. It's got fuck all to do with DRM and everything to do with making sure the charge rate is safe.

    18. Re:Physical Access by amicusNYCL · · Score: 3, Insightful

      Mine's from a $5 (shipped) job from Hong Kong, charges quite fast. I assure you it's not licensed, knock-off lightning cable and all.

      I'm not sure what point you're trying to argue, but it sounds like you're a perfect candidate for a charger that distributes malware. How would you know if your current charger is not sending your data back to China?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    19. Re:Physical Access by smash · · Score: 2, Interesting

      On the contrary, most other phones simply present as a USB drive and are wide open for the pillaging.

      --
      I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
    20. Re:Physical Access by AmiMoJo · · Score: 3, Insightful

      Yes, but not for charging. If you are paranoid you can buy or make a USB cable that is only for charging (data lines disconnected) and your charger will still operate normally and at full speed. If you make such a cable for your iOS device it will only charge at low speed.

      This is also notable as an example of DRM gone bad and leading to a severe security problem.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re:Physical Access by AmiMoJo · · Score: 2

      1. Apple hasn't put DRM in their chargers
      2. Apple devices look for a certain voltage on the D+/D- traces to know whether they can charge at 100 mA, 500 mA, or more, specifically the iPad can draw more power

      That was the old chargers. I assume you meant 1000mA, not 100. Even then it was DRM because the standard way of doing it (which is part of the USB spec) is to tie D+ and D- together. Apple required specific voltages created by a potential divider.

      4. This doesn't actually use any specific vulnerability, rather it uses the fact that when you connect an iOS device you can, using a provisioning profile, side-load apps onto the phone.

      The fact that you can do that without authentication is a vulnerability. You can install Android apps that way via ADB, but only if the user has enabled USB debugging on their device. Nobody bothers to load apps that way because you can do it either via the phone or remotely via the Play website. Google don't even make an equivalent to iTunes because one isn't needed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    22. Re:Physical Access by AmiMoJo · · Score: 2

      The resistors were the DRM on older chargers. The standard way to signal 1A being available for charging is to tie D+ and D- together. If you check a standard 1A USB charger you will find this is the case. Only Apple products need the resistors.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    23. Re:Physical Access by coinreturn · · Score: 2

      It's a shame that your comment got voted up as informative when it contains so much misinformation.

      It was modded informative because the Apple-Bashing Club likes to celebrate anything that makes Apple or Apple products look bad.

    24. Re:Physical Access by sessamoid · · Score: 2

      Damn, and me with no mod points today.

      --
      "No, no, no. Don't tug on that. You never know what it might be attached to."
    25. Re:Physical Access by scot4875 · · Score: 3, Insightful

      And in what way was it not obvious for the entire history of the iPhone that it could be reflashed through the USB?

      There's a huge difference between reflashing something and gaining root to infect an existing install.

      One is very obvious to the user because their phone is suddenly reflashed to some configuration that isn't the user's any more. The other could be incredibly subtle because there's no visible change to the user.

      It's entirely possible that a similar attack could happen to Android devices as well (for example, run an ADB instance and have it auto-install and execute something whenever it detects a device with debugging enabled. My phone would be vulnerable to this kind of attack, because for convenience, I've got it set up to auto-enter debugging mode whenever it plugs into a device. I'm willing to accept that risk, but I'm not an idiot that insists that the risk isn't there.)

      Thing is, it's just another example of how that device that you insist is so damn impregnable because it's from mother Apple can, in fact, be easily exploited. All it takes is for someone to do it. Just because it hasn't happened in the wild *yet* (that you know of) doesn't make you any safer than anyone else.

      --Jeremy

      --
      Jesus was a liberal
    26. Re:Physical Access by AmiMoJo · · Score: 2

      Here is some detail on what Apple did: http://www.ladyada.net/make/mintyboost/icharge.html

      The standard way of signalling that 1A is available is to tie D+ and D- together. This is part of the USB spec. Apple went their own way so that iDevices would only draw 0.5A from these chargers. Only an Apple charger will deliver 1A to them.

      Later on Apple changed this so that their devices were compatible with 1A chargers, but only because they introduced a 2A charger and new DRM system that requires comms with the chargers.

      Essentially the policy has always been to tolerate generic USB chargers, as mandated by EU law, but not to allow them to charge at maximum speed even if they are capable of delivering 2A. Naturally other manufacturers quickly figure out how to work around the DRM, hence you can buy unlicenced 2A chargers, but every now and then Apple rolls out a new firmware update to break them. It's a bit like the jailbreaking situation - you know your efforts will be defeated so you don't reveal all your tricks at once.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    27. Re:Physical Access by AmiMoJo · · Score: 2

      Try reading the USB Battery Charging Specification. Wikipedia has a summary.

      Basically a normal port can supply 500mA. Dedicated charging ports can supply up to 1.5A through a standard A/B connector or IIRC 2.2A through Micro USB. The standard defines a way to signal that the port is a high current charging port.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    28. Re:Physical Access by chrism238 · · Score: 2

      I'm not sure what point you're trying to argue, but it sounds like you're a perfect candidate for a charger that distributes malware. How would you know if your current charger is not sending your data back to China?

      Mine certainly isn't, as I always wear my tin-foil hat while charging.

    29. Re:Physical Access by picosecond · · Score: 2

      It's entirely possible that a similar attack could happen to Android devices as well (for example, run an ADB instance and have it auto-install and execute something whenever it detects a device with debugging enabled. My phone would be vulnerable to this kind of attack, because for convenience, I've got it set up to auto-enter debugging mode whenever it plugs into a device. I'm willing to accept that risk, but I'm not an idiot that insists that the risk isn't there.)

      That's why ADB is only meant to be enabled when doing development and there are clear warnings when you enable it, telling you that the mode is dangerous. If you leave it enabled when connecting to untrusted devices, then the fault is entirely with you. And most people don't ever use ADB, so this would be irrelevant for them.

    30. Re:Physical Access by BasilBrush · · Score: 2

      Try reading the USB Battery Charging Specification.

      ... of 2007. Apple's more configurable set of charging states dates back to when the iPod could be charged from USB - 2003.

      There was no standard for fast charging when Apple designed it.

  3. Connectors by Nerdfest · · Score: 5, Funny

    I consider any charger with one of those proprietary connectors a 'malicious' charger.

  4. Power-only cable... by fuzzyfuzzyfungus · · Score: 2

    It's a pity that the 'Lightning' connector's dependence on an in-cable processor likely makes it more complex to use the old power-only mod...

    Not all USB devices play nicely (some phones require either a full USB host or some goofy resistor-coding nonsense on the data pins, and some USB hosts don't power USB ports, or only provide 100mA, unless the USB peripheral negotiates appropriately on the data pins); but it is generally possible (sometimes with resistor hackery, and for 'dumb' chargers and USB ports that don't need negotiation for power) to use a USB cable with the data lines cut and just power and ground attached for charging. Certainly the only thing I'd trust when plugging into some arbitrary port...

    1. Re:Power-only cable... by tlhIngan · · Score: 2

      It's a pity that the 'Lightning' connector's dependence on an in-cable processor likely makes it more complex to use the old power-only mod...

      You still can do it - you're working with the regular USB cable (the A plug) side still.

      The coding exists on the other end and does nothing.

      This hack is NOT about a charger. The hack is basically saying someone could hide a regular computer inside a charger. So when you plug into the USB plug, you're actually establishing a sync connection, not just a power connection. (Lightning to USB is actually a very basic connection that many people have reverse engineered).

      Instead of being a dumb charger with a few pins pulled certain ways, you're actually plugging into a PC that says "go ahead, charge at 1A/2A" while doing stuff over USB to the attached device.

      So the real issue is that these guys found a way to inject software onto it - less a charger security hole and more a regular iOS USB security hole.

  5. Public chargers by MavEtJu · · Score: 2

    Mental note: Don't use these public chargers anymore...
    (Google for "iphone charging point airport")

    --
    bash$ :(){ :|:&};:
    1. Re:Public chargers by CyberSlugGump · · Score: 3, Informative

      Or carry a modified cable where the USB power wires are connected but the data wires are not.

      If you don't want to DIY, take a look at this sync cable (iPhone 4S or earlier) which has an extra end for only charging.

    2. Re:Public chargers by AmiMoJo · · Score: 2

      But then your device only charges at 500mA. An iPad is capable of charging at up to 2A, and at only 500mA it won't even be able to maintain the battery level.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
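Added example (not code from the thread, Apple, or any charger vendor): a small Python model of the D+/D- signalling the comments above argue about, with D+ tied to D- for a standard dedicated charging port, fixed divider voltages for the Apple-style scheme, and pull-downs on a real host port, showing why a charge-only cable both caps the draw at 500 mA and rules out a sync session. The detection thresholds and the 2.0 V divider value are assumptions made for the example, not measured values.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed detection thresholds, constructed for this example (not from the thread).
V_PROBE = 0.6      # volts the device drives onto D+ while probing the port
V_DATA_REF = 0.4   # D- at or above this during the probe => D+ and D- are tied
V_FLOOR = 0.2      # a line at or below this is just pulled to ground / open


@dataclass
class Port:
    """What the far end of the cable looks like on the D+/D- pins."""
    name: str
    shorted: bool = False                  # D+ tied to D- (the standard DCP signal)
    dplus_fixed: Optional[float] = None    # divider-set voltage on D+ (Apple-style)
    dminus_fixed: Optional[float] = None   # divider-set voltage on D-
    data_lines: bool = True                # False when the cable has D+/D- cut

    def measure(self, drive_dplus: float) -> Tuple[float, float]:
        """(D+, D-) as read by the device while it drives D+ to drive_dplus."""
        if not self.data_lines:            # open wires: only our own drive is seen
            return drive_dplus, 0.0
        if self.shorted:                   # the probe shows up on both lines
            return drive_dplus, drive_dplus
        if self.dplus_fixed is not None:   # a stiff divider overrides the weak probe
            return self.dplus_fixed, self.dminus_fixed or 0.0
        return drive_dplus, 0.0            # host pull-downs hold D- low


def classify(port: Port) -> Tuple[str, Optional[int]]:
    """Decide the port class and the current (mA) the device may draw.

    Returns ("divider", None) for a resistor-coded charger: how much current it
    signals depends on a vendor table that this example deliberately leaves out.
    """
    idle_dp, idle_dm = port.measure(0.0)
    if idle_dp > V_FLOOR and idle_dm > V_FLOOR:
        return "divider", None
    _, probed_dm = port.measure(V_PROBE)
    if probed_dm >= V_DATA_REF:
        return "dcp", 1500            # dedicated charging port: up to 1.5 A (BC 1.2)
    return "sdp", 500                 # looks like an ordinary host port: 500 mA


def data_session_possible(port: Port) -> bool:
    """Could whatever sits behind the socket open a sync/pairing session?

    Only a port that reads as a plain host port with intact data lines can talk;
    a shorted DCP, a divider-coded charger, or a charge-only cable cannot.
    """
    return port.data_lines and classify(port)[0] == "sdp"


def charge_only(port: Port) -> Port:
    """The same port seen through a cable with the data wires cut."""
    return Port(port.name + " via charge-only cable", shorted=port.shorted,
                dplus_fixed=port.dplus_fixed, dminus_fixed=port.dminus_fixed,
                data_lines=False)


# Constructed ports for the example.
LAPTOP = Port("laptop USB port")
WALL_DCP = Port("generic 1.5 A wall charger", shorted=True)
APPLE_STYLE = Port("resistor-coded charger", dplus_fixed=2.0, dminus_fixed=2.0)
HIDDEN_COMPUTER = Port("kiosk with a computer behind the socket")  # reads as a host

if __name__ == "__main__":
    for p in (LAPTOP, WALL_DCP, APPLE_STYLE, HIDDEN_COMPUTER,
              charge_only(HIDDEN_COMPUTER)):
        print(f"{p.name:45} {classify(p)}  data session: {data_session_possible(p)}")
```

A device cannot tell a hidden computer from a laptop by the data lines alone, which is the whole point of the thread: only cutting the lines (and accepting 500 mA) removes the data path.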
  6. Re:Years old by fuzzyfuzzyfungus · · Score: 4, Funny

    I've seen this going back years with USB keyboards etc from China, they install all sorts of crap on your PC without you knowing.

    Wow, a sleazy USB device from China that has more flash memory than the specs indicate, rather than substantially less? Where can I find this miraculous creature?

  7. Re:This Responsible Disclosure is very irresponsib by stoolpigeon · · Score: 3, Informative

    No they aren't. With charging kiosks in malls and such, like these or these I would say that they are pretty common.

    --
    It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
  8. So... by bfmorgan · · Score: 2

    Always practice "Safe Charging"

    --
    I hope this caused some synapses to fire.
  9. Inductive charging by bored · · Score: 4, Interesting

    What amazes me is that inductive charging hasn't taken over. I was a skeptic when I got my TouchPad a couple years ago. The ability to just drop the pad on a dock without worrying too much about positioning/etc quickly sold me on the idea. Same thing with the Veer I purchased as well. Just drop it on the dock and the magnets align it.

    Now every time I plug in the wife's iPad, or Android phone, I cringe. Small easily broken connectors are something that should be a last resort.

    Oh, and the touchpad prompts the user before allowing communication on the USB port.

    1. Re:Inductive charging by bored · · Score: 4, Interesting

      Inductive charging is highly wasteful.

      Dock-based inductive charging is ~85% efficient, due to being something like 5mm of separation between the coils, running at very high frequency, and being actively controlled. So, this isn't your granddaddy's wireless power fantasies.

      The losses in the 50% efficient wall warts shipping on most Android phones are a worse problem.

  10. Told you that in 2009 by Animats · · Score: 2

    I warned about that in 2009.

    We warned you. You didn't listen. Now suffer.

  11. The "charger" part of this is just decoration by joh · · Score: 2

    Some people seem to miss this, so: This is just an exploit over USB. The fact that the code runs on Linux that runs on a small board that you could integrate into a (somewhat bulky) "charger" has nothing to do with what is happening here.

    The only REALLY interesting thing here is that they seemingly have found a new exploit for iOS. Because, believe it or not, up to now the latest iOS version is watertight, there is no way to access data on the phone via USB (or any other means) or install software on it.

    At least this could mean that there will be a Jailbreak for the latest iOS sooner or later. Well, at least if someone manages to turn this exploit into some jailbreak app before Apple fixes this exploit with an update to iOS.

  12. Dumb chargers? by Bert64 · · Score: 2

    It seems you run a USB-based exploit against the phone, in the same way that several jailbreaks have worked in the past...
    The key problem here seems to be that the charger and the data port are combined, if you were to provide an ability to split the two then such attacks would be infeasible. As it stands, various public places provide phone chargers which would be risky to use, whereas if they could only provide power the risk would be significantly lower (they could still provide an extremely high current to intentionally destroy your phone).

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  13. Workaround (from PairLock page) by rsborg · · Score: 2

    Any time you plug your iOS device into another computer, this trusted pairing relationship gets automatically created within seconds. The only time this doesn’t occur is if the device is locked with a PIN – and I mean really locked; if you have anything other than “Require Passcode: Immediately” set, then it will remain unlocked for a while even after you shut off the screen.

    So if you're in unknown territory, set a passcode and put it on immediate expiration, and you can be a bit more cavalier. It's too bad Apple doesn't allow you to put iOS into "turtle mode" so that you can force this behavior at will, while keeping a more pragmatic stance (say 5m lock timeout).

    --
    Make sure everyone's vote counts: Verified Voting