Researchers Infect iOS Devices With Malware Via Malicious Charger
Sparrowvsrevolution writes "At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple's iOS. A description of their talk posted to the conference website describes how they were able to install whatever malware they wished on an Apple device within a minute of the user plugging it into their malicious charger, which they're calling 'Mactans' after the scientific name of a Black Widow spider. The malware-loaded USB plug is built around an open-source single-board computer known as a BeagleBoard, sold by Texas Instruments for a retail price of around $45. The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do."
I consider any charger with one of those proprietary connectors a 'malicious' charger.
This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior. For the Olympic Games in London, Vodafone fitted 1000 taxis with mobile phone chargers.
Physical access to a device allows for far too many attack vectors to protect against. News at 11
I think the issue here is that 'plausible, easy-to-engineer, physical access allows a demonstrated attack against a device'.
Also, at an architectural level, having an idevice plugged in is much closer to having a network connection to a computer than it is to having 'physical access'. It's a bit weirder than a pure USB network adapter; but it's essentially a chat, over TCP, with a remote computer, not total control over a USB MSC device or something of that flavor.
I've seen this going back years with USB keyboards etc from China, they install all sorts of crap on your PC without you knowing.
Wow, a sleazy USB device from China that has more flash memory than the specs indicate, rather than substantially less? Where can I find this miraculous creature?
No they aren't. With charging kiosks in malls and such, like these or these I would say that they are pretty common.
It's hard to believe that's how Micronians are made. Why don't we see it right now by having you both kiss one another?
GP has already provided you with a potential scenario - presumably the chargers Vodafone fitted in London taxis were a USB socket and/or an iPod dock mounted in the passenger section of the taxi. The BeagleBoard could be anywhere in the taxi.
Plus, it's a proof of concept. It could certainly be miniaturised.
I doubt that any other smartphone OS is immune to this kind of attack, however.
The prototype being based on a big developer board means nothing. The exploit could be easily replicated in smaller boards that would fit just fine in regular chargers.
Or carry a modified cable where the USB power wires are connected but the data wires are not.
If you don't want to DIY, take a look at this sync cable (iPhone 4S or earlier) which has an extra end for only charging.
This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior.
It's based on a BeagleBoard, which is larger than a business card. It's going to be tough to fool people into using a charger that looks like it swallowed half your iPhone.
Sure they will. In Spain there are charging kiosks with coin slots and cables going somewhere you can't see them and people use those all of the time. You forget that in most public charging situations you don't want just anyone to be able to unplug the thing and walk away with it.
Well, there's a continuum.
Sneaking into someone's office and putting a keylogger inline with their keyboard cable is an example of physical access making black-hat hacking easy.
Sneaking into the same office and plugging a PwnPlug or similar into the physical network is another example.
Those two are increasingly far from actually directly looking at filesystem blocks, but put you at an advantage compared to someone trying to get to a system from the other side of a firewall.
I dunno...but how is this new exploit "news" if there are utilities like PairLock to prevent it?
Because you have to jailbreak in order to use PairLock? And um, jailbreaking is bad, mmkay?
What amazes me is that inductive charging hasn't taken over. I was a skeptic, when I got my touchpad a couple years ago. The ability to just drop the pad on a dock without worrying too much about positioning/etc quickly sold me on the idea. Same thing with the veer I purchased as well. Just drop it on the dock and the magnets align it.
Now every time I plug in the wife's iPad, or Android phone, I cringe. Small easily broken connectors are something that should be a last resort.
Oh, and the touchpad prompts the user before allowing communication on the USB port.
Why would you think that? Have you never attached a smartphone to a USB host? Of course the USB data lines are connected, and of course any smartphone will respond to communication attempts from a USB host, so there is absolutely no reason why other phones should not be vulnerable to some form of attack via USB.
I don't know about you, but I can only use the USB port to charge my Android phone. Also, when I connect my Android phone to my computer I generally get access to the data contents of the phone (documents, music, pictures, etc.). It seems pretty trivial to devise a "charger" that steals or destroys data on any phone that connects to it.
Data is the real treasure and thus is also the real threat of damage, but AFAIK you can also use the Android Debug Bridge to install programs to connected phones.
The road to tyranny has always been paved with claims of necessity.
This is so completely wrong that I don't even know where to begin.
1. Apple hasn't put DRM in their chargers
2. Apple devices look for a certain voltage on the D+/D- traces to know whether they can charge at 100 mA, 500 mA, or more; the iPad specifically can draw more power
3. Apple devices are also USB devices, when they connect to a USB host (such as the BeagleBone) they communicate using standard USB, that is the only ID string that gets sent back, along with a request for at least 500 mA of power to be provided by the host.
4. This doesn't actually use any specific vulnerability, rather it uses the fact that when you connect an iOS device you can use a provisioning profile to side-load apps onto the phone. This is generally done during development or for example in corporate settings. These same provisioning profiles can be used to disable certain features, or set up email accounts, wifi passwords, and all that fun stuff, you know to provision a device in a corporate scenario.
It's a shame that your comment got voted up as informative when it contains so much misinformation.
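Since the mechanism described above is the provisioning profile, one thing a defender can do is audit the profiles that reach a device. The script below is an added example, not code from the thread or the Mactans research: it pulls the XML plist out of a signed .mobileprovision blob (assumption: the CMS payload is plain, uncompressed XML, which is the usual case; signature verification is out of scope) and reports whether the profile is an enterprise "provisions all devices" profile, its team, app identifier and expiry. The sample blob is constructed.

```python
import datetime
import plistlib
from typing import Optional

PLIST_START = b"<?xml"
PLIST_END = b"</plist>"


def extract_plist(blob: bytes) -> dict:
    """Locate the XML plist payload inside the signed .mobileprovision blob."""
    start = blob.find(PLIST_START)
    end = blob.find(PLIST_END, start)
    if start < 0 or end < 0:
        raise ValueError("no XML plist payload found")
    return plistlib.loads(blob[start:end + len(PLIST_END)])


def audit_profile(blob: bytes, now_iso: Optional[str] = None) -> dict:
    """Summarise who signed the profile, what it covers and whether it is live."""
    p = extract_plist(blob)
    utc = datetime.timezone.utc
    now = (datetime.datetime.fromisoformat(now_iso).replace(tzinfo=utc)
           if now_iso else datetime.datetime.now(utc))
    exp = p.get("ExpirationDate")            # plistlib yields a naive datetime
    if exp is not None and exp.tzinfo is None:
        exp = exp.replace(tzinfo=utc)
    ents = p.get("Entitlements", {})
    return {
        "name": p.get("Name"),
        "team": p.get("TeamName"),
        # Enterprise (in-house) profiles install on any device: the broad case.
        "enterprise": bool(p.get("ProvisionsAllDevices", False)),
        "device_count": len(p.get("ProvisionedDevices", [])),
        "app_id": ents.get("application-identifier"),
        "get_task_allow": bool(ents.get("get-task-allow", False)),
        "expired": exp is not None and exp < now,
    }


# Constructed sample: a fake CMS wrapper around a minimal enterprise profile.
SAMPLE_PLIST = {
    "Name": "Acme Internal Tools",
    "TeamName": "Acme Corp (constructed)",
    "ProvisionsAllDevices": True,
    "ExpirationDate": datetime.datetime(2014, 1, 1),
    "Entitlements": {"application-identifier": "ABCDE12345.com.acme.*",
                     "get-task-allow": False},
}
SAMPLE_BLOB = b"\x30\x82\x00\x00fake-cms-header" + plistlib.dumps(SAMPLE_PLIST) + b"\x00fake-sig"

if __name__ == "__main__":
    print(audit_profile(SAMPLE_BLOB))
```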
This is just nonsense. USB spec limits the power available for charging. Lots of manufacturers have handshaking going on so that when their products are used with their own chargers, they abandon the spec limits and use their own limits. There's no other way of doing it whilst staying within the USB spec. It's got fuck all to do with DRM and everything to do with making sure the charge rate is safe.
Mine's from a $5 (shipped) job from Hong Kong, charges quite fast. I assure you it's not licensed, knock-off Lightning cable and all.
I'm not sure what point you're trying to argue, but it sounds like you're a perfect candidate for a charger that distributes malware. How would you know if your current charger is not sending your data back to China?
Yes, but not for charging. If you are paranoid you can buy or make a USB cable that is only for charging (data lines disconnected) and your charger will still operate normally and at full speed. If you make such a cable for your iOS device it will only charge at low speed.
This is also notable as an example of DRM gone bad and leading to a severe security problem.
And in what way was it not obvious for the entire history of the iPhone that it could be reflashed through the USB?
There's a huge difference between reflashing something and gaining root to infect an existing install.
One is very obvious to the user because their phone is suddenly reflashed to some configuration that isn't the user's any more. The other could be incredibly subtle because there's no visible change to the user.
It's entirely possible that a similar attack could happen to Android devices as well (for example, run an ADB instance and have it auto-install and execute something whenever it detects a device with debugging enabled. My phone would be vulnerable to this kind of attack, because for convenience, I've got it set up to auto-enter debugging mode whenever it plugs into a device. I'm willing to accept that risk, but I'm not an idiot that insists that the risk isn't there.)
Thing is, it's just another example of how that device that you insist is so damn impregnable because it's from mother Apple can, in fact, be easily exploited. All it takes is for someone to do it. Just because it hasn't happened in the wild *yet* (that you know of) doesn't make you any safer than anyone else.
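The Android scenario above (an ADB host auto-installing onto any device that has debugging enabled) leaves a trace a defender can look for: packages whose installer is not a store. The script below is an added example, not from the thread; it parses the text of `adb shell pm list packages -3 -i` (line format `package:<name>  installer=<pkg|null>`, assumed from Android's pm tool, where `null` is what a plain `adb install` leaves) together with the value of `adb shell settings get global adb_enabled`. The sample output is constructed.

```python
import re
from typing import Dict, List

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")
# Installers treated as store-mediated; anything else counts as side-loaded.
# Assumed list: extend it for the stores your fleet actually uses.
STORE_INSTALLERS = {"com.android.vending", "com.amazon.venezia"}


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output."""
    found = {}
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found[m.group("pkg")] = m.group("inst")
    return found


def sideloaded(pm_output: str) -> List[str]:
    """Packages whose installer is 'null' or an unknown (non-store) package."""
    return sorted(p for p, i in parse_installers(pm_output).items()
                  if i not in STORE_INSTALLERS)


def usb_debug_exposed(adb_enabled_output: str) -> bool:
    """`settings get global adb_enabled` prints 1 when USB debugging is on."""
    return adb_enabled_output.strip() == "1"


def audit(pm_output: str, adb_enabled_output: str) -> dict:
    """Combine both signals: debugging on AND side-loaded packages present."""
    side = sideloaded(pm_output)
    exposed = usb_debug_exposed(adb_enabled_output)
    return {"adb_enabled": exposed, "sideloaded": side,
            "review_needed": exposed and bool(side)}


# Constructed sample output, not captured from a real device.
SAMPLE_PM = """\
package:com.example.bank  installer=com.android.vending
package:com.example.game  installer=com.android.vending
package:org.example.unknown  installer=null
package:com.example.sideload  installer=com.example.fileman
"""
SAMPLE_ADB_ENABLED = "1\n"

if __name__ == "__main__":
    print(audit(SAMPLE_PM, SAMPLE_ADB_ENABLED))
```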