Slashdot Mirror

← Back to Stories (view on slashdot.org)

iPhone Hacked In Under 60 Seconds Using Malicious Charger

Posted by timothy on from the with-lucy-liu-I-hope dept.

DavidGilbert99 writes "Apple's iOs has been known as a bastion of security for many years, but three researchers have now shown iPhones and iPads can be hacked in just under 60 seconds using nothing more than a charger. OK, so it's not just a charger — but the Mactans charger does delete an official app (say Facebook) replacing it with an official-looking one which is actually malware which could access your contacts, messages, emails, phone calls and even capture your passwords. Apple says it will fix the flaw, but not until the release of iOS 7, the date of which hasn't been confirmed yet. So watch out for chargers left lying around ..." (For less in the way of auto-playing video ads with sound, check out the Mac Observer's take, which concludes "[I]t's nifty that Apple is addressing the issue in iOS 7. We'd also like to see it fixed in iOS 6. Apple has historically seen iPhone users upgrade to the newest version iOS in staggeringly high numbers, but eliminating this problem across the board seems the wiser choice.")

35 of 170 comments (clear)

  1. Translation: by CanHasDIY · · Score: 4, Insightful

    The quickest way to get PWND is to give someone else physical access to your device.

    Always has been true, and likely always will be.

    --
    An enigma, wrapped in a riddle, shrouded in bacon and cheese
    1. Re:Translation: by Anonymous Coward · · Score: 2, Informative

      In the 2011 Pwn2Own contest, Charlie Miller and Dion Blazakis "PWND" the Iphone 4 using a mobile Safari vulnerability.

      Apple is almost always a loser at the Pwn2Own events.

  2. Re:Why can't Iphone / ipad have usb port for charg by The+MAZZTer · · Score: 5, Informative

    That wouldn't solve the problem? USB chargers on Android can install apps and transfer files either way if the device has USB debugging enabled. If iPhones used USB the data protocols wouldn't be changed and would have the same capabilities...

  3. Re:Why can't Iphone / ipad have usb port for charg by SIGBUS · · Score: 5, Insightful

    How many Android handsets come with USB debugging enabled by default?

    --
    Oh, no! You have walked into the slavering fangs of a lurking grue!
  4. Re:Jailbreak exploit opportunity by AlreadyStarted · · Score: 5, Informative

    The "modified charger" they describe is in fact a computer.

  5. The jokes just write themselves by safetyinnumbers · · Score: 5, Funny

    delete an official app (say Facebook) replacing it with an official-looking one which is actually malware which could access your contacts, messages, emails

  6. Re:user's brain gets hacked, by Anonymous Coward · · Score: 3, Funny

    If they're using an iPhone, they already succumbed to brain hacking by Apple's marketing.

  7. "Bastion of security" by Ferzerp · · Score: 5, Insightful

    Since when? iOS has had repeated and nearly constant flaws that have allowed for compromises both locally and remotely (via webpages). At this point it's such a given that this is mostly a non story.

    I thought the RDF had dissipated, but I guess not.

    1. Re:"Bastion of security" by Nemyst · · Score: 2

      Why exactly is that "right"? In what way is stopping users from using their devices in the way they desire a good thing? One of the best things about Android, especially Google's Nexus phones, is that rooting is just about always possible. For Nexus phones, it's downright trivial and supported by the OS and hardware. Sure, it might not be necessary for 99% of users. It doesn't make it any less of a legitimate action a user should be able to take.

    2. Re:"Bastion of security" by amicusNYCL · · Score: 2

      The last time we had a boot-level one was when the iPhone 4 was out.

      I don't know what you mean by a "boot-level" exploit, but evasi0n was out in February, several months after the iPhone 5 launched. That particular exploit does modify boot files and gain access to the kernel, if that's what you mean by "boot-level".

      At best there is a 1-2 week window when a JB comes out and when Apple does an update, slamming it shut.

      The patch that fixed the exploits used by evasi0n was released more than a month after evasi0n went public.

      If you're going to shill for Apple, it's probably good to at least stick to facts. But then it wouldn't really be shilling, would it?

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
    3. Re:"Bastion of security" by blueg3 · · Score: 4, Insightful

      It's right because the jailbreaks are all serious security vulnerabilities. That's how they work, and having them around is dangerous.

      Now, it might be nice if Apple allowed people to have the capabilities provided by a jailbreak if they want them. That's not the same as having a jailbreak.

    4. Re:"Bastion of security" by tlhIngan · · Score: 3, Informative

      Since when? iOS has had repeated and nearly constant flaws that have allowed for compromises both locally and remotely (via webpages). At this point it's such a given that this is mostly a non story.

      Wow, that remote exploit was for iOS 4, an OS that shipped in 2010-2011. There's only one phone stuck on iOS 4 - the iPhone 3G - everyone else is able to run a higher version.

      Yes, I suppose if one is used to Android, they would think a ton of people still use iOS 4, but no. After all, iOS 4 came out around the time of Gingerbread, which is still used by a third of Android phones.

      Of course, iOS 6 has proven to be EXTREMELY difficult to compromise. It took 6 months before the first jailbreak came out (for 6.1.0) and a bunch of critical flaws were discovered including unlock screen flaws, resulting in 6.1.1, 6.1.2 and the current version of 6.1.3.

      Unfortunately, 6.1.3 closed the flaw the jailbreaking flaw and no new one has been found since. Old devices have tethered jailbreaks for 6.1.3 but that's it. New ones like the iPhone 5 and iPad 4 ... no jailbreak exists.

    5. Re:"Bastion of security" by tlhIngan · · Score: 2

      Now, it might be nice if Apple allowed people to have the capabilities provided by a jailbreak if they want them. That's not the same as having a jailbreak.

      How would you do that without giving people the chance to completely hose their machines like PCs?

      Jailbreaking is to get out of the "jail" that iOS puts on applications, so it's basically giving root to iOS users.

      If you give people the ability to, they will do it because someone will tell them to do it. There is no way around dancing pigs. Hell when jailbreaking was a popular activity, there was a Rickrolling worm that spread amongst jailbroken iPhones. And another one that stole banking information.

      Why? Because people jailbroke as "something neat" and then followed some instructions that said to install OpenSSH in order to do something that required jailbreaking (pirated apps? unique apps? who knows or cares).

      Point being, give people the ability to, and they'll do it without regards for security.

      It's just like the "Allow non-market apps" checkbox on Android - I'm fairly certain most people have it checked without regard for WHY it's there in the first place. Perhaps they saw some free app on Amazon? Or bought something from Humble Bundle? If you follow how to install those apps, they say to check it.

  8. Re:The Internet of Things... by Anonymous Coward · · Score: 5, Insightful

    Apple's iOs has been known as a bastion of security for many years

    Uh, what? The fuck it has. Guess it just goes to show what a massive marketing campaign will do for your public image. The platform has never been any less hackable than the competition, especially when you're talking physical access to the device.

  9. Bastion of security? by scot4875 · · Score: 4, Informative

    I'm sorry, but if every version of your OS is trivially jail-breakable (with, for example, exploits that amount to root privilege escalation by simply visiting a web page on the device's browser), you are NOT a bastion of security.

    You can argue that Apple does a better job of "securing" their app store than Google does, but that doesn't make the devices themselves any more secure. Just because something trivially exploitable hasn't been exploited (that you know of ... yet) doesn't make it secure.

    --Jeremy

    --
    Jesus was a liberal
    1. Re:Bastion of security? by thoromyr · · Score: 2

      this post is both informative and insightful. I can only hope that the moderators notice. I was worried about this until I found out that you have to unlock the device. Oh, wait, it also requires a developer account -- it cannot actually install unsigned code and have it run. It also requires an Internet connection. Oops.

      Don't get me wrong: this is bad. But for those who are security conscious (that is, actually use a passcode) it is unlikely to be developed into an effective attack before the patch is in place. And it drives home the fact that physical access can be used to bypass otherwise effective controls. For the vast majority of users (ios or otherwise) who don't even use a passcode? The evil maid doesn't even need this.

  10. Quite misleading by ernest.cunningham · · Score: 4, Informative

    The charger is a mini linux machine what needs to use an apple developer account to dynamically add the devices UDID to the developer portal.
    It then signs the malicious app and installs it.
    It takes advantage of ad-hoc distribution and would require a new Apple developer account every 100 devices.

    The only real mastery of this hack is that it can be concealed to look like a charger due to the small footprint of the linux PC. Otherwise, I could do the same thing with physical access to the phone.

    Still, a fun wee hack and novel approach.

    1. Re:Quite misleading by zarmanto · · Score: 2

      The charger is a mini linux machine what needs to use an apple developer account to dynamically add the devices UDID to the developer portal. It then signs the malicious app and installs it. It takes advantage of ad-hoc distribution and would require a new Apple developer account every 100 devices.

      Everything that Ernest said, plus one more important note: Your phone must be either unlocked or not passcode/password protected, in order for this exploit to function. (Just another good reason to use what should be common sense security precautions, really.)

  11. Re:Why can't Iphone / ipad have usb port for charg by mlts · · Score: 4, Insightful

    Even with USB debugging enabled (which some handsets constantly nag to have it turned off), Android handsets use a public/private key system. If the charger tries to get access, the phone will ask if it should have full data rights to it.

    Of course, this means that if someone clicks OK, they are hosed, but it is better than just sticking an adapter on and doing dirty work without knowing the device's PIN or password.

  12. Bogus summary by 93+Escort+Wagon · · Score: 4, Funny

    If this charger deletes the Facebook app, I don't think that qualifies as "malware".

    --
    #DeleteChrome
  13. Re:well, duh. by amicusNYCL · · Score: 2

    Apple was selling 3GSs with iOS 6 less than a year ago, and as far as I know, those little guys won't run 7.

    And you're thinking that's a reason why Apple would support the people who aren't paying them money anymore instead of trying to push them to buy the new version?

    --
    "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  14. Only locally, not remote by SuperKendall · · Score: 2

    Since when? iOS has had repeated and nearly constant flaws that have allowed for compromises both locally and remotely (via webpages)

    There was one such remote vulnerability, via PDF, some years ago... none since then I know of.

    There have always been local flaws because Apple leaves some local exploits to keep jailbreaking viable.

    Of course, even with said flaws actual exploits exist pretty much only for Android.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Only locally, not remote by amicusNYCL · · Score: 2

      I looked at the pwn2own website for results from 2012, they only listed browsers. I assumed no mobile devices were included. I looked at this:

      http://pwn2own.zerodayinitiative.com/

      and this:

      http://pwn2own.zerodayinitiative.com/status.html

      --
      "Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
  15. Re:Jailbreak exploit opportunity by Em+Adespoton · · Score: 4, Informative

    Interestingly, for the hack these guys created to work, the attacker must have a valid developer's license, and the target iOS device must already be jailbroken. The first bit allows them to query Apple's dev site for the debug key for your specific iOS device; the second is required to get the loaded software to actually run on the device.

    HOWEVER, the same technique can be used to read all data available in userspace on the phone, so improperly stored passwords, plus all other app data and configuration data could be grabbed in this manner.

    If Apple can fix this in iOS 7, I'm expecting the jailbreak community to create a fix (that will be loaded as part of the jailbreak process) in short order. Something similar to bluetooth pairing for debug and filesystem access would be an extremely good idea, plus it would close a number of outstanding attack vectors in iOS devices, not just the ones presented.

  16. Re:Move along, nothing to see here by Em+Adespoton · · Score: 2

    This is just more mindless Google fanboy anti-Apple hate.

    It's not like this a trojan you have to turn on the installation of non-market applications and go to a pirate app store to get installed. You actually have to have the device.

    And this is just like a jailbreak, so it is a good thing.

    Actually, this isn't mindless. This has been a known security issue in iOS since iOS 3 days, that Apple hasn't bothered to fix.

    See this article coming out of DEFCON 2011:
    http://nakedsecurity.sophos.com/2011/08/19/is-juicejacking-the-new-firesheep/

    So unless you carry around a charging cable with the data pins removed or never charge at a USB port you don't own yourself, this is an issue (and has been for years).

    Google (partially) fixed this on Android when noise first started being made in late 2010, but Apple didn't. Of course, due to fragmentation, that only means it's fixed if you bought your Android phone after mid-2011 or have an upgrade that implements the fix -- but Apple seems to be fragmenting within its own ecosystem, as this fix is iOS 7, and there are now a large number of iOS devices in every day use that aren't won't run iOS 7.

  17. Re:Why can't Iphone / ipad have usb port for charg by NatasRevol · · Score: 4, Informative

    A lot of iDevice users believe the fancy ports are better than standard USB ports when in fact they both do the same thing.

    Why are so many people so ignorant on this point?

    http://en.wikipedia.org/wiki/Dock_connector#30-pin

    It contains controls, audio and video, as well as data & charging like USB.

    --
    There are two types of people in the world: Those who crave closure
  18. Re:they need to backport it to ios 6 by jbolden · · Score: 2

    Apple pulled Google maps because they didn't want to agree to the privacy rules Google wanted. The cost to Apple has ben hundreds of millions if they aren't up a billion yet. You can agree with Apple's call here or not, but screwing the customers financially was not the motivation.

  19. Re:The Internet of Things... by the_other_chewey · · Score: 4, Informative

    Apple's iOs has been known as a bastion of security for many years

    Uh, what? The fuck it has.

    That had me chuckling as well.

    Remember when you could visit a website to "slide to jailbreak"
    from right inside the web browser?

  20. Re:does delete an official app (say Facebook) by noh8rz10 · · Score: 2

    Sounds like a good idea to me - ROLL IT OUT

    Sounds like a good idea - FOR ME TO POOP ON!

  21. Re:Why can't Iphone / ipad have usb port for charg by Anonymous Coward · · Score: 5, Informative

    iOS uses signing too. The hack described here reads the phone's UID, signs it with an Apple dev key, and then pushes it to the phone. It requires communication with Apple servers and can be used on at most 100 devices before it's automatically disabled.

    It's a slightly different style of attack than would be used on Android phones, but in terms of public vulnerability it's not really a different threat level.

  22. Re:Jailbreak exploit opportunity by samkass · · Score: 4, Informative

    No, it doesn't require the phone to be jailbroken. It does, however, require the attacker to have a paid Apple Developer account with a valid credit card, and it digitally signs all the malware with that developer's information, and limits the total number of devices ever attached to that account to 100 without calling Apple and requesting a reset, and requires the attacking "charger" device to be online at the time of the attack. It also requires the phone to not be in its lock screen, so for it to work you have to manually unlock it and type in your passcode while it's plugged in.

    So it's pretty much a proof-of-concept attack that's not very practical yet, but could probably have been built upon if Apple hadn't already put a fix into the version of the OS coming out soon which, if history is a guide, 90%+ of the iOS installed base will be on in a few months.

    --
    E pluribus unum
  23. The Real POwn by SuperKendall · · Score: 2, Informative

    Pwn2Own 2010: iPhone 3GS compromised via bypassing code signing; Nexus One not compromised.

    Every year Android has existed: 99% of viruses on Android.

    Reality totally contradicts the picture you are trying to point. Android far more secure: Odd then it has ALL of the viruses/trojans/malware. Apple disliking jailbreaking: odd then that jailbreaks come out with great regularity after every new OS or device release (but mostly tethered) and Apple hires jailbreak developers to work on core systems sometimes...

    Your hatred is blinding you to reality.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  24. It's a smart hack, thats all by Camael · · Score: 4, Insightful

    Anyone stupid enough to use a strangers "charger" deserves what they get, and its no ordinary charger, but a computer attached via usb cord.

    Come on, lets get a sense of perspective instead of going into fanboyism (or anti for that matter).

    Before today I had absolutely no idea a microcomputer could be made to look like a charger, or that the charging port on iPhones could be used to hack iOS. If you read TFA, the way they did it is pretty deceptive and ingenious.

    The charger could be made to look like a typical Apple charger, meaning those looking to infect iPhones and iPads could leave them lying around in public charging zones to trick unsuspecting members of the public.

    In the demonstration in Las Vegas, the researchers used the Facebook app as an example of an software that could be compromised. Once the charger is plugged in and the user inputs their PIN code, the charger silently and invisibly removes the target app, in this case the official Facebook app. It then replaces it - in exactly the same position on your iPhone/iPad homescreen - with what looks like a perfect replacement. In actual fact this is malware and once you launch it, your phone/tablet has been compromised.

    Its fair to say that most people have a blind spot insofar as power ports are concerned, we normally don't think of it as a point of entry and this is the social engineering trick this hack takes advantage of . In fact, I think that prior to iPod/iPhones, no device used their power point to double up as a data connector. Pre-iphone, I remember swapping and borrowing Nokia/Sony etc. phone chargers from friends/strangers with no repercussions whatsoever.

    It is very insulting and unfair to call people who would use a stranger's charger 'stupid' -not everyone is a techie or keeps updated with technology news. Which is probably why you posted as AC instead of under your own name =)
     

  25. "Nifty" that they're fixing it? by wonkey_monkey · · Score: 2

    [I]t's nifty that Apple is addressing the issue in iOS 7.

    How is that "nifty"? It's the least they should do. It's like Chris Rock's thing about all those parents who go round proudly proclaiming that "I take care of my kids!" You're supposed to take care of your kids!

    --
    systemd is Roko's Basilisk.
  26. Re:Why can't Iphone / ipad have usb port for charg by thoromyr · · Score: 2

    it also requires the user to unlock the device.