Tuesday, June 04, 2013

Researchers develop method to attack iOS with a 'malicious charger'

Researchers said on Sunday that they have discovered a way to hack into an iPhone through the use of a "malicious" charger. The three researchers, from the Georgia Institute of Technology, plan on presenting their findings at this year's Black Hat security conference, which runs from July 27 - Aug. 1, in Las Vegas.

The summary of their talk reads:
In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.

To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish. Finally, we recommend ways in which users can protect themselves and suggest security features Apple could implement to make the attacks we describe substantially more difficult to pull off.
This isn't the first time iOS has been attacked via charging. In 2011, at the rival Defcon security conference, Aires Security built a smartphone charging station that could download data from a device without the owner's knowledge.

In this case, though, the malicious charger could deliver a viral payload to the device.

The researchers’ charger is dubbed “Mactans,” seemingly referring to the scientific name of the Black Widow spider, and built around a low-power open-source single-board computer sold by Texas Instruments and known as a BeagleBoard.

The BeagleBoard is too small to fit into a standard Apple charger, but there are some chargers that are larger, with multiple outputs. In addition, a hacker might be able to fit it into a standard-sized charger, as the researcher were obviously not interested in minimizing the size of their creation.

Although the Aires Security hack is perhaps the most similar example of hacking iOS through its USB port, that point of entry has been used multiple times. The “evasi0n” jailbreak released in February used a flaw in iOS’ mobile backup system in addition to four other bugs in order to bypass Apple's security.

No comments: