iOS Weaknesses Allow Attacks Via Trojan Chargers
Using weaknesses in Apple's flagship operating system, a simple computer disguised as a charging station can pair with, and then install malware on, any iPhone or iPad that connects to it
August 1, 2013
LAS VEGAS -- BLACK HAT USA -- Apple's flagship mobile operating system has a number of security weaknesses that allow iPhones and iPads to be stealthily compromised via USB devices disguised as charging stations, three researchers from the Georgia Institute of Technology said during a briefing on Wednesday.
The researchers -- Billy Lau, Yeongjin Jang, and Chengyu Song -- created a white Apple-like power brick, dubbed Mactans, that will compromise any iPhone plugged into the device without any visible sign of the attack. The attack does not use any specific software vulnerability, but abuses a number of design decisions made by Apple, including allowing a computer to pair with an iOS device without acknowledgement if the mobile device does not have a passcode set.
"Our attack does not involved jailbreaking, so the attack does not need to have root privileges in order to work, and our injected app remains within the protected sandbox," said Lau, a research scientist with the Georgia Tech Information Security Center (GTISC).
Attackers are increasingly focusing their efforts on mobile devices. While the number of malware variants developed for Android has skyrocketed, Apple's iOS has largely been ignored by attackers because of Apple's more stringent App Store requirements that has successfully weeded out most, but not all, malicious apps to date. The current physical attack, shown both during a press conference at Black Hat and at a session late Wednesday, uses a number of weaknesses in the security checks within Apple's gated software community to gain access to a connected device.
The attack abuses a service that Apple provides to developers known as a provisioning profiles, which allows custom software -- or malware -- to be installed on a device reserved for development.
"Because of the less stringent process on reviewing applications for developers, anyone can become a developer and get a provisioning profile," said Song, a Ph.D. candidate in computer engineering at Georgia Tech.
[Ever wonder which smartphone has the most apps with the least respect for your privacy? The answer may surprise you. See Google Android Vs. Apple iOS: The Mobile App Privacy War.]
The prototype of the malicious charger, known as Mactans, looks similar to the laptop power cable that accompanies many MacBooks. When a victim plugs his iPhone or iPad into a Mactans charger, the mobile device will automatically begin the pairing process with the embedded computer within the charger. The Mactans systems gets an identifier for the device, known as a universal device ID (UDID), then creates an appropriate provisioning profile for the iPhone or iPad, and installs it on the mobile device. Finally, the Mactans device uses its developer permissions to install malicious software and make other changes to the device to hide the functionality, the researchers said during their presentation.
"It takes less than five seconds to install our payload, but installing the actual Trojan can take up to a minute depending on its size," Lau said.
Once the attacker gains access to a mobile device, the sandbox does not limit their actions as much as one would think, the researchers said. By taking successive screen shots, the attackers could record a password, since Apple shows the last character typed. In addition, the attackers have been able to generate a touch on the screen, allowing an attacker to dial numbers or do anything else that a user could do. Finally, the researchers were able to hide signs of their malicious payload in much the same way Apple hides its own system software.
As a payload, the researchers created a Trojanized Facebook application that would run in parallel with the real application. The application could be remotely controlled, allowing the researcher to dial a number, grab passwords, and send texts.
While the researchers hardware prototype looked significantly different from Apple's polished hardware designs, with a bit more money a device could have exactly matched an Apple charger, they said.
"There is no question that someone could have the ability to create a charger that looks like the real charger," Lau said.
Such attacks will become more difficult with Apple's coming update, iOS 7, the researchers said. Development versions of the operating system have asked the user for permission before syncing to another computer over USB, they said.
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.
Read more about:
Black Hat NewsAbout the Author
You May Also Like