Plus iOS 6 devices will remain fully vulnerable for another month

If you're an Apple, Inc. (AAPL) iPhone user, it might be a good time to be careful when buying third-party chargers from smaller, lesser-known brands or using chargers at public locations.

I. Malicious Chargers Used to Install Malicious Background Apps, Trojans

A trio of security researchers at the Georgia Institute of Technology -- post-doctoral researcher Billy Lau, Ph.D. candidate YeongJin Jang, and Ph.D. candidate Chengyu Song -- at a Black Hat USA 2013 talk held at 5 pm on July 31 revealed details of a serious vulnerability in iOS.  The hack involved installing unauthorized attack apps on an iPhone via a malicious charger.

The researchers say it only took them $45 to buy the Linux-powered Texas Instruments, Inc. (TXN) BeagleBoard used in the hack, which they say could be ported to a smaller controller hidden inside an innocent-looking third-party charger.  They said it only took them a week of effort to figure out how to use signals from the malicious charger to crack the iPhone's defenses.

The attack uses a TI Beagle Board. [Image Source: Julien Ponge]

The first step of the attack involves querying the device via the charger line, which doubles as a data transfer link.  It turns out the device will willingly offer up its Unique Device Identifier (UDID) -- a serious security flaw that acts as a gateway to the subsequent steps in the attack chain.  Simply plugging in the attacking charger is not currently enough to fully compromise the device.

The attacker module then communicates with Apple over a 3G or 4G connection to obtain a provisioning profile for the device.  This is akin to the process that Apple's iTunes and Xcode developer software use to legitimately allow developers to load unpublished code onto their devices for testing.

II. Attack Requires Phone to be Unlocked While Connected

The catch is that the user must then unlock their device in order for the malicious charger to be able to use its provisioning profile to install a malicious app.  Once they unlock their phone (by entering the passcode), the charger can install an unauthorized app of its choosing without the device being jailbroken.

One series of subsequent attacks involves the use of an app that is invisible to the "Springboard" (the home screen in iOS with app icons), running in the background.  Such an app could take screenshots, allowing passwords (as letters are briefly shown in plaintext), usernames, addresses, and credit card numbers (via shopping apps/websites) to be screengrabbed and stolen.  Alternatively, the attacker app could generate touch and click events to perform related attacks or simply to annoy the user.
This does require a developer account; however, one can be created with fake user information and/or a stolen credit card.  The provisioning requires manual clicking on the developer website, but this can be automated with browser automation tools, as there is no CAPTCHA involved.
The Georgia Tech team demos their malicious charger attack at a Black Hat keynote. [Image Source: ZDNet]

A second major attack route is to delete a user's app and install a trojan replacement.  In a proof-of-concept demo the researchers showed a trojan imitation of Facebook, Inc.'s (FB) widely used iOS app.  Once installed, the trojan had an identical icon and put up an identical-looking login screen.  But the app was fake; once you put in your username and password, it transmitted those to the attacker's servers and the app crashed.  Many users might simply assume it was a bug in the real app and never suspect their account had been compromised.

An iPhone user who plugs into a malicious charger planted at a public location (left) and unlocks the device can have the phone loaded with malware, including a trojan app that looks identical to the real Facebook app and collects the user's email and password (right). [Image Source: BlackHat (left); Best iPhone App (right)]

A whitepaper with full details on the attack is available here [PDF] and the associated slide deck can be found here [PDF].

III. Apple Leaves Users Vulnerable for at Least a Month

The researchers named their malicious charger prototype "mactans" after the scientific name for the iconic Southern Black Widow spider, L. mactans.

They gave Apple details of the attack back in June, giving the company time to develop a fix, which has been baked into the iOS 7 beta 4 release.  The Cupertino gadget-maker -- which has at times allegedly been hostile to security researchers -- seemed appreciative enough of the discreet disclosure, commenting to Reuters, "We would like to thank the researchers for their valuable input."

However, Apple has decided not to patch the security hole immediately, instead waiting on the full iOS 7 release, which is expected for September.  

It should be noted that the "fix" in iOS 7 does not automatically block the attack route.  The iOS 7 fix involves popping up a user dialog when a connected "computer" requests a UDID.  This allows a user to refuse the request (if, say, they realize it comes from a malicious charger) or accept it (if the request comes from their development machine).  If a user foolishly approves the request from a malicious charger, not understanding what it means, iOS 7 remains every bit as vulnerable as past versions.

The iOS 7 patch does not automatically prevent the breach, instead requiring the user to make the right decision ("don't trust") if the connected device is unexpected. [Image Source: Black Hat]

As a result, non-developers (those still using iOS 6.x) will likely remain vulnerable to malicious chargers for a month or more.  It will be interesting to see whether this leads to any attacks in the wild.

iOS developers, hackers, and jailbreakers alike will note that this clever exploit is the first major vulnerability found in the USB data transfer layer since the data backup-related flaw used in February's "evasi0n" jailbreak.  Apple patched that flaw -- which could also be exploited for malicious purposes -- immediately with the iOS 6.1.3 update that shipped a month later in March.

This flaw is slightly different in that it exploits the expected developer tool set in a clever way to attack non-developers, however it does not jailbreak the device.  A cynic might say Apple's slow patching response and the subsequent halfway fix support the long-standing belief that Apple's battle with jailbreakers has less to do with "protecting users" and more to do with profit (as the mactans exploit does not free users of Apple's DRM, hence not necessarily damaging Apple's profit).

For those affected, prevention is quite simple -- don't buy third-party chargers from firms you're not familiar or comfortable with, and don't use chargers in public locations.

Sources: Billy Lau, et al. via BlackHat [white paper; PDF], [slides; PDF], Reuters
