
Plus iOS 6 devices will remain fully vulnerable for another month

If you're an Apple, Inc. (AAPL) iPhone user, it might be a good time to be careful about buying third-party chargers from smaller, lesser-known brands or plugging into chargers at public locations.

I. Malicious Chargers Used to Install Hidden Background Apps and Trojans

A trio of security researchers at the Georgia Institute of Technology -- post-doctoral researcher Billy Lau, Ph.D. candidate YeongJin Jang, and Ph.D. candidate Chengyu Song -- revealed details of a serious vulnerability in iOS at a Black Hat USA 2013 talk held at 5 pm on July 31.  The hack installs unauthorized attack apps on an iPhone via a malicious charger.

The researchers say it took only $45 to buy the Linux-powered Texas Instruments, Inc. (TXN) BeagleBoard used in the hack, and that the attack could be ported to a smaller controller hidden inside an innocent-looking third-party charger.  They said it took them only about a week of effort to work out how to use the charger's data lines to get past the iPhone's defenses.

Beagle Board
The attack uses a TI Beagle Board. [Image Source: Julien Ponge]

The first step of the attack is to query the device over the charging cable, whose USB connection carries data as well as power.  It turns out the device will willingly hand over its Unique Device Identifier (UDID) to any host that asks, with no prompt to the user -- a design flaw that serves as the gateway to the subsequent steps in the attack chain.  Simply plugging in the attacking charger is not, on its own, enough to fully compromise the device.

The attacker module then uses a 3G or 4G connection to communicate with developer.apple.com and obtain a provisioning profile for that UDID.  This is the same mechanism Apple's iTunes and Xcode developer tools use to let developers legitimately load unpublished code onto their own devices for testing.

II. Attack Requires Phone to Be Unlocked While Connected

The catch is that the user must unlock the device while it is connected before the malicious charger can use the provisioning profile to install a malicious app.  Once the user enters the passcode, the charger can install an unauthorized app of its choosing, with no jailbreak required.

One series of follow-on attacks uses an app that is invisible on the "Springboard" (the iOS home screen with the app icons) and runs in the background.  Such an app could take screenshots to capture passwords (each character is briefly shown in plaintext as it is typed), usernames, addresses, and credit card numbers (entered in shopping apps or websites).  Alternatively, the attacker's app could generate touch and click events to carry out further attacks or simply to cause annoyance.
 
This does require a developer account, but one can be created with fake user information and/or a stolen credit card.  Provisioning a device normally requires manual clicking through the developer website, but there is no CAPTCHA involved, so the researchers note that the process can be automated with browser automation tools.
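The provisioning step above leaves a durable artifact on the phone: a developer provisioning profile that names the victim's UDID.  As an added example (not code from the Georgia Tech paper or from Apple), here is a small Python triage script for such profiles.  It assumes the .mobileprovision layout Apple has used for years (a CMS/PKCS#7 SignedData blob wrapping an XML plist with keys such as ProvisionedDevices, Entitlements and ExpirationDate), does not verify the CMS signature, and runs against a constructed sample profile rather than a real one; the UDID, team name and bundle identifier in it are made up.

```python
"""Triage iOS provisioning profiles for an unexpected developer profile.

Added example, not code from the Georgia Tech paper or from Apple. It assumes
the .mobileprovision layout: a CMS (PKCS#7) SignedData blob whose payload is
an XML plist with keys such as Name, TeamName, ProvisionedDevices,
Entitlements and ExpirationDate. The CMS signature is NOT verified; only the
embedded plist is extracted, which is enough to ask "does a profile on this
device target its UDID, and is it a debuggable developer profile?"
"""
import plistlib
import re
from datetime import datetime, timedelta, timezone

# The XML plist sits uncompressed inside the DER wrapper, so a non-greedy
# search is enough to pull it out without an ASN.1 parser.
PLIST_RE = re.compile(rb"<\?xml.*?</plist>", re.DOTALL)


def _utcnow() -> datetime:
    # plistlib returns naive datetimes (UTC), so compare against a naive UTC now.
    return datetime.now(timezone.utc).replace(tzinfo=None, microsecond=0)


def extract_plist(blob: bytes) -> dict:
    """Return the plist dictionary embedded in a .mobileprovision blob."""
    match = PLIST_RE.search(blob)
    if match is None:
        raise ValueError("no XML plist payload found in profile")
    return plistlib.loads(match.group(0))


def triage_profile(blob: bytes, device_udid: str) -> dict:
    """Summarise one profile relative to the device it was found on."""
    profile = extract_plist(blob)
    entitlements = profile.get("Entitlements", {})
    devices = [d.lower() for d in profile.get("ProvisionedDevices", [])]
    expires = profile.get("ExpirationDate")
    return {
        "name": profile.get("Name"),
        "team": profile.get("TeamName"),
        "app_id": entitlements.get("application-identifier"),
        # Development and ad-hoc profiles enumerate devices; App Store
        # distribution profiles carry no ProvisionedDevices at all.
        "device_count": len(devices),
        "targets_device": device_udid.lower() in devices,
        # get-task-allow marks a development profile: the app is debuggable
        # and was signed without going through App Store review.
        "developer_profile": bool(entitlements.get("get-task-allow", False)),
        "expired": expires is not None and expires < _utcnow(),
    }


def suspicious(report: dict) -> bool:
    """Flag a live development profile that names this device. If the owner
    never installed an Xcode build, that is what the charger attack leaves."""
    return (report["targets_device"]
            and report["developer_profile"]
            and not report["expired"])


# ---- Constructed sample data: a fake profile, not one captured from a device ----
SAMPLE_UDID = "a1b2c3d4e5f60718293a4b5c6d7e8f9001122334"  # made-up 40-hex UDID


def make_sample_profile(days_until_expiry: int = 90) -> bytes:
    """Build a fake development profile that provisions SAMPLE_UDID."""
    now = _utcnow()
    payload = {
        "AppIDName": "Lockscreen Helper",              # made-up app name
        "Name": "Lockscreen Helper Development",
        "TeamName": "Example Team (constructed)",
        "ApplicationIdentifierPrefix": ["ABCDE12345"],
        "CreationDate": now - timedelta(days=1),
        "ExpirationDate": now + timedelta(days=days_until_expiry),
        "ProvisionedDevices": ["0" * 40, SAMPLE_UDID],
        "Entitlements": {
            "application-identifier": "ABCDE12345.com.example.helper",
            "get-task-allow": True,
        },
        "UUID": "11111111-2222-3333-4444-555555555555",
        "Version": 1,
    }
    plist = plistlib.dumps(payload)
    # Opaque bytes stand in for the DER SignedData header and the signature
    # trailer that a real profile carries around the plist.
    return b"\x30\x82\x12\x34" + b"\x00" * 16 + plist + b"\xff" * 32


if __name__ == "__main__":
    report = triage_profile(make_sample_profile(), SAMPLE_UDID)
    print(report)
    print("SUSPICIOUS" if suspicious(report) else "ok")
```

On a real phone the installed profiles can be pulled from a backup (or, on a jailbroken device, from the provisioning-profile directory under /var/MobileDevice) and fed to triage_profile() one at a time.  A current profile with get-task-allow set that names the phone's own UDID, from a team the owner does not recognize, is the fingerprint of the attack described above; the script deliberately skips signature verification because a profile Apple really did issue to the attacker's throwaway account will verify just fine.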
 
Georgia Tech team
The Georgia Tech team demos their malicious charger attack at their Black Hat talk.
[Image Source: ZDNet]

A second major attack route is to delete one of the user's apps and install a trojanized replacement.  In a proof-of-concept demo the researchers showed a trojan imitation of Facebook, Inc.'s (FB) widely used iOS app.  Once installed, the trojan had an identical icon and put up an identical-looking login screen.  But the app was fake: once the user typed in a username and password, it transmitted them to the attacker's server and then crashed.  Many users would simply assume it was a bug in the real app and never suspect their account had been compromised.

iPhone charger user iPhone Facebook
An iPhone user who plugs into a malicious charger planted at a public location (left) and then unlocks the device can have the phone loaded with malware, including a trojan app that looks identical to the real Facebook app and collects the user's email address and password (right).
[Image Source: BlackHat (left); Best iPhone App (right)]

A whitepaper with full details on the attack is available here [PDF] and the associated slide deck can be found here [PDF].

III. Apple Leaves Users Vulnerable for at Least a Month

The researchers named their malicious charger prototype "Mactans" after the species name of the iconic Southern black widow spider, Latrodectus mactans.

They gave Apple details of the attack back in June, giving the company time to develop a fix, which has been included in the iOS 7 beta 4 release.  The Cupertino gadget-maker -- which has at times been accused of hostility toward security researchers -- seemed appreciative enough of the private disclosure, telling Reuters, "We would like to thank the researchers for their valuable input."

However, Apple has decided not to patch the hole in iOS 6 immediately, instead waiting for the full iOS 7 release, which is expected in September.

It should be noted that the "fix" in iOS 7 does not block the attack route automatically.  Instead, iOS 7 pops up a "Trust This Computer?" dialog when a connected "computer" asks to pair with the device, the step that lets it read the UDID and, later, push apps.  This lets the user refuse the request (if, say, they realize it comes from a charger that has no business talking to the phone) or accept it (if the request comes from their own development machine).  If a user approves the request from a malicious charger without understanding what it means, iOS 7 is every bit as vulnerable as past versions.

iOS 7 fix
The iOS 7 patch does not prevent the breach by itself; it relies on the user making the right choice ("Don't Trust") when an unexpected device asks to connect.
[Image Source: Black Hat]

As a result, non-developers (those still using iOS 6.x) will likely remain vulnerable to malicious chargers for a month or more.  It will be interesting to see whether this leads to any attacks in the wild.

iOS developers, hackers, and jailbreakers alike will note that this clever exploit is the first major vulnerability found in the USB data-transfer layer since the backup-related flaw used in February's "evasi0n" jailbreak.  Apple patched that flaw -- which could also have been exploited for malicious purposes -- promptly, in the iOS 6.1.3 update that shipped a month later in March.

This flaw is somewhat different in that it abuses the expected developer tool chain in a clever way to attack non-developers, and it does not jailbreak the device.  A cynic might say Apple's slow patching response and the subsequent halfway fix support the long-standing suspicion that Apple's battle with jailbreakers has less to do with "protecting users" than with profit: the Mactans exploit does not free users from Apple's DRM, so it does not directly threaten Apple's revenue.

For those affected, prevention is quite simple: don't buy third-party chargers from firms you aren't familiar or comfortable with, and don't plug into chargers at public locations.  Because the attack depends on the cable's USB data lines, a charge-only cable or a pass-through adapter that connects only the power pins also blocks it.

Sources: Billy Lau, et al. via BlackHat [white paper; PDF], [slides; PDF], Reuters




Bias is obvious
By ptmmac on 8/2/13, Rating: 0
RE: Bias is obvious
By Acupuncture on 8/2/2013 1:00:25 PM , Rating: 2
Because Jason Mick is a biased charlatan. The sterling Anandtech needs to distance itself from this place as quickly as possible.


RE: Bias is obvious
By xti on 8/2/2013 6:51:18 PM , Rating: 2
I really hope AT doesn't get dinged for stuff like this. Oh well...


RE: Bias is obvious
By Acupuncture on 8/2/2013 7:26:51 PM , Rating: 2
His lack of defense only makes it more obvious. Prediction: Jason Mick is fired within the next 2 years.


RE: Bias is obvious
By Cheesew1z69 on 8/2/2013 8:03:08 PM , Rating: 2
And why exactly would he need to defend himself to you or anyone else?


RE: Bias is obvious
By Acupuncture on 8/2/2013 8:28:24 PM , Rating: 2
He doesn't, just as long as the owners of the company do not mind that the site is extremely biased and do not feel it will hurt their ad revenue.


RE: Bias is obvious
By Cheesew1z69 on 8/2/2013 8:04:36 PM , Rating: 2
Oh, and another new account that has posted in nothing but Apple articles...how ironic.


RE: Bias is obvious
By ptmmac on 8/3/2013 9:33:46 PM , Rating: 2
Not sure why you think I have a new account. I have been posting here for years. I want a contrast to appleinsider. I rarely get much edification, but occasionally there is a nugget or two.


RE: Bias is obvious
By xti on 8/7/2013 3:41:21 PM , Rating: 2
I'm sorry that people like that ruin your DT experience... Lots of us wish they would just go away so we can go back to enjoying the articles.


Why did Jason leave out....
By Phynaz on 8/2/2013 10:02:17 AM , Rating: 3
That a developer has a hard limit of 100 devices?

Doesn't meet his agenda??




RE: Why did Jason leave out....
By Mint on 8/4/2013 1:24:18 AM , Rating: 2
quote:
This does require a developer account, however that can be created with fake user information and/or a stolen credit card; the provisioning requires manual clicking in the developer website, however this can be automated with browser automation tools as there is no CAPTCHA involved.
That's not much of a limit if you can create a bunch of developer accounts rather easily.


RE: Why did Jason leave out....
By MichalT on 8/4/2013 4:44:02 PM , Rating: 2
1) Developer accounts cost $100 a year.
2) It's actually a bit of work to get one. I had two phone interviews with Apple before they granted me one.
3) You only get to install stuff on 100 devices a year.

Basically, for this hack to be useful in the wild, the hacker needs to have a plan where he's willing to spend about $1 a user, be able to create a large number of Apple developer accounts without Apple noticing, and it requires someone to build custom hardware and distribute it. It's a serious breach, and I wish that Apple would take it more seriously, but it's not going to affect millions of people, and likely not even thousands of people ever.


"Special Locations"
By SAN-Man on 8/1/2013 6:45:55 PM , Rating: 2
I instantly recognized the Atlanta Airport (Hartsfield–Jackson Atlanta International Airport) as I make connections there quite a bit.

Makes sense since these guys are at GIT. I am assuming they did this without permission.




RE: "Special Locations"
By ritualm on 8/1/2013 7:23:52 PM , Rating: 2
Airport security is spotty and haphazard at best, unfortunately, the weak spot being airport employees, not the customs and immigration side. If you can hack your way to employee access, it's pretty much game over.


USB Data and Power
By eBob on 8/2/2013 10:15:42 AM , Rating: 2
Would it not be possible to defeat this hack by taking a USB extension cable and modifying it so that the data lines are cut?




RE: USB Data and Power
By aliasfox on 8/2/2013 11:08:17 AM , Rating: 2
Definitely possible, at least on the hardwired 30-pin models. I've had iPods where I've used Firewire charging-only cables.

Not sure about Lightning (where the pins are assigned in software), but I imagine the power pins are still separate from the data pins.


Jailbreak?
By kmmatney on 8/2/2013 2:41:37 PM , Rating: 2
It would be far more interesting if this exploit could be used to Jailbreak. They just finally came out with an untethered Jailbreak for 6.1.3 (I'm still on 6.1.0, but haven't had any problems..). Jailbreaking is useful to get free tethering (which works great btw).




working in home
By davidecreagh on 8/3/2013 2:35:00 PM , Rating: 1
just as Debbie said I didn't know that a person can earn $5217 in 1 month on the internet. have you seen this web site www.work25.Com




Jason Mick Fail
By Acupuncture on 8/2/13, Rating: -1
RE: Jason Mick Fail
By SamMaster on 8/2/2013 7:31:36 AM , Rating: 4
While you bring a valid point, you also do not address the main concern about the article, stating that it will take Apple three months at least to create a warning message when someone tries to hack your phone via charger, and if you allow it, you're on your own.

I agree that both companies are despicable, but in this case, you are complaining about a major security flaw versus benchmark throttling (something video card manufacturers have been doing for years in a similar fashion more or less).


RE: Jason Mick Fail
By Tony Swash on 8/2/13, Rating: 0
RE: Jason Mick Fail
By retrospooty on 8/2/2013 4:41:25 PM , Rating: 2
Yet strangely enough... No-one cares.

http://vr-zone.com/articles/android-smartphone-shi...

I guess it really doesn't have the effect you think it does.

80% and climbing. It's starting to look like Win v Mac all over again. That is what you are worried about, right? It must be, you keep trying to deflect it. :P


RE: Jason Mick Fail
By A11 on 8/3/2013 5:39:04 AM , Rating: 2
quote:
80% and climbing. It's starting to look like Win v Mac all over again. That is what you are worried about, right? It must be, you keep trying to deflect it. :P


You can't really compare those two scenarios.

Losing the Win vs. Mac war almost bankrupted Apple but despite losing market share Apple is still selling more and more phones each quarter and making a ton of cash on it.
Losing sales and losing market share in a developing market are two entirely different things.

Also, let's not forget that the iOS app market is thriving and not showing any signs of the weakness that really made the Mac lose out IMO, lack of apps compared to the PC.


RE: Jason Mick Fail
By retrospooty on 8/3/2013 9:27:10 AM , Rating: 2
I know... That is just me, jabbing at Toni trying to uncover the reason why he so vehemently defends Apple at all turns, and why he deflects any good news for its competitors to try and change the conversation... He is worried about something.


RE: Jason Mick Fail
By ProZach on 8/5/2013 8:43:58 PM , Rating: 2
Of course he is worried about the financial outlook of the company (his favorite redirect is to bring up something financial of little relevance to the topic). But I also think he has very, very small peni...<<<< penchant to try other brands' devices which won't allow him to witness their advantages. I tend to ignore persons claiming "[device] wins in every category!" due to those persons being full of hype and bias.
















Copyright 2014 DailyTech LLC.