Apple takes great pains to protect its air-tight iOS app store from the malware that plagues PCs. But get physical access to the device’s data port–with, for instance, a carefully spoofed charger–and those app store protections can be bypassed in seconds.
At the Black Hat security conference in Las Vegas Wednesday, three Georgia Tech security researchers carried out a demonstration for reporters showing just how easily they could compromise an iPhone 5 using a malicious charger built with a three-inch square, $45 computer known as a BeagleBoard. Their malicious charger, which they called Mactans in reference to the scientific name of the Black Widow spider, can invisibly install malware on a victim’s phone, gaining full access in less than one minute.
Though the researchers had already described Mactans in their Black Hat talk description, they hadn’t revealed how the spoofed charger managed to install malicious applications on Apple’s locked-down mobile operating system. Their trick, it turns out, takes advantage of an underlying security issue in Apple’s developer model: Anyone with a developer license can install custom software on a registered device. So Mactans reads a connected device’s Unique Device Identifier, registers it as a developer’s test device in seconds, and then uses its privileges as a developer to install its malware.
“Anyone can become an iOS developer,” says Georgia Tech reporter Billy Lau. “This is an additional channel–custom-signed codes–which Apple has allowed.”
As a proof of concept, the three researchers created a malicious version of an iOS Facebook app that also includes a Trojan that runs in the background, capable of taking screenshots, simulating button touches, and sending data to a remote server. “You can do anything a user can do,” says Yeongjin Jang. The charger carefully deletes the user’s legitimate Facebook app and reinstalls the infected version, even placing it in the same location on the user’s screen.
In their demonstration, the researchers showed that they could plug a stock iPhone 5 into the malicious charger and within a minute invisibly install their infected Facebook application, though they note that the phone must be unlocked before the attack takes effect.
The malicious charger opened to show its BeagleBoard and SD card.
Though their Mactans charger could hardly fool a real-world victim–the case covering its internal Beagle was scotch-taped together–the researchers argue that a simple, somewhat more expensive attempt to spoof the charger could be far more convincing. “In an espionage standpoint, where the adversary is well funded, there’s no question that you could create one that’s exactly like a real charger,” says Lau.
Apple hasn’t responded to my requests for comment on the spoofed charger vulnerability. But the Georgia Tech team says they’ve communicated with Apple about their work. Perhaps as a result, the researchers point out that iOS 7 beta includes a new safeguard that asks users whether they’d like to connect their phone to any computer that’s plugged into its data port rather than automatically begin sharing data.
The new safeguard against malicious peripherals in iOS 7 beta. (Credit: Patrick Gray, Risky.biz)
“Trust the currently connected computer?” the new warning message asks when it’s plugged into any device that attempts to establish a data connection. “Trusting this computer will allow it full access to your device and all of its data.”
If that connected device is supposed to be an innocent charger rather than a computer–and especially if it’s held together with Scotch tape and marked with a spider symbol–probably best to respond “no.”
Source Forbes Tech