Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

iOS Weaknesses Allow Attacks Via Trojan Chargers

Using weaknesses in Apple's flagship operating system, a simple computer disguised as a charging station can pair with, and then install malware on, any iPhone or iPad that connects to it

LAS VEGAS -- BLACK HAT USA -- Apple's flagship mobile operating system has a number of security weaknesses that allow iPhones and iPads to be stealthily compromised via USB devices disguised as charging stations, three researchers from the Georgia Institute of Technology said during a briefing on Wednesday.

Click here for more of Dark Reading's Black Hat articles.

The researchers -- Billy Lau, Yeongjin Jang, and Chengyu Song -- created a white Apple-like power brick, dubbed Mactans, that will compromise any iPhone plugged into the device without any visible sign of the attack. The attack does not use any specific software vulnerability, but abuses a number of design decisions made by Apple, including allowing a computer to pair with an iOS device without acknowledgement if the mobile device does not have a passcode set.

"Our attack does not involved jailbreaking, so the attack does not need to have root privileges in order to work, and our injected app remains within the protected sandbox," said Lau, a research scientist with the Georgia Tech Information Security Center (GTISC).

Attackers are increasingly focusing their efforts on mobile devices. While the number of malware variants developed for Android has skyrocketed, Apple's iOS has largely been ignored by attackers because of Apple's more stringent App Store requirements that has successfully weeded out most, but not all, malicious apps to date. The current physical attack, shown both during a press conference at Black Hat and at a session late Wednesday, uses a number of weaknesses in the security checks within Apple's gated software community to gain access to a connected device.

The attack abuses a service that Apple provides to developers known as a provisioning profiles, which allows custom software -- or malware -- to be installed on a device reserved for development.

"Because of the less stringent process on reviewing applications for developers, anyone can become a developer and get a provisioning profile," said Song, a Ph.D. candidate in computer engineering at Georgia Tech.

[Ever wonder which smartphone has the most apps with the least respect for your privacy? The answer may surprise you. See Google Android Vs. Apple iOS: The Mobile App Privacy War.]

The prototype of the malicious charger, known as Mactans, looks similar to the laptop power cable that accompanies many MacBooks. When a victim plugs his iPhone or iPad into a Mactans charger, the mobile device will automatically begin the pairing process with the embedded computer within the charger. The Mactans systems gets an identifier for the device, known as a universal device ID (UDID), then creates an appropriate provisioning profile for the iPhone or iPad, and installs it on the mobile device. Finally, the Mactans device uses its developer permissions to install malicious software and make other changes to the device to hide the functionality, the researchers said during their presentation.

"It takes less than five seconds to install our payload, but installing the actual Trojan can take up to a minute depending on its size," Lau said.

Once the attacker gains access to a mobile device, the sandbox does not limit their actions as much as one would think, the researchers said. By taking successive screen shots, the attackers could record a password, since Apple shows the last character typed. In addition, the attackers have been able to generate a touch on the screen, allowing an attacker to dial numbers or do anything else that a user could do. Finally, the researchers were able to hide signs of their malicious payload in much the same way Apple hides its own system software.

As a payload, the researchers created a Trojanized Facebook application that would run in parallel with the real application. The application could be remotely controlled, allowing the researcher to dial a number, grab passwords, and send texts.

While the researchers hardware prototype looked significantly different from Apple's polished hardware designs, with a bit more money a device could have exactly matched an Apple charger, they said.

"There is no question that someone could have the ability to create a charger that looks like the real charger," Lau said.

Such attacks will become more difficult with Apple's coming update, iOS 7, the researchers said. Development versions of the operating system have asked the user for permission before syncing to another computer over USB, they said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
IT 2020: A Look Ahead
Are you ready for the critical changes that will occur in 2020? We've compiled editor insights from the best of our network (Dark Reading, Data Center Knowledge, InformationWeek, ITPro Today and Network Computing) to deliver to you a look at the trends, technologies, and threats that are emerging in the coming year. Download it today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-3154
PUBLISHED: 2020-01-27
CRLF injection vulnerability in Zend\Mail (Zend_Mail) in Zend Framework before 1.12.12, 2.x before 2.3.8, and 2.4.x before 2.4.1 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via CRLF sequences in the header of an email.
CVE-2019-17190
PUBLISHED: 2020-01-27
A Local Privilege Escalation issue was discovered in Avast Secure Browser 76.0.1659.101. The vulnerability is due to an insecure ACL set by the AvastBrowserUpdate.exe (which is running as NT AUTHORITY\SYSTEM) when AvastSecureBrowser.exe checks for new updates. When the update check is triggered, the...
CVE-2014-8161
PUBLISHED: 2020-01-27
PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to obtain sensitive column values by triggering constraint violation and then reading the error message.
CVE-2014-9481
PUBLISHED: 2020-01-27
The Scribunto extension for MediaWiki allows remote attackers to obtain the rollback token and possibly other sensitive information via a crafted module, related to unstripping special page HTML.
CVE-2015-0241
PUBLISHED: 2020-01-27
The to_char function in PostgreSQL before 9.0.19, 9.1.x before 9.1.15, 9.2.x before 9.2.10, 9.3.x before 9.3.6, and 9.4.x before 9.4.1 allows remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via a (1) large number of digits when processing a numeric ...