Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

iOS Weaknesses Allow Attacks Via Trojan Chargers

Using weaknesses in Apple's flagship operating system, a simple computer disguised as a charging station can pair with, and then install malware on, any iPhone or iPad that connects to it

LAS VEGAS -- BLACK HAT USA -- Apple's flagship mobile operating system has a number of security weaknesses that allow iPhones and iPads to be stealthily compromised via USB devices disguised as charging stations, three researchers from the Georgia Institute of Technology said during a briefing on Wednesday.

Click here for more of Dark Reading's Black Hat articles.

The researchers -- Billy Lau, Yeongjin Jang, and Chengyu Song -- created a white Apple-like power brick, dubbed Mactans, that will compromise any iPhone plugged into the device without any visible sign of the attack. The attack does not use any specific software vulnerability, but abuses a number of design decisions made by Apple, including allowing a computer to pair with an iOS device without acknowledgement if the mobile device does not have a passcode set.

"Our attack does not involved jailbreaking, so the attack does not need to have root privileges in order to work, and our injected app remains within the protected sandbox," said Lau, a research scientist with the Georgia Tech Information Security Center (GTISC).

Attackers are increasingly focusing their efforts on mobile devices. While the number of malware variants developed for Android has skyrocketed, Apple's iOS has largely been ignored by attackers because of Apple's more stringent App Store requirements that has successfully weeded out most, but not all, malicious apps to date. The current physical attack, shown both during a press conference at Black Hat and at a session late Wednesday, uses a number of weaknesses in the security checks within Apple's gated software community to gain access to a connected device.

The attack abuses a service that Apple provides to developers known as a provisioning profiles, which allows custom software -- or malware -- to be installed on a device reserved for development.

"Because of the less stringent process on reviewing applications for developers, anyone can become a developer and get a provisioning profile," said Song, a Ph.D. candidate in computer engineering at Georgia Tech.

[Ever wonder which smartphone has the most apps with the least respect for your privacy? The answer may surprise you. See Google Android Vs. Apple iOS: The Mobile App Privacy War.]

The prototype of the malicious charger, known as Mactans, looks similar to the laptop power cable that accompanies many MacBooks. When a victim plugs his iPhone or iPad into a Mactans charger, the mobile device will automatically begin the pairing process with the embedded computer within the charger. The Mactans systems gets an identifier for the device, known as a universal device ID (UDID), then creates an appropriate provisioning profile for the iPhone or iPad, and installs it on the mobile device. Finally, the Mactans device uses its developer permissions to install malicious software and make other changes to the device to hide the functionality, the researchers said during their presentation.

"It takes less than five seconds to install our payload, but installing the actual Trojan can take up to a minute depending on its size," Lau said.

Once the attacker gains access to a mobile device, the sandbox does not limit their actions as much as one would think, the researchers said. By taking successive screen shots, the attackers could record a password, since Apple shows the last character typed. In addition, the attackers have been able to generate a touch on the screen, allowing an attacker to dial numbers or do anything else that a user could do. Finally, the researchers were able to hide signs of their malicious payload in much the same way Apple hides its own system software.

As a payload, the researchers created a Trojanized Facebook application that would run in parallel with the real application. The application could be remotely controlled, allowing the researcher to dial a number, grab passwords, and send texts.

While the researchers hardware prototype looked significantly different from Apple's polished hardware designs, with a bit more money a device could have exactly matched an Apple charger, they said.

"There is no question that someone could have the ability to create a charger that looks like the real charger," Lau said.

Such attacks will become more difficult with Apple's coming update, iOS 7, the researchers said. Development versions of the operating system have asked the user for permission before syncing to another computer over USB, they said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Exploiting Google Cloud Platform With Ease
Dark Reading Staff 8/6/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8720
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
CVE-2020-12300
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-12301
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
CVE-2020-7307
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
CVE-2020-8679
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version 26.20.100.7755 may allow an authenticated user to potentially enable denial of service via local access.