Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

iOS Weaknesses Allow Attacks Via Trojan Chargers

Using weaknesses in Apple's flagship operating system, a simple computer disguised as a charging station can pair with, and then install malware on, any iPhone or iPad that connects to it

LAS VEGAS -- BLACK HAT USA -- Apple's flagship mobile operating system has a number of security weaknesses that allow iPhones and iPads to be stealthily compromised via USB devices disguised as charging stations, three researchers from the Georgia Institute of Technology said during a briefing on Wednesday.

Click here for more of Dark Reading's Black Hat articles.

The researchers -- Billy Lau, Yeongjin Jang, and Chengyu Song -- created a white Apple-like power brick, dubbed Mactans, that will compromise any iPhone plugged into the device without any visible sign of the attack. The attack does not use any specific software vulnerability, but abuses a number of design decisions made by Apple, including allowing a computer to pair with an iOS device without acknowledgement if the mobile device does not have a passcode set.

"Our attack does not involved jailbreaking, so the attack does not need to have root privileges in order to work, and our injected app remains within the protected sandbox," said Lau, a research scientist with the Georgia Tech Information Security Center (GTISC).

Attackers are increasingly focusing their efforts on mobile devices. While the number of malware variants developed for Android has skyrocketed, Apple's iOS has largely been ignored by attackers because of Apple's more stringent App Store requirements that has successfully weeded out most, but not all, malicious apps to date. The current physical attack, shown both during a press conference at Black Hat and at a session late Wednesday, uses a number of weaknesses in the security checks within Apple's gated software community to gain access to a connected device.

The attack abuses a service that Apple provides to developers known as a provisioning profiles, which allows custom software -- or malware -- to be installed on a device reserved for development.

"Because of the less stringent process on reviewing applications for developers, anyone can become a developer and get a provisioning profile," said Song, a Ph.D. candidate in computer engineering at Georgia Tech.

[Ever wonder which smartphone has the most apps with the least respect for your privacy? The answer may surprise you. See Google Android Vs. Apple iOS: The Mobile App Privacy War.]

The prototype of the malicious charger, known as Mactans, looks similar to the laptop power cable that accompanies many MacBooks. When a victim plugs his iPhone or iPad into a Mactans charger, the mobile device will automatically begin the pairing process with the embedded computer within the charger. The Mactans systems gets an identifier for the device, known as a universal device ID (UDID), then creates an appropriate provisioning profile for the iPhone or iPad, and installs it on the mobile device. Finally, the Mactans device uses its developer permissions to install malicious software and make other changes to the device to hide the functionality, the researchers said during their presentation.

"It takes less than five seconds to install our payload, but installing the actual Trojan can take up to a minute depending on its size," Lau said.

Once the attacker gains access to a mobile device, the sandbox does not limit their actions as much as one would think, the researchers said. By taking successive screen shots, the attackers could record a password, since Apple shows the last character typed. In addition, the attackers have been able to generate a touch on the screen, allowing an attacker to dial numbers or do anything else that a user could do. Finally, the researchers were able to hide signs of their malicious payload in much the same way Apple hides its own system software.

As a payload, the researchers created a Trojanized Facebook application that would run in parallel with the real application. The application could be remotely controlled, allowing the researcher to dial a number, grab passwords, and send texts.

While the researchers hardware prototype looked significantly different from Apple's polished hardware designs, with a bit more money a device could have exactly matched an Apple charger, they said.

"There is no question that someone could have the ability to create a charger that looks like the real charger," Lau said.

Such attacks will become more difficult with Apple's coming update, iOS 7, the researchers said. Development versions of the operating system have asked the user for permission before syncing to another computer over USB, they said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
IoT Vulnerability Disclosure Platform Launched
Dark Reading Staff 10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27155
PUBLISHED: 2020-10-22
An issue was discovered in Octopus Deploy through 2020.4.4. If enabled, the websocket endpoint may allow an untrusted tentacle host to present itself as a trusted one.
CVE-2020-27195
PUBLISHED: 2020-10-22
HashiCorp Nomad and Nomad Enterprise version 0.9.0 up to 0.12.5 client file sandbox feature can be subverted using either the template or artifact stanzas. Fixed in 0.12.6, 0.11.5, and 0.10.6
CVE-2020-7020
PUBLISHED: 2020-10-22
Elasticsearch versions before 6.8.13 and 7.9.2 contain a document disclosure flaw when Document or Field Level Security is used. Search queries do not properly preserve security permissions when executing certain complex queries. This could result in the search disclosing the existence of documents ...
CVE-2020-26649
PUBLISHED: 2020-10-22
AtomXCMS 2.0 is affected by Incorrect Access Control via admin/dump.php
CVE-2020-26650
PUBLISHED: 2020-10-22
AtomXCMS 2.0 is affected by Arbitrary File Read via admin/dump.php