Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

iOS Weaknesses Allow Attacks Via Trojan Chargers

Using weaknesses in Apple's flagship operating system, a simple computer disguised as a charging station can pair with, and then install malware on, any iPhone or iPad that connects to it

LAS VEGAS -- BLACK HAT USA -- Apple's flagship mobile operating system has a number of security weaknesses that allow iPhones and iPads to be stealthily compromised via USB devices disguised as charging stations, three researchers from the Georgia Institute of Technology said during a briefing on Wednesday.

Click here for more of Dark Reading's Black Hat articles.

The researchers -- Billy Lau, Yeongjin Jang, and Chengyu Song -- created a white Apple-like power brick, dubbed Mactans, that will compromise any iPhone plugged into the device without any visible sign of the attack. The attack does not use any specific software vulnerability, but abuses a number of design decisions made by Apple, including allowing a computer to pair with an iOS device without acknowledgement if the mobile device does not have a passcode set.

"Our attack does not involved jailbreaking, so the attack does not need to have root privileges in order to work, and our injected app remains within the protected sandbox," said Lau, a research scientist with the Georgia Tech Information Security Center (GTISC).

Attackers are increasingly focusing their efforts on mobile devices. While the number of malware variants developed for Android has skyrocketed, Apple's iOS has largely been ignored by attackers because of Apple's more stringent App Store requirements that has successfully weeded out most, but not all, malicious apps to date. The current physical attack, shown both during a press conference at Black Hat and at a session late Wednesday, uses a number of weaknesses in the security checks within Apple's gated software community to gain access to a connected device.

The attack abuses a service that Apple provides to developers known as a provisioning profiles, which allows custom software -- or malware -- to be installed on a device reserved for development.

"Because of the less stringent process on reviewing applications for developers, anyone can become a developer and get a provisioning profile," said Song, a Ph.D. candidate in computer engineering at Georgia Tech.

[Ever wonder which smartphone has the most apps with the least respect for your privacy? The answer may surprise you. See Google Android Vs. Apple iOS: The Mobile App Privacy War.]

The prototype of the malicious charger, known as Mactans, looks similar to the laptop power cable that accompanies many MacBooks. When a victim plugs his iPhone or iPad into a Mactans charger, the mobile device will automatically begin the pairing process with the embedded computer within the charger. The Mactans systems gets an identifier for the device, known as a universal device ID (UDID), then creates an appropriate provisioning profile for the iPhone or iPad, and installs it on the mobile device. Finally, the Mactans device uses its developer permissions to install malicious software and make other changes to the device to hide the functionality, the researchers said during their presentation.

"It takes less than five seconds to install our payload, but installing the actual Trojan can take up to a minute depending on its size," Lau said.

Once the attacker gains access to a mobile device, the sandbox does not limit their actions as much as one would think, the researchers said. By taking successive screen shots, the attackers could record a password, since Apple shows the last character typed. In addition, the attackers have been able to generate a touch on the screen, allowing an attacker to dial numbers or do anything else that a user could do. Finally, the researchers were able to hide signs of their malicious payload in much the same way Apple hides its own system software.

As a payload, the researchers created a Trojanized Facebook application that would run in parallel with the real application. The application could be remotely controlled, allowing the researcher to dial a number, grab passwords, and send texts.

While the researchers hardware prototype looked significantly different from Apple's polished hardware designs, with a bit more money a device could have exactly matched an Apple charger, they said.

"There is no question that someone could have the ability to create a charger that looks like the real charger," Lau said.

Such attacks will become more difficult with Apple's coming update, iOS 7, the researchers said. Development versions of the operating system have asked the user for permission before syncing to another computer over USB, they said.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.