Researchers Infect iOS Devices With Malware Via Malicious Charger
Sparrowvsrevolution writes "At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple's iOS. A description of their talk posted to the conference website describes how they were able to install whatever malware they wished on an Apple device within a minute of the user plugging it into their malicious charger, which they're calling 'Mactans' after the scientific name of a Black Widow spider. The malware-loaded USB plug is built around an open-source single-board computer known as a BeagleBoard, sold by Texas Instruments for a retail price of around $45. The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do."
Possible Solution (Score:3)
Re: (Score:3)
I dunno...but how is this new exploit "news" if there are utilities like PairLock to prevent it?
Re:Possible Solution (Score:5, Informative)
I dunno...but how is this new exploit "news" if there are utilities like PairLock to prevent it?
Because you have to jailbreak in order to use PairLock? And um, jailbreaking is bad, mmkay?
Workaround (from PairLock page) (Score:3)
Any time you plug your iOS device into another computer, this trusted pairing relationship gets automatically created within seconds. The only time this doesn’t occur is if the device is locked with a PIN – and I mean really locked; if you have anything other than “Require Passcode: Immediately” set, then it will remain unlocked for a while even after you shut off the screen.
So if you're in unknown territory, set a passcode and put it on immediate expiration, and you can be a bit more cavalier. It's too bad Apple doesn't allow you to put iOS into "turtle mode" so that you can force this behavior at will, while keeping a more pragmatic stance (say a 5m lock timeout).
Physical Access (Score:2, Insightful)
Physical access to a device allows for far too many attack vectors to protect against. News at 11
Re:Physical Access (Score:5, Informative)
This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior. For the Olympic Games in London, Vodafone fitted 1000 taxis with mobile phone chargers.
Re:Physical Access (Score:5, Insightful)
GP has already provided you with a potential scenario - presumably the chargers Vodafone fitted in London taxis were a USB socket and/or an iPod dock mounted in the passenger section of the taxi. The BeagleBoard could be anywhere in the taxi.
Plus, it's a proof of concept. It could certainly be miniaturised.
I doubt that any other smartphone OS is immune to this kind of attack, however.
Re:Physical Access (Score:4, Insightful)
I don't know about you, but I can only use the USB port to charge my Android phone. Also, when I connect my Android phone to my computer I generally get access to the data contents of the phone (documents, music, pictures, etc.). It seems pretty trivial to devise a "charger" that steals or destroys data on any phone that connects to it.
Data is the real treasure and thus is also the real threat of damage, but AFAIK you can also use the Android Debug Bridge [android.com] to install programs to connected phones.
Re: (Score:2)
I don't know about you, but any time I connect my Android phone to a device that tries to use the data lines in the charging cable I have to choose how my phone uses the cable.
Re: (Score:2)
That sounds like incredibly poor design. Why wouldn't it just reject all attempts to send or receive data until approval is given?
Re: (Score:2, Insightful)
How the hell did that get modded insightful? Android of course does data via the USB. It mounts as a drive on a PC. And you can reflash the rom via USB, just as you can on an iPhone.
Re: (Score:2)
Charge Only. Was that so hard?
Re:Physical Access (Score:4, Insightful)
Yes, but not for charging. If you are paranoid you can buy or make a USB cable that is only for charging (data lines disconnected) and your charger will still operate normally and at full speed. If you make such a cable for your iOS device it will only charge at low speed.
This is also notable as an example of DRM gone bad and leading to a severe security problem.
Re: (Score:3)
The resistors were the DRM on older chargers. The standard way to signal 1A being available for charging is to tie D+ and D- together. If you check a standard 1A USB charger you will find this is the case. Only Apple products need the resistors.
Re: (Score:2)
Only Apple had implemented USB fast charging 4 years before the standard you are referring to came out.
Re: (Score:2)
There are more sophisticated implementations of the charging protocol that involve signaling on the data lines which is needed to get the full 2.1A or other steps in between. That being said it doesn't matter because a rogue "charging" device can have a fully functional host interface without any visual difference.
Re:Physical Access (Score:5, Informative)
This is so completely wrong that I don't even know where to begin.
1. Apple hasn't put DRM in their chargers
2. Apple devices look for a certain voltage on the D+/D- traces to know whether they can charge at 100 mA, 500 mA, or more, specifically the iPad can draw more power
3. Apple devices are also USB devices, when they connect to a USB host (such as the BeagleBone) they communicate using standard USB, that is the only ID string that gets sent back, along with a request for at least 500 mA of power to be provided by the host.
4. This doesn't actually use any specific vulnerability, rather it uses the fact that when you connect an iOS device you can, using a provisioning profile, side-load apps onto the phone. This is generally done during development or for example in corporate settings. These same provisioning profiles can be used to disable certain features, or set up email accounts, wifi passwords, and all that fun stuff, you know, to provision a device in a corporate scenario.
It's a shame that your comment got voted up as informative when it contains so much misinformation.
Re: (Score:3)
1. Apple hasn't put DRM in their chargers
2. Apple devices look for a certain voltage on the D+/D- traces to know whether they can charge at 100 mA, 500 mA, or more, specifically the iPad can draw more power
That was the old chargers. I assume you meant 1000mA, not 100. Even then it was DRM because the standard way of doing it (which is part of the USB spec) is to tie D+ and D- together. Apple required specific voltages created by a potential divider.
4. This doesn't actually use any specific vulnerability, rather it uses the fact that when you connect an iOS device you can, using a provisioning profile, side-load apps onto the phone.
The fact that you can do that without authentication is a vulnerability. You can install Android apps that way via ADB, but only if the user has enabled USB debugging on their device. Nobody bothers to load apps that way because you can do it either via the phone o
Re: (Score:2)
You seem to have lost the ability to read. No, I was specifically stating 100 mA, that is the max any USB device is allowed to pull from any charger or device it is plugged into, UNLESS it asks the host for more OR the D+/D- lines have specific voltages/are shorted.
Apple requires specific voltages precisely because the standard of just shorting the D+/D- lines don't provide enough information. Just how much current should an iPad attempt to pull from a charger that has the D+/D- lines tied together? It can
Re: (Score:3)
It's a shame that your comment got voted up as informative when it contains so much mis-information.
It was modded informative because the Apple-Bashing Club likes to celebrate anything that makes Apple or Apple products look bad.
Re: (Score:2)
The only reason this works is because Apple put DRM in their chargers to prevent people creating cheaper clones.
Two resistors is hardly considered "communications" by anyone else in any industry.
Two resistors are also not considered "DRM" by pretty much anyone else either.
Please try to be right when correcting someone.
Re: (Score:2)
The resistors are the old charger DRM, the new ones need comms to charge at the highest speed.
Re: (Score:3, Insightful)
Why would you think that? Have you never attached a smartphone to a USB host? Of course the USB data lines are connected, and of course any smartphone will respond to communication attempts from a USB host, so there is absolutely no reason why other phones should not be vulnerable to some form of attack via USB.
Re: (Score:2)
At least on my HTC phone you can either permanently set how you want it to appear to a USB host device or you can have it ask every time.
Even if you set it to "charge only" it still has to negotiate to comply with the USB spec. A bug in the USB negotiation code could leave things wide open.
And of course there is no guarantee that people won't set their phones to default to something other than charge only. A malicious charger isn't an attack vector that most people will be thinking about.
Re: (Score:3, Insightful)
And in what way was it not obvious for the entire history of the iPhone that it could be reflashed through the USB?
There's a huge difference between reflashing something and gaining root to infect an existing install.
One is very obvious to the user because their phone is suddenly reflashed to some configuration that isn't the user's any more. The other could be incredibly subtle because there's no visible change to the user.
It's entirely possible that a similar attack could happen to Android devices as well (for example, run an ADB instance and have it auto-install and execute something whenever it detects a device with debugging enabled. My phone would be vulnerable to this kind of attack, because for convenience, I've got it set up to auto-enter debugging mode whenever it plugs into a device. I'm willing to accept that risk, but I'm not an idiot that insists that the risk isn't there.)
Re: (Score:2)
It's entirely possible that a similar attack could happen to Android devices as well (for example, run an ADB instance and have it auto-install and execute something whenever it detects a device with debugging enabled. My phone would be vulnerable to this kind of attack, because for convenience, I've got it set up to auto-enter debugging mode whenever it plugs into a device. I'm willing to accept that risk, but I'm not an idiot that insists that the risk isn't there.)
That's why ADB is only meant to be enabled when doing development and there are clear warnings when you enable it, telling you that the mode is dangerous. If you leave it enabled when connecting to untrusted devices, then the fault is entirely with you. And most people don't ever use ADB, so this would be irrelevant for them.
Re: (Score:2, Insightful)
The Beagleboard is just one of many development boards around ARM chips which are typically smaller than a fingernail, because they're the main components in mobile phones. There are much smaller alternatives than the Beagleboard, even without making a custom board. For example, the Gumstix Overo single board computer is based on the same chip as the Beagleboard and is about the size of a stick of chewing gum. The attack could be built into anything from docking stations to the smallest chargers.
Re:Physical Access (Score:5, Insightful)
This is not an "open the device and latch on to some henceforth unprotected internal signal" attack vector. Attaching the phone to someone else's charger is not unusual behavior.
It's based on a BeagleBoard, which is larger than a business card. It's going to be tough to fool people into using a charger that looks like it swallowed half your iPhone.
Sure they will. In Spain there are charging kiosks with coin slots and cables going somewhere you can't see them and people use those all of the time. You forget that in most public charging situations you don't want just anyone to be able to unplug the thing and walk away with it.
Re: (Score:2)
Deep thinking AC.
Re: (Score:3)
Install this exploit on your laptop, and the problem will be solved. As soon as they connect the cable, it is no longer their iphone.
Re: (Score:2)
Except physical access doesn't refer to peripherals.
Re:Physical Access (Score:4, Insightful)
Well, there's a continuum.
Sneaking into someone's office and putting a keylogger inline with their keyboard cable is an example of physical access making black-hat hacking easy.
Sneaking into the same office and plugging a PwnPlug or similar into the physical network is another example.
Those two are increasingly far from actually directly looking at filesystem blocks, but put you at an advantage compared to someone trying to get to a system from the other side of a firewall.
Re:Physical Access (Score:4, Interesting)
Physical access to a device allows for far too many attack vectors to protect against. News at 11
I think the issue here is that 'plausible, easy-to-engineer, physical access allows a demonstrated attack against a device'.
Also, at an architectural level, having an idevice plugged in is much closer to having a network connection [theiphonewiki.com] to a computer than it is to having 'physical access'. It's a bit weirder than a pure USB network adapter; but it's essentially a chat, over TCP, with a remote computer, not total control over a USB MSC device or something of that flavor.
Re: (Score:2, Informative)
And remember, all this is to support Apple's DRM that blocks 3rd party chargers (or at least prevents them using the fast charge rate).
Providing phone chargers is a common courtesy in some countries, e.g. Japan. Most hotels and bars will have a load of chargers behind the front desk to lend out, for example.
Re: (Score:2)
I assume that the Lightning auth chip makes the behavior even more complex, under the surface; but I think that the network-like behavior happens on all iOS devices, regardless of connector type. The iPods (aside from the Touch, which is more or less a cost-reduced iPhone without the cell modem) were slightly eccentric mass storage class devices, or the firewire equivalent; but none of the iOS devices ever exposed their storage directly, you have to go through their OS for access.
Re: (Score:2)
If Apple guarantees that they will pay for any damage incurred using an Apple product then Apple would lead the market anywhere! Wake me up when this is the case.
Re: (Score:3)
And remember, all this is to support Apple's DRM that blocks 3rd party chargers (or at least prevents them using the fast charge rate).
Huh? I use a third-party car charger, and it fast-charges my iPhone just fine.
Re: (Score:2)
You probably use a licensed third-party car charger.
Re:Physical Access (Score:4, Insightful)
Mine's from a $5 (shipped) job from Hong Kong, charges quite fast. I assure you it's not licensed, knock-off lightning cable and all.
I'm not sure what point you're trying to argue, but it sounds like you're a perfect candidate for a charger that distributes malware. How would you know if your current charger is not sending your data back to China?
Re: (Score:3)
I'm not sure what point you're trying to argue, but it sounds like you're a perfect candidate for a charger that distributes malware. How would you know if your current charger is not sending your data back to China?
Mine certainly isn't, as I always wear my tin-foil hat while charging.
Re: (Score:3)
What are you on about?
I fast charge my iPhone with a third party charger all the time. I'd post a video of me doing it, but you'd probably dismiss it as some sort of propaganda and clearly falsified somehow.
You might want to check on reality before you start whoring for karma with outright lies on slashdot.
Also, not that you've been at all accurate in your post, but even if this were the case, there's a difference between a proprietary charging protocol/data exchange (the iOS device attempts to negotiate a
Re: (Score:3)
Here is some detail on what Apple did: http://www.ladyada.net/make/mintyboost/icharge.html [ladyada.net]
The standard way of signalling that 1A is available is to tie D+ and D- together. This is part of the USB spec. Apple went their own way so that iDevices would only draw 0.5A from these chargers. Only an Apple charger will deliver 1A to them.
Later on Apple changed this so that their devices were compatible with 1A chargers, but only because they introduced a 2A charger and new DRM system that requires comms with the ch
Re: (Score:2)
There is nothing in your linked article to suggest that Apple are using DRM in any form in any of their chargers.
Re: (Score:2)
Why does this guy keep getting modded up to informative? There is no Apple DRM, there is no blocking of 3rd party chargers. Apple devices while charging look for certain voltages on the D+/D- lines, there is absolutely no communication between the device and the charger. The only reason there is a requirement for certain voltages on the D+/D- lines is so that the Apple device knows it is safe to pull a certain amount of amperage from the charger...
Re:Physical Access (Score:4, Informative)
This is just nonsense. USB spec limits the power available for charging. Lots of manufacturers have handshaking going on so that when their products are used with their own chargers, they abandon the spec limits and use their own limits. There's no other way of doing it whilst staying within the USB spec. It's got fuck all to do with drm and everything to do with making sure the charge rate is safe.
Re: (Score:3)
Try reading the USB Battery Charging Specification. Wikipedia [wikipedia.org] has a summary.
Basically a normal port can supply 500mA. Dedicated charging ports can supply up to 1.5A through a standard A/B connector or IIRC 2.2A through Micro USB. The standard defines a way to signal that the port is a high current charging port.
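The detection sequence the USB Battery Charging spec defines, as an added Python model (not code from any poster, Apple or the USB-IF): it runs BC1.2 primary/secondary detection and the Apple D+/D- voltage ladder argued over elsewhere in this thread, and reports which outcomes leave the data path live, i.e. where a computer could be on the other end of the "charger". The ladder voltages and currents, the comparator thresholds and the port model are assumptions for illustration, not figures taken from the thread.

```python
"""Model of how a USB-powered device decides what it has been plugged into.

Constructed example for this discussion; not code from any poster, Apple or
the USB-IF.  Two detection schemes are modelled:
  * USB Battery Charging 1.2 primary/secondary detection (SDP / CDP / DCP);
  * Apple's D+/D- voltage ladder (the 2.0 V / 2.7 V pairs and the currents
    are assumed from public teardowns, not from the thread).
All thresholds are assumed approximations of the spec figures.
"""
from dataclasses import dataclass

VDAT_REF = 0.325  # BC1.2 comparator threshold, spec window 0.25-0.40 V (assumed midpoint)
V_SRC = 0.6       # BC1.2 VDP_SRC / VDM_SRC drive voltage, spec window 0.5-0.7 V (assumed)

# Apple charger ladder: idle (D+ V, D- V) -> advertised current in mA (assumed values)
APPLE_LADDER = {(2.0, 2.0): 500, (2.0, 2.7): 1000, (2.7, 2.0): 2100, (2.7, 2.7): 2400}


@dataclass
class Port:
    """Electrical model of the far end of the cable (constructed)."""
    kind: str                    # 'sdp', 'cdp', 'dcp', 'apple' or 'open' (data lines cut)
    host_present: bool = False   # an enumerating USB host sits behind the data lines
    bias: tuple = (0.0, 0.0)     # idle (D+, D-) voltages, used by the 'apple' kind

    def sense(self, drive_dplus=0.0, drive_dminus=0.0):
        """Return (D+, D-) as the device reads them after driving the given voltages."""
        dplus, dminus = drive_dplus, drive_dminus
        if self.kind == "dcp":
            # D+ and D- are tied together, so both sit at whatever is driven on either
            dplus = dminus = max(drive_dplus, drive_dminus)
        elif self.kind == "cdp" and drive_dplus > VDAT_REF:
            # a CDP answers VDP_SRC on D+ by driving VDM_SRC onto D-
            dminus = max(dminus, V_SRC)
        elif self.kind == "apple":
            dplus = max(dplus, self.bias[0])
            dminus = max(dminus, self.bias[1])
        # 'sdp' and 'open' leave the lines at whatever the device itself drives
        return dplus, dminus


def bc12_detect(port):
    """BC1.2 primary then secondary detection; returns 'SDP', 'CDP' or 'DCP'."""
    _, dminus = port.sense(drive_dplus=V_SRC)       # primary: drive D+, read D-
    if dminus < VDAT_REF:
        return "SDP"                                 # nobody answered: plain host port
    dplus, _ = port.sense(drive_dminus=V_SRC)        # secondary: drive D-, read D+
    return "DCP" if dplus > VDAT_REF else "CDP"      # a short echoes it back; a CDP does not


def classify(port):
    """Return (port_type, max_current_mA, data_path_live).

    data_path_live is the security-relevant bit: whenever it is True a computer
    may be on the other end and the device will speak USB to it.
    """
    idle = port.sense()
    if idle in APPLE_LADDER:
        return "APPLE_BRICK", APPLE_LADDER[idle], False   # biased lines only, nothing to talk to
    kind = bc12_detect(port)
    if kind == "DCP":
        return "DCP", 1500, False                    # shorted data lines: no host possible
    if kind == "CDP":
        return "CDP", 1500, True                     # charging port that also enumerates
    if port.host_present:
        return "SDP", 500, True                      # host present, 500 mA after enumeration
    return "SDP", 100, False                         # e.g. power-only cable: 100 mA default


if __name__ == "__main__":
    samples = {
        "wall brick, D+/D- shorted": Port("dcp"),
        "Apple 1A brick": Port("apple", bias=(2.0, 2.7)),
        "laptop USB port": Port("sdp", host_present=True),
        "kiosk with hidden host": Port("cdp", host_present=True),
        "cable with data lines cut": Port("open"),
    }
    for name, port in samples.items():
        print(f"{name:28s} -> {classify(port)}")
```

Only the DCP, Apple-ladder and cut-cable cases come back with the data path dead; anything that enumerates the phone as a USB device is, electrically, a computer.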
Re: (Score:3)
Try reading the USB Battery Charging Specification.
... of 2007. Apple's more configurable set of charging states dates back to when the iPod could be charged from USB - 2003.
There was no standard for fast charging when Apple designed it.
Re: (Score:2)
This is the 3rd time you have been corrected and yet keep repeating these lies.
Apple did NOT invent the USB 2.0 spec. They had nothing to do with it beyond using it.
Stop lying about apple inventing things they did not invent
Stop lying about Android, with your claims that not a single android device can talk to a computer over USB.
Stop lying about resistors being secret government microprocessors capable of complex digital communications.
Just stop lying.
Re: (Score:3)
Unfortunately the exploit would have already executed and started running arbitrary code by the time the ID information had been downloaded. That's how it works, it's an overflow in the ID data that the iOS device reads.
Re: (Score:2)
the confirmation dialog would have to present some identifying information about the device
It's not really possible with USB out of the box. In this case the charger is the host, and is at the origin of all transactions. You need to add another layer over the existing protocols to require the host to give some credentials, before changing the device profile and exporting the interesting interfaces. This means a new WHQL certification / kernel update for your drivers, and ensures that it will not happen immediately.
Re: (Score:2)
Android used to have that.
Now it doesn't.
Progress, eh?
Connectors (Score:5, Funny)
I consider any charger with one of those proprietary connectors a 'malicious' charger.
Power-only cable... (Score:3)
It's a pity that the 'Lightning' connector's dependence on an in-cable processor likely makes it more complex to use the old power-only mod...
Not all USB devices play nicely (some phones require either a full USB host or some goofy resistor-coding nonsense on the data pins, and some USB hosts don't power USB ports, or only provide 100 mA, unless the USB peripheral negotiates appropriately on the data pins); but it is generally possible (sometimes with resistor hackery, and for 'dumb' chargers and USB ports that don't need negotiation for power) to use a USB cable with the data lines cut and just power and ground attached for charging. Certainly the only thing I'd trust when plugging into some arbitrary port...
Re: (Score:3)
You still can do it - you're working with the regular USB cable (the A plug) side still.
The coding exists on the other end and does nothing.
This hack is NOT about a charger. The hack is basically saying someone could hide a regular computer inside a charger. So when you plug into the USB plug, you're actually establishing a sync connection, not just a power connection.
Re: (Score:2)
So the real issue is that these guys found a way to inject software onto it - less a charger security hole and more a regular iOS USB security hole.
So wonder if this could be a new jailbreaking vector?
Public chargers (Score:3)
Mental note: Don't use these public chargers anymore...
(Google for "iphone charging point airport")
Re:Public chargers (Score:4, Informative)
If you don't want to DIY, take a look at this sync cable (iPhone 4S or earlier) [amazon.com] which has an extra end for only charging.
Re: (Score:3)
But then your device only charges at 500mA. An iPad is capable of charging at up to 2A, and at only 500mA it won't even be able to maintain the battery level.
Re: (Score:2)
My experience has been that the low current power adapters will charge the iPad with the screen locked. It's glacially slow, but it will charge.
I don't know about in use.
This Responsible Disclosure is very irresponsible (Score:2)
They should have saved this exploit for jailbreaking rather than report it, considering the chances of an in-the-wild infection are low. Public charge stations are quite uncommon.
Re:This Responsible Disclosure is very irresponsible (Score:4, Informative)
No they aren't. With charging kiosks in malls and such, like these [richarge.co.za] or these [made-in-china.com] I would say that they are pretty common.
Legal team (Score:2, Flamebait)
Re: (Score:2)
Can you show a single previous instance of Apple suing a security researcher? I certainly can't find anything.
Re: (Score:2)
He doesn't need to. He's decided that Apple is evil, and he's thought of something that an evil company could do. Therefore, apple does it. No evidence required.
Re: (Score:2)
You're going to need to provide some proof of that.
Also, you'll have to explain the many hundreds of entries in Apple's own kb entries going back many years for security updates where they specifically mention third parties who have identified security holes that are fixed in that particular update. I assume they thanked them for finding the hole and *then* sued them out of existence? Or do they sue first, then personally thank them? Not sure how it works, but since you seem to be an expert on this, I'll bo
Re: (Score:2)
The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do.
Well, that seems to be simple ... Apple will just never contact them.
Been done before (Score:2)
Didn't they do this last year? Provide a charging kiosk which was able to (as a proof of concept) infiltrate the devices plugged into it?
Can this be used to unlock locked devices? (Score:2)
Inquiring minds want to know.
Inductive charging (Score:5, Interesting)
What amazes me is that inductive charging hasn't taken over. I was a skeptic, when I got my touchpad a couple years ago. The ability to just drop the pad on a dock without worrying too much about positioning/etc quickly sold me on the idea. Same thing with the veer I purchased as well. Just drop it on the dock and the magnets align it.
Now every time I plug in the wife's iPad, or Android phone, I cringe. Small easily broken connectors are something that should be a last resort.
Oh, and the touchpad prompts the user before allowing communication on the USB port.
Re: (Score:2)
The biggest problem I have with my Touchpad (I own one too) is that when inductively charging it won't charge nearly as fast, and I've had plenty of times where it has been sitting on the inductive charger for a day or so, and I pick it up and 20 minutes later the battery is dead. Whereas charging it over USB seems to always charge it fully and properly.
Re: (Score:2)
Are you using a 3rd party case? I have the HP case and it works fine, although I've heard of people having issues with other cases. I also think there was a bad firmware version in there that screwed up the inductive charging, I would make sure you're not running that version.
With mine, I put it on the base and make sure I hear it go boing and then forget about it. If it doesn't go boing (or sometimes goes boing more than once) I do a better job positioning it on the charger. That is what is nice about the ve
Re:Inductive charging (Score:5, Interesting)
Inductive charging is highly wasteful.
Dock based, inductive charging is ~85% efficient, due to being something like 5mm of separation between the coils, running at very high frequency, and being actively controlled. So, this isn't your granddaddy's wireless power fantasies.
The losses in the 50% efficient wall warts shipping on most android phones are a worse problem.
Re: (Score:2)
What about this new microwave oven technique I've heard of for recharging iPhones?
sharing more details? (Score:2)
The researchers have contacted Apple about their exploit but haven't heard back from the company and aren't sharing more details of their hack until they do.
With this attitude, don't expect Apple to ever contact them.
Re: (Score:2)
I think the "aren't sharing the details" refers to sharing details with the public till Apple rolls out a fix, not Apple.
Told you that in 2009 (Score:3)
I warned about that in 2009. [slashdot.org]
We warned you. You didn't listen. Now suffer.
The "charger" part of this is just decoration (Score:3)
Some people seem to miss this, so: This is just an exploit over USB. The fact that the code runs on Linux that runs on a small board that you could integrate into a (somewhat bulky) "charger" has nothing to do with what is happening here.
The only REALLY interesting thing here is that they seemingly have found a new exploit for iOS. Because, believe it or not, up to now the latest iOS version is watertight, there is no way to access data on the phone via USB (or any other means) or install software on it.
At least this could mean that there will be a Jailbreak for the latest iOS sooner or later. Well, at least if someone manages to turn this exploit into some jailbreak app before Apple fixes this exploit with an update to iOS.
Dumb chargers? (Score:3)
It seems you run a usb based exploit against the phone, in the same way that several jailbreaks have worked in the past...
The key problem here seems to be that the charger and the data port are combined, if you were to provide an ability to split the two then such attacks would be infeasible. As it stands, various public places provide phone chargers which would be risky to use, whereas if they could only provide power the risk would be significantly lower (they could still provide an extremely high current to intentionally destroy your phone).
Re: (Score:2)
If this threat becomes real (that is, if Apple doesn't fix the bug that enables the exploit very soon) you could build a smart adapter that makes sure that only power gets through and no data. If you think that enough people care about that, go to Kickstarter and get rich.
Re:Years old (Score:5, Funny)
I've seen this going back years with USB keyboards etc from China, they install all sorts of crap on your PC without you knowing.
Wow, a sleazy USB device from China that has more flash memory than the specs indicate, rather than substantially less? Where can I find this miraculous creature?
Re: (Score:2)
Yea but USB devices can still provide keyboard functionality ... autorun not working is moot
So how does it install malware, send a bunch of keystrokes to open Notepad and type up a malicious BAT script?
Start key > cmd (return) > [flashdrive]:\malware.exe (return)... (yes to dialog box)... (yes to "are you SURE SURE" dialog box)...
Re: (Score:2)
So how does it install malware, send a bunch of keystrokes to open Notepad and type up a malicious BAT script?
I suspect that someone feeling clever could probably encode some malware such that it could be transferred and executed entirely with default system utilities and keystrokes, or they could use emulated keystrokes to execute a binary located on a USB MSC filesystem (they still automount by default, and guessing the drive letter prepend should only take a few seconds). Grabbing a payload from a malicious URL is also an option, if you are willing to risk the target not having internet access.
For promotional pur
Re: (Score:2)
Yes, but without the data pins the iPhone is going to follow the USB spec, which will limit it to 500 mA (or even less - I forget what the protocol specifies if the data pins are absent. There's a bunch of things you can do to show it's a charger, like shorting the pins at a particular resistance). If you want the full charging spectrum, the two devices need to communicate, but clearly this introduces a security issue.
Re: (Score:2)
The data pins are needed, but they don't need to be connected to the iPhone end. They just need certain resistors attaching from those pins to +5 and gnd.
Animojo is spreading fud to the contrary elsewhere in comments to this story, but it's not true.
Re: (Score:2)
Actually, it's a dumb charger. This exploit just uses the fact that a USB 'charging' port also accepts USB data. And one can't easily tell whether or not a charger will be delivering 5 volts (as intended) or conceals USB memory or even an active host.