How To Hack an iPhone in 60 seconds: Why Youll Never Use Someone’s Charger Again
Three Georgia Tech hackers have revealed how to hack iPhones and iPads with malware imitating ordinary apps in under sixty seconds using a “malicious charger.”
Today at a Black Hat USA 2013 press conference, the researchers revealed for the first time exactly how the USB charger they built can compromise iOS devices in less than a minute.
Billy Lau, Yeongjin Jang and Chengyu Song showed how they made an ordinary looking charger into a malicious vector for transmitting malware using an open source BeagleBoard, available for $125 (similar to a Raspberry Pi).
For the demonstration, the researchers used an iPhone. They plugged in the phone, and when the passcode was entered, the sign-code attack began.
For the demo, the Facebook app was used as an example.
Within seconds of plugging in the charger, the Facebook app was invisibly removed from the device and seamlessly replaced with a Facebook app imitation with a malicious payload.
The app’s icon was in the exact same spot as it was before the attack – there is no way of knowing the application is not malware.
The researchers said that all the user needs to do to start the attack is enter their passcode – they pointed out that this is a pattern of ordinary use, such as to check a message while the phone is charging.
Once the app was launched, the malware was launched and the phone was compromised – and could do things such as take screenshots when other passwords are entered, send a spoofed screen, and more.
In this manner, depending on what payload the attacker has put on the fake app, sensitive data could be accessed and compromised in a variety of ways.
The researchers found malicious ways to call and use the private API; the attack works on physical weaknesses, and operates on all versions of iOS, stock (up to the beta developer version of 7, which is the only version that Apple has patched).
The operating system used for the attack is Linux, and the researchers acknowledged that someone could easily use a Raspberry Pi instead of a BeagleBoard.
No root permission is accessed for the attack.
The targeted iOS device does not need to be jailbroken in order for the attack to be successful. It only needs to be plugged in to the innocuous seeming, but poisoned, iOS charger.
The Mactans charger is no longer a charger, but its own little computer – running custom software that immediately cracks and infects any attached Apple gadget; Mactans can install software unknown to the user.
Details of the vulnerability, something the researchers held back on disclosing until now, will be described in more deatil in researchers’ Black Hat talk today, “Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers.”
The researchers disclosed the attack and vulnerability to Apple, but it appears that Apple hasn’t addressed or fixed the issue for versions prior to 7 (beta, developer release) – the hackers had previously stated they refused to reveal details until their Black Hat presentation.
The venomous iOS charger is called “Mactans” – Latin name for the virulent and pernicious Black Widow spider.
The researchers explained,
Mactans was built with [a] limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish.
The researchers contacted Apple – and Apple has patched iOS 7 to prevent the attack. Currently, all other versions are vulnerable.
Needless to say, iPhone, iPad and other iOS device users will want to be sure not to leave their chargers laying around – or use any “community” chargers from here on out.
Mactans: Injecting Malware into iOS Devices via Malicious Chargers will be presented today, July 30, in room Augustus 3/4 at 5:00 pm.
UPDATE Wednesday July 1, 8:50 pm: In a late evening announcement Apple stated it will be fixing the vulnerability in the Fall release of its iOS 7 update. Apple has not specified a date for the fix. This means devices are vulnerable to the attack until the release, as are all previous versions of the OS. The issue has only been fixed in the beta version of 7, released to developers.