Blackhat: iOS device charger exploit installs and activates malware

ios-charger-malware

A team of researchers from Georgia Tech unveiled their findings yesterday at the Blackhat conference. Their topic is a power charger exploit that installs malware on iOS devices. Who would have thought that there’d be a security hole associated with the charging port on a device? Oh wait, after seeing hotel room locks exploited through their power jack this is an avenue that should be examined with all device security.

The demonstration used a charger and an BeagleBoard. Plugging in the charger is not enough to trigger the exploit, the user must unlock the screen while charging for it to go into action. But once that’s done the game is over. Their demo removes the Facebook app and replaces it with an infected impostor while leaving the icon in the same place on your home screen. They notified Apple of their findings and a patch will roll out with iOS7. So when would you plug your device into an untrusted charger? Their research includes a photo from an airport where an iPad is connected to the USB port of a public charging station.

The summary on the Blackhat site has download icons for the white paper and presentation slides. At the time of writing we had a hard time getting them to download but succeeded after several tries.

Comments

  1. DD says:

    Actually, this was fixed BEFORE in iOS 7 Beta 2. It already wouldn’t work. And because iOS isn’t like Android, 95% of people will be running iOS 7 shortly after launch anyways.

    • Kiel says:

      Wow, only 3 minutes elapsed since this post went up. Certainly doesn’t take the Apple Defense League long to assemble at all.

      As for the factual aspects of your post. A search seems to indicate only about 83% adoption for iOS6. Well below 95% as you suggested. Plus iOS7 supports even less devices than 6 does.

      It’s still a vulnerability in every single current iOS device so is big news for hackers. Don’t get so defensive.

      • DD says:

        The thing that you also miss is that those “old” devices are most likely handed down to children who use them to play Angry Birds. They don’t have passwords or even WiFi connections even. The oldest device you can buy will run iOS 7, and that’s also the oldest device that one could have if they went for a 3 year contract (when iPhone 4 was new).

        The major percentile do upgrade to the newest OS when available, and if someone is jailbreaking.. they should be aware of the potential consequences which are a lot more dangerous than this. A lot people who jailbreak install OpenSSH and then never change the root password from alpine. That’s a larger vulnerability as all that requires to be exploited is connection to a WiFi (and sometimes cellular, depending on carrier) network. This “exploit” requires physical access and it to be unlocked, which basically every device known to man is vulnerable to physical attacks.

        Regardless, the scope to this attack is very small, and will be plugged for the majority of people soon enough.

        • DainBramage1991 says:

          And I thought iOS was bulletproof… :P

          • DD says:

            Considering it’s nearly 5 years in and there’s basically no malware (even this is simply a PoC and not in the wild) for iOS.. I’d say that’s fairly bulletproof considering the alternative.

          • HackTheGibson says:

            There is no malware on iOS? I would take that bet.

          • m1ndtr1p says:

            @DD

            iOS is bulletproof and has no malware? Wow, are you really THAT clueless or just ignorant? There has been malware on iOS for years, even directly in the app store, which all you Apple fanboys claim is bulletproof as well. Maybe you should do a little research before making such claims.

            Also, this is FAR from the only exploit on iOS…

          • marcello says:

            @m1ndtr1p and @HackTheGibson care to share pointers to actual malware on iOS? (not proof of concepts vulnerabilities nor apps reported as malware by antivirus without further research).
            i’m sincerely curious, not trying to be a troll :)

            this is the only one i found doing a quick search:
            http://www.forbes.com/sites/adriankingsleyhughes/2012/07/06/first-ios-malware-hits-app-store/

          • HackTheGibson says:

            I will try to find some links, but not sure. The reason i know about the viruses is I have had to clean up phones for people at work. I have removed a few a year for the last 3-4 years.
            No systems are full proof. Use caution always. If these guys found the flaw, there are people throughout the world that found the flaw. Most people who do this stuff are the ones with good intentions and don’t publish papers, they use it.

        • six677 says:

          Actually I know several iPhone owners who have not updated their devices. Take my mum, she has a 4S running iOS5 still. She knows how to update, but hasn’t.
          Her iPad is updated though.

        • no says:

          “The thing that you also miss is that those “old” devices are most likely handed down to children who use them to play Angry Birds.”

          do you have any proof at all of that statement, or are you talking out your ass?

    • HackTheGibson says:

      Still works. That said, the charger isn’t the part I would worry about. The Jekyll approach is what I’d worry about more.

    • m1ndtr1p says:

      Wow, seriously? 3 minutes after it was posted you’re here telling people it’s already fixed, and even threw in a jab towards Android in the process… The Apple fanboyism is strong in this one…

      Considering iOS 7 isn’t released yet, no, it’s not fixed, ALL iPhones are currently vulnerable to this (and many other) exploit(s)… And no, you don’t need to have physical access to the device, there are charging stations everywhere now, all one needs to do is replace the charger with one that is modified and all the phones that plug into it are infected… One could place dozens of them in many places and he’d never have to even see the phones he’s hacking into, let alone have physical access to them.

  2. Fritoeata says:

    Do these “starving” kids get paid by Apple to troubleshoot their product?

  3. six677 says:

    This was in the news months ago.

    They fully documented it at blackhat but the demonstrated the hack itself ages ago now, I remember seeing it on BBC news who are always slow to respond to this sort of thing anyway.

  4. KillerBug says:

    It says that the exploit works on all iOS devices…not just the newer models that are getting iOS7.

  5. Ren says:

    Nitpick: The Onity break, while I suppose that barrel connector could power up the lock if the internal battery fails, it is also a comm port.

  6. ejonesss says:

    most chargers are just a switching power supply with a couple extra resistors to tell the device that it is a charger and to set the charge current and voltage and usb cable.

    i dont know about the lightning port based chargers if they have any memory storage outside of if it is lithium battery based they may have a bms like chip that cuts off the charger kind of like the chip in ink cartridges so then you recycle the cartridge and the maker probably resets the chip or replaces it and resells the cartridges as compatibles.

  7. francoborgo says:

    Does that mean that hackers have to send me a special iOS charger. You are right, this is the biggest threat so far ;-) Free Charger.

  8. HackTheGibson says:

    This covers the charger, but what about the other attack. Having code that changes once installed?
    http://www.gatech.edu/newsroom/release.html?nid=225501

  9. Reg says:

    If the charging cable only has the power wires, it seems a stretch to claim this would work. So pretty easy to block. It would require carrying a charge only cable, but that doesn’t seem a big problem.

  10. Is it just me, or am I the only person alive who’s afraid of malware-NFC-equipped batteries?

  11. xorpunk says:

    IOS is “bulletproof” that’s why all devices that run it are jail-broken through software vulnerabilities, except the newsest, and only because the devs are saving exploits..

  12. This will work again on iOS7, even if the current exploit is patched. As soon as an automatic untethered jailbreak is available for a device, it is technically vulnerable to exploits like this. The only bulletproof protection against threats like this and against unauthorized data access or modification in general (“USB-condoms” are NOT secure, since anybody can remove them in a few seconds) would be disconnecting the data lines on the device itself on HARDWARE LEVEL (using a solid state relay), requiring the user to unlock them using a password. I can’t believe this isn’t already a thing, given the risks of these vulnerabilities and the minimal effort needed to fix them FOR GOOD.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

Join 91,397 other followers