Blackhat: IOS Device Charger Exploit Installs And Activates Malware


A team of researchers from Georgia Tech unveiled their findings yesterday at the Blackhat conference. Their topic is a power charger exploit that installs malware on iOS devices. Who would have thought that there’d be a security hole associated with the charging port on a device? Oh wait, after seeing hotel room locks exploited through their power jack, this is an avenue that should be examined with all device security.

The demonstration used a charger and a BeagleBoard. Plugging in the charger is not enough to trigger the exploit; the user must unlock the screen while charging for it to go into action. But once that’s done the game is over. Their demo removes the Facebook app and replaces it with an infected impostor while leaving the icon in the same place on your home screen. They notified Apple of their findings and a patch will roll out with iOS7. So when would you plug your device into an untrusted charger? Their research includes a photo from an airport where an iPad is connected to the USB port of a public charging station.

The summary on the Blackhat site has download icons for the white paper and presentation slides. At the time of writing we had a hard time getting them to download but succeeded after several tries.

31 thoughts on “Blackhat: IOS Device Charger Exploit Installs And Activates Malware”

  1. Actually, this was fixed BEFORE in iOS 7 Beta 2. It already wouldn’t work. And because iOS isn’t like Android, 95% of people will be running iOS 7 shortly after launch anyways.

    1. Wow, only 3 minutes elapsed since this post went up. Certainly doesn’t take the Apple Defense League long to assemble at all.

      As for the factual aspects of your post. A search seems to indicate only about 83% adoption for iOS6. Well below 95% as you suggested. Plus iOS7 supports even less devices than 6 does.

      It’s still a vulnerability in every single current iOS device so is big news for hackers. Don’t get so defensive.

      1. The thing that you also miss is that those “old” devices are most likely handed down to children who use them to play Angry Birds. They don’t have passwords or even WiFi connections even. The oldest device you can buy will run iOS 7, and that’s also the oldest device that one could have if they went for a 3 year contract (when iPhone 4 was new).

        The major percentile do upgrade to the newest OS when available, and if someone is jailbreaking.. they should be aware of the potential consequences which are a lot more dangerous than this. A lot of people who jailbreak install OpenSSH and then never change the root password from alpine. That’s a larger vulnerability as all that requires to be exploited is connection to a WiFi (and sometimes cellular, depending on carrier) network. This “exploit” requires physical access and it to be unlocked, which basically every device known to man is vulnerable to physical attacks.

        Regardless, the scope to this attack is very small, and will be plugged for the majority of people soon enough.

          1. Considering it’s nearly 5 years in and there’s basically no malware (even this is simply a PoC and not in the wild) for iOS.. I’d say that’s fairly bulletproof considering the alternative.

          2. @DD

            iOS is bulletproof and has no malware? Wow, are you really THAT clueless or just ignorant? There has been malware on iOS for years, even directly in the app store, which all you Apple fanboys claim is bulletproof as well. Maybe you should do a little research before making such claims.

            Also, this is FAR from the only exploit on iOS…

          3. I will try to find some links, but not sure. The reason I know about the viruses is I have had to clean up phones for people at work. I have removed a few a year for the last 3-4 years.
            No systems are foolproof. Use caution always. If these guys found the flaw, there are people throughout the world that found the flaw. Most people who do this stuff are the ones with good intentions and don’t publish papers, they use it.

        1. “The thing that you also miss is that those “old” devices are most likely handed down to children who use them to play Angry Birds.”

          do you have any proof at all of that statement, or are you talking out your ass?

    2. Wow, seriously? 3 minutes after it was posted you’re here telling people it’s already fixed, and even threw in a jab towards Android in the process… The Apple fanboyism is strong in this one…

      Considering iOS 7 isn’t released yet, no, it’s not fixed, ALL iPhones are currently vulnerable to this (and many other) exploit(s)… And no, you don’t need to have physical access to the device, there are charging stations everywhere now, all one needs to do is replace the charger with one that is modified and all the phones that plug into it are infected… One could place dozens of them in many places and he’d never have to even see the phones he’s hacking into, let alone have physical access to them.

  2. This was in the news months ago.

    They fully documented it at blackhat but they demonstrated the hack itself ages ago now, I remember seeing it on BBC news who are always slow to respond to this sort of thing anyway.

  3. most chargers are just a switching power supply with a couple extra resistors to tell the device that it is a charger and to set the charge current and voltage and usb cable.

    I don’t know about the lightning port based chargers if they have any memory storage outside of if it is lithium battery based they may have a bms like chip that cuts off the charger kind of like the chip in ink cartridges so then you recycle the cartridge and the maker probably resets the chip or replaces it and resells the cartridges as compatibles.

  4. If the charging cable only has the power wires, it seems a stretch to claim this would work. So pretty easy to block. It would require carrying a charge only cable, but that doesn’t seem a big problem.

  5. IOS is “bulletproof” that’s why all devices that run it are jail-broken through software vulnerabilities, except the newest, and only because the devs are saving exploits..

  6. This will work again on iOS7, even if the current exploit is patched. As soon as an automatic untethered jailbreak is available for a device, it is technically vulnerable to exploits like this. The only bulletproof protection against threats like this and against unauthorized data access or modification in general (“USB-condoms” are NOT secure, since anybody can remove them in a few seconds) would be disconnecting the data lines on the device itself on HARDWARE LEVEL (using a solid state relay), requiring the user to unlock them using a password. I can’t believe this isn’t already a thing, given the risks of these vulnerabilities and the minimal effort needed to fix them FOR GOOD.
