Apple closing security vulnerability that let fake chargers attack iOS devices
In June we heard about Mactans, a malicious iPhone charger created by three security researchers from the Georgia Institute of Technology. This week the researchers presented their findings at Black Hat, an annual hacker convention in Las Vegas, and Apple officially responded to them. Here's the deal...
Mactans exploits the fact that if you physically plug an unlocked iOS device into a computer, iOS 6 and earlier assumes that you want to trust that computer. The researchers used a small embedded computer in their fake charger to infect any iPhone that was plugged into it with a malicious app. The embedded computer is small enough that it could be disguised as a docking station or comically large charger. Once an iOS device has been plugged into a computer, the computer has full access to the device and all of its data, meaning an attacker could essentially add or remove any data to or from the device that they wish, without the victim ever being aware.
An attacker could use this access to simply read the contents of the device, including but not limited to contacts, text messages, photos, and application data. A more sophisticated attack, like the one demonstrated at Black Hat, could actually provision the device as a developer device in order to install custom apps. Since such apps would not need to go through Apple's normal App Store approval process, they could perform nefarious activities that would normally be flagged by Apple, even disguising themselves as legitimate apps while they do it.
Ars Technica notes that developer accounts are limited to only 100 devices, restricting this type of attack, which is partially true. Normal developer accounts are limited to 100 devices, and as such, could only deploy malicious apps to 100 different devices before needing to use a new developer account. However, enterprise accounts have no such restriction. An attacker in possession of an enterprise developer account would be able to skip the steps of adding the device to a developer account, and could immediately install a pre-built, enterprise-signed IPA directly onto any device as soon as it's plugged in to their fake charger. Apple has the abillity to revoke these accounts which would stop the apps from running on any devices they had already been installed on, but Apple would have to be aware of the problem first.
Reuters published the following from Apple:
Apple said the issue had been fixed in the latest beta of iOS 7, which has already been released to software developers.
"We would like to thank the researchers for their valuable input," Apple spokesman Tom Neumayr said.
iOS 7 will be made available to the public in the fall. Since it's currently under NDA (non-disclosure) we can't discuss how Apple is handling the issue, but we have looked at the process and it seems effective.
In the meantime, people probably don't need to worry too much. There is no evidence of malicious chargers like Mactans being exploited in the wild. With that said, the best practice is simply to not plug your devices into chargers you don't trust. Don't use docking stations in hotels. Don't use USB wall outlets at airports. Pack your own chargers to use.
If you absolutely must use a charger you may not trust, keep your device locked with a passcode the entire time it's plugged in, or better yet, turn your device off completely while it charges.