Apple closing security vulnerability that let fake chargers attack iOS devices

In June we heard about Mactans, a malicious iPhone charger created by three security researchers from the Georgia Institute of Technology. This week the researchers presented their findings at Black Hat, an annual hacker convention in Las Vegas, and Apple officially responded to them. Here's the deal...

Mactans exploits the fact that if you physically plug an unlocked iOS device into a computer, iOS 6 and earlier assumes that you want to trust that computer: the device pairs with the host silently, with no prompt and no way to decline. The researchers used a small embedded computer in their fake charger to infect any iPhone that was plugged into it with a malicious app. The embedded computer is small enough that it could be disguised as a docking station or a comically large charger. Once an iOS device has paired with a computer, that computer has the same access to the device that iTunes has, and it keeps that access until the pairing is removed, meaning an attacker could read, add or remove essentially any data on the device without the victim ever being aware.

An attacker could use this access to simply read the contents of the device, including but not limited to contacts, text messages, photos, and application data. A more sophisticated attack, like the one demonstrated at Black Hat, could actually provision the device as a developer device in order to install custom apps. Since such apps would not need to go through Apple's normal App Store approval process, they could perform nefarious activities that would normally be flagged by Apple, even disguising themselves as legitimate apps while they do it.

Ars Technica notes that developer accounts are limited to only 100 devices, which restricts this type of attack. That is only partially true. A normal developer account can register at most 100 devices, so an attacker could deploy developer-signed apps to only 100 different devices before needing a new account. Enterprise accounts have no such restriction: an enterprise-signed IPA runs on any device without that device being registered first, so an attacker in possession of an enterprise developer account could skip the step of adding the device to an account entirely and install a pre-built, enterprise-signed IPA the moment a device is plugged in to the fake charger. Apple has the ability to revoke an enterprise account's certificate, which stops the apps it signed from running on devices they have already been installed on, but Apple would have to be aware of the problem first.
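The silent pairing described above leaves a durable artifact on the host side: a pairing record, stored as one plist per device UDID in /var/db/lockdown on a Mac or /var/lib/lockdown on Linux, containing the host identity, the certificates both sides will use, and (once the device has been unlocked with the host attached) an escrow bag that lets the host back up and sync without the passcode being entered again. Listing those records answers "which devices currently trust this machine?", which is useful both for auditing your own computers and for a forensic look at a suspect host. The script below is an added example, not code from the article or from the Mactans researchers; it uses only the Python standard library, the directory paths are the real ones, and the records written by write_sample_records() are constructed for demonstration (placeholder certificates, made-up identifiers), not real pairings.

```python
"""List the lockdown pairing records a host holds and flag stale ones.

Added example (not from the article or the Mactans researchers). Standard
library only. PAIRING_DIRS are the real record locations; the records written
by write_sample_records() are constructed and contain no real keys.
"""
import os
import plistlib
import sys
import tempfile
import time
from datetime import datetime, timezone

# Real pairing-record directories used by iTunes (macOS) and usbmuxd (Linux).
PAIRING_DIRS = {"darwin": "/var/db/lockdown", "linux": "/var/lib/lockdown"}

# Real record keys that identify the host side of the pairing.
HOST_FIELDS = ("HostID", "SystemBUID", "WiFiMACAddress")


def is_pairing_record(rec):
    """A pairing record carries the host identity plus the device certificate;
    other plists in the same directory (e.g. SystemConfiguration.plist) do not."""
    return isinstance(rec, dict) and "HostID" in rec and "DeviceCertificate" in rec


def load_pairing_record(path):
    """Parse one <UDID>.plist; return a summary dict or None if it is not a pairing record."""
    try:
        with open(path, "rb") as fh:
            rec = plistlib.load(fh)
    except (OSError, plistlib.InvalidFileException, ValueError):
        return None
    if not is_pairing_record(rec):
        return None
    summary = {
        "udid": os.path.splitext(os.path.basename(path))[0],
        "path": path,
        "modified": os.path.getmtime(path),
        # The escrow bag is what lets this host back up/sync a locked device
        # without the passcode, so a record that has one grants the most.
        "has_escrow_bag": "EscrowBag" in rec,
        "has_host_private_key": "HostPrivateKey" in rec,
    }
    for key in HOST_FIELDS:
        summary[key] = rec.get(key)
    return summary


def find_pairing_records(directory):
    """Summaries for every pairing record in directory, sorted by UDID (file name)."""
    records = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            summary = load_pairing_record(os.path.join(directory, name))
            if summary is not None:
                records.append(summary)
    return records


def stale_records(records, max_age_days, now=None):
    """Records not touched in more than max_age_days: standing access grants to
    devices you may no longer own or recognise, and candidates for removal."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    return [r for r in records if r["modified"] < cutoff]


def write_sample_records(directory, now=None):
    """Write two constructed pairing records (one recent, one 400 days old) and a
    non-pairing plist that the audit must skip. All values are placeholders."""
    now = time.time() if now is None else now
    fake_cert = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED PLACEHOLDER\n-----END CERTIFICATE-----\n"
    common = {
        "HostID": "6E1D8E0C-1A2B-4C3D-8E9F-ABCDEF012345",      # constructed
        "SystemBUID": "0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9",  # constructed
        "WiFiMACAddress": "00:11:22:33:44:55",                  # constructed
        "DeviceCertificate": fake_cert,
        "HostCertificate": fake_cert,
        "RootCertificate": fake_cert,
        "EscrowBag": b"CONSTRUCTED",
    }
    samples = {  # constructed UDID -> age of the record in days
        "0123456789abcdef0123456789abcdef01234567": 2,
        "fedcba9876543210fedcba9876543210fedcba98": 400,
    }
    for udid, age_days in samples.items():
        path = os.path.join(directory, udid + ".plist")
        with open(path, "wb") as fh:
            plistlib.dump(dict(common), fh)
        os.utime(path, (now - age_days * 86400, now - age_days * 86400))
    with open(os.path.join(directory, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"SystemBUID": common["SystemBUID"]}, fh)  # not a pairing record
    return sorted(samples)


def demo(now=1_700_000_000.0):
    """Run the audit against constructed records in a temp dir; returns (all, stale)."""
    directory = tempfile.mkdtemp(prefix="lockdown-demo-")
    write_sample_records(directory, now=now)
    records = find_pairing_records(directory)
    return records, stale_records(records, 90, now=now)


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else PAIRING_DIRS.get(sys.platform, "/var/lib/lockdown")
    found = find_pairing_records(directory)
    stale = {r["udid"] for r in stale_records(found, 90)}
    for r in found:
        when = datetime.fromtimestamp(r["modified"], timezone.utc).strftime("%Y-%m-%d")
        print("%s host=%s last-used=%s escrow=%s%s" % (
            r["udid"], r["HostID"], when, r["has_escrow_bag"], "  STALE" if r["udid"] in stale else ""))
```

Run it as root against the default directory (or pass another directory, such as a mounted image of a suspect host). Any record for a device you do not recognise is a standing grant of access: delete the file, or with the device attached run libimobiledevice's `idevicepair unpair`. Note that removing the record on one host does nothing about copies of it on other hosts the device was once plugged into.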

Reuters published the following from Apple:

Apple said the issue had been fixed in the latest beta of iOS 7, which has already been released to software developers. "We would like to thank the researchers for their valuable input," Apple spokesman Tom Neumayr said.

iOS 7 will be made available to the public in the fall. Since the beta is currently under NDA (non-disclosure agreement), we can't discuss how Apple is handling the issue, but we have looked at the process and it seems effective.

In the meantime, people probably don't need to worry too much: there is no evidence of malicious chargers like Mactans being used in the wild. With that said, the best practice is simply not to plug your devices into chargers you don't trust. Don't use docking stations in hotels. Don't use USB wall outlets at airports. Pack your own chargers.

If you absolutely must use a charger you may not trust, keep your device locked with a passcode the entire time it's plugged in, or better yet, turn your device off completely while it charges. Keep in mind that a locked device only refuses new pairings: if the device was ever plugged into that same host while unlocked, the earlier pairing still stands and locking it now will not help.

Nick Arnott
  • To the writer: do you use an iPhone? It's impossible to keep the phone turned off while it is charging. It's almost like a fail-safe that Apple engineered into the phones. Sent from the iMore App
  • I do, and it's not impossible, but you raise a good point. A device that is turned off will power itself on when plugged in to a charger (assuming it has enough of a charge to power on). However, if you have a device plugged in and you power it down, it will stay off until you turn it on, or unplug it and plug it back in.
  • It is possible to shut down the iPhone while plugged in to a simple charger. The question is, how long would it take the malicious app to install itself vs the owner wanting to power off the device?
  • If the device has a passcode enabled and the device is locked when you plug it in, the computer would be unable to install a malicious app (so long as the device had not previously been plugged in while unlocked). If you powered the device off without ever having unlocked it, a malicious app would not be able to be installed.
  • And when, exactly, can we expect to see this happen in the wild? It's kind of funny to see people get all wound up over something so incredibly unlikely to happen. Like some local teenager is going to be able to build this "malicious" charger. It looks like it wouldn't even be worth building for the real bad guys. How many people would use a charger other than their own at an airport or train station? Under what real world conditions would this happen in order to make it profitable for real crooks?
  • Won't you need to sync the device for any activity besides charging?
    If I leave the phone on, no password, and just plug the 30-pin or Lightning cable into any laptop (or a computer pretending to be a charger), and the "sync automatically" option is disabled, why/how would any code get uploaded?
  • No, you do not need to sync for any activity to happen. If you have your phone on, with no passcode and plug it into a computer, with sync disabled, you could still (as examples) build an application to your phone from Xcode, or copy files from the device with an app like PhoneView. You just need something capable of communicating with iOS devices, like libimobiledevice.