Apple to fix iPhones' vulnerability to boobytrapped chargers

Filed Under: Apple, Featured, iOS, Malware, Mobile, Security threats, Vulnerability

Following a Black Hat demonstration on Wednesday in which researchers plugged an iPhone into a malicious charger programmed to attack iOS devices, an Apple spokesman told Reuters that the next software update will fix the bug that enables the hack.

Apple's iPhones and iPads will be vulnerable until they get the iOS 7 update, which is scheduled for release later this year.

A spokesman told Reuters that the issue has already been fixed in the latest beta of iOS 7, which has been released to software developers.

The attack employs a malicious USB charger dubbed "Mactans" that was first publicized in June.

Mactans is a simple device: a custom-built charger equipped with a tiny Linux computer that's programmed to compromise iOS devices.

It attacks devices within a minute of connecting, needing neither jailbreaking nor input from the phone's user to succeed.

Its creators say it cost about $45 to buy and took about a week to design.

The successful attack leads to a persistent infection of software that's invisible to a phone's user, relying as it does on the built-in concealment techniques that Apple itself has put in place to hide some of its own apps.

Mactans, which was created by researchers from the Georgia Institute of Technology, was demonstrated at Black Hat by research scientist Billy Lau, along with graduate students Yeongjin Jang and Chengyu Song.

During their presentation, the researchers succeeded in infecting an iPhone with malware designed to dial one of the researcher's phones - an assignment it carried out successfully.

The flaw that allows the hack could be exploited in the wild to enable attackers to remotely hijack a device and turn it into a spying tool, the researchers said.

With control of an iOS device, an attacker could, for example, get the phone to snap screenshots of banking logins and passwords and credit card numbers; could access email, texts and contact information; or could track a phone owner's geolocation, Lau said.

Lau said that Android devices don't suffer from the same vulnerability given that they warn users when they plug into a computer, even if it's a tiny computer pretending to be a charging station.

After Apple's iOS 7 update, a similar warning message will pop up to alert iOS users that they're connecting to a computer, as opposed to an ordinary charger, Lau said.

Until then, make sure you practice safe powering.

It's not that Mactans presents a grave risk of contracting malware, mind you.

As Peter Bright at Ars Technica describes it, this attack has some serious limitations (Mr. Bright, by the way, does a good job at describing the technical aspects of the USB idiosyncrasies that concern this attack, so do read his piece if that appeals).

A successful Mactans attack requires that the phone's screen be unlocked, for one thing.

It also requires the attacker to have a valid developer account, and each developer account is limited to generating the required provisioning profiles for 100 different phones.

That means that such an attack would have to be targeted, as opposed to being widespread and indiscriminate.

It could be done, but it sounds like it would be rather esoteric and James Bond-ish.

It's always been a good idea to avoid plugging gadgets into sketchy power-charging stations to avoid catching an electronic disease (there's even a name for it: juicejacking).

But, at least as far as an attack like Mactans goes, it's likely only going to happen in research situations or in Hollywood scripts at this point in time.

, , , , , ,

You might like

16 Responses to Apple to fix iPhones' vulnerability to boobytrapped chargers

  1. is this really a problem? what are the chances this will happen to you

    • Paul Ducklin · 454 days ago

      Lisa offers an opinion on that...see the last para:

      "But, at least as far as an attack like Mactans goes, it's likely only going to happen in research situations or in Hollywood scripts at this point in time."

      • You mean in a happy scenario. The amount of people not being up to date with everything security related is little said... huge. The major security problem remains always... the end user, the human. Ironically, Apple always 'wanted' or meant for the end user to do nothing but enjoy their products. Well, this barely happens if you add security as an ingredient.

        • Carlos · 446 days ago

          It's more than just based on people being vulnerable. The probability would be low due to technical limitations that limit the amount of devices a single developer could infect (100 from the article). Just requiring a developer license is somewhat limiting, and then said developer would have to be more discriminate that distributing to anyone.

    • For the same reason that you install antivirus and should do backups of important data.

      Sure, you hardly ever get viruses, and you hardly ever lose data, it's still worth it just for those rare occasions that you do.

  2. Kaspersky once said "Apple is still ten years behind when it comes to security". This only proves his statement.

    • Paul Ducklin · 454 days ago

      Of course, Eugene also thinks we should all have internet passports (it's never quite clear who would issue them)...and he said that "ten year" thing more than a year ago, so perhaps Apple has caught up a bit in the interim :-)

      If anything, this story is probably very slightly positive in respect of Apple's attitude to security.

      The flaw is being addressed, which is a good sign. The fact that Apple has even gone on the record at all to talk about it (the company's ueberofficial line is still that it "says nothing until the fix is out") is also a good sign.

      Overall, however, I'm not sure this proves anything one way or the other about Apple and security.

      • I mean it as why "later this year" to address an important security issue, concearn, problem, when it can be done next week if not less? There was this contest a few months back when vulnerabilities found in Mozilla Firefox and Google Chrome were fixed the next day by their developers. Microsoft, Adobe, and others, mantain a regular update base which is far less than "later this year".

        • Paul Ducklin · 451 days ago

          OTOH, there are two holes - gaping holes - in Android's code signature verification process (you can create an APK containing your own dodgy code, and it will show up as digitally signed by some other, legitimate developer) and we haven't heard from Google when we can expect the fix to be supplied to Android users by handset vendors.

          Not even "later in the year": Google just patched the code in the Android source project, and that's that. not a peep about when the fix will reach users.

          (I'm not going to bat for Apple here, just questioning whether this particular issue shows that the other mobile vendors are really ten years *ahead* of Apple. Eugene didn't just say that Apple was 10 years behind where they ought to be, which would be true if everyone else were lagging behind, too. He said that Apple was 10 years behind Microsoft.)

  3. iPhone 3GS will not be supported under iOS 7. So we need to upgrade soon, and we need to avoid buying chargers that aren't apple branded cause now that this vulnerability has been discovered, cheap product makers will either exploit it or jack up the prices of chargers that don't exploit it. Or, just jack up the price and exploit it anyway.

    Signatures don't get more creative than this. :)

  4. M Shaw · 453 days ago

    Any digital device can and most likely will be targeted my malware, virus, hacks and others malicious programs eventually especially if it is capable to connecting to the internet.

    Most PC and android users know this as fact and respond by installed anti virus and security software. Apple however in has had a slightly harder OS to break into and hasn't been subject to as much to the development of malicious programs targeting it for many years. This combined with Apple's previous (and it's fans) stance that it cannot get virus and malware has bred a culture where many Apple OS users are not prepared for the eventuality that they will be targeted, putting them at risk.

  5. So I guess that those of us who have devices that will never be able to get IOS7 are just screwed?

  6. Lee · 452 days ago

    Well, as the article *says*, you can charge your phone with it locked, and then it's not a problem. That's one way to never have this particular issue arise. Now, in general, it would be nice to have fixes come out sooner/more globally. But *this* one? Put a PIN screen lock on your phone as everyone should have, in any case. :)

  7. JoonasT · 452 days ago

    Does this security hole affect also iphones with security pin on? At least when you try to use iTunes or photoimport you have to put your pin code in the phone to let access for these software.

  8. Clint · 451 days ago

    Is there a way to check a device to see it has been compromised?

  9. jd nguyen · 402 days ago

    here is another major HACK that bypasses your iphone lock-screen completely

    If you hold down your home button till you get SIRI

    Now you can ask siri

    1) to show your last called number
    2) txt someone
    3) dial any number
    4) search anything on the phone
    5) ask for your home or work address
    6) ask for directions
    7) anything is possible at this point

    Good luck to y’all!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.