
iPhone Hacked In Under 60 Seconds Using Malicious Charger

Posted by timothy
from the with-lucy-liu-I-hope dept.
DavidGilbert99 writes "Apple's iOS has been known as a bastion of security for many years, but three researchers have now shown iPhones and iPads can be hacked in just under 60 seconds using nothing more than a charger. OK, so it's not just a charger — but the Mactans charger does delete an official app (say Facebook), replacing it with an official-looking one which is actually malware which could access your contacts, messages, emails, phone calls and even capture your passwords. Apple says it will fix the flaw, but not until the release of iOS 7, the date of which hasn't been confirmed yet. So watch out for chargers left lying around ..." (For less in the way of auto-playing video ads with sound, check out the Mac Observer's take, which concludes "[I]t's nifty that Apple is addressing the issue in iOS 7. We'd also like to see it fixed in iOS 6. Apple has historically seen iPhone users upgrade to the newest version of iOS in staggeringly high numbers, but eliminating this problem across the board seems the wiser choice.")
  • Translation: (Score:5, Insightful)

    by CanHasDIY (1672858) on Thursday August 01, 2013 @05:02PM (#44451127)

    The quickest way to get PWND is to give someone else physical access to your device.

    Always has been true, and likely always will be.

    • Re: (Score:2, Informative)

      by Anonymous Coward

      In the 2011 Pwn2Own contest, Charlie Miller and Dion Blazakis "PWND" the iPhone 4 using a mobile Safari vulnerability.

      Apple is almost always a loser at the Pwn2Own events.

      • by Capsaicin (412918)

        The quickest way to get PWND is to give someone else physical access to your device.

        In the 2011 Pwn2Own contest, Charlie Miller and Dion Blazakis "PWND" the iPhone 4 using a mobile Safari vulnerability.

        Relevance?

        That mobile hacks are possible hardly disproves OP's point (or addresses it in any pertinent way).

      • In the 2011 Pwn2Own contest, Charlie Miller and Dion Blazakis "PWND" the iPhone 4 using a mobile Safari vulnerability.

        Apple is almost always a loser at the Pwn2Own events.

        Pwn2Own only allows 0-day hacks. If somebody else goes wild with the exploit you found on the day before the contest, you can't win. That's why everybody focused on the platform where there wasn't a new exploit in the wild every other day. Until they couldn't find exploits there anymore - no hacked Apple products in Pwn2Own since 2012.

  • So does this mean you could write a jailbreak for an iOS device using a modified charger? If so, how is this any different than plugging the device into a computer?

    • by AlreadyStarted (523251) on Thursday August 01, 2013 @05:11PM (#44451215)
      The "modified charger" they describe is in fact a computer.
    • Interestingly, for the hack these guys created to work, the attacker must have a valid developer's license, and the target iOS device must already be jailbroken. The first bit allows them to query Apple's dev site for the debug key for your specific iOS device; the second is required to get the loaded software to actually run on the device.

      HOWEVER, the same technique can be used to read all data available in userspace on the phone, so improperly stored passwords, plus all other app data and configuration data could be grabbed in this manner.

      If Apple can fix this in iOS 7, I'm expecting the jailbreak community to create a fix (that will be loaded as part of the jailbreak process) in short order. Something similar to Bluetooth pairing for debug and filesystem access would be an extremely good idea, plus it would close a number of outstanding attack vectors in iOS devices, not just the ones presented.

        by samkass (174571) on Thursday August 01, 2013 @09:59PM (#44453203)

        No, it doesn't require the phone to be jailbroken. It does, however, require the attacker to have a paid Apple Developer account with a valid credit card, and it digitally signs all the malware with that developer's information, and limits the total number of devices ever attached to that account to 100 without calling Apple and requesting a reset, and requires the attacking "charger" device to be online at the time of the attack. It also requires the phone to not be in its lock screen, so for it to work you have to manually unlock it and type in your passcode while it's plugged in.

        So it's pretty much a proof-of-concept attack that's not very practical yet, but could probably have been built upon if Apple hadn't already put a fix into the version of the OS coming out soon which, if history is a guide, 90%+ of the iOS installed base will be on in a few months.

  • by safetyinnumbers (1770570) on Thursday August 01, 2013 @05:15PM (#44451245)

    delete an official app (say Facebook) replacing it with an official-looking one which is actually malware which could access your contacts, messages, emails

  • by Ferzerp (83619) on Thursday August 01, 2013 @05:16PM (#44451259)

    Since when? iOS has had repeated and nearly constant flaws that have allowed for compromises both locally and remotely (via webpages). At this point it's such a given that this is mostly a non-story.

    I thought the RDF had dissipated, but I guess not.

    • Since when? iOS has had repeated and nearly constant flaws that have allowed for compromises both locally and remotely (via webpages)

      There was one such remote vulnerability, via PDF, some years ago... none since then I know of.

      There have always been local flaws because Apple leaves some local exploits to keep jailbreaking viable.

      Of course, even with said flaws actual exploits exist pretty much only for Android.

      • Re: (Score:2, Troll)

        by amicusNYCL (1538833)

        There have always been local flaws because Apple leaves some local exploits to keep jailbreaking viable.

        No, they don't. They patch the exploits that jailbreaks use as soon as they can. If Apple wanted "jailbreaking" to be "viable" then it would be a built-in feature, not a root hack. Of course, a published statement from Apple stating the contrary would go far to further your claim.

        Of course, even with said flaws actual exploits exist pretty much only for Android.

        Even though I realize that "SuperKendall" is synonymous with "unapologetic Apple fanboy", for some reason I still feel compelled to respond. I guess I'm bored.

        Pwn2Own 2010: iPhone 3GS compromised via bypassing code signing; Nex

        • The Real POwn (Score:3, Informative)

          by SuperKendall (25149)

          Pwn2Own 2010: iPhone 3GS compromised via bypassing code signing; Nexus One not compromised.

          Every year Android has existed: 99% of viruses on Android [kaspersky.com].

          Reality totally contradicts the picture you are trying to point. Android far more secure: Odd then it has ALL of the viruses/trojans/malware. Apple disliking jailbreaking: odd then that jailbreaks come out with great regularity after every new OS or device release (but mostly tethered) and Apple hires jailbreak developers to work on core systems sometimes.

          • Please, read TFA you linked to.

            According to the recently published Kaspersky Security Bulletin 2012, 99% of newly discovered mobile malicious programs target the Android platform.

            99% of newly discovered malware is not the same as 99% of viruses. Stop spinning.

            Further, having a larger number of malware directed at a platform does not mean that particular platform is less secure. Malware makers will benefit the most by having large infection pools, and will thus often target the most popular platform, which r

          • Every year Android has existed: 99% of viruses on Android

            Don't move the goalposts; are you talking about root exploits or viruses? I'm not talking about viruses, and you weren't either. Apparently, now you are.

            Reality totally contradicts the picture you are trying to point. Android far more secure

            That's not my point. YOUR point was that "exploits exist pretty much only for Android", and I was refuting that by pointing out exploits for iOS. I said nothing about Android's security. I know about Android's security, I'm not trying to hold it up as a bastion of security like you're doing for iOS, I'm trying to contradict your demonstrably false stat

    • by tlhIngan (30335) on Friday August 02, 2013 @01:18AM (#44453857)

      Since when? iOS has had repeated and nearly constant flaws that have allowed for compromises both locally and remotely (via webpages). At this point it's such a given that this is mostly a non-story.

      Wow, that remote exploit was for iOS 4, an OS that shipped in 2010-2011. There's only one phone stuck on iOS 4 - the iPhone 3G - everyone else is able to run a higher version.

      Yes, I suppose if one is used to Android, they would think a ton of people still use iOS 4, but no. After all, iOS 4 came out around the time of Gingerbread, which is still used by a third of Android phones.

      Of course, iOS 6 has proven to be EXTREMELY difficult to compromise. It took 6 months before the first jailbreak came out (for 6.1.0) and a bunch of critical flaws were discovered including unlock screen flaws, resulting in 6.1.1, 6.1.2 and the current version of 6.1.3.

      Unfortunately, 6.1.3 closed the jailbreaking flaw and no new one has been found since. Old devices have tethered jailbreaks for 6.1.3 but that's it. New ones like the iPhone 5 and iPad 4 ... no jailbreak exists.

  • Sounds like a good idea to me - ROLL IT OUT
  • Apple has historically seen iPhone users upgrade to the newest version of iOS in staggeringly high numbers, but eliminating this problem across the board seems the wiser choice.

    Nonsense. It's absolutely the wisest thing Apple could possibly do. Adding the spur of an outstanding unpatched "OMG I'm PWND" vulnerability to the carrot of the news "OMG SHINY" is absolutely brilliant. A wonderful way to counter sagging uptake.

    Oh, you mean "wisest in terms of supporting your customer?" How quaint.

    They're not your cust

  • Bastion of security? (Score:4, Informative)

    by scot4875 (542869) on Thursday August 01, 2013 @05:24PM (#44451343)

    I'm sorry, but if every version of your OS is trivially jail-breakable (with, for example, exploits that amount to root privilege escalation by simply visiting a web page on the device's browser), you are NOT a bastion of security.

    You can argue that Apple does a better job of "securing" their app store than Google does, but that doesn't make the devices themselves any more secure. Just because something trivially exploitable hasn't been exploited (that you know of ... yet) doesn't make it secure.

    --Jeremy

    • by Culture20 (968837)
      Submitter actually typed Bastard of Security. Damn you, autocorrect!
  • This is just more mindless Google fanboy anti-Apple hate.

    It's not like this is a trojan where you have to turn on the installation of non-market applications and go to a pirate app store to get it installed. You actually have to have the device.

    And this is just like a jailbreak, so it is a good thing.

    • This is just more mindless Google fanboy anti-Apple hate.

      It's not like this is a trojan where you have to turn on the installation of non-market applications and go to a pirate app store to get it installed. You actually have to have the device.

      And this is just like a jailbreak, so it is a good thing.

      Actually, this isn't mindless. This has been a known security issue in iOS since iOS 3 days, that Apple hasn't bothered to fix.

      See this article coming out of DEFCON 2011:
      http://nakedsecurity.sophos.com/2011/08/19/is-juicejacking-the-new-firesheep/ [sophos.com]

      So unless you carry around a charging cable with the data pins removed or never charge at a USB port you don't own yourself, this is an issue (and has been for years).

      Google (partially) fixed this on Android when noise first started being made in late 2010, but Ap

      • This is just more mindless Google fanboy anti-Apple hate.

        It's not like this is a trojan where you have to turn on the installation of non-market applications and go to a pirate app store to get it installed. You actually have to have the device.

        And this is just like a jailbreak, so it is a good thing.

        Actually, this isn't mindless. This has been a known security issue in iOS since iOS 3 days, that Apple hasn't bothered to fix.

        See this article coming out of DEFCON 2011:
        http://nakedsecurity.sophos.com/2011/08/19/is-juicejacking-the-new-firesheep/ [sophos.com]

        So unless you carry around a charging cable with the data pins removed or never charge at a USB port you don't own yourself, this is an issue (and has been for years).

        Google (partially) fixed this on Android when noise first started being made in late 2010, but Apple didn't. Of course, due to fragmentation, that only means it's fixed if you bought your Android phone after mid-2011 or have an upgrade that implements the fix -- but Apple seems to be fragmenting within its own ecosystem, as this fix is iOS 7, and there are now a large number of iOS devices in everyday use that won't run iOS 7.

        Yes, this is mindless, because it's an issue with all mobile OSs - funny how you managed to find an article that pretends otherwise; http://managedsolutions.com/tag/juice-jacking/ [managedsolutions.com] doesn't.

        BTW: there are commercial chargers that remove malware from Androids http://kapricasecurity.com/ [kapricasecurity.com] - you really believe the opposite can't be done?

  • Quite misleading (Score:5, Informative)

    by ernest.cunningham (972490) on Thursday August 01, 2013 @05:27PM (#44451369)

    The charger is a mini Linux machine that needs to use an Apple developer account to dynamically add the device's UDID to the developer portal.
    It then signs the malicious app and installs it.
    It takes advantage of ad-hoc distribution and would require a new Apple developer account every 100 devices.

    The only real mastery of this hack is that it can be concealed to look like a charger due to the small footprint of the Linux PC. Otherwise, I could do the same thing with physical access to the phone.

    Still, a fun wee hack and novel approach.

    • by Anonymous Coward

      The charger is a mini Linux machine that needs to use an Apple developer account to dynamically add the device's UDID to the developer portal.
      It then signs the malicious app and installs it.
      It takes advantage of ad-hoc distribution and would require a new Apple developer account every 100 devices.

      The only real mastery of this hack is that it can be concealed to look like a charger due to the small footprint of the Linux PC. Otherwise, I could do the same thing with physical access to the phone.

      Still, a fun wee hack and novel approach.

      It also requires a modified cable with at least some of the same electronics that are used for the factory burn-in through the dock connector. The hack either required some stellar reverse engineering, or it required access to an Apple engineer with clearance for the cable for developer fused devices, or it required a factory worker in China to sneak out a cable. My money would be on the China connection, since China tends to leak like a sieve, even in the factories used for Apple products.

      • by blueg3 (192743)

        What component of the hack actually required that?

        As I understand it (having been at the talk), all it does is grab the device UDID, pair with the device as if it was a copy of iTunes, sign and install a developer provisioning profile, and use that to install an application signed by the corresponding developer signing cert.

        Three of these (obtain UDID, pair with device, install application) are used all the time in the normal operation of syncing with iTunes. Installing a developer provisioning profile is u

    • by zarmanto (884704)

      The charger is a mini Linux machine that needs to use an Apple developer account to dynamically add the device's UDID to the developer portal. It then signs the malicious app and installs it. It takes advantage of ad-hoc distribution and would require a new Apple developer account every 100 devices.

      Everything that Ernest said, plus one more important note: Your phone must be either unlocked or not passcode/password protected, in order for this exploit to function. (Just another good reason to use what should be common sense security precautions, really.)

  • The "charger" port is, in fact, a USB port (or something similar) so yeah: if you don't have physical security, you don't have security, just like everything else.

    Also, "Apple... will fix the vulnerability in the iOS 7 release" is not the same as "Apple has said they won't fix this in iOS 6." We'll have to wait and see what they say/do before passing judgement. (Radical idea, I know.) Apple was selling 3GSs with iOS 6 less than a year ago, and as far as I know, those little guys won't run 7.

    • Apple was selling 3GSs with iOS 6 less than a year ago, and as far as I know, those little guys won't run 7.

      And you're thinking that's a reason why Apple would support the people who aren't paying them money anymore instead of trying to push them to buy the new version?

  • by 93 Escort Wagon (326346) on Thursday August 01, 2013 @05:41PM (#44451467)

    If this charger deletes the Facebook app, I don't think that qualifies as "malware".

  • Whatever flaw they are using to hack the phone is a possible jailbreak exploit that they are needlessly wasting.

    At the very least they should let the jailbreak community at this first, THEN show off the malicious charger. At this rate we'll never see a JB for iOS 7!

  • by Anonymous Coward

    You had me at "Apple's iOs has been known as a bastion of security for many years"...

  • I would imagine our government would be more interested in acquiring a secretly swapping it with one like killed that lady in China, or swapping with any political enemies that use an iPhone.
  • I'm sure this is intentional. That's why they're not fixing it until the next version, when they can implement a new backdoor that isn't so easy to find before onboarding the new clients (NSA). Same type of shit from Microsoft and Oracle delaying zero-days. "oh yeah we can fix this obtuse, barely exploitable and complex exploit in an emergency out of cycle release" "oh, but, no. this obvious out of bounds issue with a trivial sanity check fix with exploits in the wild that conveniently make investigators jobs

  • Do not buy anything except Steve Jobs' blessed chargers from Steve Jobs' blessed stores from Steve Jobs' blessed salesgeniuses.

  • http://it.slashdot.org/story/13/06/03/0312208/researchers-infect-ios-devices-with-malware-via-malicious-charger [slashdot.org] - "At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger..."

  • Back in 2009, I wrote on Slashdot [slashdot.org]

    Yes, I was in an airport recently, and there were power outlets with both AC and USB. The future is here.
    Yes, but how do you know it only provides power? It might also read or write whatever is plugged into it, install malware, steal your info, or whatever.

    We warned you. You didn't listen. Now suffer. Downside [downside.con]

  • by wonkey_monkey (2592601) on Friday August 02, 2013 @03:44AM (#44454355)

    [I]t's nifty that Apple is addressing the issue in iOS 7.

    How is that "nifty"? It's the least they should do. It's like Chris Rock's thing about all those parents who go round proudly proclaiming that "I take care of my kids!" You're supposed to take care of your kids!

  • If you cut all the wires in your charging cable except power and ground, will the device still charge?

    If so, transparent "USB extenders" that only have power and ground wires would let anyone charge anywhere without data risk (there would still be the risk of malicious over-voltage, but that's a different risk).

    If not, then future devices that charge over USB or other data+power cable should be built to charge with a "power-only, all other pins disconnected" cable.
