iPhone Hacked In Under 60 Seconds Using Malicious Charger 170
DavidGilbert99 writes "Apple's iOs has been known as a bastion of security for many years, but three researchers have now shown iPhones and iPads can be hacked in just under 60 seconds using nothing more than a charger. OK, so it's not just a charger — but the Mactans charger does delete an official app (say Facebook) replacing it with an official-looking one which is actually malware which could access your contacts, messages, emails, phone calls and even capture your passwords. Apple says it will fix the flaw, but not until the release of iOS 7, the date of which hasn't been confirmed yet. So watch out for chargers left lying around ..."
(For less in the way of auto-playing video ads with sound, check out the Mac Observer's take, which concludes "[I]t's nifty that Apple is addressing the issue in iOS 7. We'd also like to see it fixed in iOS 6. Apple has historically seen iPhone users upgrade to the newest version iOS in staggeringly high numbers, but eliminating this problem across the board seems the wiser choice.")
Re:Why can't Iphone / ipad have usb port for charg (Score:5, Informative)
Re:Jailbreak exploit opportunity (Score:5, Informative)
Re:Translation: (Score:2, Informative)
In the 2011 Pwn2Own contest, Charlie Miller and Dion Blazakis "PWND" the Iphone 4 using a mobile Safari vulnerability.
Apple is almost always a loser at the Pwn2Own events.
Bastion of security? (Score:4, Informative)
I'm sorry, but if every version of your OS is trivially jail-breakable (with, for example, exploits that amount to root privilege escalation by simply visiting a web page on the device's browser), you are NOT a bastion of security.
You can argue that Apple does a better job of "securing" their app store than Google does, but that doesn't make the devices themselves any more secure. Just because something trivially exploitable hasn't been exploited (that you know of ... yet) doesn't make it secure.
--Jeremy
Quite misleading (Score:5, Informative)
The charger is a mini linux machine what needs to use an apple developer account to dynamically add the devices UDID to the developer portal.
It then signs the malicious app and installs it.
It takes advantage of ad-hoc distribution and would require a new Apple developer account every 100 devices.
The only real mastery of this hack is that it can be concealed to look like a charger due to the small footprint of the linux PC. Otherwise, I could do the same thing with physical access to the phone.
Still, a fun wee hack and novel approach.
Re:Jailbreak exploit opportunity (Score:4, Informative)
Interestingly, for the hack these guys created to work, the attacker must have a valid developer's license, and the target iOS device must already be jailbroken. The first bit allows them to query Apple's dev site for the debug key for your specific iOS device; the second is required to get the loaded software to actually run on the device.
HOWEVER, the same technique can be used to read all data available in userspace on the phone, so improperly stored passwords, plus all other app data and configuration data could be grabbed in this manner.
If Apple can fix this in iOS 7, I'm expecting the jailbreak community to create a fix (that will be loaded as part of the jailbreak process) in short order. Something similar to bluetooth pairing for debug and filesystem access would be an extremely good idea, plus it would close a number of outstanding attack vectors in iOS devices, not just the ones presented.
Re:Why can't Iphone / ipad have usb port for charg (Score:5, Informative)
A lot of iDevice users believe the fancy ports are better than standard USB ports when in fact they both do the same thing.
Why are so many people so ignorant on this point?
http://en.wikipedia.org/wiki/Dock_connector#30-pin [wikipedia.org]
It contains controls, audio and video, as well as data & charging like USB.
Re:The Internet of Things... (Score:5, Informative)
Apple's iOs has been known as a bastion of security for many years
Uh, what? The fuck it has.
That had me chuckling as well.
Remember when you could visit a website [jailbreakme.com] to "slide to jailbreak"
from right inside the web browser?
Re:Why can't Iphone / ipad have usb port for charg (Score:5, Informative)
iOS uses signing too. The hack described here reads the phone's UID, signs it with an Apple dev key, and then pushes it to the phone. It requires communication with Apple servers and can be used on at most 100 devices before it's automatically disabled.
It's a slightly different style of attack than would be used on Android phones, but in terms of public vulnerability it's not really a different threat level.
Re:Jailbreak exploit opportunity (Score:5, Informative)
No, it doesn't require the phone to be jailbroken. It does, however, require the attacker to have a paid Apple Developer account with a valid credit card, and it digitally signs all the malware with that developer's information, and limits the total number of devices ever attached to that account to 100 without calling Apple and requesting a reset, and requires the attacking "charger" device to be online at the time of the attack. It also requires the phone to not be in its lock screen, so for it to work you have to manually unlock it and type in your passcode while it's plugged in.
So it's pretty much a proof-of-concept attack that's not very practical yet, but could probably have been built upon if Apple hadn't already put a fix into the version of the OS coming out soon which, if history is a guide, 90%+ of the iOS installed base will be on in a few months.
The Real POwn (Score:3, Informative)
Pwn2Own 2010: iPhone 3GS compromised via bypassing code signing; Nexus One not compromised.
Every year Android has existed: 99% of viruses on Android [kaspersky.com].
Reality totally contradicts the picture you are trying to point. Android far more secure: Odd then it has ALL of the viruses/trojans/malware. Apple disliking jailbreaking: odd then that jailbreaks come out with great regularity after every new OS or device release (but mostly tethered) and Apple hires jailbreak developers to work on core systems sometimes...
Your hatred is blinding you to reality.
Re:"Bastion of security" (Score:4, Informative)
Wow, that remote exploit was for iOS 4, an OS that shipped in 2010-2011. There's only one phone stuck on iOS 4 - the iPhone 3G - everyone else is able to run a higher version.
Yes, I suppose if one is used to Android, they would think a ton of people still use iOS 4, but no. After all, iOS 4 came out around the time of Gingerbread, which is still used by a third of Android phones.
Of course, iOS 6 has proven to be EXTREMELY difficult to compromise. It took 6 months before the first jailbreak came out (for 6.1.0) and a bunch of critical flaws were discovered including unlock screen flaws, resulting in 6.1.1, 6.1.2 and the current version of 6.1.3.
Unfortunately, 6.1.3 closed the flaw the jailbreaking flaw and no new one has been found since. Old devices have tethered jailbreaks for 6.1.3 but that's it. New ones like the iPhone 5 and iPad 4 ... no jailbreak exists.