Georgia Tech security researchers have built a malicious charger that can inject persistent malware into current-generation iOS devices, compromising the gadgets in less than 60 seconds.
At the upcoming Black Hat 2013 conference in July, Billy Lau, Yeongjin Jang and Chengyu Song will present their creation, dubbed Mactans after the black widow spider’s Latin name.
“Apple iOS devices are considered by many to be more secure than other mobile offerings,” they said in the session write-up. “In evaluating this belief, we investigated the extent to which security threats were considered when performing everyday activities such as charging a device.”
The answer to that question appears to be “not at all.” The charger easily circumvents the Apple iOS defense mechanisms and allows an attacker to hide their software in the same way Apple hides its own built-in applications. “All users are affected, as our approach requires neither a jailbroken device nor user interaction,” the three said.
Worse, the three researchers admit that they quickly put Mactans together using a BeagleBoard, selected to demonstrate the ease with which "innocent-looking, malicious USB chargers" can be constructed. The BeagleBoard is a credit-card-sized open-source mini-computer that can be used for a range of ad-hoc computing builds.
“While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish,” they said.
The security researchers have disclosed the vulnerability to Apple, but won’t release full details until the conference presentation.
The moral of the story is clearly to better protect devices against the dangers of physical access – i.e., consumers should be suspicious of third-party and borrowed chargers. At the same time, phone and tablet-makers should recognize that USB ports and charging connectors are as real a vector for exploitation as spear-phishing and cross-site scripting attacks.
Cheap compromises via physical access seem to be a recurring theme at the conference: last year, Mozilla software developer Cody Brocious demonstrated a simple hack on locks from Onity, which owns 50% of the hospitality market, supplying more than 4 million locks in the US. He showed that the locks don’t encrypt their communications data, and the memory can be arbitrarily accessed, so it was a relatively easy process to tap in using a portable programmer – created with about $40 worth of commercially available hardware – to reverse-engineer the communications protocol.