Thursday, 1 August 2013

Black Hat: Researchers exploit iPhone flaws with charger attack

LAS VEGAS: A trio of university researchers have developed a method for infecting iOS devices through the Apple power port.
Posing as a charger device, the Mactans proof-of-concept is able to pair with an iOS device, gain access to heightened privileges and install both hidden and visible applications onto the targeted device through a USB connection.
Researchers Billy Lau, Yeongjin Jang and Chengyu Song of the Georgia Tech Information Security Center said that their device, and the exploit it is based on, preys upon a set of basic security flaws in the way Apple handles peripheral connections, device pairing and developer access on the iOS platform.
The attack is launched when the iOS device is plugged into the Mactans and unlocked. The Mactans, which was built using a BeagleBoard microcomputer, then uses the USB link to pair with the device, install a developer-provisioning profile, and begin loading applications onto the iOS device without any user warning or notification.
According to the researchers, the device is able to take advantage of a flaw in pre-iOS 7 versions, which pair the device without ever notifying the user. The Mactans then lifts the device's unique device identifier (UDID) and uses the information to authorise the installation of a “provisioning profile”, a component intended for developer use, which allows for additional privileges usually walled off from iOS apps.
With the heightened access, the Mactans is able to perform tasks such as remotely controlling the device or hiding applications. In one demonstration, the attacker was able to hide the iPhone Facebook application and install a malicious copy in its place. The malware executed its task, then launched the legitimate “hidden” copy of Facebook, leaving the user none the wiser.
The trio said that possible scenarios for infection in the wild could include disguising the Mactans as a free charger in public spaces, or porting the software and attack techniques to PC or OS X malware infections and executing attacks when the device is synched.
Apple customers will be given some reprieve as the company will address the USB pairing issue in iOS 7 by asking users to verify all attempted pairings. The three researchers, however, noted that additional holes remain, including flaws in the way provisioning profiles are issued and a lack of tools to detect suspicious or potentially abusive activity on developer profiles.
