Wednesday, 13 November 2013

iPhones can be hacked while charging


ATLANTA — Apple's iPhone has won praise over its resistance to hackers, but university researchers have revealed you can still be vulnerable.
The risk comes when using public USB chargers, says Billy Lau, a Georgia Tech research scientists.
Lau and his team, at Georgia Tech's Security Information Center, made a malicious app look like Facebook and hid the malware code to get an initial security certificate.
After gaining Apple's initial approval for testing, the app was downloaded to an iPhone. Like Lau, hackers could now introduce the app to an iPhone through public USB chargers, disguised as a normal iPhone or iPad charger, connected to a hidden computer.
Lau says nothing will happen, as long as you don't unlock your password protected phone, while it's charging.
"If it's unlocked even for a second or less than a second, the attack commences," Lau pointed out.
When they unlocked the phone for the demonstration, the Trojan app went to work.
A minute later, he launched what looked like the Facebook app on the phone but it was their Trojan app that took over, allowing him remote control of the phone, seeing everything the user could see, passwords and all. He was able to remotely make a call from the phone and had the ability to eavesdrop on one.
"The possibilities are really endless. It can steal your banking credentials," Lau said.
The solution - don't unlock your phone while charging at a public charging station. Apple has also updated its software to warn you about plugging into unknown USB public charging stations, asking first, if you trust it.
Okay, you've plugged into a public USB charger before and want to be sure you're not compromised. What do you do?
"You go to settings, then you need to go into general and then you need to search for the profiles," Lau demonstrated.
If you see an unknown profile running on your phone you could have been hacked. If it's a company iPhone, you should check with your IT folks to see what profiles are legitimate.
Georgia Tech reached out to Apple to get this fixed. We should also point out, the researchers say their malicious app wouldn't survive Apple's full review process, in order to be available in its app store, even though it got initial testing approval.

No comments:

Post a Comment