Black Hat conference demonstration shows a fresh route to subverting the popular iPhone
Apple, Inc.’s (AAPL) popular smartphone, the iPhone, has had its fair share of security struggles in the past. Researchers are preparing to unveil in a few months a new iOS exploit at the annual Black Hat security conference — to be held Sept. 10-12 in Las Vegas, Nev. The attack, like some past hacks, relies on flaws in transfer protocols in the joint proprietary data/charging USB connector. The researchers give things a new twist, though, demonstrating how this can be baked into a third party microcontroller, allowing for malicious peripherals.
The physical attack was developed by a trio of security researchers at the Georgia Institute of Technology — post-doctoral researcher Billy Lau, Ph.D candidate YeongJin Jang, and Ph.D candidate Chengyu Song. The “alarming” the physical-type attack is described in the abstract as:
In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple’s existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.
To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish. Finally, we recommend ways in which users can protect themselves and suggest security features Apple could implement to make the attacks we describe substantially more difficult to pull off.
The researchers seem to draw the name of their malicious charger from the scientific name for the iconic Southern Black Widow spider, L. mactans. The hack isn’t very price — the BeagleBoard used is a Texas Instruments, Inc. (TXN) development product which retails for around $45 USD.
The last major exploit found in the USB data transfer layer involved flaws in the backup processes. This allowed the “evasi0n” jailbreak, published in February to jailbreak iOS devices. Apple patched the flaw — which could also be exploited for malicious purposes — in the iOS 6.1.3 update that aired a month later in March.
The attack reportedly works on both the old and new style proprietary iPhone connectors, as it is firmware based. The attackers suggest that the supporting circuitry for the attack could be hidden in an external charger or battery, giving buyers of a malicious product a nasty surprise — a hacked iPhone. And a more sophisticated attacker could miniaturize them into even smaller form factors like cables.
The researchers contacted Apple about their findings but were rewarded with silence, according to a Forbes report.
Apple is notorious for a belligerent stance towards security professionals and a sluggish patching pace for security flaws, with some security firms suggesting it is ten years behind Microsoft Corp. (MSFT) in terms of security.