
Researcher: Fake USB chargers could hack into iPhones

You're waiting at the airport and topping up your iPhone at a public USB charging station. What if that innocent little plug was hacking into your iPhone and installing malicious software? Billy Lau, a research scientist at Georgia Institute of Technology, told attendees at the Black Hat security conference in Las Vegas that it's possible, though there's no evidence that anyone has actually tried to create an evil USB plug.

Lau told the conference that while no "arbitrary person" can install an application onto your iPhone, a "Mactans"—a tiny computer housed inside a charging station—can work around Apple's safeguards. "[This] challenges the very fundamental security assumptions that people make," Lau told attendees. "The attack is automatic; simply connecting the device is enough. It's stealthy. Even if the user looks at the screen there's no visible sign. And it can install malicious apps on the target device."

Once you plug in your iPhone, the Universal Device ID (UDID) can be extracted as long as the device doesn't have a passcode unlock. The Mactans then claims your device as a test subject with any validated Apple developer ID, and you can't reject it, since it doesn't ask for your permission or offer any visual evidence that anything is going on in the background.

This is all made possible by a particular option that enables iOS developers to keep apps hidden, which is how the team at Georgia Tech were able to discreetly take over the device. The Mactans then has full access to the operating system.

So is that USB port at the airport trying to hijack your iPhone? Almost certainly not. These security researchers set out to demonstrate the types of malware that are theoretically possible at a time when people are becoming more careless about how and where they charge their phones. And Apple told Reuters that it has fixed this particular security flaw in iOS 7, due for release this fall, by adding a warning when you attach an iPhone to any device that's trying to do more than charge your phone. In the meantime, maybe just limit your iPhone charging to your own power adapters?
