A trio of researchers presented “Mactans: Injecting Malware into iOS Devices via Malicious Chargers” at Black Hat, demonstrating how an “iOS device can be compromised within one minute” after being plugged into a maliciously crafted charger. Until Apple patches the vulnerability that enables the exploit, every iPhone and iPad user is exposed, because the device does not need to be jailbroken for the attack to work. It takes advantage of an iOS flaw that allows the charger to pair with the device without any notification to the user.
Their proof-of-concept charger, dubbed Mactans, was built using a $45 BeagleBoard. As soon as an iOS device is plugged in, the fake charger captures the device's Unique Device Identifier (UDID). It then connects to Apple’s developer support website and submits that UDID to obtain a developer “provisioning profile” covering the device. With that profile the charger installs and launches an app of the attacker's choosing, without the user ever approving anything. GTISC associate director Paul Royal said, “Getting the UDID is trivial, and getting a provisioning profile is easy and automated.”
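The chain above hinges on a developer provisioning profile that names the victim's UDID, and that profile ships inside the injected app as embedded.mobileprovision. The following audit script is an added example (not the researchers' code or Apple's): it pulls the XML plist out of a profile blob, classifies the profile by the keys Apple uses (ProvisionedDevices, ProvisionsAllDevices, get-task-allow), and flags a development or ad hoc profile that explicitly lists the device being audited. The sample profile bytes are constructed for the example, and the plist is located by its <?xml ... </plist> markers rather than by verifying the CMS signature that wraps it, which is an assumption made to keep the example self-contained.

```python
"""Audit an embedded.mobileprovision for the developer-profile pattern a Mactans-style install leaves behind."""
import plistlib
from datetime import datetime, timezone

# Constructed sample of the XML plist payload inside a .mobileprovision (example data, not a real profile).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>AppIDName</key><string>Example App</string>
    <key>Name</key><string>Example Development Profile</string>
    <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
    <key>UUID</key><string>00000000-0000-0000-0000-000000000000</string>
    <key>ExpirationDate</key><date>2014-07-31T00:00:00Z</date>
    <key>ProvisionedDevices</key>
    <array>
        <string>0123456789abcdef0123456789abcdef01234567</string>
    </array>
    <key>Entitlements</key>
    <dict>
        <key>get-task-allow</key><true/>
        <key>application-identifier</key><string>ABCDE12345.com.example.app</string>
    </dict>
</dict>
</plist>
"""

# Constructed stand-in for the CMS (PKCS#7) wrapper: opaque bytes on either side of the plist payload.
SAMPLE_PROFILE = b"\x30\x82\x01\x00" + SAMPLE_PLIST + b"\x00" * 16


def extract_plist(blob: bytes) -> dict:
    """Locate the XML plist payload inside a signed profile blob and parse it.

    This does not verify the CMS signature; it only carves the plist out by its markers,
    which is enough for an offline audit of what the profile claims."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1 or end < start:
        raise ValueError("no XML plist payload found in profile blob")
    end += len(b"</plist>")
    return plistlib.loads(blob[start:end])


def classify_profile(profile: dict) -> str:
    """Return 'development', 'adhoc', 'enterprise' or 'appstore' from the profile's keys.

    App Store profiles list no devices; enterprise profiles set ProvisionsAllDevices;
    device-bound profiles carry ProvisionedDevices, with get-task-allow marking development."""
    entitlements = profile.get("Entitlements", {})
    if profile.get("ProvisionsAllDevices"):
        return "enterprise"
    if "ProvisionedDevices" in profile:
        return "development" if entitlements.get("get-task-allow") else "adhoc"
    return "appstore"


def audit_profile(blob: bytes, udid: str) -> dict:
    """Summarise a profile and flag it if it is device-bound and names the audited UDID."""
    profile = extract_plist(blob)
    kind = classify_profile(profile)
    devices = profile.get("ProvisionedDevices", [])
    targets_this_device = udid in devices
    expires = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    now = datetime.now(timezone.utc).replace(tzinfo=None)
    expired = expires is not None and expires < now
    return {
        "kind": kind,
        "name": profile.get("Name"),
        "team": profile.get("TeamIdentifier", []),
        "device_count": len(devices),
        "targets_this_device": targets_this_device,
        "expired": expired,
        # A dev/ad hoc profile that explicitly names this device is exactly what a Mactans-style
        # install produces; it is worth a closer look even though it can also be legitimate testing.
        "suspicious": kind in ("development", "adhoc") and targets_this_device,
    }


if __name__ == "__main__":
    report = audit_profile(SAMPLE_PROFILE, "0123456789abcdef0123456789abcdef01234567")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real device the blob to feed into audit_profile is the embedded.mobileprovision inside each installed app bundle; anything classified as development or ad hoc that names the device's own UDID, from a team the owner does not recognise, deserves the same scrutiny the researchers' hidden-Facebook demo would.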
In one demonstration of what an attacker could do remotely, the researchers plugged an iPhone 5 into the charger, hid the iPhone Facebook app and installed a malicious copy over it that launched before the legitimate “hidden” copy. The Mactans payload could be almost anything, from allowing “a remote attacker to make an unauthorized phone call from the iOS device” to taking “a screenshot whenever the user enters a password or other sensitive information.” Basically it turns an iOS device into a spy tool.
“Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” the researchers warned. "Our attack does not have root privileges, and our injected app stays inside of Apple's sandbox protection," stated Yeongjin Jang, a doctoral student at Georgia Institute of Technology. "You might think that nothing bad can happen when you have sandbox protection, but that's not true."
Georgia Institute of Technology researcher Billy Lau said, "We're almost certain this is going on in the wild. From an espionage standpoint, it's naïve to assume this isn't already going on.”
Apple fixed the security issue in the iOS 7 beta released to software developers, and the company has now said that the next software update will patch the hole for iPhone and iPad users.
Innocent-looking 'Wi-Fi router' is another way to get pwn’d
In much the same way that a person could fall victim to a Mactans-like device by “innocently” plugging in their device to charge at an airport, a network can be pwn’d by a device that looks like an ordinary power strip: the DARPA-funded Power Pwn. Pwnie Express has now surpassed the stationary Power Pwn, and the more mobile Pwn Pad, by devising a hacking tool disguised as a Wi-Fi router.
Under its innocuous exterior is a plethora of hardware and “software with teeth,” offering one-click “evil” penetration testing. It all “adds up to a fairly nasty surprise for a network on the receiving end.” According to Ars Technica, which got a sneak peek before the new device debuted at Black Hat, the Pwn Plug R2 is “a Linux-powered NSA-in-a-box, providing white hat hackers and corporate network security professionals a ‘drop box’ system that can be remotely controlled over a covert Internet channel or a cellular data connection.”