Researcher: Fake USB chargers could hack into iPhones

Attendees at Black Hat security conference discover Trojan that enters infiltrates once you plug in.

You're waiting at the airport and topping up your iPhone at a public USB charging station. What if that innocent little plug was hacking into your iPhone and installing malicious software? Billy Lau, a research scientist at Georgia Institute of Technology, told attendees at the Black Hat security conference in Las Vegas that it's possible, though there's no evidence that anyone has actually tried to create an evil USB plug.

Lau told the conference that while no "arbitrary person" can install an application onto your iPhone, a "Mactans"--a tiny computer housed inside a charging station--can work around Apple's safeguards. "[This] challenges the very fundamental security assumptions that people make," Lau had told attendees. "The attack is automatic; simply connecting the device is enough. It's stealthy. Even if the user looks at the screen there's no visible sign. And it can install malicious apps on the target device."

Once you plug your iPhone, the Universal Device ID (UDID) can be extracted just as long as the device doesn't have a passcode unlock. The Mactans then claims your device as a test subject with any validated Apple developer ID and you can't reject it since it doesn't ask for their permission or offer any visual evidence that there's anything going on in the background.

This is all made possible by a particular option that enables iOS developers to keep apps hidden, which is how the team at Georgia Tech were able to discreetly take over the device. The Mactans then has full access to the operating system.

So is that USB port at the airport trying to hijack your iPhone? Almost certainly not. These security researchers set out to demonstrate the types of malware that are theoretically possible in a time when people become more careless about how and where they charge their phones. And Apple told Reuters that it's fixed this particular security flaw in iOS 7, due for release this fall, by adding a warning when you attach an iPhone to any device that's trying to do more than charge your phone. And in the meantime, maybe just limit your iPhone charging to your own power adapters?

Join the CSO newsletter!

Error: Please check your email address.

Tags Appleconsumer electronicsGeorgia Institute of Technologyblack hatsecuritysmartphonesiPhone

More about AppleGeorgia Institute of TechnologyReuters AustraliaTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Florence Ion

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place