A new iPhone charger hack filled the tech news front pages Monday, as a group of security researchers at Georgia Institute of Technology prepare to showcase a new proof-of-concept technology they say could have a significant impact upon iOS users and the security of their personal data.
According to an abstract from the researchers upcoming Black Hat presentation, these malicious iPhone chargers they have created and dubbed "Mactans" will have the ability to install malware on a device without user consent, and then hide the installed apps so that the user is completely unaware their security has been compromised.
The iPhone "Mactan" charger utilizes an open-source single-board computer known as BeagleBoard. "This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed," the researchers noted.
"Apple iOS devices are considered by many to be more secure than other mobile offerings. In evaluating this belief, we investigated the extent to which security threats were considered when performing everyday activities such as charging a device. The results were alarming," the abstract reads.
The post goes on to explain that despite the "plethora" of security methods Apple currently utilizes this new iOS charger hack has been successful in injecting "arbitrary software into current-generation Apple devices running the latest operating system (OS) software."
Is The iPhone Charger Hack A Modified Jailbreak?
Of course in hearing this many who are familiar with the popular iOS hack known as "jailbreaking" which allows for unsigned code to be run on an iOS device, will assume this iPhone charger hack may just be another form of jailbreak.
And indeed, before long the tech world was afire with speculation about the what methods this new charger could actually be using, with some believing it's possible this new charger is nothing more than an ARM board utilizing a modified version of the recent evasi0n jailbreak.
The researchers have noted, however, that the method they use affects all users. "Our approach requires neither a jailbroken device nor user interaction." The abstract goes on to say that the iOS charger hack works on the most current version of iOS. Assuming these researchers are referring to iOS 6.1.4 then the theory that this hack is a modified version of evasi0n would mean that somehow the researchers had managed to find replacement vulnerabilities for 4 in evasi0n that were patched by 6.1.3.
Malware May Be Installed On iOS Devices, No Exploits Required
Though this is certainly a possibility, while discussing the topic with some security research acquaintances of mine, Jonathan Zdziarski and David Wang, they revealed their belief that a different process may have been used. Both Zdziarski and Wang are well acquainted with iOS security research as both have played seminal roles in iOS jailbreaks past and present.
Zdziarski is a former member of the iPhone Dev Team and was involved in the development of the very first jailbreak 1.0. He remained involved through the 3.1.3 jailbreak. He now works as a Sr. Forensic Scientist at viaForensics and goes by the Twitter handle @JZdziarski.
David Wang most known by his Twitter handle, @planetbeing, is also a member of the iPhone Dev Team and has extensive experience with hacking iOS, having been involved in nearly every jailbreak made -- the most recent and notable being the Evasi0n 6.0-6.1.2 untethered jailbreak. To date, roughly 14 million iDevices have been jailbroken by Evasi0n.
Though many around the web have speculated this new iPhone charger hack involves some sort of new exploit(s), in speaking with these men, each suggested that the process might not involve any exploits at all.
In fact, it's possible the new iOS charging hack uses nothing more than a natural process in the iOS system, and if this is the case, then the new iOS charger hack may be a bit of a throwback to something that caused a sensation a couple years ago at a 2011 DefCon conference. That process would be a little something called "juice jacking", which Zdziarski points out, makes malicious use of device pairing without the user's knowledge or consent.
What is Juice Jacking or Pairing?
Juice jacking was first featured two years ago at a DefCon conference where Brian Markus, president of Aires Security, along with fellow researchers Joseph Mlodzianowski and Robert Rowley built the charging kiosk dubbed the "Wall of Sheep," to teach attendees about potential risks in charging or "juicing up" their devices at any given power station. Once connected to the charging station, it soon began extracting users' sensitive data and information.
Just as the researchers from Georgia Institute of Technology assert, this process can take place within a matter of seconds and without consent or interaction by the user.
How is this possible without some kind of jailbreak-like exploits you might ask? David Wang was the first one to enlighten me on the process.
"I would guess that it [iPhone charger hack] has nothing to do with ... any sort of hardware-specific exploit at all. It sounds like they're using the same protocols as iTunes to install an app on the device and hide it. (Hiding it is actually pretty easy) ... [This] can be done without any sort of exploit at all if you had an enterprise deployment certificate, but I'm not sure as I've never had an enterprise development certificate and I'm not sure if a provisioning profile associated with one can be installed without user intervention on the device. However, based on my experience with ad-hoc deployment ... with a developer account, you can install a provisioning certificate, install an app, and launch an app on a device all without actually touching the device, merely through Xcode. And whatever Xcode can do, they can make something to emulate ... however [if a developer account was used] they'd have to manually register any device they're targeting with Apple as a developer device, though I suppose they could do that automatically, up to the 100 device limit."
Taking my understanding further however, Jonathan Zdziarski pointed me to a blog post he had created Monday which extensively explains and defines this process of "juice jacking" along with the potential risks for those who use one of these iPhone charger hacks. Here is an except from that piece:
"You know that saying that you've slept with every partner that your partner has ever slept with? The same is true of your iPhone ... If you're not familiar with how pairing works on your iPhone or iPad, this is the mechanism by which your desktop establishes a trusted relationship with your device so that iTunes, Xcode, or other tools can talk to it. Once a desktop machine has been paired, it can access a host of personal information on the device, including your address book, notes, photos, music collection, SMS database, typing cache, and can even initiate a full backup of the phone. Once a device is paired, all of this and more can be accessed wirelessly at any time, regardless of whether you have Wi-Fi sync turned on. A pairing lasts for the life of the file system: that is, once your iPhone or iPad is paired with another machine, that pairing relationship lasts until you restore the phone to a factory state."
How Pairing Works
The interesting thing about pairing is, that it's actually a pretty simple process. It utilizes actions iOS devices are naturally meant to perform.
We've all plugged our iPhones into our computers before and know how the device automatically begins syncing with iTunes without user consent. This process happens because upon an iOS device connecting to it, a desktop computer automatically creates a private key and certificate. The iOS device then hands its public key over to the computer to begin a secure session on the device. The computer then signs the device's public key, and hands over a signed certificate completing the setup of a secure session -- and wham, bam, thank you ma'am, the two are paired.
According to Zdziarski, "any time you plug your iOS device into another computer, this trusted pairing relationship gets automatically created within seconds".
So what are the implications of a device being paired with a computer possibly like the one that makes up the new iOS charger hack? Plenty, for those who carry any amount of sensitive data on their iOS device.
Why Pairing Should Concern You
Once a paring takes place, the computer with which the device has been paired has a significant level of access to any or all of the personal data on a device which, according to Zdziarski, malicious pairing has a number of "frightening" implications.
1. Pairing is Quick: Though it takes place over USB, it takes only a matter of seconds and, unless you have "Require Passcode" set to "Immediate" it can happen anytime the device is connected to the "charger."
2. Pairing Lasts Until Restore: Once any device has paired with your phone, that pairing record stays on your device until you restore the phone.
3. Pairing Equals Ownership: After a device is paired with your phone can access everything on that phone over either USB or Wi-Fi regardless of whether or not you have Wi-Fi syncing turned on. This means that a hacker only needs a couple of seconds to pair with your device, and can then later on download all of your personal information off of the phone indefinitely if they can reach it over a network.
4. Wireless Attacks Now Possible: Besides being able to download data from your phone wirelessly, a hacker can take advantage of your phone's "known wireless networks" to force your phone to join their network when you're within range, and attack the phone wirelessly. This is due to iOS default behavior to automatically join networks whose name they've seen before.
5. Firewalls And Encryption Susceptible To Attack: Once paired with your device, hackers may be able to skirt a carrier's firewall, and connect to your phone via a cellular connection. In addition, once pairing takes place, there are numerous back doors attackers can use to download personal information from your device even with backup encryption turned on, locked or unlocked.
This pairing could potentially happen in places you might never expect. Outside of the kiosk charger example, it could also take place when plugging in to a hotel clock radio that has been tampered with. Any place your iPhone can connect through USB, you are potentially at risk.
How to Avoid Malicious Pairing on Your iOS Device
The extent of what harm can be done if a device is paired with malicious intent is not entirely known. As David Wang commented concerning the new iOS charger hack, "it will be interesting to see if they can bypass the requirement for an enterprise deployment certificate and if they can, have the app break out of the sandbox to do actual serious damage."
Still, even without the ability to break out of the sandbox, any malware that gets installed on the device could potentially use such a pairing record to get personal data that normally wouldn't be privy to the sandbox environment -- and if a developer is skilled enough, unapproved iOS apps have the ability to run in the background as well.
Of course, there are a couple solutions to this problem of unwanted pairing. One is to avoid "juicing up" or connecting to an unknown charging dock of any kind.
Another way, for those who have an iOS jailbreak on their iPhone is to utilize a tool Zdziarski recently wrote called pairlock, which allows a jailbroken iOS device to lock and unlock the device's pairing capabilities. The utility is free and can be downloaded from the given link.
Like this article?