This news couldn't wait for the Black Hat conference happening now in Las Vegas. We reported in June that Georgia Tech researchers had created a charging station that could pwn any iOS device. The full presentation revealed precise details on how they managed it. I'm never plugging my iPhone charger into a USB port in a hotel desk again.

iOS Security

Billy Lau, a research scientist at Georgia Institute of Technology, led off with a review of iOS security. "Apple uses mandatory code signing to enforce their walled garden model," noted Lau. "No arbitrary person can install an arbitrary app. Who can sign an app? Only Apple and iOS developers."

Lau explained that the Georgia Tech team saw developer code-signing as possible channel into creating iOS malware. "We went to the developer portal, submitted our credentials, paid $99, and then we are approved," said Lau. "Now I can sign any app and run it on any iOS device."

Lau explained that Apple rejects apps based on rules that aren't entirely public. By examining rejected apps, the team determined that any apps using Apple's private APIs would be banned. He also pointed out that the iOS sandbox features and entitlement checks make sure an app can't attack another app, "in contrast to PCs, where such attacks are easy." The Mactans attack works around both of these safety limitations.

How Does Mactans Do It?

"Mactans challenges the very fundamental security assumptions that people make," said Lau. "In particular, people assume it's safe to charge the device and use it when charging." He continued, "I must emphasize that this is not a jailbreak, and it does not require a jailbreak. The attack is automatic; simply connecting the device is enough. It's stealthy. Even if the user looks at the screen there's no visible sign. And it can install malicious apps on the target device."

The Mactans prototype is a bit large, as it's based on a three-inch square BeagleBoard inside a three-d printed case. Lau noted that there are plenty of ways to make it smaller, or hide it inside something larger.

Yeongjin Jang, a PhD student at Georgia Institute of Technology, took on the task of explaining the details. It turns out that any device you connect with an iOS via the USB port can obtain your device's Universal Device ID (UDID), as long as the device isn't passcode-locked. It just takes a second, so if you plug in your device while it's unlocked, or unlock it while plugged in, or just don't have a passcode, Mactans can attack.

Using the UDID, it effectively claims your device as a test device using the team's Apple developer ID. "The iOS device must pair with any USB host that claims it," said Jang. "Any USB host that initiates contact, they cannot reject it. It doesn't ask the user's permission and gives no visual indication. The only way to prevent a Mactans attack is to lock your device before charging it and keep it locked for the entire time." Once accomplished, the pairing is permanent.

The team found an attribute that Apple uses internally to make apps hidden, so they don't show up on the screen or in the task manager. They leveraged this, along with access to the Apple private APIs, to create a Trojan that can take over the phone completely and invisibly. As a final (and alarming) demonstration, they showed a Mactans-pwned phone turn itself on, swipe open, enter the passcode, and call another phone. The audience cheered wildly (though perhaps a bit fearfully).

What Can Be Done?

Chengyu Song, a PhD student at Georgia Institute of Technology, detailed just what Apple should do to make this type of attack impossible. Apple actually invited the team to have a look at an early version of iOS 7. Silent, forced pairing with any host is what gives the Mactans attack a foot in the door. "We noticed that they have added a new feature," said Lau. "When you connect to a new host it will ask if the host is trusted."

However, that was the only good news. Song detailed a number of other changes that Apple would have to make in order to prevent attacks like Mactans.

Any current iPhone is vulnerable to this attack. The only defense is a very simple rule: don't plug your phone into a charger you don't own. If you do, you could find your supposedly-secure iOS device totally owned by malware. Even then, don't assume you're safe. As a parting shot, the team recommended a coming UseNix talk called "Jekyll on iOS" which will explain a non-hardware technique that lets an app bypass Apple's review.

Further Reading

Security Reviews