Billy Lau and Yeongjin Jang from Georgia Institute of Technology have presented a demo at Black Hat of a way of stealthily compromising iPhones and other iOS devices with gimmicked chargers. The device needs to be unlocked, either because it has no unlock code to begin with or because the user unlocks it after plugging in, but apart from that, the malicious charger can compromise any iOS device.
Using the UDID, it effectively claims your device as a test device using the team’s Apple developer ID. “The iOS device must pair with any USB host that claims it,” said Jang. “Any USB host that initiates contact, they cannot reject it. It doesn’t ask the user’s permission and gives no visual indication. The only way to prevent a Mactans attack is to lock your device before charging it and keep it locked for the entire time.” Once accomplished, the pairing is permanent.
The team found an attribute that Apple uses internally to make apps hidden, so they don’t show up on the screen or in the task manager. They leveraged this, along with access to the Apple private APIs, to create a Trojan that can take over the phone completely and invisibly. As a final (and alarming) demonstration, they showed a Mactans-pwned phone turn itself on, swipe open, enter the passcode, and call another phone. The audience cheered wildly (though perhaps a bit fearfully).
Black Hat: Don’t Plug Your Phone into a Charger You Don’t Own [Neil J. Rubenking/PC Mag]
(via Hacker News)