

Injecting malware into iOS devices via malicious chargers - klausa
http://www.blackhat.com/us-13/briefings.html#Lau

======
adlpz
As people commented on Reddit, this is not significantly different from any
jailbreak using a computer. This is USB we are talking about, and the
_malicious charger_ in this case is a full-featured Linux computer.

So yes, they are installing unsigned software through USB on an iPhone by
plugging it into a USB socket in a computer. That is just normal jailbreaking,
and has been done forever, hasn't it?

~~~
caseysoftware
I think the big difference here is that people willingly plug their phones
into the airport kiosk chargers, share chargers, use car-based usb plugs, and
generally don't even think of it as an attack vector.

On another note, I've been _amazed_ by the number of people who let others
plug phones into their computer for a quick charge.

I'll let people borrow my wall charger if I'm sitting there but _no one_ plugs
anything into my computer.

~~~
unimpressive
>no one plugs anything into my computer.

I believe the same, including vice versa for that matter. (That is, I would
never plug a phone into somebody's computer.)

------
blinkingled
>All users are affected, as our approach requires neither a jailbroken device
nor user interaction.

That's the bad part! Somebody screwed up big time if the package manager does
not insist on user permission for installs that are initiated without a proper
authentication token. (Google does this for app installs from the store over the
Internet - but you and your device both obviously need to be logged in to your
Google account for that to work.)

~~~
micampe
From the same page:

 _> The vulnerability involves discrepancies in how Android applications are
cryptographically verified & installed, allowing for APK code modification
without breaking the cryptographic signature; that in turn is a simple step
away from system access & control._

Bugs happen.

~~~
blinkingled
> (Bugs happen)

Yeah that's the point - having a closed device doesn't magically make it more
secure. FTA -

> Apple iOS devices are considered by many to be more secure than other mobile
> offerings.

Also the Android bug is a different class - the vulnerability description
doesn't really say what is required to be able to modify the APK in transit,
which is key to being able to exploit the bug. From the sparse description it
sounds like somebody needs to do an SSL MITM or the user needs to install an
APK from an untrusted source and get fooled into thinking that since its signature
matches it must be from the original author. (Just to be sure, failing to
detect APK modification is horrible, but whether or not it is easily
exploitable is a different thing altogether.)

In the iOS charger case - it's clear that it's just a matter of plugging your
device into a malicious charger.
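
The "verified one way, installed another way" class that the quoted Black Hat description and the exchange above are arguing about is easier to reason about with a concrete instance in hand. The following is an added example, not code from the page, from the talk, or from Android: it models one known instance of this class, an APK (a ZIP) carrying two entries with the same name, where a verifier that resolves the first copy and an installer that resolves the last copy see different code while the signed digests all still match. The quoted description does not name the mechanism, so read this as an illustration of the class, not a description of the specific bug. The manifest/signature is reduced to a table of SHA-256 digests, the `classes.dex` contents are constructed byte strings, and the function names are this example's own.

```python
import hashlib
import io
import warnings
import zipfile

# Constructed sample contents standing in for a real classes.dex.
BENIGN_DEX = b"benign classes.dex"
MALICIOUS_DEX = b"malicious classes.dex"


def build_apk(benign: bytes, malicious: bytes) -> bytes:
    """Build a ZIP (APK) that contains two entries with the same name.

    The first copy is what the author signed; the second is the attacker's.
    zipfile writes both entries but emits a UserWarning about the duplicate.
    """
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", UserWarning)
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("classes.dex", benign)
            zf.writestr("classes.dex", malicious)
    return buf.getvalue()


def entries(apk: bytes) -> list:
    """Every (name, data) pair in central-directory order, duplicates included.

    Opening by ZipInfo rather than by name reads each entry at its own offset,
    so both copies are returned.
    """
    out = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for zi in zf.infolist():
            with zf.open(zi) as f:
                out.append((zi.filename, f.read()))
    return out


def first_wins(apk: bytes) -> dict:
    """Model of a verifier that keeps the first entry it sees for a name."""
    seen = {}
    for name, data in entries(apk):
        seen.setdefault(name, data)
    return seen


def last_wins(apk: bytes) -> dict:
    """Model of an installer that keeps the last entry it sees for a name."""
    seen = {}
    for name, data in entries(apk):
        seen[name] = data
    return seen


def sign_manifest(files: dict) -> dict:
    """Stand-in for the signed manifest: name -> SHA-256 of the signed bytes."""
    return {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}


def verify(apk: bytes, manifest: dict) -> bool:
    """Verifier: resolves names first-wins and checks digests against the manifest."""
    view = first_wins(apk)
    return set(view) == set(manifest) and all(
        hashlib.sha256(view[n]).hexdigest() == manifest[n] for n in manifest
    )


def install(apk: bytes) -> dict:
    """Installer: resolves names last-wins, i.e. a different parser than verify()."""
    return last_wins(apk)


def verify_strict(apk: bytes, manifest: dict) -> bool:
    """Hardened verifier: refuse any archive with duplicate names before
    checking digests, so verifier and installer can only ever resolve one file."""
    names = [n for n, _ in entries(apk)]
    if len(names) != len(set(names)):
        return False
    return verify(apk, manifest)


def demo() -> dict:
    manifest = sign_manifest({"classes.dex": BENIGN_DEX})  # what the author signed
    apk = build_apk(BENIGN_DEX, MALICIOUS_DEX)              # what the user receives
    return {
        "signature_ok": verify(apk, manifest),      # True: verifier saw the benign copy
        "installed": install(apk)["classes.dex"],   # the attacker's copy is what runs
        "strict_ok": verify_strict(apk, manifest),  # False: duplicates are rejected
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes about exploitability is the one the thread is circling: the signature check is not wrong about the bytes it hashed, it is wrong about which bytes the installer will use, so the fix is to make the two sides parse identically (or, as `verify_strict` does, to reject the ambiguous archive outright) rather than to strengthen the cryptography. Delivering the modified APK still requires getting it onto the device, which is the other half of the argument above.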

~~~
micampe
Or I can put an APK on the store or on XDA with the exploit already in it.

~~~
blinkingled
What would that accomplish? User will still need to find your APK, trust you,
want your APK for some reason and then install it. Here you are relying on
high level of user stupidity. It's not like this bug allows you to login to
some other developer's account and replace the original APK.

------
kens
The potential for injecting malware via chargers was described in 2011 at
DefCon, although it looks like they didn't actually infect devices.

<http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/>

------
pinko
Seems like it might be handy to travel with a tiny "USB sanitizer" dongle that
simply passes through power and not data. Does such a thing exist?

Edit: not quite a dongle, but something like <http://amazon.com/dp/B009W34XMM>
should fit the bill, no?

Edit 2: <http://amazon.com/dp/B0042LF23I> looks exactly right, although build
quality appears to be an issue.

~~~
jonknee
That would be trickier with Apple's proprietary adapter since the pins are
dynamic.

~~~
pinko
I don't understand. As long as the extension passes power through, it
shouldn't matter if the other end of the cable you plug into them is a dock or
Lightning connector, right? The reviews seem to indicate as much, since people
report success charging iPads with them.

~~~
jonknee
Ah, I thought you meant a pass-through connector you would plug into your
phone.

------
npsimons
_Apple iOS devices are considered by many to be more secure than other mobile
offerings._

This sounds like weasel words (e.g., "some people believe"), and even if it's
true, why does this misconception exist?

~~~
freehunter
Because Android allows a hell of a lot more access with their apps than iOS
does. iOS aims for extremely locked-down security, Android aims for more
openness.

------
bretpiatt
Rather than using for evil, this sounds like an unpublished API that can be
used to side load apps without needing to jailbreak the device. Excited to
learn more.

~~~
ryanpetrich
So far as I can tell, this uses the standard method for sideloading apps via a
provisioning profile, but speaks iOS's USB device protocol directly
instead of relying on the MobileDevice libraries from Apple.

~~~
eridius
Oh, that's it? That's not really news, then. How are they hiding it from the
user though? I would expect that would require modifying and restoring the
SpringBoard plist to the device, but surely the user will notice if their
phone goes into a restore session.

------
JDGM
If I understand the page correctly this is a description of a talk that will
be presented in just under 2 months.

What happens in this situation? Would Apple try to get them not to give the
talk? Will Apple patch the problem in the meantime? Does anyone get sued?

~~~
freehunter
Apple could try, but there's no reason they couldn't give the talk. Apple
could patch the problem, that's a possibility. Why would anyone get sued? It's
completely legal for a security researcher to test their own devices. These
guys aren't exploiting people on a widespread basis, they're researchers
presenting a new exploit. That's what the Black Hat conference is all about.

~~~
JDGM
I don't know anything about the law, I just assumed that this kind of thing
isn't something big companies really want being spread around and I've gotten
used to living in a world where legal action or at least the threat of it is a
default response. Good to hear it's not like that in this situation!

------
icpmacdo
This seems like a genius idea.

