

Don't Plug Your Phone into a Charger You Don't Own - vinhnx
http://securitywatch.pcmag.com/hacking/314361-black-hat-don-t-plug-your-phone-into-a-charger-you-don-t-own

======
msy
I'd pay decent money for a small, neat little power-only USB
passthrough/condom for peace of mind. Hotel clocks, planes, there's all sorts
of places I'd like to charge my phone and every time it feels like a risk.

~~~
voltagex_
I'd pay decent money for a small, USB adapter with the ability to swap the
pins (for international travel) and a guarantee that it would reach at least
1.8A and 5V.

~~~
nwh
You pretty much just described the Apple charger. 10W, with multiple
duckheads, will take any voltage and has the option to plug any standard
figure 8 cable in if you have one lying around.

~~~
voltagex_
I'm so conflicted right now... I don't own any other Apple gear.

~~~
kirubakaran
Use this instead: Amazon Charger (usually shipped with a Kindle)

[http://www.amazon.com/dp/B005DOK8NW/](http://www.amazon.com/dp/B005DOK8NW/)

~~~
jlgreco
I believe those are 5 watts. That is the kind I've gotten with my e-ink Kindles,
but my Kindle Fire came with a different charger that I believe is 10 watts.
I don't have any of them on me at the moment to check though.

~~~
mh-
the product name is

    Amazon 5W USB Charger

~~~
jlgreco
Ha, so it is. I only glanced at the picture.

------
joshuahedlund
> It turns out that any device you connect with an iOS via the USB port can
> obtain your device's Universal Device ID (UDID), as long as the device isn't
> passcode-locked

> The only defense is a very simple rule: don't plug your phone into a charger
> you don't own

These statements seem contradictory to me, unless I'm missing something.
Shouldn't it be, "don't unlock your phone while it's plugged into a charger
you don't own"? Or are they saying there are still vulnerabilities without the
charger getting access to the UDID?

~~~
vinhboy
This part also makes this a bit confusing: "As a final (and alarming)
demonstration, they showed a Mactans-pwned phone turn itself on, swipe open,
enter the passcode, and call another phone."

So can they attack a passcode protected phone or not?

Also, shouldn't this be one of those bugs they let Apple fix first BEFORE they
talk about it?

~~~
deveac
I understood it that the initial attack vector required the target device to
be unlocked. Once the malicious code was installed, the attacker could then
gain complete control, including passcode unlock.

------
stevenrace
Paper: [https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting...](https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf)

Slides: [https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting...](https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-Slides.pdf)

------
nwh
You could alternatively use a USB condom; just a cable with the data lines
completely removed.

(Well, for an iPhone they'd need to be tied together with a resistor in the
other end, but the idea is still the same.)

~~~
voltagex_
Isn't that closer to a USB vasectomy? (not a sentence I thought I'd ever
write)

~~~
StavrosK
It... actually is pretty much that.

------
jgrahamc
I was on a BA Boeing 777 the other day and the seat back entertainment system
had a USB socket on it for me to plug in my own device.

All I could think was (a) why would I do that? and (b) that looks like a
security vulnerability.

~~~
senorprogrammer
Most IFE systems are air-gapped from flight control systems, if that's what
you're worrying about.

~~~
Robin_Message
Most? Now I am worried.

~~~
arjunnarayan
The new 787 isn't, ostensibly to save weight.

And now I'm on some watchlist somewhere.

------
616c
It is interesting because there was concern about rooted phones, especially
for people like me, because I left ADB debug mode on. For the uninitiated,
this USB bridge is like a serial connection that can, among a lot of things,
open a terminal on the device.

The newest versions of ADB mode in Android have settings to address this. But
at the time this was a big deal in the Android community (or I should say
XDA), one recognized dev developed an app for it.

[https://play.google.com/store/apps/details?id=com.stericson....](https://play.google.com/store/apps/details?id=com.stericson.adbSecure&hl=en)

I am glad all phone platforms are getting wise to these things.

------
xedarius
I knew there was a good reason Xcode kept telling me it couldn't launch my app
as the device was locked. So unless I missed something, if the device is
locked this hack doesn't work.

~~~
yannyu
As laid out in the article:

It turns out that any device you connect with an iOS via the USB port can
obtain your device's Universal Device ID (UDID), as long as the device isn't
passcode-locked. It just takes a second, so if you plug in your device while
it's unlocked, or unlock it while plugged in, or just don't have a passcode,
Mactans can attack.

------
elif
This title is a bit misleading.

It should be 'don't plug your iPhone into a charger you don't own'.

The other 90% of us are unaffected by this hack.

~~~
valleyer
Your implicit comment that the link only points out an iOS vulnerability is
correct, but don't you think it's good advice generally?

------
Someone
Why only those you don't own? For all I know, the North
Koreans/Mossad/NSA/Chinese government/... (Pick whoever you want as the
villain) could have planted this functionality in every USB adapter
Apple/brand X (pick whoever you feel could fall for this) sells.

~~~
biafra
IIRC the adapter would need internet access to add your device's UDID to the
certificate.

Unless they use an enterprise signing certificate.

------
DavidWanjiru
Instead of carrying a power pack or USB condom and what not, isn't it just
easier to carry the charger you trust? After all, it's the untrusted charger
you want to avoid, no?

------
cjrp
A few of these plugged in at airport boarding areas with a "For your
convenience" sign would be very successful.

------
molbioguy
I thought developer accounts were limited to 100 test devices per year. Does
this get around that limit?

------
danielhughes
It would be nice if phone manufacturers would simply separate the power and
data ports into two. Designers probably cringe at that suggestion because it
would interrupt the sleek form factor but isn't it the best possible solution
to this security risk?

~~~
oftenwrong
Most consumers don't think about security beyond enabling a lock screen.
Average people do not think twice about promiscuously plugging their devices
into any ports they find. This attack vector is entirely off their radar. On
the other hand, gadget purchasers care deeply about sleekness. Based on
reactions I have witnessed, I suspect some people may even be sexually aroused
by gadget sleekness. Therefore, at this point there is little incentive for a
company to sacrifice their product's sleekness for a security enhancement.
Until typical customers start caring I do not see a split-port solution
happening.

------
sheraz
Wow -- this hadn't even crossed my mind. Regarding Android devices (mine
included):

Could I just hide a tiny Linux OS inside a charger? Then when someone plugs in
the device just auto-mounts the SD card and copies away? Is it that simple?

~~~
_quasimodo
Does Android ask you for permission to be mounted or at least notify you?

I'm still using an old N900 which asks you if you want it to just load its
battery, be a modem or be a mass storage device.

~~~
hfsktr
I'm not sure if this is what you meant but mine always has a prompt of some
kind (varied between phones) for connecting to a PC. I'm not sure if there is a
way to disable that or if it was phone specific.

------
uptown
I've always wondered how safe those dirt-cheap USB hubs on eBay are. Seems
like a potential attack vector for unsuspecting buyers where you also likely
know the name and address of the victim from shipping it to them.

------
tszming
If you can order from Taobao (China) directly, here is the device I bought
last week:
[http://detail.tmall.com/item.htm?spm=a230r.1.14.27.Op5P4y&id...](http://detail.tmall.com/item.htm?spm=a230r.1.14.27.Op5P4y&id=21996816947)
(not affiliated, around $0.8 USD).

Another added advantage in using the device is it can double the current
output from my MacBook Air USB port, i.e. from 500mA to 1000mA, so now I can
fully charge my Samsung S4 within 4 hrs (as compared to 7-8 hrs previously).

------
fnayr
I don't understand the threat.

All it does is install a provisioning profile on the device to allow it to
install any app it wants, that can make private API calls that would normally
be rejected by Apple if they tried to submit the app.

So essentially, it allows them to install apps that have the exact same
restrictions as apps for jailbroken devices. Or do I have it wrong?

~~~
jbrechtel
Well, then it installs an app. And yes, it's the same restrictions as apps for
jailbroken devices....and they can take over your phone pretty easily (as
described in the article). Sounds like you have the specifics right but may
not understand the implications?

~~~
fnayr
Okay. I just find the originality of the vulnerability exaggerated (e.g.
giving the process some special name (mactans) when all it is is a dev account
installing an app on a device).

~~~
dllthomas
The interesting part is that it can be done invisibly when you thought you
were just plugging in to charge.

------
batemanesque
on the subject: [http://www.macobserver.com/tmo/article/apple-fixes-threat-fr...](http://www.macobserver.com/tmo/article/apple-fixes-threat-from-fake-iphone-chargers-in-ios-7)

------
schtev
Just use a wall socket adapter. Problem solved.

~~~
nly
Well... we have Ethernet over power line, so why not USB? ;)

