This week has seen quite a lot of hubbub surrounding malicious mobile device chargers. Specifically, malicious chargers that were created using a small single-board computer that apparently allows an attacker to install malware on any iOS device without user consent and then hide it from the user. Details have not yet been made public, but let’s take a look at some of the possible mechanisms and try to separate fact from fiction.
Hypotheses have flourished over the mechanism this device, called a “Mactan”, uses to gain access to an iOS device running the latest version of Apple’s mobile OS. Some believe it uses a custom polished version of the exploit used to jailbreak devices. Others point back to an older technique dubbed “juice jacking”, which similarly baits a user with a low battery to connect to a malicious charging station. Juice jacking emulates the same process iTunes uses to pair an iOS device with a computer, which gives a surprising amount of access and control over the device. Pairing creates a lifelong link between the iOS device and the computer and, combined with the development and debugging capabilities of Xcode, might explain just what is afoot.
Pairing a device to a computer is akin to owning the device. It is an automatic process that happens quickly between the device and the computer. For example, if you connect your iPhone to your friend’s computer with iTunes just to charge it, iTunes likely pairs with the device and gains access- even when it is simply on the same network (with or without wireless syncing enabled). Let’s take a quick look at what pairing does:
- Pairing is automatic and quick: On an unlocked passcode protected device, or a device without a passcode, pairing will happen in seconds. A private key and certificate are automatically created and the device gives the computer a certificate that allows the computer to securely communicate with the device in the future.
- Pairing is semi-permanent: Unless the device is restored to factory defaults, the pairing will endure. A single USB connection is enough to bond the two devices for the foreseeable future.
- Pairing means sharing: Once paired with the device, the computer is granted full access to the device... and not just when it is connected over USB, but also over the network- regardless of the WiFi sync setting.
- Wireless access begets wireless access: With wireless access to the device, an attacker can add new “known” wireless networks to the device to ensure future connectivity.
- Open access: Once the device has been accessed, it may allow future access over cellular carrier connection, removing the constraint to be connected to a nearby WiFi network. This access may also grant an attacker access to data despite lock settings and encryption settings since it is a “legitimate” and “secured” connection.
Despite the hype, it’s not necessarily time to panic, gnash teeth, and storm Cupertino with pitchforks and torches. …As we say in our mobile and travel ISPA courses- think before you connect! Physical access is king, and this entire scenario is possible because the user gave up the keys to the kingdom. Simply do not use a physical connection on any device to charge your iOS device. Some of the more obvious places are USB charging kiosks at airports and, ahem, security conferences. Some less obvious connections include convenient USB connections on airplanes, and hotel room alarm clocks that include a dock connector. Bring your own charger and use power plugs only. As an added measure, set your iOS device “Require Passcode” setting to “Immediate”. You do have a passcode (or better yet a password) set, don’t you? You now have to unlock it each and every time you open the device, but it is much more secure. References: http://www.idesigntimes.com/articles/5829/20130604/new-iphone-charger-hack-throwback-2011-ios.htm