Wolf in sheep's clothing at Black Hat: Getting pwn'd by innocent looking devices
By Darlene Storm
August 1, 2013
A trio of researchers presented "Mactans: Injecting Malware into iOS Devices via Malicious Chargers" at Black Hat, demonstrating how an "iOS device can be compromised within one minute" after plugging into a maliciously crafted charger. Until Apple patches the vulnerability that allows the exploit, all iPhone or iPad users are vulnerable as the device does not need to be jailbroken for the attack to work. It takes advantage of an iOS flaw that allows pairing without any notification to the user.
Their proof-of-concept charger, dubbed Mactans, was built using a $45 BeagleBoard. As soon as an iOS device is plugged in, the fake charger instantly captures the Unique Device Identifier (UDID). Then it connects to Apple's developer support website and submits that UDID for a "provisioning profile." The charger installs code and the attacker now has full control of the device. GTISC associate director Paul Royal said, "Getting the UDID is trivial, and getting a provisioning profile is easy and automated."
In one demonstration of what an attacker could do remotely, the researchers plugged an iPhone 5 into the charger, hid the iPhone Facebook app and installed a malicious copy over it that launched before the legitimate "hidden" copy. The Mactans' malicious payload could be about anything, from allowing "a remote attacker to make an unauthorized phone call from the iOS device" to taking "a screenshot whenever the user enters a password or other sensitive information." Basically it turns an iOS device into a spy tool.
..