Mactans: Injecting Malware Into iOS Devices via Malicious Chargers

Presented at Black Hat USA 2013, July 31, 2013, 5 p.m. (30 minutes).

Apple iOS devices are considered by many to be more secure than other mobile offerings. In evaluating this belief, we investigated the extent to which security threats were considered when performing everyday activities such as charging a device. The results were alarming: despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software. All users are affected, as our approach requires neither a jailbroken device nor user interaction.

In this presentation, we demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger. We first examine Apple's existing security mechanisms to protect against arbitrary software installation, then describe how USB capabilities can be leveraged to bypass these defense mechanisms. To ensure persistence of the resulting infection, we show how an attacker can hide their software in the same way Apple hides its own built-in applications.

To demonstrate practical application of these vulnerabilities, we built a proof of concept malicious charger, called Mactans, using a BeagleBoard. This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish. Finally, we recommend ways in which users can protect themselves and suggest security features Apple could implement to make the attacks we describe substantially more difficult to pull off.


Presenters:

  • Billy Lau - Georgia Institute of Technology
    Billy Lau is a research scientist at Georgia Institute of Technology. He is primarily interested in information security, with emphasis on hypervisors, operating systems and user applications. Recently, he has been examining the security designs and impacts of the emerging mobile devices in the marketplace. In particular, he loves to challenge the status quo on conventional security assumptions which are often broken when put to test. He graduated from University of Michigan at Ann Arbor with a Master's of Engineering in Computer Science and University of Illinois at Urbana-Champaign with a Bachelor's of Science in Computer Engineering. He hopes to make a difference by making usable computer systems more secure and secure systems more usable.
  • Yeongjin Jang
    Yeongjin is a PhD student at Georgia Institute of Technology. His research interests are focused on operating system and mobile security. Prior to joining Georgia Tech, he participated in various capture-the-flag (CTF), including DEFCON CTF, CODEGATE, etc. He received his B.S. degree in Computer Science from KAIST in 2010.
  • Chengyu Song
    Chengyu Song is a PhD student at Georgia Institute of Technology. His current research interest is in system security, with a special focus on topics that may have practical impact. Prior to Georgia Tech, Chengyu received his Bachelor's and Master's degree from Peking University China, where he worked with other researchers on malware analysis, botnet, underground economy and drive-by download attacks. He is also a member of the Honeynet Project.

Links:

Similar Presentations: