One of the most highly publicized software security issues being discussed at this year’s Black Hat hacker conference in Las Vegas has been a flaw in Apple’s iOS that would enable an attacker to quickly inject an iPhone or iPad with malware by using a maliciously engineered custom USB charger. Apple recently announced that its upcoming iOS 7 update will fix the issue.
“We would like to thank the researchers for their valuable input,” Apple spokesman Tom Neumayr said.
Devices running Android are immune to such an attack because the OS warns users if they plug their device into a computer, even one that has been disguised as a regular charging station, researcher Billy Lau told Reuters. Apple’s fix for iOS 7 will add a similar feature, showing users an alert any time they plug their device into a computer for charging.
This fix will address the hack, which used a small, cheaply available computer called a BeagleBoard to store and run malware. The exploit was discovered by Billy Lau, a research scientist at the Georgia Institute of Technology, along with graduate students Yeongjin Jang and Chengyu Song. In their original statement on the attack, the researchers noted that any iOS device could be breached in this way and that the attack required neither access to a jailbroken device nor any user interaction.
“The results were alarming: despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” they wrote in their summary.
Developers can avoid such issues, and build in more user warnings for potential errors, by taking security into account throughout the development process. With tools such as static analysis software and practices such as peer code review, programmers can more easily catch design flaws that could lead to attacks.