A research team from Georgia Tech University has created a way to compromise any Apple iOS device within a minute by plugging it into a customized malicious charger. The group’s findings will be presented in full at the end of July at the Black Hat USA hacker conference in Las Vegas. A summary of the hack was recently announced on the conference’s website.
Researchers Billy Lau, Chengyu Song and Yeongjin Jang developed a proof-of-concept charger that uses a small computer called a BeagleBoard. Lau is listed as a research scientist at Georgia Tech’s College of Computing, and Song and Jang are Ph.D. students, the Atlanta Journal-Constitution noted. They called their device Mactans, after the scientific name for the black widow spider, Forbes reported, and used low-cost parts to demonstrate the ease of constructing such an attack on iOS devices, which they noted are known for being secure.
“The results were alarming: despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” the researchers wrote in their report summary. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”
Breaking into iOS
The researchers added that their presentation will explore how USB capabilities can be used to bypass Apple’s various security mechanisms and will show how an attacker can hide malicious software in the same way the company hides its built-in applications. They will then make recommendations as to how Apple can fix the vulnerability and users can protect themselves.
The team has contacted Apple about the vulnerability but has not said more, Forbes reported. The publication noted that USB connections have been the basis of many prior hacks on iOS devices, most notably as an entry point for those looking to jailbreak their devices and remove Apple’s restrictions. A jailbreak released in February that took advantage of five different vulnerabilities to disable the device’s security measures was used more than 18 million times before Apple updated its software to block the exploit.
The group will present the rest of their findings at Black Hat USA, which takes place from July 27 through August 1 in Las Vegas. They have declined to make additional comments prior to the presentation. As onlookers wait for more details to emerge, however, such incidents can serve as a wake-up call for securing the embedded software on consumer electronics. Using tools such as static analysis software, developers can catch errors in their device software and secure it to prevent malicious behavior.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.