Malware

Details of Malicious iOS Charger Presented at Black Hat Conference

Posted on August 1st, 2013 by

MaliciousCharger

Every year the Black Hat security conference promises spectacular headlines of the ways hackers can use to make our lives difficult. From a practical perspective, the information is interesting, as it can help defenders look to better protect users of those devices and it can help device-makers beef up the security of their products. But as a home user, it can be a little terrifying to hear this information out of context. How can you really gauge the seriousness of the threat? When researchers make things sound so simple and devastating, it can be very hard to come up with that information if you're not particularly technically inclined.

Since the Black Hat conference dealt with a device that's in many people's homes or offices, let's take a little look at the information as it was presented yesterday. Researchers from Georgia Institute of Technology announced earlier this summer that they had found a way to create a malicious iOS charger, which allowed them to get around the usual safeguards in order to install a malicious app. Sounds pretty scary, right? Yeah, in theory.

For starters, this would require you to use a knockoff iOS charger. Using an unauthorized charger is a bad idea, for any reason. Plugging any computing device into a strange accessory (or vice versa) inherently carries some risk. Do you trust the maker of that device? Or did you just find that USB in a car park and plug who-knows-what into your computer? (Yuck!) Fortunately, iOS 7 has added a warning about using unauthorized accessories, which is a nice reminder.

And while we're on the subject of iOS 7 improvements, because this research was disclosed to Apple, they've been able to address the vulnerabilities that were found in the upcoming version of the OS. Because the malicious charger is more of a small computer with its own separate OS than a simple charger, one of the improvements is that you get a more specific warning in iOS 7 asking you if you trust the computer you're about to connect with. Allowing this trusted connection will allow the computer "full access to your device and all of its data." I'd say that description pretty well covers the situation! And it's another compelling reason to make sure you update to the new OS when it's officially released.

Lastly, going into manufacturing malicious devices is a pretty low return on potential investment for attackers. Of all the ways to make a few bucks from infecting your computing devices, this ranks pretty low. When phishing, malware and direct attack are such simple, cost-effective ways to access devices, who needs to go to the trouble of creating fake chargers? It's unlikely we'll see this tactic used any time soon, unless something in the world of online crime changes drastically such that this becomes a potentially lucrative business opportunity.
photo credit: Divine Harvester via photopin cc

  • Doug Nix

    I see this as more likely to be implemented in those free USB charging stations that you see in airports and some hotels. Still more of an investment than most black hats would be interested in making…

    • LysaMyers

      That could be – much like ATM skimming is becoming a common issue, this could be used in a similar way to subvert public charging hotspots. Another possibility would be selling them to customers directly (though it would necessarily be a place with little reliance on feedback or reviews, or to be switching usernames frequently).

      • Doug Nix

        Lysa, I agree. I think that people buying cheap chargers on the web or in busy marketplaces in non-G8 countries are the most likely to be hooked this way. The public charging stations could be subverted, even if the original equipment was purchased from a reputable manufacturer. All you need is a clever maintenance person with malicious intent…

        • LysaMyers

          Or someone pretending to be a maintenance person…

          • Doug Nix

            Exactly. The right tools and a bad intent are the prerequisites.