Details of Malicious iOS Charger Presented at Black Hat Conference

Posted on August 1st, 2013 by


Every year the Black Hat security conference promises spectacular headlines about the ways hackers can make our lives difficult. From a practical perspective, the information is interesting, as it can help defenders better protect users of the affected devices and it can help device-makers beef up the security of their products. But as a home user, it can be a little terrifying to hear this information out of context. How can you really gauge the seriousness of the threat? When researchers make things sound so simple and devastating, it can be very hard to come up with that information if you’re not particularly technically inclined.

Since the Black Hat conference dealt with a device that’s in many people’s homes or offices, let’s take a little look at the information as it was presented yesterday. Researchers from Georgia Institute of Technology announced earlier this summer that they had found a way to create a malicious iOS charger, which allowed them to get around the usual safeguards in order to install a malicious app. Sounds pretty scary, right? Yeah, in theory.

For starters, this would require you to use a knockoff iOS charger. Using an unauthorized charger is a bad idea, for any reason. Plugging any computing device into a strange accessory (or vice versa) inherently carries some risk. Do you trust the maker of that device? Or did you just find that USB in a car park and plug who-knows-what into your computer? (Yuck!) Fortunately, iOS 7 has added a warning about using unauthorized accessories, which is a nice reminder.

And while we’re on the subject of iOS 7 improvements: because this research was disclosed to Apple, they’ve been able to address the discovered vulnerabilities in the upcoming version of the OS. Because the malicious charger is more of a small computer with its own separate OS than a simple charger, one of the improvements is that you get a more specific warning in iOS 7 asking you if you trust the computer you’re about to connect with. Allowing this trusted connection will give the computer “full access to your device and all of its data.” I’d say that description pretty well covers the situation! And it’s another compelling reason to make sure you update to the new OS when it’s officially released.

Lastly, going into manufacturing malicious devices is a pretty low return on potential investment for attackers. Of all the ways to make a few bucks from infecting your computing devices, this ranks pretty low. When phishing, malware and direct attack are such simple, cost-effective ways to access devices, who needs to go to the trouble of creating fake chargers? It’s unlikely we’ll see this tactic used any time soon, unless something in the world of online crime changes drastically such that this becomes a potentially lucrative business opportunity.