Apple said it will roll out a fix to a relatively obscure security flaw that allows hackers to access sensitive information on an iPhone or iPad via a "modified charger," with the patch already instituted in the latest iOS 7 beta.
As reported by Reuters, Apple will have a fix ready for a security hole that lets nefarious parties insert malware onto an iOS device when it is attached to a small Linux computer made to look like a power adapter. The hack, called Mactans, was demonstrated at the 2013 Black Hat convention on Wednesday.
Apple was previously made aware of the vulnerability by the three Georgia Institute of Technology researchers who discovered it earlier this year. The company said a patch for the flaw is already present in the latest iOS 7 beta.
"We would like to thank the researchers for their valuable input," Neumayr said.
According to Billy Lau, one of the researchers responsible for the discovery, the custom-built charger is packed with a $45 BeagleBoard computer programmed to install malicious software onto any iOS device. He said the unit took one week to design.
From Lau's Black Hat demo brief:
This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed. While Mactans was built with limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish. Finally, we recommend ways in which users can protect themselves and suggest security features Apple could implement to make the attacks we describe substantially more difficult to pull off.
In Wednesday's demo, the fake charger infected an iPhone 5 running iOS 6 with a virus, which subsequently directed it to dial the phone number of one of the researchers.
"It can become a spying tool," said Lau.
As for Apple's fix, Lau said iOS 7 will notify users when they are connected to a computer, rather than a regular charger, making it easier to distinguish an attempted hack.
Black Hat holds annual conventions around the world to bring together top security professionals for training, briefings and workshops.
15 Comments
Note to self: don't use any cheapo knock-off chargers or bum any charges from strangers.
I wish this new feature would allow me to 'always trust' a certain computer. e.g. my work PC. I'm asked to trust it *every* time I plug in for a charge. Thankfully, I'm not asked if I trust my Mac at home (probably because it contains the iTunes install I sync to).
"'We would like to thank the researchers for their valuable input,' Neumayr said." Who's Neumayr?
Does the lightning connector provide any security in a case like this?
Chick wrote: "Does the lightning connector provide any security in a case like this?" Don't know, but since it has a chip in it maybe it's possible to update the software on it?