Who will protect me from Apple putting crap on my phone?
Scientists have invented a dangerous new charger capable of infecting iPhones with any malware they choose. Eggheads from the Georgia Institute of Technology claim to be able to hack an iPhone in under one minute using a "malicious charger" called Mactans. The team claimed their findings challenge the iPhone's reputation as …
Really, for any device (iOS, Android, WinPhone, MeeGo, Firefox, ...), plugging into J. Random USBPort to charge is dangerous if you have not totally neutered the port (disabled any form of sharing, debugging, etc).
I look at all these charging stations in the airports, and I think "Were I an evil bastard, I'd set one of these up, with a 1TB drive, and enough smarts to try to mount anything plugged in and look for emails, spreadsheets, Powerpoints, etc., and copy them down while 'charging' the device. And if I could stuff a Trojan in, all the better."
That wouldn't work with Android. It doesn't mount as a mass storage device till it's told to and USB debugging is disabled by default. J. Random User doesn't even know the USB debugging setting exists, let alone how to turn it on, leaving 90% of Android phones immune to this sort of attack.
Sadly, mine is one of the 10% that's not immune, but I've never plugged into a random charging port so I'm probably OK.
>> It doesn't mount as a mass storage device till it's told to
Do tell. Every one I've used looks like a mass storage device on plugging into A N Other machine. No intervention required. NB: Does have to be unlocked on connection, but then the article doesn't say whether or not this "fake charger exploit" works on a locked iPhone.....
>> J. Random User doesn't even know the USB debugging setting exists, let alone how to turn it on
Some come with it on by default. Acer? I'm looking at you here.....
"Do tell. Every one I've used looks like a mass storage device on plugging into A N Other machine. No intervention required."
Wrong. While an Android device appears straight away to a machine as a mass storage device it doesn't actually function as one unless mass storage mode is subsequently enabled on the Android device itself. It's a bit like how a computer can "see" an optical drive, without a disc in it, but it has to have a disc inserted to "enable" it. Furthermore, while it is possible with additional software or a custom ROM to have USB mass storage mode automatically switch on when plugged into another device, no "as manufactured" Android devices have this option.
"it doesn't actually function as one unless mass storage mode is subsequently enabled on the Android device itself"
I think you may be correct that out of the box Android will not auto connect as a mass storage device, however my devices (Moto Defy, Xperia Mini Pro, Xperia U) would auto connect as an MTP device...as standard...out of the box. Though, if the hack makes use of bugs in the USB implementation, maybe you don't need to get that far to be compromised?
"however my devices (Moto Defy, Xperia Mini Pro, Xperia U) would auto connect as an MTP "
And therein lies the difference of what was being discussed. MTP isn't the same as USB Mass Storage. MTP is a protocol over USB which sidesteps Android's built-in "Click to Enable" USB Mass Storage mode.
Just snip the Data(-) and Data(+) wires on the USB Cable, I had an old USB cable that was broken, so I only wired the Power wires back on and my phone charges without problem. Nothing can get in via the power lines, so I suppose all my phones are now immune to this.
This will work fine for Android devices, but not for Apple.
In a bid to make you pay $50 for a USB cable that has been sanctified by the church of Jobs, Apple phones will not charge at all from a cable that only has the power pins connected. Stupid by design.
..if the dodgy code that got injected was actually a modified iDevice ready version of Windows Phone 8 that would self install itself over iOS!
Imagine that - plugging your iPhone in for a juice top up only to find it's running Windows when you get back! I think MS are actually considering it to get their usage numbers up!
Paris because she doesn't care whose plug it is!
I usually charge my iPhone from my TV. There are lots of places something like this could be used. My car has USB ports as well and that is becoming more of a standard on all cars. Obviously an attack like this would be targeting a specific individual and their car would be what I would go for.
I have a useful little cable I got on eBay, which basically looks like a very short USB extension lead with red plugs. It only has the power pins connected and the data pins are deliberately not connected. Very useful for parasitically charging off a computer without it trying to establish a data connection.
I bought it to save the annoyance of a computer trying to make a data connection when all I want to do is charge the phone. It never occurred to me that it may be a hardware firewall. Don't tell the seller or they'll double the price. :o)
The problem with that "solution" is that in order to get an Apple device to recognise your charger, you have to provide the correct resistive voltage dividers on both DM and DP pins. If you leave the data pins open, it will simply tell you that "Charging is not supported with this accessory" and refuse to charge.
Given that some of the small USB chargers that are posing as Apple ones exist (usually cost reduced by removing the hash filters!), this might be a real problem. The biggest problem is that the space for the "nasty" part is quite small. That being said, it could be reduced down to a single chip if its only function were to install a file on the "host".
Lots of $$$ needed for this, but some people (governments) had such resources! Possibly even the US government you never know (file detects Arabic script and goes further...).
Look, it may have already been done, and we just don't know about it!
I've never heard the term "hash filter" outside of people rolling their own special cigarettes. Is that like the RFI choke?
It would not be very expensive to make a circuit board that would fit in a itingy charger like space. Microcontrollers are available in CSBGA these days and circuit boards are pretty cheap. It would be thousands of dollars including engineer time, not millions.
I don't know how it works software/hardware wise, but Android allows you to set a default action on connecting. From what I've seen my computer is not aware of any device being connected when I switch to charge-only. Does it just ignore the data pins and dump anything from them straight to /dev/null?
If not, could a similar exploit be used against Android phones with the only mitigation being power-only USB cables? I guess at least Android (and Windows?) phones can mitigate it that way.
I want your contacts, passwords etc. To get them from your iPhone I need to:
- break into your house or office
- take photos of your iPhone charger
- go home, replicate charger as closely as possible
- devise the internals, and a bit of malware to get uploaded
- break into your house or office again
- replace charger with mine
- hope you don't notice that your charger has been replaced. Or that your house was broken into. Twice.
Chances of exploit: Slim...?
Much easier to write/buy an exploit for the software platform based on open source and has the largest market share, surely...
The iCharger an iPhone owner has at home is most likely the original iCharger, or else one of the bazillion clones all looking almost exactly like an original iCharger. You, wanting to perform nefarious activities, just have to buy one of those, and for good measure just a few of the other models of the aftermarket iPhone chargers, modify them, and replace the found iCharger with that one of yours looking just like it.
Just one burglary needed