Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Black Hat: Researchers Use iPhone Charger As Hacking Tool

Charging your iPhone just got a bit riskier.

LAS VEGAS – At Black Hat USA Wednesday in Las Vegas, a trio of researchers from The Georgia Institute of Technology demonstrated how to abuse USB functionality of Apple iPhones to compromise the device. Using a Beagleboard, the researchers built a proof-of-concept malicious charger they refer to as Mactans.

Charging your iPhone just got a bit riskier.

LAS VEGAS – At Black Hat USA Wednesday in Las Vegas, a trio of researchers from The Georgia Institute of Technology demonstrated how to abuse USB functionality of Apple iPhones to compromise the device. Using a Beagleboard, the researchers built a proof-of-concept malicious charger they refer to as Mactans.

“After pairing, Mactans can do anything that can be done through the USB connection,” said Yeongjin Jang, a PhD student at Georgia Tech who was joined on stage with fellow researchers Billy Lau and Chengyu Song.

That includes creating a developer provisioning profile and adding applications onto the device without the user’s permission. To do this, the researchers had to first steal the UDID [unique device identifier] for the device, which Jang described as “trivial.” Once the new provisioning profile is created and deployed on the phone, a malicious application can be loaded by the attacker.

In the case of their demo, they replaced a legitimate version of the Facebook app with a malicious one that they secretly loaded onto the phone in roughly a minute. Though Jang explained that the app is still sandboxed, it can still call private APIs and be used for a number of nefarious tasks, including taking screenshots of the victim’s password as it is being entered or even placing telephone calls at the behest of the attacker.

There are a few possible attack scenarios for Mactans, explained Lau. For example, USB outlets in airports or hotels could be targeted. In addition, state-sponsored attackers that are well-financed could build a device that looks like a regular charger but actually is malicious, he said.

The device does not need to be jailbroken for Mactans to work. However, if the device is locked while it is charging, the Mactans attack will not work, according to Jang.

Following the disclosure of the attack, Apple implemented a feature in iOS7 to notify users when they plug in any USB device that attempts to establish a data connection. 

Advertisement. Scroll to continue reading.
Written By

Marketing professional with a background in journalism and a focus on IT security.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.