Black Hat: MACTANS Hacking Apple iOS with a Battery Charger

LAS VEGAS: Be careful where you plug in your Apple iPhone device to charge.

Speaking at the Black Hat security conference here, researchers from the Georgia Institute of Technology demonstrated how a small Linux ARM device they call a MACTANS could infect Apple iOS devices with a Trojan.

The way the attack works is relatively simple. The user’s device is infected with a trojan when he or she plugs the iOS device into the MACTANS charger.

That trojan could be any form of malicious payload hackers want to deploy, whether it’s for stealing information or controlling the user’s phone remotely.

The MACTANS device is running Linux on top of an ARM powered BeagleBoard.

Billy Lau, research scientist at the Georgia Institute of Technology, said that MACTANS device and attack work on existing stock Apple iOS devices. The devices do not need to be jailbroken in order for the MACTANS to work. A jailbreak is when a user breaks Apple’s lock on the device, typically to enable non-Apple approved apps to run.

Unsafe Sandbox

“Our attack does not have root privileges, and our injected app stays inside of Apple’s sandbox protection,” said Yeongjin Jang, a doctoral student at Georgia Institute of Technology. “You might think that nothing bad can happen when you have sandbox protection, but that’s not true.”

The Apple sandbox is supposed to be a protected area within the iOS system that limits the ability of apps to go outside of a specific space on the device to perform non-approved activities. Jang said that with MACTANS, he is able to call on private APIs in Apple iOS that normally have restricted access.

“We found some ways to do some malicious things,” Jang said. “For example, we can call on the private API to take a screenshot of the open window.”

The MACTANS app could potentially be enabled to take a screenshot whenever the user enters a password or other sensitive information. The MACTANS could also be used by a remote attacker to make an unauthorized phone call from the iOS device.

Apple Disclosure

The researchers did disclose their findings to Apple and said they have provided a list of the issues they discovered. One of the key issues is the fact that Apple iOS did not ask for user input or consent before the MACTANS charger runs and executes the injection attack.

The researchers suspect the fix to the MACTANS attack is already present in the latest iOS 7 beta. Apple is currently in development with iOS 7, which is expected to be released later this year.

“We were invited to test the iOS 7 beta,” Lau said. “Upon inspection we found that when a device with the iOS 7 beta is plugged into the MACTANS charger, a popup is displayed to the user to ask if the user wants to trust the device.”

Sean Michael Kerner is a senior editor at eSecurity Planet and Follow him on Twitter @TechJournalist.

Sean Michael Kerner
Sean Michael Kerner
Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.

Top Products

Related articles