When it comes to threats to mobile devices, most people don't think of chargers as a likely point of attack. But plugging in an iPhone — or any smartphone or tablet — could come at a price.
At next month's Black Hat security conference in Las Vegas, three Georgia Institute of Technology researchers will show how a USB-connected charger can silently install malicious code onto an iOS device. It's a concept referred to in computer-security circles as "juice jacking."
"Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software," the briefing abstract posted on the Black Hat website said. "All users are affected, as our approach requires neither a jailbroken device nor user interaction."
Boston-based security expert Jonathan Zdziarski, who designs iOS hacking tools for law enforcement, said he's long been aware that Apple devices are vulnerable to such attacks — and that the exploit the Georgia Tech researchers will show may be just the tip of the iOS-weakness iceberg.
"The [Black Hat] talk does not appear to be anything particularly new, although I can only judge it based on the abstract," Zdziarski told TechNewsDaily. "Everyone in the community is already well aware that juice jacking is technically very easy to do."
Furthermore, Zdziarski said, if the malicious charger does what he thinks it will, it could grant a hacker permanent access to an iPhone or iPad — thanks to the way iOS handles USB connections.
"Juice jacking is nothing new, and neither is Apple's flagrant disregard for the security of iOS devices," he said in a blog posting today (June 3).
Plug in here to give up your data
Georgia Tech researchers Billy Lau, Yeongjin Jang and Chengyu Song said they built their juice jacker out of a small $45 computer called a BeagleBoard. They wanted to show how easy and accessible it is to build a malicious but innocuous-looking charger that can install hard-to-detect malware.
"We demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger," the summary reads. "We show how an attacker can hide their software in the same way Apple hides its own built-in applications."
The smallest BeagleBoard is a bit too big to fit into an iPad charger, but could easily be stuffed into a charging dock or USB hub.
Asked for further details about the exploit by Forbes' Andy Greenberg, Jang declined to comment. But Zdziarski said what the Georgia Tech researchers promise sounds doable.
"I can speak from first-hand experience to say it is possible to write an application that, when running on the iPhone, can access all of a user's personal information — SMS, photos, etc. — without any special application permissions," Zdziarski told TechNewsDaily. "I don't know if these guys have thought of or will demonstrate such techniques."
At the DEF CON hacker conference two years ago, pranksters set up a charging kiosk to trap unsuspecting smartphone users in need of a power fix. If a user plugged in, a scolding message appeared.
"You should not trust public kiosks with your smartphone," the message read in all capital letters. "Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!"
That charging kiosk didn't actually steal any data, but Zdziarski said doing so wouldn't be difficult — at least on iPhones and iPads, thanks to two weak spots in iOS USB security.
One of those vulnerabilities is Apple's own implementation of the USB protocol, which never alerts the user that a USB data connection has been made. (Zdziarski has created a utility that lets owners of jailbroken iOS devices turn off automatic USB connections.)
"Because Apple has not installed a way to deny a [USB] pairing request on the phone, anything that plugs into it while it is unlocked can pair with the device, which will give it access to a significant amount of personal data, regardless of the encryption used on the device," Zdziarski said.
"Sadly, pairing security is only one of many design omissions Apple has made that leaves you, the end user, vulnerable to everything from malicious hackers to government surveillance," Zdziarski wrote on his blog today.
The other weak spot in Apple's USB implementation is the user himself.
"In its simplest form, juice jacking is merely social engineering," Zdziarski told TechNewsDaily. "You're convincing the device owner that they're connecting to a power source and that the device on the other end is not a computer.
"In this presentation, the device is a nonstandard charger-type device," Zdziarski added, "but I've seen alarm clocks, USB hubs and other small devices built in with juice-jacking capabilities as well."
On your iPhone forever
In fact, Zdziarski said, there's an even scarier aspect of juice jacking that the Georgia Tech researchers didn't mention.
"Once you establish a pairing record [data connection] with a device over USB, it's possible to connect wirelessly to the device at any point in the future (until the user restores their device) and perform the same tasks (running the built-in packet sniffer, downloading personal data from the device, etc.) at any time and without the user's knowledge," he said.
In other words, if a desktop or laptop has been connected to your iPhone once, it can connect to your iPhone forever — over Wi-Fi, or even over "a cellular network, if you were a government agency," as Zdziarski explained on his blog recently.
"If I have only a couple of seconds with your iPhone either unlocked, or just locked before a passcode is required, I can pair with your device (either via juice jacking, or with my iPad which runs a custom forensic imaging toolkit, or with my laptop) and instantly from that moment on have wireless access to all of your data whenever you are within network's reach of me," Zdziarski told TechNewsDaily.
Zdziarski noted that once a device is plugged in and unlocked, it grants data access to whatever computer it's connected to for the duration of the connection, even after the home screen appears to lock again.
Even if your phone is locked when it's plugged in, unlocking it to check a message or change a song could establish an unwanted data link between your phone and whatever it's connected to.
There is, however, a last line of defense against a USB-based attack, Zdziarski said — the humble passcode. In order for the charger hack to work, an iOS device needs to be unlocked.
"The reason something like juice jacking works," he said, "is because most people leave their phone unlocked (at least for a short time) when connected to a power source. Perhaps they want to check a message, or turn on some music — it only takes a couple seconds to establish a life-long pairing record on the device."
A recent study by Microsoft found that only about a third of smartphone users enable passcode locks. Zdziarski pointed out that if you have your "Require Passcode" setting set to anything other than "Immediately," you're also vulnerable, because the phone will still be unlocked for a short time after you turn off the screen.
Hackers commonly use the USB port on their devices to jailbreak and carrier-unlock their own phones, but thus far, criminals have not used that same entry point to attack users who plug their phones into public kiosks.
As the security risks associated with mobile devices' USB ports come to light, Apple and other companies may become more aggressive in their software patches, making it more difficult for attackers and jailbreakers alike to succeed.
The safest way to charge your iPhone or other mobile device is by connecting the USB cable and charger that came with the device directly to a wall power outlet. Those who are frequently on the road may want to consider purchasing a battery-powered charging device, or a phone case that stores an extra charge.
If it is necessary to use a random charging station, power off your phone first. Some phones keep data protected when they are totally powered down.