It’s counterintuitive to think that a mobile device – in this case, an iOS device – can be hacked through its charger. That, however, is exactly what a hack developed by the Georgia Institute of Technology can do.
Mactans, named after the Latin taxonomic name of the black widow spider, was first revealed in June. Developers Bill Lau and Yeongjin Jang provided details at the Black Hat conference in Las Vegas last week. The approach, according to PCMag, is pretty simple: When an iOS device is connected to the charger via a USB port, the charger automatically gets access to the device’s Universal Device ID (UDID) if the device isn’t password protected. Mactans is then in control:
Using the UDID, it effectively claims your device as a test device using the team’s Apple developer ID. “The iOS device must pair with any USB host that claims it,” said Jang. “Any USB host that initiates contact, they cannot reject it. It doesn’t ask the user’s permission and gives no visual indication. The only way to prevent a Mactans attack is to lock your device before charging it and keep it locked for the entire time.” Once accomplished, the pairing is permanent.
IB Times had more details. The site said that the “BeagleBoard” – a developer’s work area, essentially – that was used to show the vulnerability could just as well have been a Raspberry Pi micro-computer. The point is that a malicious hacker does not need sophisticated equipment to mount the attack. The story says that the “charger” invisibly removes the target app – in the case of the demo, Facebook – and puts a perfect replacement in the same spot. The results are rather chilling:
In actual fact this is malware and once you launch it, your phone/tablet has been compromised. This malware could be used to capture passwords, take screenshots, access your contacts, messages and phone calls, or even make premium rate calls.
The good news is that the problem seems relatively easy to fix. Daily Tech says that Apple is addressing the issue in the latest beta of iOS 7, which is in developers’ hands. The key difference is that the device will ask the user for permission before it pairs. On that timeline, however, the potential for problems would persist into September, when the update is released to the public.
In the bigger picture, it is important for users to understand that iOS and Android are different from a security perspective. Sophos claims that iOS is more secure, while Veracode offers a nicely done and very detailed graphic – and lets the reader draw his or her own conclusion. It is unclear whether hackers could create a version of Mactans for Android.