Did you know that someone could hack into your iPhone with nothing more than a USB charger? At the recent Black Hat security conference in Las Vegas, Nevada, three researchers from the Georgia Institute of Technology showed how a USB-connected charger can silently install malicious code onto an iOS device. It’s a concept referred to in computer security circles as “juice jacking”.
“Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” reads the briefing abstract posted on the official Black Hat website. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”
A Boston-based security expert named Jonathan Zdziarski, who designs iOS hacking tools for law enforcement officials, said he’s known for a long time that Apple devices are very vulnerable to these kinds of attacks and that the exploit the Georgia Tech researchers showed at the conference may be just the tip of the iOS-weakness iceberg.
“The Black Hat talk does not appear to be anything particularly new, although I can only judge it based on the abstract,” says Zdziarski. “Everyone in the community is already well aware that juice jacking is technically very easy to do.”
Furthermore, Zdziarski says, if the malicious charger does what he thinks it does, it could grant a hacker permanent access to an iPhone or iPad because of the way iOS currently handles USB connections.
“Juice jacking is nothing new, and neither is Apple’s flagrant disregard for the security of iOS devices,” he said in a recent blog posting.
Georgia Tech researchers Billy Lau, Yeongjin Jang and Chengyu Song said they built their juice jacker out of a small computer called a BeagleBoard. They wanted to show how easy and accessible it is to build a malicious but innocuous-looking charger that can install hard-to-detect malware.
“We demonstrate how an iOS device can be compromised within one minute of being plugged into a malicious charger,” the summary says. “We show how an attacker can hide their software in the same way Apple hides its own built-in applications.”
The smallest BeagleBoard is a bit too big to fit into an iPad charger, but could easily be stuffed into a charging dock or USB hub.
Asked for further details about the exploit by Forbes’ Andy Greenberg, Jang declined to comment. But Zdziarski said what the Georgia Tech researchers promise sounds doable.
“I can speak from first-hand experience to say it is possible to write an application that, when running on the iPhone, can access all of a user’s personal information — SMS, photos, etc. — without any special application permissions,” says Zdziarski. “I don’t know if these guys have thought of or will demonstrate such techniques.”
Two years ago at a DEF Con hacker conference, pranksters set up a charging kiosk to trap unsuspecting smartphone users in need of a power fix. If the user decided to plug their device in, a warning message appeared that said:
“You should not trust public kiosks with your smartphone. Information can be retrieved or downloaded without your consent. Luckily for you, this station has taken the ethical route and your data is safe. Enjoy the free charge!”
That charging kiosk didn’t actually steal any data, but Zdziarski said doing so wouldn’t be difficult — at least on iPhones and iPads, thanks to two weak spots in iOS USB security.
One of those weak spots is Apple’s own implementation of the USB protocol, which never alerts the user that a USB data connection has been made at all. Zdziarski has created a utility that lets owners of jailbroken iOS devices turn off automatic USB connections – which can be very useful in these situations.
“Because Apple has not installed a way to deny a USB pairing request on the phone, anything that plugs into it while it is unlocked can pair with the device, which will give it access to a significant amount of personal data, regardless of the encryption used on the device,” says Zdziarski.
“Sadly, pairing security is only one of many design omissions Apple has made that leaves you, the end user, vulnerable to everything from malicious hackers to government surveillance.”
The other weak spot in Apple’s USB implementation is the user himself.
“In its simplest form, juice jacking is merely social engineering,” says Zdziarski. “You’re convincing the device owner that they’re connecting to a power source and that the device on the other end is not a computer.
“In this presentation, the device is a nonstandard charger-type device,” Zdziarski added, “but I’ve seen alarm clocks, USB hubs and other small devices built in with juice-jacking capabilities as well.”
In fact, Zdziarski said, there’s something even worse that juice jacking offers that the Georgia Tech researchers didn’t mention.
“Once you establish a pairing record data connection with a device over USB, it’s possible to connect wirelessly to the device at any point in the future until the user restores their device and perform the same tasks running the built-in packet sniffer, downloading personal data from the device, etc. at any time and without the user’s knowledge,” he said.
So basically, if a desktop computer or a laptop has been connected to your iPhone once, it can connect to your iPhone forever — over Wi-Fi, or even over “a cellular network, if you were a government agency,” as Zdziarski explained.
“If I have only a couple of seconds with your iPhone either unlocked, or just locked before a passcode is required, I can pair with your device either through juice jacking, or with my iPad which runs a custom forensic imaging toolkit, or with my laptop and instantly from that moment on have wireless access to all of your data whenever you are within network’s reach of me,” says Zdziarski.
Zdziarski also mentioned that once a device is plugged in and unlocked, it grants data access to whatever computer it’s connected to for the duration of the connection, even after the home screen appears to lock again.
So that means that even if your phone is locked when it’s plugged in, unlocking it to check a message or change a song could establish an unwanted data link between your phone and whatever it’s connected to.
There is, however, a last line of defense against a USB-based attack, Zdziarski said — the humble passcode. In order for the charger hack to work, an iOS device needs to be unlocked.
“The reason something like juice jacking works,” he said, “is because most people leave their phone unlocked at least for a short time when connected to a power source. Perhaps they want to check a message, or turn on some music — it only takes a couple seconds to establish a life-long pairing record on the device.”
A recent study by Microsoft found that only about a third of smartphone users enable passcode locks. Zdziarski pointed out that if you have your “Require Passcode” setting turned to anything other than “Immediately,” you’re also vulnerable, because the phone will still be unlocked for a short time after you turn off the screen.
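To make the reasoning in the last few paragraphs concrete, here is an added illustration (not code from the article, from Apple or from the researchers) that models the behaviour described: a device only answers a USB pairing request while it is unlocked or still inside the “Require Passcode” grace period, a pairing record persists until the device is restored, and a paired host keeps data access afterwards. All class and function names, and the timings, are assumptions chosen for the model; it talks to no real device.

```python
"""Constructed model of the iOS USB-pairing behaviour the article describes.

Added example, not code from the article or from Apple. The states, names and
timings are assumptions that make the article's reasoning testable offline.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Device:
    """Simplified phone state: lock status, grace period and pairing records."""
    grace_seconds: int = 0            # 0 models "Require Passcode: Immediately"
    unlocked: bool = False
    screen_off_at: Optional[int] = None
    usb_host: Optional[str] = None    # host currently attached over USB, if any
    paired_hosts: Set[str] = field(default_factory=set)  # persist until restore

    def data_accessible(self, now: int) -> bool:
        """Pairing requests are answered only while unlocked, or within the
        grace period after the screen was turned off (as the article states)."""
        if self.unlocked:
            return True
        if self.screen_off_at is not None:
            return now - self.screen_off_at < self.grace_seconds
        return False

    def _try_pair(self, now: int) -> None:
        # A charger/kiosk that is attached while data is accessible pairs silently.
        if self.usb_host and self.data_accessible(now):
            self.paired_hosts.add(self.usb_host)

    def plug_in(self, host: str, now: int) -> None:
        self.usb_host = host
        self._try_pair(now)

    def unplug(self) -> None:
        self.usb_host = None

    def unlock(self, now: int) -> None:
        self.unlocked = True
        self.screen_off_at = None
        self._try_pair(now)           # unlocking while attached is enough

    def lock(self, now: int) -> None:
        self.unlocked = False
        self.screen_off_at = now      # existing pairing records are untouched

    def restore(self) -> None:
        self.paired_hosts.clear()     # the only reset the article mentions

    def host_has_access(self, host: str) -> bool:
        """A host with a pairing record can reach the data later, even wirelessly."""
        return host in self.paired_hosts


def locked_phone_with_immediate_passcode() -> bool:
    """Locked phone, 'Require Passcode: Immediately': the kiosk gets nothing."""
    d = Device(grace_seconds=0)
    d.plug_in("kiosk", now=0)
    return d.host_has_access("kiosk")


def locked_phone_inside_grace_period() -> bool:
    """Screen turned off 15 s ago with a 60 s grace period: the kiosk pairs."""
    d = Device(grace_seconds=60)
    d.unlock(now=0)
    d.lock(now=5)
    d.plug_in("kiosk", now=20)
    return d.host_has_access("kiosk")


def quick_unlock_then_restore() -> tuple:
    """Plug in locked (safe), unlock for two seconds to check a message
    (pairing record created), unplug, and finally restore (record gone)."""
    d = Device(grace_seconds=0)
    d.plug_in("kiosk", now=0)
    before_unlock = d.host_has_access("kiosk")
    d.unlock(now=10)
    d.lock(now=12)
    d.unplug()
    after_unplug = d.host_has_access("kiosk")
    d.restore()
    after_restore = d.host_has_access("kiosk")
    return before_unlock, after_unplug, after_restore


if __name__ == "__main__":
    print("locked, Immediately:", locked_phone_with_immediate_passcode())
    print("locked, in grace period:", locked_phone_inside_grace_period())
    print("quick unlock then restore:", quick_unlock_then_restore())
```

The three scenario functions correspond to the article’s points in order: a locked phone with the passcode required immediately does not pair; a grace-period setting leaves a window after the screen turns off; and a two-second unlock while plugged in creates a record that outlives the connection until the device is restored.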
Hackers commonly use the USB port on their devices to jailbreak and carrier-unlock their own phones, but thus far, criminals have not used that same entry point to attack users who plug their phones into public kiosks.
As the security risks associated with mobile devices’ USB ports come to light, Apple and other companies may become more aggressive in their software patches, making it more difficult for attackers and jailbreakers alike to succeed.
The safest way to charge your iPhone or other mobile device is by connecting the USB cable and charger that came with the device directly to a wall power outlet. Those who are frequently on the road may want to consider purchasing a battery-powered charging device, or a phone case that stores an extra charge.
If it is necessary to use a random charging station, power off your phone first. Some phones keep data protected when they are totally powered down.