Hacked iPhone chargers could let snoops spy on devices
The next time you plug your iPhone into someone else's charger, you could be putting all your personal data at risk. Malicious software that lets hackers attack your device could be installed without your knowledge.
Georgia Tech Information Security Center researchers presented how they were able to hack into an iPhone using its charger at a briefing on Wednesday at the Black Hat cybersecurity conference in Las Vegas.
During a demonstration for CBSNews.com, research scientist Billy Lau and Ph.D. student YeongJin Jang explained that they installed software into a custom device, called Mactans, that mimics Apple's charger.
The device they presented, which is a small white box made with a 3D printer, is much larger than an iPhone charger. However, Lau says it is possible for a tenacious hacker to make a counterfeit version that looks exactly like one bought at an Apple store.
Once an iPhone is plugged into the device, it could take less than a minute to install malicious software, called a Trojan. That time is lengthened to about 80 seconds if a specific app is being uploaded to duplicate and hide an existing one. After the Trojan is installed, an iPhone owner could carry on without knowing their phone is being attacked.
The researchers showed how a replica of Facebook's mobile app is installed on an iPhone. To the unsuspecting victim, nothing appears different, including the icon. Only a slight screen swap that lasts about a second gives any clue of suspicious activity. Everything else appears normal, but once the phone is turned off, the Trojan can begin to wreak havoc. The phone can then act on its own to punch in numbers and make calls.
Lau says that any app on an iPhone can be replaced in a similar manner, including a mobile banking app. There is also the potential that a phone can be put under surveillance, via screen sharing. Hackers can survey the device and see what is being typed on the screen, possibly stealing sensitive data like banking credentials and home addresses.
Lau says they are in touch with Apple, but it is not clear if the company is planning a fix for the exploit. He points out that a feature in the iOS 7 beta will prompt users when a third-party charger is plugged in, but the same cannot be said for iOS 6 devices. Apple has not responded to several requests for comment.
In other demonstrations at Black Hat this week, researchers showed how cyber-criminals could hack into 'smart home' control systems. They're also exposing vulnerabilities in Smart TVs, driverless cars and other high-tech devices.