2. Introduction
• iOS is considered more secure.
- mandatory code signing
- app sandboxing
- centralized app store.
• Charging a device is an everyday activity.
• Successfully install & execute arbitrary software.
• Mactans (BeagleBoard, looks like charger)
• Patched on iOS 7 beta 2
3. Observations
• Any Host is trusted by the Client.
• Client does not indicate what Host does.
• Installed app can be hidden.
• Host can execute apps on the Client in stealth mode.
• Provisioning the Client as a developer device is easy.
• Unified Data, Control, Power Interface
[Diagram: Host and Client]
5. Stealth Execution
• Mounts disk image (DeveloperDiskImage.dmg)
• Launches com.apple.debugserver
• Can execute a hidden application
6. Provisioning
• Obtain UDID easily
• Provisioning can also be easily automated
• Obtain a provisioning profile
-> Install a malware application on the Client
11. Proof-of-Concept
• 30-pin or Lightning USB cable
• Active Developer’s License
• Internet Connection
• Mactans charger (BeagleBoard)
- USB power source
- microprocessor/microcontroller
- Linux OS
- iOS RPC comm. library
13. Obtain UDID
• UDID
- 40-digit hexadecimal ID
- SHA1(serial + ECID + WiFiMAC + BluetoothMAC)
• Obtained simply by querying over USB
14. With UDID..
• UDID registration via developer.apple.com
• Provisioning profile can be generated
• Allows devices to run apps signed by a non-Apple entity
15. And install Malware...
• Replace original famous app with repackaged, hidden version
• Install malware with icon of replaced app
• When launched, malware plays, then executes original app
16. Malware can do..
• Taking screenshots with a private API call
• Simulating touch event
• Simulating button pressing (Home, Sleep ..)
• And so many other things…
17. Attack Scenarios
• General
- Public charging stations (e.g., airports, libraries)
• Targeted
- Exchange or provide charger to target
- Modify environment of target (e.g., airplane seat, hotel room)
19. Fixing the problems
• Charger? Computer?
• Provisioning profile abuse
- Use CAPTCHA
• Over-privileged USB capabilities
• Third party hidden apps considered harmful
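
Added example (not from the slides): a defender-side audit of a provisioning profile already collected from a device, flagging the conditions the attack depends on, namely the device's UDID registered under a team the owner does not recognize and a development profile that permits debugging. The profile keys used are the standard .mobileprovision plist keys; the UDID, team IDs, profile name and CMS wrapper bytes are constructed sample values, and the function names are hypothetical.

```python
import plistlib

def extract_profile(blob):
    """Return the plist payload of a CMS-wrapped .mobileprovision blob.
    The CMS signature is NOT verified here; this only reads the content."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def audit_profile(profile, device_udid, trusted_teams):
    """List reasons this profile deserves review on the given device."""
    findings = []
    teams = set(profile.get("TeamIdentifier", []))
    devices = [d.lower() for d in profile.get("ProvisionedDevices", [])]
    entitlements = profile.get("Entitlements", {})
    # The device was registered as a developer device by an unknown team.
    if device_udid.lower() in devices and not (teams & set(trusted_teams)):
        findings.append("device UDID provisioned by untrusted team")
    # Development profiles allow a debugger to attach to the signed app.
    if entitlements.get("get-task-allow"):
        findings.append("development profile: get-task-allow is set")
    # Enterprise profiles are not tied to a UDID list at all.
    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise profile: provisions all devices")
    return findings

# Constructed sample input: a fake CMS wrapper around a generated plist.
DEVICE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_BLOB = (
    b"\x30\x82CONSTRUCTED-CMS-HEADER"
    + plistlib.dumps({
        "Name": "Constructed Dev Profile",
        "TeamIdentifier": ["ZZZZ000000"],
        "ProvisionedDevices": [DEVICE_UDID],
        "Entitlements": {"get-task-allow": True},
    })
    + b"CONSTRUCTED-CMS-SIGNATURE"
)

if __name__ == "__main__":
    profile = extract_profile(SAMPLE_BLOB)
    for finding in audit_profile(profile, DEVICE_UDID, {"ABCDE12345"}):
        print("FINDING:", profile["Name"], "-", finding)
```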