Mactans is a proof-of-concept malicious charger that can inject malware into iOS devices via their charging port. It works by first obtaining the device's UDID to register it and generate a provisioning profile, allowing installation of apps signed by a non-Apple entity. The charger then replaces a legitimate app with a hidden, repackaged version containing malware. When launched, the malware executes before the original app. This attack highlights issues with iOS trusting any host device and the ease of provisioning profiles to install third-party apps without user interaction. Apple has since patched the vulnerabilities in iOS 7, but similar attacks may still target public charging stations or modified environments to infect devices stealthily.

1. MACTANS: Injecting Malware
into iOS Devices via Malicious Chargers
석사 29기 박준영

2. Introduction
• iOS is considered more secure.
- mandatory code signing
- app sandboxing
- centralized app store.
• Charging a device is everyday activities in our life.
• Successfully install & execute arbitrary software.
• Mactans (BeagleBoard, looks like charger)
• Patched on iOS 7 beta 2

3. Observations
• Any Host is trusted by the Client.
• Client does not indicate what Host
does.
• Installed app can be hidden.
• Host can execute apps on the
Client in stealth mode
• Provisioning for making Client
as a Developer device is easy.
• Unified Data, Control, Power
Interface
?
Host
Client
?

4. Hide app on SpringBoard
• /Application/<appname>.app/Info.plist
……
<key>SBAppTags</key>
<array>
<string>hidden</string>
</array>
……

5. Stealth Execution
• Mounts disk image(DeveloperDiskImage.dmg)
• Launch com.apple.debugserver
• Can execute hidden application

6. Provisioning
• Obtain UDID easily
• Provisioning also can be easily automated
• To obtain a provisioning profile
-> To install a malware application to Client

7. Proof-of-Concept

8. Proof-of-Concept
• 30Pin or Lightening USB cable

9. Proof-of-Concept
• 30Pin or Lightening USB cable
• Active Developer’s License
- For use of provisioning portal

10. Proof-of-Concept
• 30Pin or Lightening USB cable
• Active Developer’s License
• Internet Connection

11. Proof-of-Concept
• 30Pin or Lightening USB cable
• Active Developer’s License
• Internet Connection
• Mactans charger (BeagleBoard)
- USB power source
- microprocessor/microcontroller
- Linux OS
- iOS RPC comm. library

12. BeagleBoard
• Cortex-A8 CPU
• US.B, HDMI, SD/MMC, JTAG..
• 7.5cm x 7.5cm

13. Obtain UDID
• UDI.D
- 40 digit hexadecimal ID
- SHA1(serial + ECID + WiFiMAC + BluetoothMAC)
• Simply obtained while query over USB

14. With UDID..
• UDID Registration via
developer.apple.com
• Provisioning Profile can be
generated
• Allow devices to run apps
signed by a non-Apple
entity

15. An.d install Malware...
• Replace original famous app wi.th repackaged,
hidden version
• Install malware wi.th icon of replaced app
• When launched, malware plays then executes
original app

16. Malware can do..
• Taking screenshots with Private API call
• Simulating touch event
• Simulating button pressing (Home, Sleep ..)
• And so many other things…

17. Attack Scenarios
• General
- Public charging stations (e.g., airports, libraries)
• Targeted
- Exchange or provide charger to target
- Modify environment of target
(e.g., airplane seat, hotel room)

18. Fixing the problems

19. Fixing the problems
• Charger? Computer?
• Provisioning profile abuse
- Use CAPTCHA
• Over-privileged USB capabilities
• Third party hidden apps considered harmful

20. Mactans concept
• Not a jailbreak
• Automatic
• Stealthy
• Powerful

21. Q&A