This year’s Black Hat security conference in Las Vegas revealed a serious security threat for iOS users. Researchers from the Georgia Institute of Technology demonstrated a charging device which can be used to invisibly install malware on a device running the latest version of Apple’s iOS. The charging device is small and cheap enough to manufacture that it could be installed in public places without the knowledge of management, and it poses a risk to travelers and users on the go.

The researchers’ malicious charger, or “Mactans”, as they call it, is built from a three-inch open-source single-board computer that sells for less than $100. The device is larger than a normal Apple AC adapter, but not by much; the researchers stress that it wouldn’t be difficult to reduce the size further. Because iOS devices use a universal USB port for charging, any device they are connected to gains access to the device’s operating system. This means that if your device isn’t passcode-locked before you plug it in, or if you try to use it while it’s charging, Mactans can attack.

“Mactans challenges the very fundamental security assumptions that people make,” said Billy Lau, one of the researchers giving the presentation. “In particular, people assume it’s safe to charge the device and use it when charging.” He continued, “I must emphasize that this is not a jailbreak, and it does not require a jailbreak. The attack is automatic; simply connecting the device is enough. It’s stealthy. Even if the user looks at the screen there’s no visible sign. And it can install malicious apps on the target device.”

The Mactans researchers have contacted Apple with their work, though they are still waiting to hear back. As it stands now, any iOS device is vulnerable to a Mactans attack. The only sure defense is to avoid using public charging terminals and, if you don’t recognize a charging cord, not to use it.

– Richard Keene
IT Computer Support of New York
Webmaster and Lead Designer