Apple Fixes Threat from Fake iPhone Chargers in iOS 7 [Update]


Apple is addressing the threat from maliciously crafted, fake USB-based iPhone chargers in iOS 7. Security researchers announced in June that they had discovered how to hack an iPhone using a Linux computer disguised as a charger. The team demonstrated that technique at this week's Black Hat conference in Las Vegas, and Apple has said it will address the issue in iOS 7.


"Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software," the researchers wrote in their Black Hat presentation description in June. "All users are affected, as our approach requires neither a jailbroken device nor user interaction."

Reuters covered the news from Las Vegas, where the team successfully demonstrated their attack using a device that cost $40 to make and took a week to design. They used it to automatically infect an iPhone with software that then successfully called another phone without user interaction.

A real attacker could use all manner of software that would completely take over your iPhone, give the attacker remote control over it, access emails, contact info, or text messages, log your passwords, or, scariest of all, use it to track your location.

Apple said that the problem will be eliminated in iOS 7 by alerting users that they are connecting their iOS device to a computer, whether or not it looks like a computer. Android does this in current versions of the mobile operating system.

iOS 7 beta 4 users are asked whether they want to "Trust the currently connected computer?", a prompt that requires user action. If your iPhone is locked, that user interaction won't be possible until it is unlocked. Ars Technica posted a screenshot of the warning.

Apple made the rare move of acknowledging the security researchers in a statement given to Reuters, which said, "We would like to thank the researchers for their valuable input."

[Updated with more specifics on the iOS 7 changes. - Editor]

Image made with help from Shutterstock.


The reality is that this particular exploit has very limited exposure. There simply aren't that many times when people approach a stranger so that they can charge their iPhone or iPad. People ask friends or coworkers for such things far more than strangers, and it would be lovely to think that those circles have a lower incidence of malicious hackers in their numbers.

You never know, of course, and it does happen—we can see a motivated bad guy hanging out at a busy coffee shop and looking for people in need of a charger. We can also see the potential for the bad guys simply picking up a target phone and plugging it into their "charger" under the guise of, "Oops, I thought this was mine," and boom, the damage is done.

Accordingly, it's nifty that Apple is addressing the issue in iOS 7. We'd also like to see it fixed in iOS 6. Apple has historically seen iPhone users upgrade to the newest version of iOS in staggeringly high numbers, but eliminating this problem across the board seems the wiser choice.


Comments

Lee Dronick

The risk is probably very low, but best to protect against it. There are public chargers in airport terminals, after disasters such as hurricanes and such.

mrmwebmax


There are also automated kiosks called ecoATMs (Google ecoATM) that provide instant cash for used electronics such as smartphones. These have courtesy chargers as well. One’s in a mall not far from where I live. I never would have thought twice about using the charger if I had to, but would certainly hesitate now because of the iOS flaw.

webjprgm

“by alerting the user they are connecting their iOS device to a computer, whether or not it looks like a computer.”

I don’t see how this fixes the flaw. It sounds like it just alerts the user, who will most likely ignore it or be confused by it. It also doesn’t fix the case you suggested of a person plugging your phone into their charger with an “oops I thought this was mine” because they would just tap to accept the charger.

Bryan Chaffin

webjprgm, I added some information that hopefully clears this up. The warning requires user interaction, so locked phones should be protected. The current wording (iOS 7 is still in beta as of this writing) makes it clear you’re connecting to a computer, too.

I think that combo will greatly limit exposure to this issue. Security researchers haven’t had time to have a go at it, though, so we’ll have to see.

Leo Da Vinci

I have never needed to charge my phone outside my home. Granted, I don’t use my phone that much at all, not compared to others. I prefer the iPad for my browsing & entertainment….

I will say that’s one heck of a clever way to get your info. Hey need a charge, zip, got all your info & making calls & texting people. I also don’t keep any of my personal info on my phone or iPad. I just don’t trust it like that, but the way things are heading, may not be able to avoid it forever…..

Eric West

Now that IOS7 has been put into production, this particular security feature is a real PITA! It ALWAYS asks when connecting to my work PC. It does not remember the TRUST action. It ALWAYS asks. I think it is an overzealous security patch. After all, I am the one plugging MY PHONE into MY COMPUTER. I will accept the consequences of my faults. Apple shouldn’t. So remove this silly feature, please Apple.

Greg Cox

Some lazy ass Apple [explicative deleted]... If a device was hacked from a windows client, would they blacklist windows and not look back? Apple can [childish vulgarity deleted].
