www.maxconsole.com - 29.08.2015
 
 
     
Apple updates iOS7 to block Fake Chargers!    

Added by garyopa on 2.08.2013

Trusting iPhones plugged into bogus chargers get a dose of malware

iPhones will pretty much trust any computer they're plugged into, but now the new iOS7 update will pop up a warning screen asking if the user wishes to 'trust' this computer or not, when charging!

 


We reported on the 'bogus fake chargers' hack a month or so ago on our MaxConsole Underground Forums. Apple has now responded, saying it has updated iOS7: the latest version, currently being tested by developers, will pop up a warning screen asking if the user should 'trust' this computer. Hopefully that will make users more aware that the device they are plugging into is more than just a charger.

Plugging your phone into a charger should be pretty safe to do. It should fill your phone with electricity, not malware. But researchers from Georgia Institute of Technology have produced fake chargers they've named Mactans that do more than just charge your phone: they install custom, malicious applications onto iPhones.

Their bogus chargers (which do, incidentally, charge the phone) contain small computers instead of mere transformers. The iPhone treats these computers just as it does any other computer, but instead of just charging, it responds to USB commands. It turns out that the iPhone is very trusting of USB-attached computers; as long as the iPhone is unlocked (if only for a split second) while attached to a USB host, then the host has considerable control over the iPhone.

The researchers used their USB host to install an app package onto any iPhone that gets plugged in. iOS guards against installation of arbitrary applications with a strict sandboxing system, a feature that has led to the widespread practice of jailbreaking. This attack doesn't need to jailbreak, however.

Instead, it takes advantage of the system that Apple devised to permit developers to deploy applications to their own devices for testing purposes. Deploying such applications requires the creation of a provisioning profile. A provisioning profile identifies a specific phone and a specific application, allowing the named application to run on the named device. These provisioning profiles are generated by Apple and installed over USB.

The malicious charger interrogates the attached iPhone to read its UDID, the unique ID number that identifies a particular iPhone. It then sends the UDID to Apple's Web page that generates provisioning profiles. With the provisioning profile in hand, it can deploy the provisioning profile to the phone, and then deploy the malicious app identified by the provisioning profile.

Though the malicious app is still sandboxed, it doesn't have to pass through Apple's normal application vetting process, and so it can still do plenty of useful malicious things. The demonstration showed a malicious Facebook app that replaced the real Facebook app with a trojaned version. The trojaned version could then do things like take screenshots of the iPhone whenever passwords are being entered, and simulate key presses to, for example, dial numbers without user intervention.

There are limits to this kind of attack. As well as requiring the phone's screen to be unlocked, the generation of the provisioning profile requires the attacker to have a valid developer account. Each developer account can only generate provisioning profiles for 100 different phones, and there's no facility to remove a UDID that's associated with a developer's account.

This will tend to limit the attacks to specific ones against individual users, rather than widespread, indiscriminate attacking. In principle, a Mactans charger could be made to look identical to an official Apple charger; a suitably motivated attacker could replace proper chargers with the malicious chargers to attack targets' phones.
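Because the attack leaves a provisioning profile naming the victim's UDID on the phone, a defender can audit installed profiles for ones issued by an unexpected developer team. The following is an added example, not code from the article or the researchers: it reads the plist embedded in a `.mobileprovision` blob (keys `Name`, `TeamIdentifier`, `ProvisionedDevices`, `Entitlements`) without verifying its signature, and all team IDs, bundle IDs and UDIDs are constructed sample values.

```python
import plistlib

def extract_plist(blob: bytes) -> dict:
    """Pull the XML plist out of a signed profile blob (signature NOT verified)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def audit_profile(blob: bytes, device_udid: str, trusted_teams: set) -> dict:
    """Report whether a profile targets this device and who issued it."""
    p = extract_plist(blob)
    teams = set(p.get("TeamIdentifier", []))
    targets = device_udid in p.get("ProvisionedDevices", [])
    return {
        "name": p.get("Name", "?"),
        "app_id": p.get("Entitlements", {}).get("application-identifier", "?"),
        "teams": sorted(teams),
        "targets_device": targets,
        # Bound to this phone, yet not issued by a team we expect.
        "unexpected": targets and not (teams & trusted_teams),
    }

def _sample(name, team, bundle, udids):
    """Constructed test data: plist wrapped in stand-in signature bytes."""
    body = plistlib.dumps({
        "Name": name, "TeamIdentifier": [team],
        "ProvisionedDevices": udids,
        "Entitlements": {"application-identifier": f"{team}.{bundle}"},
    })
    return b"\x30\x82\x0c\x00" + body + b"\x31\x82\x01\x00"

DEVICE = "0" * 39 + "1"          # constructed 40-hex-character UDID
TRUSTED = {"CORPTEAM01"}         # hypothetical team ID the owner expects
PROFILES = [
    _sample("Corp internal build", "CORPTEAM01", "com.example.corpapp", [DEVICE]),
    _sample("Unknown dev profile", "XXXXXXXXXX", "com.example.lookalike", [DEVICE]),
    _sample("Other phone only", "XXXXXXXXXX", "com.example.other", ["f" * 40]),
]

def flagged(profiles=PROFILES):
    """Names of profiles that target DEVICE but come from an untrusted team."""
    reports = (audit_profile(b, DEVICE, TRUSTED) for b in profiles)
    return [r["name"] for r in reports if r["unexpected"]]

if __name__ == "__main__":
    for blob in PROFILES:
        print(audit_profile(blob, DEVICE, TRUSTED))
```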

Apple has responded to this research by making the iPhone a little less trusting. Instead of trusting any USB host that it's connected to, iOS 7 will prompt users the first time, asking if they want to trust the currently connected computer. This notification will immediately disclose that a charger isn't a charger at all, but in fact a Mactans-like device.

 



