Billy Lau and Yeongjin Jang continue their Black Hat talk by describing the Mactans attack proper, including the charger’s properties and the attack phases.
Billy Lau: Now I shall guide you through a step-by-step introduction to Mactans. Basically, Mactans challenges the very fundamental security assumptions that people make when they are performing their day-to-day tasks, in particular, charging their devices and using the devices when they are being charged, because Mactans exactly leverages this to exploit the weaknesses that we find in order to then install arbitrary malicious apps.
So, conceptually, let’s answer a few questions about what Mactans is and what Mactans is not. I must really emphasize: what makes Mactans unique is that, firstly, it is not a jailbreak: it does not require the target device to be jailbroken before a Mactans attack can happen, nor does it cause the phone to be jailbroken after a Mactans attack has happened. The attack is very automatic – by simply connecting the device to the Mactans charger, the attack is done. And during the Mactans attack, it’s very stealthy – basically, even if the user looks at the screen, there are no visible clues that something suspicious is going on. Last but not least, Mactans delivers a very powerful attack, because unlike the conventional, traditional way of downloading an app from the App Store, the arbitrary apps that Mactans installs onto a target device can really do malicious things that other apps cannot do, which you will see in a short video demo later in this talk.
With this concept, we have implemented a prototype with a BeagleBoard, as you can see here. We’ve chosen the BeagleBoard largely because it is open-source and it is commercially available. This shows that such an attack really has a very low entry barrier. As you can see here, the BeagleBoard comes with a USB port, which becomes the interface to plug in the USB-to-Lightning cable and then use it to charge the device. Now, for a moment you may think that this does not at all look like Apple’s original charger.
But please do not be fixated on the form because, as you can see here (see left-hand image), there are so many other forms of, basically, minicomputers that can be so much smaller. In fact, with today’s technology we can fabricate chips with x86 processing power the size of only the tip of the index finger. So, really, size does not matter. We just chose that because of time constraints and a small financial budget.
Now, with that in mind, let me first guide you through a high-level overview of what happens when a user has connected his or her device to the Mactans charger. So, #1 – Mactans will immediately obtain the device UDID. With the device UDID, it will then generate an appropriate provisioning profile. Then it waits for an opportunity to pair with the device. Once the pairing is done, it will then install the generated provisioning profile. After the provisioning profile has been successfully installed, Mactans can install any arbitrary malicious app that it wants.
Now, to cover these terms I mentioned – UDID, provisioning profile and so on – my colleague Yeongjin will take over to go into further detail.
Yeongjin Jang: Hello audience. I will now talk about the technical details of the Mactans attack. The first step of the Mactans attack is getting the UDID, which stands for Universal Device Identifier. It is a unique identifier for distinguishing iDevices. Apple uses this UDID for registering a device to a certain developer’s license for development purposes. It is quite sensitive information, because if anyone can get hold of it then they can register someone’s device as a development device. However, obtaining the UDID is quite trivial. We don’t know the reason, but Apple exposed this UDID as a USB serial number. So, right after connecting with the USB cable, it is automatically sent to the USB host as a USB device description header, so anyone can get this number by connecting it and just typing ‘lsusb’ – it will print out the UDID.
The next step is pairing with the device. To interact with an iDevice through a USB connection, Mactans needs to be paired with the device. So, once it is connected, Mactans will try to pair with it. This pairing step is for exchanging a session key, which is used for encrypting further communication. In this pairing, we leverage two weaknesses. One is that, in this pairing, the iDevices do not do any authentication of the USB host that initiates the pairing. So, if the devices are available for the pairing and any USB host initiates the pairing, then they cannot reject it. And also, it does not ask for the user’s permission, nor does it give any visual indication of this pairing.
There is one protection mechanism for this pairing, that is, the pairing can only be done when the device is passcode-unlocked. But every iDevice is shipped without a passcode by default; in that case, if it is connected to Mactans, then it will be automatically paired and Mactans can launch the attack. Or, for a more general case, if the device is set with a passcode and that device is passcode-unlocked and connected to Mactans, then it will be automatically paired. Or it is connected while it is locked, but the user unlocks it to, for example, reply to an SMS or send a Facebook message – then it will be automatically paired.
So another weakness comes in at this stage: once it is paired, the connection will remain permanently and can be used whether or not the device is locked. So, if Mactans can get any moment for the pairing while the device is charging, then the pairing is done and Mactans can launch the attack. The only way to prevent the Mactans attack is to keep the device locked before the charging, plug it in and keep it locked the entire time of the charging. Then Mactans cannot do the pairing and it will not deploy the attack.
After the pairing, Mactans can do anything that can be done through the USB connection. Simply put, it is what iTunes or Xcode can do. For example, it can get some device information, install and remove apps and provisioning profiles, back up and restore; or it can also do debugging. But for a Mactans attack, we specifically exploit the second feature – installing and removing apps and provisioning profiles – to inject our own signed code into the device.