Injecting Malware into iOS Devices via Malicious Chargers 2 - Overview of the Mactans Attack
Billy Lau and Yeongjin Jang continue their Black Hat talk by describing the Mactans attack proper, including the charger’s properties and the attack phases.
Billy Lau: Now I shall guide you through a step-by-step introduction to Mactans. Basically, Mactans challenges the very fundamental security assumptions that people make when they are performing their day-to-day tasks, in particular charging their devices and using the devices while they are being charged. Mactans leverages exactly this to exploit the weaknesses that we found in order to then install arbitrary malicious apps.
With this concept, we have implemented a prototype on a BeagleBoard, as you can see here. We’ve chosen the BeagleBoard largely because it is open-source and commercially available. This shows that such an attack really has a very low entry barrier. As you can see here, the BeagleBoard comes with a USB port, which becomes the interface to plug in the USB-to-Lightning cable and then use it to charge the device. Now, for a moment you may think that this does not at all look like Apple’s original charger.
Now, with that in mind, let me first guide you through a high-level overview of what happens when a user has connected his or her device to the Mactans charger. So, #1 – Mactans will immediately obtain the device UDID. With the device UDID, it will then generate an appropriate provisioning profile. Then it waits for an opportunity to pair with the device. Once the pairing is done, it will then install the generated provisioning profile. After the provisioning profile has been successfully installed, Mactans can install any malicious app that it wants.
Now, to cover these terms I mentioned – UDID, provisioning profile and so on – my colleague Yeongjin will take over to go into further detail.
Yeongjin Jang: The next step is pairing with the device. To interact with an iDevice through a USB connection, Mactans is required to be paired with the device. So, once it is connected, Mactans will try to pair with it. This pairing step is for exchanging a session key, which is used for encrypting the further communication. In this pairing, we leverage two weaknesses. One is that during this pairing the iDevices do not do any authentication of the USB host that initiates it. So, if the devices are available for pairing and any USB host initiates the pairing, then they cannot reject it. And also, it does not ask for the user’s permission, nor does it give any visual indication of this pairing.
There is one protection mechanism for this pairing, that is, the pairing can only be done when the device is passcode-unlocked. But every iDevice is shipped without a passcode by default; in that case, if it is connected to Mactans, then it will be automatically paired and Mactans can launch the attack. Or, for a more general case, if the device is set with a passcode and that device is passcode-unlocked while connected to Mactans, it will be automatically paired. Or it is connected while it is locked, but the user unlocks it to, for example, reply to an SMS or send a Facebook message – then it will be automatically paired.
So another weakness comes in at this stage: once it is paired, the connection will remain permanently, and it can be used whether or not the device is locked. So, if Mactans can get any moment for the pairing while the device is charging, then the pairing is done and Mactans can launch the attack. For preventing the Mactans attack, the only way is to keep the device locked before the charging, plug it in and keep it locked for the entire time of the charging. Then Mactans cannot do the pairing and it will not deploy the attack.