US-B Careful: Public iPhone Chargers Lie in Wait

I’ve mentioned many times about the dangers of connecting to public Wi-Fi, but who would have thought that connecting your phone to a public USB charger could expose you to similar malware dangers? Researchers at Georgia Tech have found a vulnerability in Apple’s iPhone that allows for malicious apps to be installed—without ever downloading from or even visiting an app store. The malicious app, installed via a compromised USB charger, works like most other malware—commandeering your device to access banking login information, listen in on phone calls, and even remotely control your device. Where the difference lies is how it gets onto your iPhone.

First, the Georgia Tech researchers needed security clearance from the team at Apple in order to test their theory. So, they created an app that looked and operated just like Facebook. The only difference? This Facebook lookalike had a hidden piece of code containing malware. Once they had this clearance, the team went to work on building a method for deploying the malware onto devices—that’s where the iPhone charger comes in.

The experimental malware is activated and released when an unsuspecting victim plugs his or her iPhone in for a charge to a public USB port that is connected to a hidden computer, most likely behind the wall where the charger is plugged in. iPhones locked with a personal identification number (PIN) or passcode will not be breached. However, if the phone is unlocked (even for a second), the malicious app is activated.

Once the charging iPhone is unlocked, the hacker is able to use the faux Facebook app (downloaded onto the phone through the USB charger) to operate the device remotely—making calls, viewing passwords, changing settings, and more. These types of threats are referred to as “AutoRun” threats, and are commonly spread via USB drives. These threats are particularly dangerous as they execute automatically when the corrupted drive is plugged in to a computer, tablet or in this case, an iPhone. Our McAfee Threats Report: Second Quarter 2013 found that this type of attack doubled from 2012 to 2013, and continues to be on the rise—meaning education and caution is key to avoidance.

Thankfully, this particular iPhone threat was staged, created by members of the Georgia Tech Security Information Center, in order to test a suspected weakness in the Apple device. What it demonstrates, however, is a very real weakness ripe for cybercriminal exploitation.

Apple recently bulked up its security offerings with a number of updates, including fingerprint activated locking software. But all the front-end security in place will not protect users from such invasions once their Apple device is unlocked while plugged into these dangerous chargers. To ensure you’re not a victim of an iPhone takeover or any other type of USB malware, I encourage you to abide by the tips below:

• Avoid using public charging stations. Apple has updated its software to warn users when connecting to unfamiliar (or not Apple produced) USB chargers. Ignore this warning, and you may be in trouble. When in a coffee shop, airport, or any other public space, think twice before plugging your device into a public charger.
• Don’t unlock your device while charging. In the event that you’re stuck somewhere with a dead phone and must use a publicly available charger to get some power—be sure to let your phone sit and charge without unlocking it. The action of unlocking an iPhone was key to the dissemination of this particular piece of malware.
• Check your iPhone Settings. If you’ve connected to a public USB cord in the past and want to be sure that your device has not been compromised, go to Settings > General > Profiles on your iPhone. If you see any unfamiliar names in the list, remove them at once.
• Only download apps from trusted sources. While this malicious app was installed through a USB cord, always exercise caution when downloading apps on your own (even over Wi-Fi). Stick to official app stores to avoid falling victim to malware-laden apps.
• Install comprehensive security on all of your devices. To protect your smartphones, tablets, PCs, and Macs from the ever-evolving tactics of cybercriminals, invest in a complete solution like McAfee LiveSafe™ service. This software will keep all of your devices protected from the latest forms of malware, spyware, and other sneaky viruses as well as protect your identity and all your valuable data.