Malicious code can be surreptitiously planted on the Apple App Store and then downloaded by iOS devices, researchers have shown at BlackHat in Las Vegas, where they also showed how a bespoke charger could be used to hack an iPhone.
Like polymorphic malware, the “Jekyll” proof-of-concept code introduces new functionality that is not checked during Apple’s approval process.
“Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge.”
But they went one step further in their attempts to hack iOS machines. As reported by TechWeek in June, Billy Lau, another GTISC researcher, created a malicious charger, built with a BeagleBoard, a low-power open-source hardware single-board computer, not too dissimilar from a Raspberry Pi.
The “Mactans” charger was able to install a malicious app on an iPhone in just 60 seconds, requiring neither a jailbreak nor user interaction.
Apple is fixing that flaw in iOS 7, notifying users when they plug their mobile device into any peripheral that attempts to establish a data connection. There is no release date for iOS 7 yet, but it will arrive this autumn. Until then, devices are vulnerable.
But it is continuing to work on the Jekyll flaws. “These results are concerning and challenge previous assumptions of iOS device security,” said GTISC associate director Paul Royal. “However, we’re pleased that Apple has responded to some of these weaknesses and hope that they will address our other concerns in future updates.”
What do you know about Internet security? Find out with our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…