Malicious code can be surreptitiously planted on the Apple App Store and then downloaded by iOS devices, researchers have shown at BlackHat in Las Vegas, where they also showed how a bespoke charger could be used to hack an iPhone.
Like polymorphic malware, the “Jekyll” proof-of-concept code introduces new functionality that is not checked during Apple’s approval process.
“Our research shows that despite running inside the iOS sandbox, a Jekyll-based app can successfully perform many malicious tasks, such as posting tweets, taking photos, sending email and SMS, and even attacking other apps – all without the user’s knowledge.”
But they went one step further in their attempts to hack iOS machines. As reported by TechWeek in June, Billy Lau, another GTISC researcher, created a malicious charger, built with a BeagleBoard, a low-power open-source hardware single-board computer, not too dissimilar from a Raspberry Pi.
The “Mactans” charger was able to install a malicious app on an iPhone in just 60 seconds, requiring neither a jailbreak nor user interaction.
Apple is fixing that flaw in iOS 7, notifying users when they plug their mobile device into any peripheral that attempts to establish a data connection. There is no release date for iOS 7 yet, but it will arrive this autumn. Until then, devices are vulnerable.
But it is continuing to work on the Jekyll flaws. “These results are concerning and challenge previous assumptions of iOS device security,” said GTISC associate director Paul Royal. “However, we’re pleased that Apple has responded to some of these weaknesses and hope that they will address our other concerns in future updates.”
What do you know about Internet security? Find out with our quiz!
Most people in the United States view TikTok as a Chinese influence tool a poll…
UK regulator confirms it is investigating whether OnlyFans is doing enough to prevent children accessing…
Dismissed staff file complaint with a US labor board, and allege Google unlawfully terminated their…
Elon Musk dismisses two senior Tesla executives, plus the entire division that runs Tesla's Supercharger…
Eight newspaper publishers in the US allege Microsoft and OpenAI used their millions of their…
US judge sentences Binance founder, Changpeng Zhao, to four months in prison for ignoring money…