Apple fixing bug that allows fake charging stations to hack iPhones

LAS VEGAS Wed Jul 31, 2013 9:52pm EDT

An iPhone 5 is pictured on display at an Apple Store in Pasadena, California July 22, 2013. REUTERS/Mario Anzuoni


LAS VEGAS (Reuters) - Apple Inc's next software update for its iPhones and iPads will fix a security flaw that allows hackers to engage in spying and cyber crimes when the victim connects the device to a fake charging station, the company said on Wednesday.

Apple's devices are vulnerable to attacks until the company releases its iOS 7 software update, which is slated for this fall.

Three computer scientists, who alerted Apple to the problem earlier this year, demonstrated the security vulnerability at the Black Hat hacking convention in Las Vegas on Wednesday, where some 7,000 security professionals are learning about the latest threats posed by computer hacking.

Apple said the issue had been fixed in the latest beta of iOS 7, which has already been released to software developers.

"We would like to thank the researchers for their valuable input," Apple spokesman Tom Neumayr said.

The work was done by Billy Lau, a research scientist at the Georgia Institute of Technology, and graduate students Yeongjin Jang and Chengyu Song.

In a demonstration at the hacking conference, they plugged an iPhone into a custom-built charger they equipped with a tiny Linux computer that was programmed to attack iOS devices. They said it cost about $45 to buy and a week to design.

It infected the phone with a computer virus designed to dial the phone of one of the researchers, which it did.

They said that real-world cyber criminals might build viruses that would give them remote control of the devices. That would enable them to take screen shots for stealing banking passwords and credit card numbers. They could also access emails, texts and contact information or track the location of the phone's owner, Lau said.

"It can become a spying tool," said Lau.

Lau said they were publicizing the issue in the spirit of "white hat" hacking, which is finding security bugs so that manufacturers can fix them before criminals exploit them.

"Security doesn't work if you bury problems," he told Reuters on the sidelines of the press conference.

Lau said that devices running Google Inc's Android operating system are not vulnerable to the same types of attack because they warn users if they plug devices into a computer, even one posing as a charging station.

After Apple's iOS 7 software update, a message will pop up to alert the user that they are connecting to a computer, not an ordinary charger, he said.

(Reporting by Jim Finkle; Editing by Lisa Shumaker)

Comments (4)
RD137 wrote:
Makes one wonder how many phones have been hacked.

Aug 01, 2013 7:32am EDT
mrnulldevice wrote:
Probably not many, since in order to hack it this way, a hacker would need physical access to the phone through a charger. I don’t know of too many smartphone users who don’t use their own chargers. Maybe if someone bought a cheap knockoff charger, but still…as hacks go it’s one of the more difficult ones to pull off.

Aug 01, 2013 10:02am EDT
marbl wrote:
Why would a charger go anywhere except to the battery?

Aug 01, 2013 5:18pm EDT