Researchers Tielei Wang and Billy Lau, of the Georgia Tech Information Security Center (GTISC), recently identified two vulnerabilities in the security of iOS mobile devices within online applications and charging devices.
The two researchers validated these weaknesses through the use of a malicious app called Jekyll and a charger, referred to as a Mactan. When they were applied for testing devices, the iOS system fell victim to the malware.
Wang’s team used a Trojan Horse-styled app that would hide malicious coding during the Apple’s standard review process.
“We created a malicious app, but it looks benign. We submitted it to Apple where they reviewed, but they could not see that it was malicious. Finally, the app appeared in the app store. According to our testing device, we could launch our attack, so that if other users download the app, we can attack them,” Wang said.
Under Billy Lau’s team, Wang and other researchers looked into whether chargers could be created to insert malware into iOS devices. Using Mactans, or chargers with small single-board computers, the team investigated the possibility.
“Our theory was to prove the malicious charger could act like a malicious computer and when you plug your iOS device into the charger, it can change your device into the developer model and inject an inoperable app,” Wang said. “For example, it can replace your Facebook or Angry Birds app with malware and make you think you are still using the same thing.”
After proving the weaknesses in the iOS platform, Wang and Lau informed Apple Inc., and the company reacted by placing appropriate adjustments in iOS 7.
With many Tech students in possession of iOS mobile devices, some students are surprised by the ways in which malware can be overlooked or transferred.
“I guess like anybody I’d be scared because when I bought a Mac, I was against PC because I thought they usually get more viruses than iOS devices,” said Earlvin Solomero, a third-year CE major, “I guess things are catching up to us.”
While some students are not surprised about malware in online apps, many are unaware that malware can be transferred through chargers and interested in such a discovery at Tech.
“The apps online part is not all that surprising, but getting them through a charger is a bit surprising because you don’t think that information could go through your charger port,” said Jordan Hunt, a second-year CE major, “It seems interesting to me that all these things avu wouldn’t see every day and how Tech is a major place for research.”
“I think that any information system can be vulnerable and if you care about security, you should be very cautious and not put one hundred percent confidence in a system,” Wang said.
“For security researchers, we should not believe what the companies or media say because many people believe that some systems are invulnerable and we should challenge that.”