T1458 Exploit via Charging Station or PC
If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device’s battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection1.
Previous demonstrations have included:
- Injecting malicious applications into iOS devices2.
- Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location3.
- Exploiting Android devices such as the Google Pixel 2 over USB4.
Products from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices5.
| Item | Value |
|---|---|
| ID | T1458 |
| Sub-techniques | |
| Tactics | TA0027 |
| Platforms | Android, iOS |
| Version | 1.1 |
| Created | 25 October 2017 |
| Last Modified | 03 February 2019 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| S0315 | DualToy | DualToy side loads malicious or risky apps to both Android and iOS devices via a USB connection.8 |
| S0312 | WireLurker | WireLurker monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.7 |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1012 | Enterprise Policy | Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). |
| M1003 | Lock Bootloader | - |
| M1001 | Security Updates | - |
| M1006 | Use Recent OS Version | Newer OS versions generally will include security patches against discovered vulnerabilities that become known to the vendor. Additionally, iOS 11.4.1 and higher introduce USB Restricted Mode, which under certain conditions disables data access through the device’s charging port (making the port only usable for power), likely preventing this technique from working.6 |
| M1011 | User Guidance | Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary. |
References
-
Brian Krebs. (2011, August 17). Beware of Juice-Jacking. Retrieved December 23, 2016. ↩
-
Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016. ↩
-
Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. Retrieved January 11, 2017. ↩
-
Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018. ↩
-
Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018. ↩
-
Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018. ↩
-
Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017. ↩
-
Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017. ↩