The Wirelurker threat to iOS devices

Scott Matteson
Updated

It's simply a fact of life nowadays that every operating system, application or possibly even hardware component could be subject to vulnerabilities and security threats, whether known or unknown. Apple's turn on the merry-go-round came up last week thanks to an outburst of malware called Wirelurker.

Wirelurker hit hundreds of thousands of iOS devices through a Chinese third-party app provider that was delivering pirated programs. It installed itself as a system component using code obfuscation to make thwart detection, waited for other devices to connect via USB, then grabbed private data such as the device serial number, iTunes information, and phone number and sent it to another server. Often other unwanted apps were installed as well, adding to the mayhem. Apple pulled the plug on the problem by blocking the related applications from launching (revoking related certificates is another mechanism they can use), so at present it appears Wirelurker has been neutralized. However, if you'd like to check to be sure, here is a script provided by GitHub to detect WireLurker malware.

You could argue that this is no big deal since it happened elsewhere in the world, users who install pirated apps get what's coming to them (although to be fair sometimes users don't even know for a fact that the software was pirated), and Apple handled the situation. However, the overall implications of Wirelurker are worth analyzing. As many malicious programs will do, Wirelurker succeeded by taking advantage of something that's supposed to facilitate easy usage: in this case it compromised the iOS pairing mechanism. This is only the second time in history that malware has managed to target iOS devices via USB, and it is the first time malware has been capable of automatically creating malicious iOS applications or to infect existing iOS applications. Perhaps even more significant is the fact this is the first malware to install other applications on iOS devices which have not been jailbroken. In short, expect to see more stuff like this.

What's to be done?

It's not enough to wait for Apple (or some other John Wayne) to ride to the rescue. Standard common-sense security precautions apply here. Keep your iOS device up to date with the latest software releases and use a regularly updated anti-malware product on your devices/computers. Don't download apps from suspicious sources (at the very least research the app and the source to see if it's being negatively reported for malware). It's worth stating that one common security tip is "Don't jailbreak your iOS device" but as I stated these devices didn't have to be jailbroken to be impacted by Wirelurker. If you do jailbreak your device, only use credible sources and don't keep any sensitive personal information on it. And finally, don't pair your device with anything not 100% trustworthy, and don't power it up from an unknown source.

This last might be tricky. I'm sure many of us have taken advantage of free public charging stations; battery requirements such as while on coast-to-coast flights with layovers pretty much demand it. With that in mind, I've been evaluating Charge Defense's Juice-Jack Defender, which I recently purchased.

juice-jack.png
juice-jack.png

 Image: ChargeDefense.com

Juice-Jack defender protects your device from unwanted access while charging, which makes it especially handy in public locations. There is a standard version (charges at 500mA or milliamp) and a turbo version which charges devices faster (up to 1 amp). I purchased the turbo version and can definitely state that it resuscitates my devices more rapidly than a standard power adapter.

I had a chat via email with the President of ChargeDefense, Stuart McCafferty, regarding how Juice-Jack works to protect devices while charging them from unknown sources. He told me:

"The Juice Jack Defender® is engineered to ensure that no data synchronization is possible. It has no memory or processing capabilities, so there is no possibility of infecting the Juice Jack Defender®. It is 100% secure. And, it not only works on WireLurker, but it will protect you from every juice-jack malware that comes along. Guaranteed. We had an extensive beta testing program with 200 testers over an 8 month period. The Juice-Jack Defender® worked on every mobile device tested - smart phones, tablets, phablets . . . Android, iOS, Blackberry . . . everything. The product is being tested by the US government to use throughout government agencies to protect its employees while traveling or charging their devices at their desk. With the trend being more and more mobile charging stations and less and less electrical outlets, having a $15 Juice-Jack Defender in your pocket gives travelers, business people, home users, government, and students a cheap, universal solution that always protects and also speeds up the charge cycle on your mobile devices."

Looking ahead

Wirelurker wasn't necessarily a big surprise to everyone; Mr. McCafferty informed me that "this form of malware and identity theft code was predicted and warnings were placed by Black Hat, an international ethical hacker user group, that this form of attack was inevitable. WireLurker is just the first to go rogue on a global scale and capture the attention of the media." To paraphrase the old saying, when one door closes a window opens. As we wait for the next Wirelurker to float down the river I recommend keeping current with security advisories and exploit news - sites I myself rely on (besides Tech Republic, of course) are Security Week, Dark Reading, and the CIO Security page. Until then, as they said in the 1951 film "The Thing from Another World," keep watching the skies.