cross pond high tech
light views on high tech in both Europe and US
Scooped by Philippe J DEWOST

(Xcode)Ghost in the Machine: Apple, Developers Unwittingly Aid App Store Malware


Tens, if not hundreds of thousands of non-jailbroken devices are believed infected after a Trojan compiler malware struck in China.


It involves a maliciously modified version of the Xcode integrated development environment (IDE) -- a nasty trick that places it among a family of malware known as "compiler malware". While not a wholly new strategy, this is the first time that we've seen proof of such a strategy being used to target the iOS crowd. It's also remarkable in its ability not only to threaten users of non-jailbroken devices but every version of iOS, as well.


And by the looks of it, it's a very successful one indeed, as it in effect transforms Apple's walled garden and singular source -- an approach that for so long helped to secure Apple's userbase -- into a digital weapon to attack users. After all, developers trust Xcode -- they have to because they have no other choice. But if they get their copy of Apple's software from a third party (as many even in the U.S. do) they may find their apps secretly Trojanized.


And to make matters worse, in this case Apple is the Trojan dealer, not some sketchy piracy site. iOS users trust the App Store -- because they have to. Officially, Apple contends any other source of apps for the iPhone is illegal. But in this recent breach Apple was very cleverly -- and some would say alarmingly easily -- tricked into distributing malware to 25,000+ iPhone owners.

Philippe J DEWOST's insight:

Babel minute 6: Very interesting piece putting Apple iOS security in context, and explaining what led Apple to currently clean its App Store from infected apps.

Scooped by Philippe J DEWOST

USB has a huge security problem that could take years to fix


In July, researchers Karsten Nohl and Jakob Lell announced that they'd found a critical security flaw they called BadUSB, allowing attackers to smuggle malware on the devices effectively undetected. Even worse, there didn't seem to be a clear fix for the attack. Anyone who plugged in a USB stick was opening themselves up to the attack, and because the bad code was residing in USB firmware, it was hard to protect against it without completely redesigning the system. The only good news was that Nohl and Lell didn't publish the code, so the industry had some time to prepare for a world without USB.

As of this week, that's no longer true. In a joint talk at DerbyCon, Adam Caudill and Brandon Wilson announced they had successfully reverse-engineered BadUSB, and they didn't share Nohl and Lell's concerns about publishing the code. The pair has published the code on GitHub, and demonstrated various uses for it, including an attack that takes over a user's keyboard input and turns control over to the attacker. According to Caudill, the motive for the release was to put pressure on manufacturers. "If the only people who can do this are those with significant budgets, the manufacturers will never do anything about it," he told Wired's Andy Greenberg. "You have to prove to the world that it’s practical, that anyone can do it."

Philippe J DEWOST's insight:

Repeat after me: "I will not accept any USB drive from strangers"
