
iOS vulnerability uses 'mobileconfig' files to steal data

post #1 of 15
Thread Starter 
Security on Apple's iOS is notably tight, but an Israeli firm has pointed out that the profile system for iPads and iPhones could leave users open to remote attacks resulting in data theft.

[Image: sandboxing]


Israeli firm Skycure Security on Wednesday published a proof-of-concept vulnerability report on the company blog (via InformationWeek). Skycure's report shows how an attacker could leverage iOS configuration profiles, also known as mobileconfig files, to circumvent Apple's malware protections.

Malicious apps are filtered out in the App Store approval process, making it more difficult than on other platforms for them to get onto users' devices in the first place. Furthermore, iOS's sandboxing makes it difficult for apps to access anything outside their granted permissions. Mobileconfig files, though, sit outside that model: they are used by cellular carriers, Mobile Device Management (MDM) solutions, and some mobile applications to configure system-level settings on iOS devices, including Wi-Fi, VPN, email, and APN settings.

Skycure claims that, with a bit of social engineering, an attacker could get victims to download a malicious iOS profile. The attacker could do so by, for example, promising a user access to popular movies and TV shows on an attacker-controlled website. The user would install an iOS profile to "configure" their devices accordingly, and the attacker would then have access.

With such a profile installed on the victim's device, an attacker could route all of the victim's traffic through the attacker's server (via a VPN or proxy setting) or install a root certificate that the device will trust, allowing the attacker to intercept and decrypt connections that would otherwise be protected by SSL/TLS.

Skycure also notes that some AT&T stores, when signing up customers for pay-as-you-go accounts, were directing those customers to download and install a profile from unlockit.co.nz over an unencrypted (plain HTTP) channel. Installing that configuration is necessary to get onto AT&T's data network, but downloading a mobileconfig file in such a manner, Skycure says, leaves users wide open to man-in-the-middle attacks, especially when performed over a public Wi-Fi network: anyone able to tamper with that connection can substitute a profile of their own.

Skycure recommends that users only install profiles from trusted websites and applications, and only over a secure channel, indicated by an address beginning with https. The firm also recommends wariness whenever iOS presents a profile as not verified, meaning it is unsigned or signed by a certificate the device does not trust, calling that cause for suspicion.
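A practical way to apply that advice before tapping Install is to inspect the profile offline. The following Python script is an added example, not Skycure's or Apple's code: it parses a .mobileconfig (an XML property list, optionally wrapped in a CMS/PKCS#7 signature), flags the payload types that hand network or trust control to whoever issued the profile, and distinguishes a bare plist (which iOS labels "Not Verified") from a signed wrapper. The sample "free movies" lure profile, its hostnames, identifiers and certificate bytes are constructed placeholders; the wrapper check is structural only and does not validate the signature chain.

```python
"""Offline triage of an iOS .mobileconfig before tapping Install.

Added example, not Skycure's or Apple's code.  A profile is an XML property
list, optionally wrapped in a CMS/PKCS#7 signature.  This script flags the
payload types that hand network or trust control to the issuer (VPN, global
proxy, root CA, MDM, APN) and reports whether the file is a bare plist
(shown by iOS as "Not Verified") or a signed wrapper.
"""
import plistlib
import re
from typing import Tuple

# PayloadType strings are Apple's documented values; the one-line
# descriptions are this example's own wording.
RISKY_PAYLOADS = {
    "com.apple.vpn.managed": "VPN: can route all device traffic through the issuer's server",
    "com.apple.proxy.http.global": "Global HTTP proxy: all HTTP(S) traffic goes via the issuer's proxy",
    "com.apple.security.root": "Root CA: issuer can mint certificates the device trusts (TLS interception)",
    "com.apple.mdm": "MDM enrollment: remote management of the device",
    "com.apple.cellular": "Cellular/APN settings: may point mobile data at a carrier-side proxy",
}


def unwrap_cms(data: bytes) -> Tuple[bytes, bool]:
    """Return (plist_bytes, was_wrapped).

    A signed profile is DER-encoded CMS SignedData (first byte 0x30, an ASN.1
    SEQUENCE) that embeds the XML plist verbatim; an unsigned one starts with
    '<?xml'.  The plist is pulled out by its markers only -- the signature
    is NOT verified here (use openssl smime -verify for that).
    """
    if data.lstrip().startswith(b"<?xml"):
        return data, False
    if data[:1] == b"\x30":
        m = re.search(rb"<\?xml.*?</plist>", data, re.DOTALL)
        if m:
            return m.group(0), True
    raise ValueError("not a recognisable mobileconfig")


def audit_profile(data: bytes) -> dict:
    """Parse a profile and return its name, signing status and findings."""
    plist_bytes, wrapped = unwrap_cms(data)
    profile = plistlib.loads(plist_bytes)
    findings = []
    if not wrapped:
        findings.append("UNSIGNED: iOS will display this profile as 'Not Verified'")
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("PayloadRemovalDisallowed: the user cannot remove this profile")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append(f"{ptype}: {RISKY_PAYLOADS[ptype]}")
        # A Wi-Fi payload is benign by itself but may force a proxy on that SSID.
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType", "None") != "None":
            findings.append(f"{ptype}: SSID {payload.get('SSID_STR')!r} forces a "
                            f"{payload['ProxyType']} proxy")
    return {
        "name": profile.get("PayloadDisplayName"),
        "organization": profile.get("PayloadOrganization"),
        "signed_wrapper": wrapped,
        "findings": findings,
    }


def lure_profile() -> bytes:
    """Constructed 'free movies' lure of the kind the article describes.

    It really installs a VPN and a root CA.  Hostnames, UUIDs and the
    certificate bytes are placeholders, not real data.
    """
    cert_placeholder = b"\x30\x82\x01\x00placeholder-DER-not-a-real-certificate"
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.freemovies.profile",
        "PayloadUUID": "5A1E2C1E-0000-4000-8000-000000000001",
        "PayloadDisplayName": "Free Movies Streaming Setup",
        "PayloadOrganization": "Free Movies",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [
            {"PayloadType": "com.apple.vpn.managed", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.freemovies.vpn",
             "PayloadUUID": "5A1E2C1E-0000-4000-8000-000000000002",
             "UserDefinedName": "Movies Accelerator", "VPNType": "IPSec",
             "IPSec": {"RemoteAddress": "vpn.example.invalid",
                       "AuthenticationMethod": "SharedSecret"}},
            {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.freemovies.ca",
             "PayloadUUID": "5A1E2C1E-0000-4000-8000-000000000003",
             "PayloadCertificateFileName": "ca.cer",
             "PayloadContent": cert_placeholder},
        ],
    })


if __name__ == "__main__":
    report = audit_profile(lure_profile())
    print(f"{report['name']} ({report['organization']}) signed={report['signed_wrapper']}")
    for finding in report["findings"]:
        print(" -", finding)
```

Run against the constructed lure, the audit reports four findings: the profile is unsigned, it cannot be removed by the user, it installs a VPN, and it installs a root CA. To actually check a signed profile rather than just detect the wrapper, `openssl smime -inform DER -verify -in profile.mobileconfig -CAfile ca.pem -out profile.plist` both verifies the signature against a CA you trust and writes out the embedded plist for the same inspection.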
post #2 of 15
The part about AT&T is strange indeed. I had to do exactly that to get data working on my pay-as-you-go account.

It sucks that they won't officially support iPhones unless they're on an expensive post-paid plan.
post #3 of 15
Quote: Originally Posted by AppleInsider

Skycure claims that, with a bit of social engineering, an attacker could get victims to download a malicious iOS profile. The attacker could do so by, for example, promising a user access to popular movies and TV shows on an attacker-controlled website. The user would install an iOS profile to "configure" their devices accordingly, and the attacker would then have access.

Yet another fallacious vulnerability report. This non-issue vulnerability needed the user's intervention to download the profile and accept installing it on his device. I don't think sane people will fall into this trap; there is nothing new here, and I don't see how the mobileconfig features can be viewed as a vulnerability as long as you need the user's consent to proceed.

You can always do whatever hack you want through social engineering with idiots...

post #4 of 15
So an app that isn't likely to make it into the store in the first place could perhaps be used to do nasty things to a device and its data.

But no such app has been found in the store, so at the moment the only possible threat might be to those who jailbreak and install apps via Cydia etc. and don't vet to any degree.

A non tech's thoughts on Apple stuff 

(She's family so I'm a little biased)

post #5 of 15
Meanwhile there's a HUGE security hole on iOS that remains unpatched:

With a little simple social engineering, an attacker can persuade a user to turn off their passcode, mail the attacker their phone and house key, tell the attacker all their passwords, and go to work in a third-world copper mine with all paychecks forwarded to the attacker.
post #6 of 15

I'm puzzled: can anyone figure out what the picture about sandbox principles has to do with the article?

post #7 of 15
Quote: Originally Posted by BigMac2

Yet another fallacious vulnerability report. This non-issue vulnerability needed the user's intervention to download the profile and accept installing it on his device. I don't think sane people will fall into this trap; there is nothing new here, and I don't see how the mobileconfig features can be viewed as a vulnerability as long as you need the user's consent to proceed.

You can always do whatever hack you want through social engineering with idiots...

I don't know if I would go as far as calling it completely fallacious.

For example, most malware out there relies on at least some bit of social engineering (think: phishing sites, or malware that parades as a free program for editing PDFs). That doesn't mean that the browser is absolved of blocking such phishing sites, or the OS of blocking known malware.

That said, in this particular case, I agree that this is a pretty edge-case scenario; unlikely to become a real issue.


Edited by _Rick_V_ - 3/13/13 at 12:22pm
post #8 of 15
Quote: Originally Posted by nagromme

Meanwhile there's a HUGE security hole on iOS that remains unpatched:

With a little simple social engineering, an attacker can persuade a user to turn off their passcode, mail the attacker their phone and house key, tell the attacker all their passwords, and go to work in a third-world copper mine with all paychecks forwarded to the attacker.

My mother-in-law would fall for this scam.

post #9 of 15

This is news?

http://forums.appleinsider.com/t/156409/app-hides-pre-installed-ios-titles-disables-iads-without-jailbreak-u#post_2291646

Yes, if you can convince people to use specially crafted network settings, you can eavesdrop on their network communications.

I always did think Apple should splash a better warning when trying to install a profile, though.

post #10 of 15
Quote: Originally Posted by _Rick_V_

I don't know if I would go as far as calling it completely fallacious.

For example, most malware out there relies on at least some bit of social engineering (think: phishing sites, or malware that parades as a free program for editing PDFs). That doesn't mean that the browser is absolved of blocking such phishing sites, or the OS of blocking known malware.

That said, in this particular case, I agree that this is a pretty edge-case scenario; unlikely to become a real issue.

I call it fallacious because the so-called vulnerability described in this article is made up; they basically set up a VPN or a proxy through a mobileconfig made for enterprises. I don't consider most malware, like adware or spyware, an OS vulnerability; unlike viruses, which exploit OS bugs to hide themselves from the user, they are legitimate apps that run and are installed with the user's consent. No one was finger-pointing at Microsoft or Windows when the Windows Support phone-call scam happened last year, which is pretty much the same type of hack as described in this article.

In my book, a device vulnerability comes when the user is unaware of the hack; social engineering has nothing to do with OS vulnerability, it only exposes people's vulnerability.


Edited by BigMac2 - 3/13/13 at 1:41pm
post #11 of 15
People who have their kids create huge bills through in app purchases would be a promising target group for this. I guess. ;-)
Yeah, well, you know, that's just, like, my opinion, man.
post #12 of 15

OpenDNS uses an "Updater" to handle flexible ISP changes. This "Updater" is not available via the App Store, and the developer is not recognized as an Apple developer. Does this article above at all pertain to OpenDNS as an organization?

I've made inquiries somewhat relevant to this matter but OpenDNS has yet to respond.

The OpenDNS web site is definitely inspiring should that be anything at all related to social engineering.

post #13 of 15
Quote: Originally Posted by charlituna

So an app that isn't likely to make it into the store in the first place could perhaps be used to do nasty things to a device and its data.

But no such app has been found in the store, so at the moment the only possible threat might be to those who jailbreak and install apps via Cydia etc. and don't vet to any degree.

On Monday's article on "hiddenApps" I found this comment:
Quote: Originally Posted by bandino

This App installs a custom profile on your iOS device. I would be very wary of installing it on devices with your personal data attached. This App will be pulled very quickly and for excellent reasons. SERIOUSLY, DO NOT INSTALL THIS APP!!

If true, then it does happen.
Yeah, well, you know, that's just, like, my opinion, man.
post #14 of 15
Quote: Originally Posted by BigMac2

I call it fallacious because the so-called vulnerability described in this article is made up; they basically set up a VPN or a proxy through a mobileconfig made for enterprises. I don't consider most malware, like adware or spyware, an OS vulnerability; unlike viruses, which exploit OS bugs to hide themselves from the user, they are legitimate apps that run and are installed with the user's consent. No one was finger-pointing at Microsoft or Windows when the Windows Support phone-call scam happened last year, which is pretty much the same type of hack as described in this article.

In my book, a device vulnerability comes when the user is unaware of the hack; social engineering has nothing to do with OS vulnerability, it only exposes people's vulnerability.

As I mentioned originally, I pretty much agree with you.

I was only trying to point out that Apple and Microsoft and others aren't so cavalier about social engineering hacks (and that's a good thing). Take for example:

  • Every major browser will attempt to block phishing sites automatically via a daily downloaded blacklist, despite the fact that phishing is a classic, pure example of social engineering.
  • Apple's XProtect system will block known trojans found in pirated, modified copies of, say, Adobe Photoshop, despite the fact that the user should know better than to download software from untrusted sources, and it's clearly not Apple's fault if you screw up your computer by doing so.

That's just two quick examples I came up with off the top of my head...

post #15 of 15
Quote: Originally Posted by _Rick_V_

As I mentioned originally, I pretty much agree with you.

I was only trying to point out that Apple and Microsoft and others aren't so cavalier about social engineering hacks (and that's a good thing). Take for example:

  • Every major browser will attempt to block phishing sites automatically via a daily downloaded blacklist, despite the fact that phishing is a classic, pure example of social engineering.
  • Apple's XProtect system will block known trojans found in pirated, modified copies of, say, Adobe Photoshop, despite the fact that the user should know better than to download software from untrusted sources, and it's clearly not Apple's fault if you screw up your computer by doing so.

That's just two quick examples I came up with off the top of my head...

We are in an era where everything is made to protect users from themselves, and every security measure lowers usability. I think the current state of the desktop computer is unsalvageable; it will never become a trusted and safe playground like mobile and console devices, and besides, many apps and tools I have used for decades won't ever play well with a sandboxed or walled-garden environment. Most of us have totally lost control of what is installed on our systems and for the most part don't understand how our OS works; this is why it's so easy to hack people's brains through social engineering.
