iOS vulnerability uses 'mobileconfig' files to steal data

Posted in iPhone, edited January 2014
Security on Apple's iOS is notably tight, but an Israeli firm has pointed out that the profile system for iPads and iPhones could leave users open to remote attacks resulting in data theft.

[Image: sandboxing]
Israeli firm Skycure Security on Wednesday published a proof-of-concept vulnerability report on the company blog (via InformationWeek). Skycure's report shows how malicious users could leverage iOS profiles, also known as mobileconfig files, in order to circumvent Apple's malware protections.

Malicious apps are filtered in the App Store approval process, making it more difficult than on other platforms for them to get onto iDevice users' machines in the first place. Furthermore, iOS' sandboxing structure makes it difficult for apps to access anything outside of their set permissions. Mobileconfig files, though, are used by cellular carriers, Mobile Device Management solutions, and some mobile applications to configure certain system-level settings for iOS devices, including Wi-Fi, VPN, email, and APN settings.

Skycure claims that, with a bit of social engineering, an attacker could get victims to download a malicious iOS profile. The attacker could do so by, for example, promising a user access to popular movies and TV shows on an attacker-controlled website. The user would install an iOS profile to "configure" their devices accordingly, and the attacker would then have access.

With access to the user's device, an attacker could route all of the victim's traffic through the attacker's server or install root certificates on the victim's device, allowing for interception and decryption of SSL/TLS secure connections.

Skycure also notes that some AT&T stores, in signing up customers for pay-as-you-go accounts, were directing those customers to download and install a profile from unlockit.co.nz on an unencrypted channel. The installation of that mobile configuration is necessary to get access to AT&T's data network, but downloading a mobileconfig file in such a manner, Skycure says, leaves users wide open to man in the middle attacks, especially when performed over a public Wi-Fi network.

Skycure recommends that iDevice users only install profiles from trusted websites and applications, and do so only through a secure channel, indicated by an address beginning with https. The firm also recommends wariness when faced with non-verified mobileconfigs, calling them cause for suspicion.
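As an added illustration (not code from the article or from Skycure), a small Python audit that inspects a .mobileconfig before it is trusted: it reports whether the profile is CMS-signed and lists payloads that can redirect traffic (VPN, global or Wi-Fi proxy) or alter the trust store (root certificates), the two capabilities the article describes. The PayloadType strings are Apple's documented identifiers; the sample profile is constructed for this example.

```python
import plistlib

# PayloadTypes that grant the capabilities the article warns about: traffic
# redirection (VPN, global HTTP proxy) and trust-store changes (certificates).
RISKY_PAYLOAD_TYPES = {
    "com.apple.vpn.managed": "VPN: can route all device traffic through a third party",
    "com.apple.proxy.http.global": "Global HTTP proxy: can route web traffic through a third party",
    "com.apple.security.root": "Root certificate: makes intercepted TLS look valid",
    "com.apple.security.pkcs1": "Certificate: may be added to the trust store",
}

def is_cms_signed(data: bytes) -> bool:
    """A signed .mobileconfig is a DER-encoded CMS/PKCS#7 blob, so it starts
    with an ASN.1 SEQUENCE tag (0x30); an unsigned one is plain XML plist text."""
    return data[:1] == b"\x30"

def audit_profile(data: bytes) -> dict:
    """Return whether the profile is signed, its identifier, and risky payloads."""
    if is_cms_signed(data):
        # Assumption: signature verification and unwrapping are out of scope here;
        # verify the CMS signature (e.g. with openssl) before inspecting the plist.
        return {"signed": True, "identifier": None, "findings": []}
    plist = plistlib.loads(data)
    findings = []
    for payload in plist.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOAD_TYPES:
            findings.append((ptype, RISKY_PAYLOAD_TYPES[ptype]))
        # A Wi-Fi payload with a manual or auto proxy also redirects traffic.
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType", "None") != "None":
            findings.append((ptype, f"Wi-Fi payload sets a {payload['ProxyType']} proxy"))
    return {"signed": False, "identifier": plist.get("PayloadIdentifier"), "findings": findings}

# Constructed sample: an APN-style profile that also smuggles in a VPN payload and a root CA.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>PayloadIdentifier</key><string>example.constructed.profile</string>
<key>PayloadType</key><string>Configuration</string>
<key>PayloadContent</key><array>
 <dict><key>PayloadType</key><string>com.apple.cellular</string></dict>
 <dict><key>PayloadType</key><string>com.apple.vpn.managed</string></dict>
 <dict><key>PayloadType</key><string>com.apple.security.root</string></dict>
</array></dict></plist>"""

if __name__ == "__main__":
    for ptype, why in audit_profile(SAMPLE_PROFILE)["findings"]:
        print(f"{ptype}: {why}")
```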

Comments

  • Reply 1 of 16
    just_me Posts: 590, member

    Apple winning

  • Reply 2 of 16
    am8449 Posts: 392, member
    The part about AT&T is strange indeed. I had to do exactly that to get data working on my pay-as-you-go account.

    It sucks that they won't officially support iPhones unless they're on an expensive post-paid plan.
  • Reply 3 of 16
    bigmac2 Posts: 639, member

    Quote: Originally Posted by AppleInsider

    Skycure claims that, with a bit of social engineering, an attacker could get victims to download a malicious iOS profile. The attacker could do so by, for example, promising a user access to popular movies and TV shows on an attacker-controlled website. The user would install an iOS profile to "configure" their devices accordingly, and the attacker would then have access.

    Yet another fallacious vulnerability report. This non-issue vulnerability needed the user's intervention to download the profile and accept installing it on his device. I don't think sane people will fall for this trap; there is nothing new here, and I don't see how the mobileconfig feature can be viewed as a vulnerability as long as you need the user's consent to proceed.

    You can always do whatever hack you want through social engineering with idiots...

  • Reply 4 of 16
    charlituna Posts: 7,217, member
    So an app, that isn't likely to make it into the store in the first place, could be used perhaps to do nasty things to a device and its data.

    But no such app has been found to be in the store so at the moment the only possible threat might be to those that jailbreak and install apps via Cydia etc who don't vet to any degree.
  • Reply 5 of 16
    nagromme Posts: 2,834, member
    Meanwhile there's a HUGE security hole on iOS that remains unpatched:

    With a little simple social engineering, an attacker can persuade a user to turn off their passcode, mail the attacker their phone and house key, tell the attacker all their passwords, and go to work in a third-world copper mine with all paychecks forwarded to the attacker.
  • Reply 6 of 16
    bigmac2 Posts: 639, member

    I'm puzzled, can anyone find out what the picture about sandbox principles has to do with the article?

  • Reply 7 of 16
    _rick_v_ Posts: 142, member

    Quote: Originally Posted by BigMac2

    Yet another fallacious vulnerability report. This non-issue vulnerability needed the user's intervention to download the profile and accept installing it on his device. I don't think sane people will fall for this trap; there is nothing new here, and I don't see how the mobileconfig feature can be viewed as a vulnerability as long as you need the user's consent to proceed.

    You can always do whatever hack you want through social engineering with idiots...

    I don't know if I would go as far as calling it completely fallacious.

    For example, most malware out there relies on at least some bit of social engineering (think: phishing sites, or malware that parades as a free program for editing PDFs). That doesn't mean that the browser is absolved from blocking such phishing sites, or the OS from blocking known malware.

    That said, in this particular case, I agree that this is a pretty edge-case scenario; unlikely to become a real issue.

  • Reply 8 of 16
    _rick_v_ Posts: 142, member

    Quote: Originally Posted by nagromme

    Meanwhile there's a HUGE security hole on iOS that remains unpatched:

    With a little simple social engineering, an attacker can persuade a user to turn off their passcode, mail the attacker their phone and house key, tell the attacker all their passwords, and go to work in a third-world copper mine with all paychecks forwarded to the attacker.

    My mother-in-law would fall for this scam.

  • Reply 9 of 16

    This is news?

    http://forums.appleinsider.com/t/156409/app-hides-pre-installed-ios-titles-disables-iads-without-jailbreak-u#post_2291646

    Yes, if you can convince people to use specially crafted network settings, you can eavesdrop on their network communications.

    I always did think Apple should splash a better warning when trying to install a profile, though.

  • Reply 10 of 16
    bigmac2 Posts: 639, member

    Quote: Originally Posted by _Rick_V_

    I don't know if I would go as far as calling it completely fallacious.

    For example, most malware out there relies on at least some bit of social engineering (think: phishing sites, or malware that parades as a free program for editing PDFs). That doesn't mean that the browser is absolved from blocking such phishing sites, or the OS from blocking known malware.

    That said, in this particular case, I agree that this is a pretty edge-case scenario; unlikely to become a real issue.

    I call it fallacious because the so-called vulnerability described in this article is made up; they basically set up a VPN or a proxy through a mobileconfig made for enterprise. I don't consider most malware, like adware or spyware, an OS vulnerability; unlike viruses, which exploit OS bugs to hide themselves from the user, they are legitimate apps that run and are installed with the user's consent. No one was finger-pointing at Microsoft or Windows when last year's Windows Support phone call scam happened, which is pretty much the same type of hack as described in this article.

    In my book, a device vulnerability comes when the user is unaware of the hack; social engineering has nothing to do with OS vulnerability, it only exposes people's vulnerability.

  • Reply 11 of 16
    wonkothesane Posts: 1,722, member
    People who have their kids create huge bills through in app purchases would be a promising target group for this. I guess. ;-)
  • Reply 12 of 16
    dedlyb Posts: 2, member

    OpenDNS uses an "Updater" to handle flexible ISP changes. This "Updater" is not available via the App Store, and the developer is not recognized as an Apple developer. Does this article above at all pertain to OpenDNS as an organization?

    I've made inquiries somewhat relevant to this matter but OpenDNS has yet to respond.

    The OpenDNS web site is definitely inspiring should that be anything at all related to social engineering.

  • Reply 13 of 16
    wonkothesane Posts: 1,722, member
    charlituna wrote: »
    So an app, that isn't likely to make it into the store in the first place, could be used perhaps to do nasty things to a device and its data.

    But no such app has been found to be in the store so at the moment the only possible threat might be to those that jailbreak and install apps via Cydia etc who don't vet to any degree.

    On Monday's article on "hiddenApps" I found this comment:
    bandino wrote: »
    This App installs a custom profile on your iOS device. I would be very wary of installing it on devices with your personal data attached. This App will be pulled very quickly and for excellent reasons. SERIOUSLY, DO NOT INSTALL THIS APP!!

    If true, then it does happen.
  • Reply 14 of 16
    _rick_v_ Posts: 142, member

    Quote: Originally Posted by BigMac2

    I call it fallacious because the so-called vulnerability described in this article is made up; they basically set up a VPN or a proxy through a mobileconfig made for enterprise. I don't consider most malware, like adware or spyware, an OS vulnerability; unlike viruses, which exploit OS bugs to hide themselves from the user, they are legitimate apps that run and are installed with the user's consent. No one was finger-pointing at Microsoft or Windows when last year's Windows Support phone call scam happened, which is pretty much the same type of hack as described in this article.

    In my book, a device vulnerability comes when the user is unaware of the hack; social engineering has nothing to do with OS vulnerability, it only exposes people's vulnerability.

    As I mentioned originally, I pretty much agree with you.

    I was only trying to point out that Apple and Microsoft and others aren't so cavalier about social engineering hacks (and that's a good thing). Take for example:

    • Every major browser will attempt to block phishing sites automatically via a daily downloaded blacklist, despite the fact that phishing is a classic pure example of social engineering.

    • Apple's XProtect system will block known trojans found in pirated modified copies of, say, Adobe Photoshop; despite the fact that the user should know better than to download software from untrusted sources and it's clearly not Apple's fault if you screw up your computer by doing so.

    That's just two quick examples I came up with off the top of my head...

  • Reply 15 of 16
    bigmac2 Posts: 639, member

    Quote: Originally Posted by _Rick_V_

    As I mentioned originally, I pretty much agree with you.

    I was only trying to point out that Apple and Microsoft and others aren't so cavalier about social engineering hacks (and that's a good thing). Take for example:

    • Every major browser will attempt to block phishing sites automatically via a daily downloaded blacklist, despite the fact that phishing is a classic pure example of social engineering.

    • Apple's XProtect system will block known trojans found in pirated modified copies of, say, Adobe Photoshop; despite the fact that the user should know better than to download software from untrusted sources and it's clearly not Apple's fault if you screw up your computer by doing so.

    That's just two quick examples I came up with off the top of my head...

    We are in an era where everything is made to protect users from themselves, and every security measure lowers usability. I think the current state of the desktop computer is unsalvageable when it comes to becoming a trusted and safe playground like mobile and console devices; besides, many apps and tools I have used for decades won't ever play well with a sandboxed or walled-garden environment. Most of us have totally lost control of what is installed on our systems and don't understand for the most part how our OS works; this is why it's so easy to hack people's brains through social engineering.

  • Reply 16 of 16

    www.unlockit.co.nz has been around for 5 years supplying profiles for around 1000 carriers around the world. We have installed over 50 million profiles for iPhone users over this time and are trusted by these users, and many carriers and MVNOs (virtual carriers) trust us to provide the profiles for their users so they can do data on the iPhone.

    Apple can supply a Windows/Mac program to set profiles, but it can be hard to use, and without knowing the APN settings the program becomes useless.

    Yes, it is true that profiles can proxy data to third-party services where not-so-trustworthy people can look at your data, so people have to be careful who they download profiles from.

    The profiles are crypto-signed on www.unlockit.co.nz, so if any MITM (man in the middle attack) occurs between the iPhone and my website then the profile will become invalid and won't be able to be installed. There are a few other websites (I think www.unlockit.co.nz is the only one which signs its profiles) which send unsigned profiles, and yes, the MITM problem could be an issue.

    Anyone can audit/look at the profiles I set on the iPhone, and with over 50 million installed profiles from my website I've had no complaints regarding security at all with them.

    A similar security problem can be said of Android, as there are hundreds of Android applications which set APN details on Android-based phones. Any of them could set invalid details on the Android. There are a couple of apps on the Apple web store which set APNs as well (for a very limited number of carriers). Are these "trusted" apps, as they use 100% the method I use to make the profiles?

    What do people (Skycure?) consider a "trusted" website???
