Slashdot Mirror


The Biggest iPhone Security Risk Could Be Connecting One To a Computer

angry tapir (1463043) writes Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect. Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled. The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.

  1. Pray BlackBerry sticks around by Rigel47 · · Score: 2, Insightful

    Otherwise there is literally no secure mobile phone platform out there for the masses.

    1. Re:Pray BlackBerry sticks around by AlecDalek · · Score: 2

      Didn't Angela Merkel's Blackberry get hacked by the NSA?

    2. Re:Pray BlackBerry sticks around by sasparillascott · · Score: 4, Informative

      Not really (at this point), at the recent BlackHat some researchers demonstrated how they could remotely compromise a Blackberry.

      http://www.accuvant.com/about-...

      Another great article that talks a little about that instance with Blackberry and another smartphone platform designed for security as well:

      http://arstechnica.com/securit...

    3. Re:Pray BlackBerry sticks around by Anonymous Coward · · Score: 2, Funny

      Blackberry has since acquired Secusmart & Germany

      My hobby: terminating sentences prematurely

  2. Minor detail glossed over in the headline by Anonymous Coward · · Score: 5, Insightful

    Stopped reading at "Their attack requires the victim's computer to have malware installed".

    If you create a trusted connection between your computer and your iPhone, it's a trusted connection. If you don't trust your computer, you shouldn't use it to make a trusted connection to other devices. It's really just that simple.

    1. Re:Minor detail glossed over in the headline by Anonymous Coward · · Score: 4, Interesting

      No. The phone should display a notification if an application is side loaded over USB. It shouldn't be possible to install an application without the user's knowledge. Trusting the connection should merely allow the phone and the computer to communicate. It should not allow remote control of the device.

    2. Re:Minor detail glossed over in the headline by tlhIngan · · Score: 5, Informative

      No. The phone should display a notification if an application is side loaded over USB. It shouldn't be possible to install an application without the user's knowledge. Trusting the connection should merely allow the phone and the computer to communicate. It should not allow remote control of the device.

      Technically, the application is signed by Apple still. Or it's self-signed using a developer certificate (which only gives you 100 devices once a year - you can freely add devices up to that 100 limit, but after that, you can only change their device IDs once a year).

      The hack is effectively being able to install a provisioning profile to allow an unsigned app to run. The provisioning profile is signed by Apple, so it's either an enterprise or developer profile.

      At the same time, it works by hijacking the iTunes connection to do so.

      In other words, all that's going to happen is Apple is going to ask for confirmation to install new provisioning profiles. Doesn't matter when you ask since the profile is required to run the unsigned app - you can ask at the beginning, at the end, in the middle, or when the app is attempted to be run.

      (Provisioning profiles also expire after a certain amount of time - after which the app will NOT run. And the user is free to remove them at any time. None of this is any protection though).

      Though, provisioning profiles are traceable to the original account that had them made, and since they cost $99, that makes the attack far less easy than it appears because if you do this, it's traceable to the person who paid for it.

      Granted, developers have been warned to keep their provisioning certificates safe because a fair bit of malware does target ripping them off.

    3. Re:Minor detail glossed over in the headline by Darinbob · · Score: 2

      What's scary to me is that a "trusted connection" is pre-installed! I was amazed that I could plug my phone into a Windows computer and it would automatically mount it and install drivers. Every other thing in the world I plug in would have Windows ask me first if I wanted to install, and I have all auto-play turned off. But because there was a signed driver Windows decides against my will to install it. I don't care if Microsoft thinks the certificate chain is safe, I do NOT want Windows to install anything without my permission!

      In the Mac, every single time I plug in the phone to charge it it mounts a disk and pops up a window asking me to install. And every single time I cancel it and manually eject the volume. Annoying as hell (but at least it asks). That's how malware shows up, eventually someone clicks "yes".

    4. Re:Minor detail glossed over in the headline by maccodemonkey · · Score: 2

      No. The phone should display a notification if an application is side loaded over USB. It shouldn't be possible to install an application without the user's knowledge. Trusting the connection should merely allow the phone and the computer to communicate. It should not allow remote control of the device.

      It DOES display a notification when a computer attempts to establish a link, along with requiring user confirmation.

  3. Developer Access? by Ronin+Developer · · Score: 3, Interesting

    To my knowledge, to utilize an iOS device with developer provisioning profiles, you have to enable the device for development access via Xcode.

    Even with an ad-hoc distribution, the device must be listed in the provisioning profile with the exceptions being enterprise and app-store apps.

    Did this attack vector circumvent these protections? Or, was he using iOS devices configured for development and, thus, not a real-world attack?

  4. Another "no shit" security "hole" by Anonymous Coward · · Score: 5, Insightful

    If you connect your iDevice to a computer, unlock your device, and explicitly tell your device that the computer is trustworthy... The computer is able to install apps and interact with the filesystem on your device! Who would have thought?

  5. Charging-only cable adapters by davidwr · · Score: 3, Interesting

    This is one reason why charging-only cables or cable adapters which do not carry the "data lines" should be cheap and just as widely-available and widely-marketed as other USB cables.

    Bonus points if they are transparent so the end user can visually verify that the only connected lines are the power and ground lines.

    OBDIYHACK: http://www.instructables.com/i...

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.

  6. Re:Well insulated? That's debatable... by Ronin+Developer · · Score: 2

    What a crock comment. Clearly an Apple Hater.

    If someone, with the necessary skills, wants to expend sufficient time and effort to decompile the OS looking for a way to get in and/or alter the image, they will eventually succeed.

    Given that the OS is downloadable AND the fact that it still took 4-5 months to jailbreak it I think, in and of itself, is pretty amazing. Jailbreaking a device requires someone determined to do it - it's not done over the air by somebody without physical access to the device.

  7. um no by Charliemopps · · Score: 4, Insightful

    The iPhone's biggest security threat is the US Federal Government.
    http://www.washingtonpost.com/...

  8. Re:Well insulated? That's debatable... by BaronM · · Score: 2

    Once you intentionally circumvent the security of the 'walled garden', I don't think you get to complain about vulnerabilities anymore.

    To go with the ever-popular car analogy:

    If a guy with a screwdriver is able to start my unmodified car without the smart-key being present, that is a security flaw.

    If I modify my car to bypass the 'smart-key is present' requirement to start it, I don't get to complain when my car is stolen by some guy with a screwdriver.

  9. Re:Well insulated? That's debatable... by Tangential · · Score: 2

    It's also very hard to remotely jailbreak the phone of another user that you don't have physical access to and expose vulnerabilities such as ssh login.

    --
    Suppose you were an idiot. And suppose you were a member of congress. But then I repeat myself. -- Mark Twain

  10. Re:Or dumbphones by pak9rabid · · Score: 2

    Who's given enough shit about them to discover and publish them?

  11. Re:Or dumbphones by Bugamn · · Score: 2

    It doesn't help to have no security vulnerabilities if it also doesn't have the desired functionalities. Why don't we all go back to talking only face to face? It's not practical.

    By the way, someone down said that Merkel's 6210 was hacked. Isn't this one a dumbphone?

  12. Droid does what iDon't by tepples · · Score: 4, Insightful

    Then buy a car of a different make that is less hostile to third-party radios or third-party oil changes.