A hacker's entry point to your network is called a vector. There are many vectors available to hackers these days. Gone are the days of brute-force hacking a firewall. Modern vectors usually incorporate an attack originating behind the firewall, where traffic is implicitly trusted. Such is the case with this iOS-based attack.
An iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer, can be exploited by attackers to gain lasting control over the device and extract sensitive information from it.
The vulnerability was discovered by Symantec researchers, disclosed to Apple and now to the RSA Conference 2018 attendees and the wider public.
Apple has implemented a mechanism that should prevent easy exploitation of the feature, but the researchers say that it doesn’t address the “Trustjacking” problem in a holistic manner.
When users connect their iOS device to a computer or, for example, a free charger at an airport, they are asked whether they will trust the computer (meaning that the device’s settings and data will be accessible from that computer when connected).
Most users believe that they have to trust the computer to get their device charged and believe the trust/access works only as long as the device is physically connected to the computer.
But if the “Sync with this iPhone/iPad over Wi-Fi” feature is enabled, the connection will last and the syncing will happen as long as the user doesn’t revoke the trust.
“Choosing to trust the computer allows it to communicate with the iOS device via the standard iTunes APIs,” the researchers explained.
“This allows the computer to access the photos on the device, perform backup, install applications and much more, without requiring another confirmation from the user and without any noticeable indication. Furthermore, this allows activating the ‘iTunes Wi-Fi sync’ feature [from the computer side and without the victim’s approval], which makes it possible to continue this kind of communication with the device even after it has been disconnected from the computer, as long as the computer and the iOS device are connected to the same network.”
(The connection between the mobile device and the computer persists because the access credentials provided by the former to the latter when physically connected are saved by the computer and automatically reused when the mobile device pops up on the same network.)
The two steps for the attack – allowing the device to connect to iTunes and enabling the iTunes Wi-Fi sync feature while the device is physically connected – can be automated and quickly executed by malicious software. Once that’s done, the attacker can repeatedly sync the device while the computer and mobile device are on the same network.
The Wi-Fi connection can also be used to install a developer image. Such access would allow the attacker to see everything the user is doing, and to see and harvest sensitive information such as passwords as the user enters them. Also, he or she could leverage the remote iTunes backup option to harvest various data and files (photos, message history, etc.) or the access to the device to install malicious apps or create a malicious profile.
Next-Generation Firewalls not only block malicious traffic from outside the network, but also inspect and block bad actors behind the firewall, effectively minimizing the threats presented by modern attack vectors such as this iOS-based attack. Contact FIREFX today to see how we can secure your networks with our Next-Generation Firewall, the Network Guardian.