In my recent post titled Poisoned Apple, I talked about intentional security vulnerabilities in the iPhone/iPad operating system that were brought to light by a security researcher named Jonathan Zdziarski in a paper titled Identifying Back Doors, Attack Points, and Surveillance Mechanisms in iOS Devices. But that’s not the only bad news (security-wise) for iOS users that’s been making headlines over the past couple of weeks.
At Black Hat USA 2014, the annual cybersecurity conference in Las Vegas that brings together the IT industry, law enforcement and white hat hackers to share information on the state of IT security, researchers presented new ways to “exploit unpatched iOS vulnerabilities for fun and profit” (the title of the talk and demonstration by Yeongjin Jang, Tielei Wang, Billy Lau and Byoungyoung Lee at the Georgia Institute of Technology).
The Georgia Tech Information Security Center researchers covered multiple vulnerabilities in their presentation. These included a method for circumventing the Apple App Store’s review process by hiding malicious code within seemingly safe apps, so that the malware goes undetected and the app gets approved and published. Wang said they successfully published such an app and used it to launch attacks remotely on test devices, even though their app was running inside the iOS sandbox.
Another researcher, Lau, approached it from a different direction, using a hardware peripheral that absolutely everyone attaches to his/her phone: a charger. His team designed a charger that could be made to look like a standard iPhone or iPad charger, but that installs a malware app when you plug it into the device. When you think about how many people lose their chargers and replace them with cheaper third-party models, you can see the potential for doing a lot of damage this way. The exploit isn’t just something that affects users of old devices, either. It worked with the latest Apple products running their most up-to-date software.
Apple did respond with a fix for the malicious charger problem: the user now gets a notification if the charger (or other peripheral) to which they connect their device attempts to establish a data connection. The challenge is educating users about what that means, since many are used to getting (and ignoring) all kinds of notifications all the time. The other exploit, using the software that Wang calls Jekyll to get around the approval process and get malicious apps into the App Store, hasn’t been addressed yet, but the company says they’re working on it.
Another topic of discussion was the vulnerability of iOS devices when they connect to Windows PCs. Many iPhone and iPad users also have Windows computers to which they may connect to transfer files or get updates through iTunes. This can open the devices up to compromise by attackers who make them part of a botnet, where they participate in attacking other parties or sending spam. The exploit is based on chaining together a number of small vulnerabilities in the iOS operating system. The researchers reported the flaws to Apple, but according to the article “Mass Hacking of iOS Devices Possible, Researchers Say,” as of August 1 they hadn’t been patched.
According to Apple’s own security updates web site, the company has released no patches since June 30th. It will be interesting to see if new updates come out this month to address any of these vulnerabilities.
Meanwhile, the takeaway here is the same as before: iPhone/iPad users shouldn’t make the common assumption that iOS is secure and that, unlike all those Android and Windows users, they don’t have to worry about attacks. No device that connects to the Internet is ever 100 percent secure, and it’s important to be aware of the risks and especially to exercise caution when using third-party apps or peripherals.