Hackers found a new method to infect iOS devices. They take control of users’ iPhones and iPads via the so-called “Trustjacking” attack.
Trustjacking abuses iTunes Wi-Fi sync, a feature allowing users to wirelessly sync their iPhones and iPads with iTunes. The user is asked to confirm that the computer is trusted when the mobile device is first connected to it. However, no other approval is required to enable the syncing feature or to access the device over Wi-Fi after that.
Security experts at Symantec have found a way to abuse the iTunes Wi-Fi sync feature. According to the researchers, if a hacker can convince the targeted user to connect their iPhone/iPad via a cable to a malicious or compromised device, the attacker gains persistent control over the iOS device for as long as they are on the same wireless network as the user.
The researchers described an attack scenario involving a malicious charger at an airport. When the user connects a device to the charger, they are prompted to confirm that the computer they have connected to is trusted. Users usually accept, thinking that the trust will be revoked once the phone/tablet is disconnected. The hacker then enables the Wi-Fi sync option in iTunes, a step which can be automated.
However, what the victim does not know is that even when they disconnect the iPhone/iPad from the charger, the hacker will continue to have control over the device, letting them conduct a number of malicious activities.
For instance, the hacker can install a developer image corresponding to the iOS version running on the victim’s system, giving them access to the device’s screen. Repeatedly capturing screenshots then lets the attacker view and record every action of the victim.
As the sync feature provides access to the iTunes backup, the hacker can also obtain the user’s photos, SMS and iMessage chats, and application data. In addition, the attacker can install malicious applications or replace existing apps with a modified version.
The attack can also be conducted by hijacking the targeted user’s computer, making it easier to conduct unauthorized activities given that the computer and the mobile device are more likely to be on the same network for extended periods of time.
According to Symantec experts, the requirement of being on the same Wi-Fi network as the victim can be bypassed via the so-called “malicious profile attack”.
The malicious profile attack has been known since 2013 and it involves convincing the victim to install a malicious configuration file, or iOS profile, on their iPhone or iPad. These profiles allow cellular carriers, MDM solutions, and applications to configure system-level settings. However, they can also be abused to remotely hijack devices.
The Symantec researchers claim that this method can be used to conduct Trustjacking attacks over the Internet by connecting the device to a VPN server and creating a continuous connection between them.
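For defenders reviewing a configuration profile before it is installed, the following added example (not from Symantec or the original article) lists the payloads in a `.mobileconfig` file that can reroute or intercept a device's traffic, including the VPN payload this scenario relies on. The function names and the sample profile are constructed for illustration, and the code assumes that a signed profile stores its XML plist contiguously inside the signature envelope.

```python
import plistlib

# Payload types that can reroute or intercept a device's traffic (from Apple's
# configuration profile reference); the labels are this example's own wording.
RISKY_PAYLOADS = {
    "com.apple.vpn.managed": "VPN configuration",
    "com.apple.vpn.managed.applayer": "per-app VPN configuration",
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.security.root": "trusted root certificate",
}

def extract_plist(blob: bytes) -> dict:
    """Parse a profile; a signed profile wraps the XML plist in a CMS envelope."""
    start = blob.find(b"<?xml")
    end = blob.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML property list found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def audit_profile(blob: bytes) -> list[str]:
    """Return one finding per payload that can redirect or intercept traffic."""
    findings = []
    for payload in extract_plist(blob).get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        note = RISKY_PAYLOADS[ptype]
        if ptype.startswith("com.apple.vpn") and payload.get("OnDemandEnabled") == 1:
            note += " (connects on demand, without user action)"
        findings.append(f"{payload.get('PayloadIdentifier', '?')}: {note}")
    return findings

# Constructed sample profile: one Wi-Fi payload and one on-demand VPN payload.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.profile",
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed",
         "PayloadIdentifier": "com.example.profile.wifi"},
        {"PayloadType": "com.apple.vpn.managed",
         "PayloadIdentifier": "com.example.profile.vpn",
         "VPNType": "IKEv2", "OnDemandEnabled": 1},
    ],
})

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE):
        print(finding)
```

Encrypted profiles, which carry `EncryptedPayloadContent` instead of `PayloadContent`, are outside what this check can read and return no findings.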
The security experts have informed Apple about the vulnerability and the company has attempted to address it by adding an extra layer of protection in iOS 11. The new protection layer asks all iOS users to enter their passcode when trusting a computer.