March 14, 2013
A new potential iOS vulnerability has been uncovered that could give malicious users access to your device. Skycure Security reports that the problem has to do with profile files in iOS. One of the key advantages of Apple’s app review process is its ability to filter malicious software. In addition, iOS’ sandboxing structure adds even more security since it prevents apps from accessing anything outside of their predetermined permissions. The vulnerability affects what are known as mobileconf files, which are used by cell phone carriers to configure system-level settings. These can include Wi-Fi, VPN, email, and APN settings. Skycure says that were thieves able to convince users to download a malicious iOS profile, Apple’s security controls would be broken. From there, these folks would be able to take control of the device, and wreak havoc. The organization’s biggest concern is that these malicious profiles could be shopped to unsuspecting victims via email or through a mobile browser. For example:
Skycure concludes with a warning for AT&T and their customers. Current pay-as-you-go clients are asked to download and install profile updates via an unencrypted channel located in New Zealand. This is necessary for these users to access AT&T’s network. More troublesome: It appears than AT&T salespeople sometimes perform this step via a public Wi-Fi network. They state:
- Victims browse to an attacker-controlled website, which promises them free access to popular movies and TV-shows. In order to get the free access, “all they have to do” is to install an iOS profile that will “configure” their devices accordingly.
- Victims receive a mail that promises them a “better battery performance” or just “something cool to watch” upon installation.
During our discussion with AT&T’s security team on that matter, they expressed that AT&T’s formal policy does not allow prepaid iOS devices offerings. However, given the fact the AT&T stores we visited didn’t seem to follow this policy, we believe AT&T will strive to better enforce it in its stores going forward. We would like to thank AT&T’s security team for their cooperation and commitment to the security of AT&T’s customers.So what can users do? For one, only install profiles from trusted sites or applications. When you do have to install a profile, make sure that it is done via a secure channel. These are noted with profile links that begin with “https” not “http.” Finally, when installing a profile, make sure that it is verified. Keep in mind that Skycure has only confirmed that this type of vulnerability exists in iOS. As such, there have been no reported cases that someone has actually used it to control someone's device. Going forward, Apple should do something about this as should AT&T. We'll keep you updated.