Apple malware 'mobileconfig' allows remote hijacking of iPhones, iPads

Still think your iPhone and iPad are safer than their Android counterparts? Don't get too smug just yet.

 

Malicious profiles, or so-called "mobileconfigs," may yet show hackers the way into your Apple devices running iOS, security firm Skycure warned.

 

"A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions," it said in a blog post.

 

Thus, it said an attacker who gains control of an iOS device can route the victim’s traffic through the attacker’s server.

 

Also, the attacker can install root certificates on victims’ devices, allowing the attacker to intercept even secure connections that apps use to exchange sensitive data.

 

In short: an attacker can potentially steal a victim's identities on networking sites like Facebook and LinkedIn, as well as email and even bank identities.

 

Provisioning profile

 

The provisioning profiles, or "mobileconfig," is a small file that can be installed with a single tap. They contain instructions for many settings such as network configurations.

 

Many cell carriers use mobileconfig files to configure settings such as those for Wi-Fi, VPN, Email and APN, Skycure said.

 

But while there has been no recent major attack on iOS devices so far due to Apple's strict app review and sandboxing measures, it said the mobileconfigs can be used to circumvent Apple’s security.

 

Attack scenarios

 

Skycure said iOS device owners can fall prey to this technique if they browse a website controlled by an attacker who is savvy with social engineering.

 

It said that if the attacker offers freebies in exchange for installing an iOS profile, and the owner falls for it, the device can be broken into.

 

Another scenario may involve an email promising “better battery performance” or “something cool to watch” —again, upon installation of a profile.

 

"Not surprisingly, the aforementioned is very similar to the way viruses have been circulating in the Internet for many years now," Skycure said.

 

Security of mobile carriers

 

Skycure also said mobile carriers will have to be more secure in their iOS profile installation processes —such as not downloading the profile from a public wifi network.

 

"Man-in-the-middle attacks could be used to alter the mobileconfig downloaded to the phone, allowing the attacker to install a malicious mobileconfig on the user’s device without his/her consent or knowledge," it warned.

 

Thumb rules

 

Skycure suggested that users "only install profiles from trusted websites or applications," downloading profiles via a secure channel such as https instead of http.

 

It also warned them against non-verified mobileconfigs, even as a verified profile "isn’t necessarily a safe one."

 

Also, it urged users to send it details of a profile they may find suspicious, to security@skycure.com.

 

A separate article on The Next Web pointed out this is not a vulnerability within iOS, but uses social techniques "to deliver a profile that has malicious intent."

 

"As of now, no evidence has been found of a Provisioning Profile attack in the wild. And, to be extremely blunt once again, you are not at risk at all if you don’t install any profiles to your device, period. And if you have to, make sure that those profiles are from a trusted source and are verified. You should also only download and install profiles from ‘secure’ HTTPS links," it said. — TJD, GMA News