Owners of iPhones or iPads who connect to a Windows PC may risk losing their data to a botnet, according to a team of researchers.
A team from Georgia Institute of Technology detailed the issue at the 23rd USENIX Security Symposium last week, PC World reported.
The team, led by Tielei Wang, indicated that attackers can reach the iDevices through the iTunes software installed on Windows computers, if those PCs have been infected and made part of a botnet.
Once connected to the infected PCs, iPhones and iPads are vulnerable to malicious apps that can steal passwords and other personal information.
When an iOS device is attached to the bot computer, the bot would download the malicious app, and the iDevices would accept the apps from the bot because iTunes on the bot would be allowed to make the transfer, PC World quoted the researchers as saying.
They added that even if Apple removed a malicious app from the App Store, “attackers can leverage [man-in-the-middle attacks] to build a covert distribution channel of iOS apps.”
“Specifically, when an iOS device with Apple ID B is connected to iTunes with Apple ID A, iTunes can still sync apps purchased by Apple ID A to the iOS device, and authorize the device to run the apps,” the researchers said.
Another way the attackers can get to the iDevices is to use permissions granted to developers for testing apps on devices - or for enterprises to distribute in-house apps.
"With enough developer credentials, attackers could distribute malicious applications by getting around the protections put in place for App Store applications," PC World said.
The researchers said they had told Apple about the issue.
“We have made a full disclosure to Apple and notified Facebook and Google about the insecure storage of cookies in their apps,” they said.
Also, they said Apple acknowledged “that, based on our report, they have identified several areas of iOS and iTunes that can benefit from security hardening.” — Joel Locsin/TJD, GMA News