Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


Apple iOS Vulnerable To Hidden Profile Attacks

Unpatched flaw in iOS enables malicious profile users to secretly control devices and intercept data.

Apple iOS users: Beware malicious profiles that can be hidden by attackers, thus making them extremely difficult to eradicate.

Yair Amit, CTO of Skycure, sounded that warning last week at the RSA conference in San Francisco. Amit delivered a presentation focusing on how an attacker could create a malicious access point name (APN) and cellular data settings file -- stored as a "profile" in the "general" iOS settings menu -- to control devices and intercept data.

These profiles, also known as mobileconfig files, are XML-based files used by telcos, mobile device management (MDM) providers, and some mobile applications to configure everything from WiFi and VPN to email and cellular settings. "When used by mobile device manufacturers and carriers, this is actually a great feature," Amit said in a phone interview.

For example, the APN Changer site allows iPhone and iPad users to load APN -- carrier settings -- profiles that allow them to use unofficial carrier SIMs with their devices. Numerous anecdotal reports have said that AT&T retail store staff members regularly download profiles from the APN Changer website when configuring devices for "pay as you go" iPhone customers.

[Looking to keep spying eyes out of your messages? See Cryptocat Wins Apple Approval.]

Using a VPN connection to a reporter's iPhone, however, Amit demonstrated how -- after an iPhone user loaded a malicious profile -- an attacker could open arbitrary applications, make the browser load arbitrary URLs, or run search queries, and how all traffic flowing to or from the device could be sniffed, no matter whether the individual apps were using SSL/TLS or browsing HTTPS sites. As a result, everything from Facebook to banking sessions could be monitored. Furthermore, if combined with known vulnerabilities in various MDM products, Amit said an attacker could not only subvert an iOS device, but also MDM controls.

"We see a bigger picture, of an attack that can access all of the stuff on your device -- both personal and for business -- and remain undetectable, and for that reason, we find it very important to remind people about these problems, and to be sure they update their operating systems," Amit said.

While the threat of malicious profiles has been known for some time, the vulnerability recently detailed by Skycure would enable an attacker to hide their profile after a user was tricked into installing it. "We recently found a vulnerability on iOS that allows [someone] to make these profiles, once installed, completely hidden, which means that not you or your admin can know that such a profile runs on your device," Amit said.

He declined to demonstrate that vulnerability on the reporter's iPhone -- saying that once the profile was loaded and hidden, it became quite difficult to remove -- and noted that Apple plans to patch the flaw with the release of iOS 7.1. "We will not disclose technical details until iOS 7.1 is released," he said.

Apple Insider reported this week that Apple will likely release iOS 7.1 later this month, which includes a number of features designed to make it easier for IT administrators to automate MDM setup for wireless devices. That feature could be used to configure thousands of devices rapidly, for example in enterprise or educational settings.

But like recent versions of iOS, the update will likely patch not just the hidden-profile vulnerability but also other flaws that might be exploited by attackers, including a background monitoring vulnerability disclosed last month by FireEye, which affects iOS 6 and iOS 7.

Apple released an emergency fix for a "goto fail" SSL/TLS flaw (also known as CVE-2014-1266) on February 25, in the form of iOS 7.0.6. (Apple also fixed the flaw in OS X Mavericks by releasing OS X Mavericks 10.9.2.)

Attackers could exploit the flaw to eavesdrop on the communications of any vulnerable device, provided that the attacker was on the same network or WiFi hotspot as the target.

"To mitigate the risk of this vulnerability it's crucial to notify employees using vulnerable devices that they shouldn't connect to public WiFi access points," said Dirk Sigurdson, director of engineering for Rapid7's Mobilisafe, in a blog post. "It's nearly impossible to discern legitimate public access points from those setup to steal data, and so devices that are vulnerable to this attack should stay on private ones."

Fewer than half of iOS devices are running the latest software update.
Fewer than half of iOS devices are running the latest software update.

The best fix for the flaw is simply to update vulnerable devices to iOS 7.0.6, which runs on the iPhone 4 (and newer devices), iPod Touch (5th generation), and iPad 2 and newer devices. "Don't make the assumption that employees will automatically update their devices to address this issue," Sigurdson said.

According to a survey of millions of iOS devices in the United States and Canada that are using the web, as of Tuesday, 45% of all iOS users were employing version 7.0.6, Andrew Waber, a market analyst at online advertising network Chitika, said via email. That's a noticeable jump in iOS 7.0.6 from one week ago, when just 20% of users had adopted the latest version of the operating system.

But as of Tuesday, 36% of iPhone and iPad users were still running a version of iOS 7 that was vulnerable to the SSL/TLS goto-fail flaw.

IT is turbocharging BYOD, but mobile security practices lag behind the growing risk. Also in the Mobile Security issue of InformationWeek: These seven factors are shaping the future of identity as we transition to a digital world. (Free registration required.)

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...