RSA 2018: Attackers can steal data from iPhones over Wi-Fi by abusing a sync feature built into iTunes
Security researchers have demonstrated a vulnerability in Apple’s iOS software that could allow attackers broad access to devices such as iPhones via a Wi-Fi connection.
Symantec said the issue, which it called “trustjacking”, takes advantage of a Wi-Fi sync feature that allows users to control their iOS device from a computer.
The issue means an attacker could set up a seemingly harmless connection point, such as a public charging station, and gain persistent access to devices, Symantec researchers said at the RSA 2018 conference in San Francisco.
Roy Iarchy, the firm’s head of modern OS security research, said he discovered the issue by accident last year while debugging iOS devices for another project.
The problem is, in part, due to design flaws in the way iOS links users to iTunes running on a computer, he said.
When linking to iTunes over a USB connection, users are asked whether they trust the computer or not.
If they confirm that they do, the “trusted” computer has the right to set up a feature called iTunes Wi-Fi sync, which allows it to control the iOS device. That step can be carried out without further approval from the device, or even any indication on the device that the feature has been enabled.
Once the Wi-Fi sync feature is set up, its ability to control the device persists indefinitely, and can still access the device weeks or months later.
But the initial “trust” prompt indicates none of this, Iarchy said, stating control will only take place “when connected”.
‘An iPhone user’s worst nightmare’
He said the process of gaining persistent access by setting up Wi-Fi sync could be automated on a malicious terminal.
Once the feature is set up, the “trusted” machine can access the device’s photos, perform backups, install or remove applications and more, all with no indication on the device that anything is taking place.
“Getting a live stream of the device’s screen can be done easily by repeatedly asking for screenshots and displaying or recording them remotely,” Iarchy wrote.
These actions can normally take place while both the computer and the device are connected to the same Wi-Fi network, but Iarchy said Symantec had been able to do away with that restriction by using a malicious profile attack to connect the device to a VPN server.
“An iPhone user’s worst nightmare is to have someone gain persistent control over his/her device, including the ability to record and control all activity without even needing to be in the same room,” Iarchy wrote in a blog post following the presentation.
After Symantec notified Apple, the company made changes in iOS requiring the user to enter their passcode when approving a trusted computer.
But the new step still indicates the computer can only access the device’s data “when connected”, which would lead a user to believe disconnecting the device guarantees the data is protected.
“While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in an holistic manner,” Iarchy wrote.
He recommended users take their own steps to mitigate the problem, such as encrypting backups, manually deleting old trusted machines and not saving sensitive data on the device.
Do you know all about security? Try our quiz!