Feeds

iPhone vulnerable to remote attack on SSL

Beware of rogue config files

Top 5 reasons to deploy VMware with Tegile

Apple's iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they're protected by the SSL, or secure sockets layer, protocol, a security researcher said.

The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization's IT policies, said Charlie Miller, a researcher at Independent Security Evaluators. Not only does the provisioning feature work over the internet, it can be tricked into accepting malicious configuration files.

"If the user accepts, the attacker can make changes to the phone's configuration which can cause harm," Miller wrote in an email to The Reg.

The revelation comes after the hack was discussed in an anonymous blog post over the weekend. It explained how it was possible to sign an XML-based configuration file using a SSL certificate registered to a fictitious company called Apple Computer. Because the iPhone checks only that the certificate was signed by a trusted CA, or certificate authority, the author's rogue update.mobilconfig file was accepted and executed.

The author claimed the hack could be used to change an iPhone's proxy settings, a change that would allow attackers to do much more nefarious deeds such as funnel traffic to servers under their control. Miller said he wasn't sure such an attack was possible, but he didn't rule it out, either.

"It definitely allows them to change the trusted certs which means that you can't trust SSL anymore," Miller wrote. "I don't have the cert the guy generated to really confirm things on my own. I'm very confident that it can do a lot though."

In addition to changing trusted certificates, Miller said, a rogue configuration file could be used to disable Safari or other iPhone apps or block access to particular websites that can be accessed.

For an exploit to work, an attacker would have to apply a fair amount of social engineering. First, a user would have to be tricked into clicking on an email attachment or visiting a website hosting the configuration file. The user would then be presented with a window saying the update has been "verified" and would have to click OK to install it.

The most serious consequence Miller could confirm was the ability to spoof SSL-protected pages, but given the difficulty of the attack, he wasn't sure how useful that would be.

"If you can get someone to install this thing AND go to your phishing site, the guy probably would have fallen for it without SSL," he said. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Oi, Tim Cook. Apple Watch. I DARE you to tell me, IN PERSON, that it's secure
State attorney demands Apple CEO bows the knee to him
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
Will BlackBerry make a comeback with its SQUARE smartphones?
Plus PC PIMs from company formerly known as RIM
Apple's iPhone 6 first-day sales are MEANINGLESS, mutters analyst
Big weekend queues only represent fruity firm's supply
Hey, Mac fanbois. HGST wants you drooling over its HUGE desktop RACK
What vast digital media repository could possibly need 64 TERABYTES?
Soundbites: News in brief from the Wi-Fi audiophile files
DTS and Sonos sing out but not off the same hymnsheet
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.