Feeds

iPhone vulnerable to remote attack on SSL

Beware of rogue config files

Business security measures using SSL

Apple's iPhone is vulnerable to exploits that allow an attacker to spoof web pages even when they're protected by the SSL, or secure sockets layer, protocol, a security researcher said.

The fault lies in a feature that makes it easy to configure large numbers of iPhones so they meet an organization's IT policies, said Charlie Miller, a researcher at Independent Security Evaluators. Not only does the provisioning feature work over the internet, it can be tricked into accepting malicious configuration files.

"If the user accepts, the attacker can make changes to the phone's configuration which can cause harm," Miller wrote in an email to The Reg.

The revelation comes after the hack was discussed in an anonymous blog post over the weekend. It explained how it was possible to sign an XML-based configuration file using a SSL certificate registered to a fictitious company called Apple Computer. Because the iPhone checks only that the certificate was signed by a trusted CA, or certificate authority, the author's rogue update.mobilconfig file was accepted and executed.

The author claimed the hack could be used to change an iPhone's proxy settings, a change that would allow attackers to do much more nefarious deeds such as funnel traffic to servers under their control. Miller said he wasn't sure such an attack was possible, but he didn't rule it out, either.

"It definitely allows them to change the trusted certs which means that you can't trust SSL anymore," Miller wrote. "I don't have the cert the guy generated to really confirm things on my own. I'm very confident that it can do a lot though."

In addition to changing trusted certificates, Miller said, a rogue configuration file could be used to disable Safari or other iPhone apps or block access to particular websites that can be accessed.

For an exploit to work, an attacker would have to apply a fair amount of social engineering. First, a user would have to be tricked into clicking on an email attachment or visiting a website hosting the configuration file. The user would then be presented with a window saying the update has been "verified" and would have to click OK to install it.

The most serious consequence Miller could confirm was the ability to spoof SSL-protected pages, but given the difficulty of the attack, he wasn't sure how useful that would be.

"If you can get someone to install this thing AND go to your phishing site, the guy probably would have fallen for it without SSL," he said. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
Oi, Tim Cook. Apple Watch. I DARE you to tell me, IN PERSON, that it's secure
State attorney demands Apple CEO bows the knee to him
4K-ing excellent TV is on its way ... in its own sweet time, natch
For decades Hollywood actually binned its 4K files. Doh!
Phones 4u website DIES as wounded mobe retailer struggles to stay above water
Founder blames 'ruthless network partners' for implosion
DARPA-backed jetpack prototype built to make soldiers run faster
4 Minute Mile project hatched to speed up tired troops
Hey, Mac fanbois. HGST wants you drooling over its HUGE desktop RACK
What vast digital media repository could possibly need 64 TERABYTES?
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Apple's ONE LESS THING: the iPod Classic disappears
RIP 2001 – 2014. MP3 player beloved of millions. Killed by cloud
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.