
Don't think you're SAFE from Windows zombies just 'cos you have an iPhone - research

Malware can be pushed across the species gap


Fanbois aren't safe from Windows malware - and it's all down to iTunes syncing.

The music software's sync is the Achilles' heel that could expose otherwise secure iOS devices to malware, security researchers warn. Simply connecting an iPhone or iPad to an infected Windows machine through a USB cable leaves it vulnerable to custom iOS malware.

Researchers from the Georgia Institute of Technology are due to demonstrate next week how syncing songs, pictures and other content between a computer and an iPhone or iPad creates a way to circumvent Apple's security controls.

The demo – due to take place next Wednesday (20 August) at the Usenix Security Symposium in San Diego – relies on the trust model of paired devices rather than any software vulnerabilities as such. The trick relies on first compromising a connected computer before using this hacker-controlled machine to push attacker-signed malicious apps onto an iPhone or fondleslab before siphoning off confidential data, as an abstract for the talk explains.

While Apple iOS has gained increasing attention from attackers due to its rising popularity, very few large scale infections of iOS devices have been discovered because of iOS’s advanced security architecture.

In this paper, we show that infecting a large number of iOS devices through botnets is feasible. By exploiting design flaws and weaknesses in the iTunes syncing process, the device provisioning process, and in file storage, we demonstrate that a compromised computer can be instructed to install Apple-signed malicious apps on a connected iOS device, replace existing apps with attacker-signed malicious apps, and steal private data (e.g., Facebook and Gmail app cookies) from an iOS device.

The Georgia Institute of Technology team – Tielei Wang, Yeongjin Jang, Yizheng Chen, Simon Chung, Billy Lau and Wenke Lee – point out that many iOS devices are paired with Windows PCs, whose susceptibility to malware is well known by long-suffering Reg readers.

There are tens of millions of malware strains that affect Windows PCs, so many in fact that most antivirus vendors have stopped counting. iOS nasties, in extreme contrast, number fewer than 10 (and that's including proof-of-concept nasties from celebrated hacker Charlie Miller).

Apple's strict mobile app vetting procedure is the biggest contributor to this low number, but Apple's layered protections also make a contribution. Both iTunes syncing and a simple USB cable connection to a compromised host machine represent a way to circumvent these tight controls, according to the researchers.

The Apple File Connection protocol used for communication between a host and iThing gives access to files within iOS's application directories, such as cookies. Stolen cookies can, in turn, be used by hackers to hijack the corresponding webmail, social networking or other online accounts.

"We believe that Apple kind of over-trusted the USB connection," Tielei Wang, a co-author of the study and research scientist at GT, told Computerworld.
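The trust that Wang describes is recorded on the host side as a pairing record: once a user has tapped "Trust" for a computer, iTunes (and the usbmuxd service behind it) keeps a plist per device holding the host identity and keys the device will accept from then on. The following inventory script is an added example for defenders, not code from the article or from the Georgia Tech paper. It lists the pairing records a host holds and flags the properties that matter if that host is compromised (an escrow bag, a host private key, a long-unused pairing). The Lockdown directory paths are assumed defaults (`C:\ProgramData\Apple\Lockdown` on Windows, `/var/db/lockdown` on macOS) and the sample record is constructed.

```python
"""Inventory the iOS pairing records a host keeps (added example; assumed default paths)."""
import os
import plistlib
import sys
import time
from pathlib import Path


def default_lockdown_dirs():
    """Assumed default Lockdown directories; adjust if your install differs."""
    if sys.platform.startswith("win"):
        base = Path(os.environ.get("ProgramData", r"C:\ProgramData"))
        return [base / "Apple" / "Lockdown"]
    return [Path("/var/db/lockdown")]


def summarize_pair_record(filename, data, mtime=None, now=None):
    """Extract the trust-relevant fields from one pairing record plist.

    `data` is the raw plist bytes; `mtime` and `now` are epoch seconds and are
    optional so the function can be driven with constructed input.
    """
    rec = plistlib.loads(data)
    age_days = None
    if mtime is not None:
        age_days = ((now if now is not None else time.time()) - mtime) / 86400
    return {
        "udid": Path(filename).stem,          # record files are named <UDID>.plist
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "has_escrow_bag": "EscrowBag" in rec,
        "has_host_private_key": "HostPrivateKey" in rec,
        "age_days": age_days,
    }


def risk_flags(summary, max_age_days=90):
    """Turn a summary into review notes for the host's owner."""
    flags = []
    if summary["has_escrow_bag"]:
        flags.append("escrow bag present: this host can read protected data from the "
                     "device while it is locked (after first unlock since boot)")
    if summary["has_host_private_key"]:
        flags.append("host private key on disk: copying this file lets another machine "
                     "impersonate this host to the device")
    if summary["age_days"] is not None and summary["age_days"] > max_age_days:
        flags.append(f"record is {summary['age_days']:.0f} days old: pairing may be stale; "
                     "consider resetting device trust")
    return flags


def scan(dirs=None):
    """Walk the Lockdown directories and return (summary, flags) per device record."""
    results = []
    for d in (dirs or default_lockdown_dirs()):
        if not d.is_dir():
            continue
        for p in d.glob("*.plist"):
            if p.name == "SystemConfiguration.plist":   # host-wide file, not a device record
                continue
            try:
                s = summarize_pair_record(p.name, p.read_bytes(), p.stat().st_mtime)
            except (OSError, plistlib.InvalidFileException, ValueError):
                continue
            results.append((s, risk_flags(s)))
    return results


# Constructed sample record (no real device or key material) so the module runs offline.
SAMPLE_RECORD = plistlib.dumps({
    "HostID": "00000000-0000-0000-0000-00000000ABCD",
    "SystemBUID": "11111111-2222-3333-4444-555555555555",
    "WiFiMACAddress": "00:11:22:33:44:55",
    "EscrowBag": b"\x00" * 16,
    "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\n(constructed)\n-----END RSA PRIVATE KEY-----\n",
    "HostCertificate": b"", "DeviceCertificate": b"", "RootCertificate": b"",
})


def sample_report():
    """Run the checks over the constructed record as if it were 200 days old."""
    s = summarize_pair_record("0000ABCDEF.plist", SAMPLE_RECORD, mtime=0, now=200 * 86400)
    return s, risk_flags(s)


if __name__ == "__main__":
    found = scan() or [sample_report()]
    for s, flags in found:
        print(f"device {s['udid']} paired with host {s['host_id']}")
        for f in flags:
            print("   -", f)
```

Run it on a machine that syncs iOS devices and compare the device list with what the owner expects; a record for a device nobody remembers pairing, or one that is months old, is a reason to reset trust on the device (Settings > General > Reset > Reset Location & Privacy on iOS of that era) so the host's stored credentials stop being usable.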

Apple issues developer certificates and these can be used to self-sign an application prior to distribution. The Georgia team found it was possible to smuggle a developer provisioning file onto an iOS device during the iTunes syncing process, a tactic that paves the way for a self-signed malicious application to be installed or for legitimate apps to get replaced by doctored versions. "The whole process can be done without the user's knowledge," Wang explained.
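A provisioning profile is the artefact that lets a developer-signed app run on a device, so an unexpected one on a device (or in a sync directory) is the thing a defender would look for after reading the above. The audit below is an added example, not code from the article or the paper: it pulls the clear-text plist out of a `.mobileprovision` file (a CMS-signed blob whose signed content is the plist itself) and reports the properties that make a profile worth a second look. It does not verify the CMS signature, so it is an inventory aid rather than a trust decision. The team identifier allowlist, the device UDID and the sample profile are all constructed.

```python
"""Audit an iOS provisioning profile for risky properties (added example)."""
import plistlib
from datetime import datetime


def extract_profile_plist(blob):
    """Return the plist dict embedded in a .mobileprovision (CMS) blob.

    The signed content of the CMS message is an XML plist in clear text, so it
    can be located by its markers without a CMS parser.  Signature checking is
    deliberately out of scope here.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit_profile(profile, trusted_team_ids, device_udid=None, now=None):
    """Return a list of findings for one parsed profile dict."""
    now = now or datetime.utcnow()          # plistlib returns naive UTC datetimes
    findings = []
    ents = profile.get("Entitlements", {})
    teams = set(profile.get("TeamIdentifier", []))
    if not teams & set(trusted_team_ids):
        findings.append(f"team {sorted(teams)} is not in the allowlist")
    if ents.get("get-task-allow"):
        findings.append("get-task-allow=true: development profile, app is debuggable")
    if profile.get("ProvisionsAllDevices"):
        findings.append("ProvisionsAllDevices=true: enterprise (in-house) profile")
    devices = profile.get("ProvisionedDevices", [])
    if device_udid and device_udid in devices:
        findings.append(f"this device's UDID is among the {len(devices)} provisioned devices")
    exp = profile.get("ExpirationDate")
    if exp is not None and exp < now:
        findings.append(f"profile expired on {exp:%Y-%m-%d}")
    app_id = ents.get("application-identifier", "")
    if app_id.endswith(".*"):
        findings.append(f"wildcard application-identifier {app_id}: can sign any bundle ID")
    return findings


# Constructed sample: a development profile with a wildcard app ID and two devices.
SAMPLE_PROFILE = {
    "AppIDName": "Constructed Demo App",
    "ApplicationIdentifierPrefix": ["EXAMPLE123"],
    "CreationDate": datetime(2014, 8, 1),
    "ExpirationDate": datetime(2015, 8, 1),
    "Entitlements": {
        "application-identifier": "EXAMPLE123.*",
        "get-task-allow": True,
        "keychain-access-groups": ["EXAMPLE123.*"],
    },
    "Name": "Constructed Dev Profile",
    "ProvisionedDevices": ["00008030-CONSTRUCTED0001", "00008030-CONSTRUCTED0002"],
    "TeamIdentifier": ["EXAMPLE123"],
    "TeamName": "Example Team (constructed)",
    "UUID": "12345678-aaaa-bbbb-cccc-1234567890ab",
    "Version": 1,
}
# Fake CMS framing around the plist (SEQUENCE header + signedData OID, then padding).
SAMPLE_MOBILEPROVISION = (b"\x30\x82\x0b\xad\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
                          + plistlib.dumps(SAMPLE_PROFILE) + b"\x00" * 16)


def audit_sample(trusted=("TRUSTED0000",), udid="00008030-CONSTRUCTED0001",
                 now=datetime(2014, 8, 20)):
    """Audit the constructed profile as of the paper's presentation date."""
    return audit_profile(extract_profile_plist(SAMPLE_MOBILEPROVISION), trusted, udid, now)


if __name__ == "__main__":
    for finding in audit_sample():
        print("-", finding)
```

On a managed fleet the allowlist would hold the organisation's own Apple team identifiers; any profile outside it that lists the device's UDID, or that provisions all devices, is exactly the kind of side-loaded trust the researchers describe and should be removed and investigated.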

The researchers also developed an attack capable of tricking an Apple device into authorising the download of an application using someone else's Apple ID, a tactic that gets around Apple's requirement that someone needs to be logged into their account to download content from its App Store.

The latest research focuses on potential delivery mechanisms of future iOS malware.

Last year, the same GT team developed Jekyll, an iPhone application with malicious functions that passed Apple's inspection and was briefly available from its App Store. The latest research shows how it might be possible to push apps like Jekyll onto iThings without tricking users into requesting them, one of the main barriers against anything beyond a small scale outbreak.

The research is designed to act as a wake-up call to Apple and others on potential security problems with iOS devices before trouble hits, allowing security to be tightened up and potential attacks thwarted.

Wang told Computerworld that although the Georgia team's research focused on the possibility of using Windows botnets to push malware onto connected iOS devices, much the same attack method also applies to OS X zombie networks.

Although the Georgia team talks about the possibility of large scale attacks, this type of approach might be applied by determined and well-resourced hackers in targeted attacks.

Apple can remove applications from the App Store, remotely disable applications and revoke developer certificates – all tactics that might be brought into play to quell a large scale attack – but smaller scale attacks are much more likely to escape notice and therefore arguably present the biggest concern, especially in the post-Snowden era of widespread concern about state-sponsored industrial espionage and surveillance.

But that's not the only risk in this area. Earlier this week we reported that Chinese malware had infected more than 75,000 iPhones as part of a click fraud scam.

The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising. Unmodified iThings are immune. And the same thing applied to a worm that infected jailbroken iPhones and targeted customers of Dutch online bank ING Direct way back in 2009. ®
