
Don't think you're SAFE from Windows zombies just 'cos you have an iPhone - research

Malware can be pushed across the species gap


Fanbois aren't safe from Windows malware - and it's all down to iTunes syncing.

The music software's sync is the Achilles' heel that could expose otherwise secure iOS devices to malware, security researchers warn. Simply connecting an iPhone or iPad to an infected Windows machine through a USB cable leaves it vulnerable to custom iOS malware.

Researchers from the Georgia Institute of Technology are due to demonstrate next week how syncing songs, pictures and other content between a computer and an iPhone or iPad creates a way to circumvent Apple's security controls.

The demo – due to take place next Wednesday (20 August) at the Usenix Security Symposium in San Diego – relies on the trust model of paired devices rather than any software vulnerabilities as such. The trick relies on first compromising a connected computer before using this hacker-controlled machine to push attacker-signed malicious apps onto an iPhone or fondleslab before siphoning off confidential data, as an abstract for the talk explains.

While Apple iOS has gained increasing attention from attackers due to its rising popularity, very few large scale infections of iOS devices have been discovered because of iOS’s advanced security architecture.

In this paper, we show that infecting a large number of iOS devices through botnets is feasible. By exploiting design flaws and weaknesses in the iTunes syncing process, the device provisioning process, and in file storage, we demonstrate that a compromised computer can be instructed to install Apple-signed malicious apps on a connected iOS device, replace existing apps with attacker-signed malicious apps, and steal private data (eg, Facebook and Gmail app cookies) from an iOS device.

The Georgia Institute of Technology team – Tielei Wang, Yeongjin Jang, Yizheng Chen, Simon Chung, Billy Lau and Wenke Lee – point out that many iOS devices are paired with Windows PCs, whose susceptibility to malware is well known to long-suffering Reg readers.

There are tens of millions of malware strains that affect Windows PCs, so many in fact that most antivirus vendors have stopped counting. iOS nasties, in extreme contrast, number fewer than 10 (and that's including proof-of-concept nasties from celebrated hacker Charlie Miller).

Apple's strict mobile app vetting procedure is the biggest contributor to this low number, but Apple's layered protections also make a contribution. Both iTunes syncing and a simple USB cable connection to a compromised host machine represent a way to circumvent these tight controls, according to the researchers.

The Apple File Connection (AFC) protocol used for file transfer between a host and an iThing gives a paired host access to files inside iOS app directories, including the cookie stores kept by apps. Stolen cookies can, in turn, be replayed by hackers to hijack the corresponding webmail, social networking or other online accounts without knowing the password.

"We believe that Apple kind of over-trusted the USB connection," Tielei Wang, a co-author of the study and research scientist at GT, told Computerworld.

Apple issues developer certificates, and apps signed with one will run on any device that carries a matching provisioning profile. The Georgia team found it was possible to smuggle such a developer provisioning profile onto an iOS device during the iTunes syncing process, a tactic that paves the way for a developer-signed malicious application to be installed or for legitimate apps to be replaced by doctored versions. "The whole process can be done without the user's knowledge," Wang explained.
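The common thread in the attacks described above is the pairing trust: once an iThing has trusted a host, that host holds a pairing record containing everything it needs to talk to the device over USB, and whatever owns the host (a bot included) inherits that access. One practical check is to audit the pairing records a host has accumulated. The script below is an added example, not code from the Georgia Tech paper or from Apple: it parses the lockdown pairing-record plists that iTunes/usbmuxd keep on the host (C:\ProgramData\Apple\Lockdown on Windows, /var/db/lockdown on OS X, both assumed unchanged on your system) and reports, per device UDID, which credentials the record carries. The sample record embedded in the script is constructed with dummy values; the key names follow those used by libimobiledevice's pairing records.

```python
"""Audit iOS pairing records left on a host by iTunes / usbmuxd (added example)."""
import plistlib
import tempfile
from pathlib import Path

# Default pairing-record directories (assumption: defaults for your iTunes build).
PAIRING_DIRS = {
    "windows": Path(r"C:\ProgramData\Apple\Lockdown"),
    "macos": Path("/var/db/lockdown"),
}

# Credentials in a pairing record that let the host act as a trusted peer.
# HostPrivateKey/HostCertificate: authenticate the host to lockdownd.
# EscrowBag: lets the trusted host reach protected data once the device has
# been unlocked since boot, so sync/backup works with the screen locked.
CRED_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")


def parse_pairing_record(data: bytes) -> dict:
    """Summarise one pairing-record plist without printing any key material."""
    rec = plistlib.loads(data)
    return {
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "has_host_cert": "HostCertificate" in rec,
        "secrets_present": [k for k in CRED_KEYS if k in rec],
    }


def audit_pairing_dir(path: Path) -> list[dict]:
    """Walk a lockdown directory; each <UDID>.plist is one device trusting this host."""
    findings = []
    for plist in sorted(path.glob("*.plist")):
        udid = plist.stem
        if udid == "SystemConfiguration":
            continue  # host-wide config (SystemBUID), not a device record
        try:
            info = parse_pairing_record(plist.read_bytes())
        except Exception as exc:  # malformed or non-plist file
            findings.append({"udid": udid, "error": str(exc)})
            continue
        info["udid"] = udid
        findings.append(info)
    return findings


# Constructed sample record: dummy UDID, placeholder certs and keys.
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_RECORD = plistlib.dumps({
    "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nDUMMY\n-----END CERTIFICATE-----\n",
    "HostCertificate": b"-----BEGIN CERTIFICATE-----\nDUMMY\n-----END CERTIFICATE-----\n",
    "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\nDUMMY\n-----END RSA PRIVATE KEY-----\n",
    "RootCertificate": b"-----BEGIN CERTIFICATE-----\nDUMMY\n-----END CERTIFICATE-----\n",
    "RootPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\nDUMMY\n-----END RSA PRIVATE KEY-----\n",
    "HostID": "11111111-2222-3333-4444-555555555555",
    "SystemBUID": "66666666-7777-8888-9999-AAAAAAAAAAAA",
    "WiFiMACAddress": "00:11:22:33:44:55",
    "EscrowBag": b"\x00" * 16,
})


def demo() -> list[dict]:
    """Write the constructed record into a temp lockdown dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        lockdown = Path(tmp)
        (lockdown / f"{SAMPLE_UDID}.plist").write_bytes(SAMPLE_RECORD)
        (lockdown / "SystemConfiguration.plist").write_bytes(
            plistlib.dumps({"SystemBUID": "66666666-7777-8888-9999-AAAAAAAAAAAA"}))
        return audit_pairing_dir(lockdown)


if __name__ == "__main__":
    for f in demo():
        print(f)
    # On a real host: audit_pairing_dir(PAIRING_DIRS["windows"])
```

Every record the audit lists is a device that will accept this host as a trusted peer without further prompting; a record for a device you no longer own, or a pile of records on a shared or compromised PC, is the exposure the researchers are pointing at. Deleting the plist on the host does not by itself revoke trust on the device (the device keeps its own copy of the pairing), so an unwanted pairing also needs to be reset from the iThing.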

The researchers also developed an attack capable of tricking an Apple device into authorising the download of an application using someone else's Apple ID, a tactic that gets around Apple's requirement that someone needs to be logged into their account to download content from its App Store.

The latest research focuses on potential delivery mechanisms of future iOS malware.

Last year, the same GT team developed Jekyll, an iPhone application with malicious functions that passed Apple's inspection and was briefly available from its App Store. The latest research shows how attackers might push apps like Jekyll onto iThings without tricking users into requesting them, removing one of the main barriers against anything beyond a small-scale outbreak.

The research is designed to act as a wake-up call to Apple and others on potential security problems with iOS devices before trouble hits, allowing security to be tightened up and potential attacks thwarted.

Wang told Computerworld that although the Georgia team's research focused on the possibility of using Windows botnets to push malware onto connected iOS devices, much the same attack method also applies to OS X zombie networks.

Although the Georgia team talks about the possibility of large-scale attacks, this type of approach is perhaps more likely to be applied by determined and well-resourced hackers in targeted attacks.

Apple can remove applications from the App Store, remotely disable applications and revoke developer certificates – all tactics that might be brought into play to quell a large scale attack – but smaller scale attacks are much more likely to escape notice and therefore arguably present the biggest concern, especially in the post-Snowden era of widespread concern about state-sponsored industrial espionage and surveillance.

But that's not the only risk in this area. Earlier this week we reported that Chinese malware had infected more than 75,000 iPhones as part of a click fraud scam.

The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising. Unmodified iThings are immune. And the same thing applied to a worm that infected jailbroken iPhones and targeted customers of Dutch online bank ING Direct way back in 2009. ®
