RSA 2018

The iTunes Wi-Fi sync feature in Apple’s iOS can be potentially abused by cops, snoops, and hackers to remotely extract information from, and control, iPhones and iPads.
This is according to researchers at Symantec, who discovered that, once an iOS device trusts a physically connected computer, the device can, in certain circumstances, be accessed by miscreants sharing the same Wi-Fi network as the device and the computer.
Said miscreants can make backups of the iPhone or iPad’s documents, extract screenshots, and even add and remove applications without the iThing owner’s knowledge.
Speaking at the 2018 RSA Conference today in San Francisco, Symantec operating system research team leader Roy Iarchi and senior veep Adi Sharabani said it’s all because the cryptographic keys generated for accessing devices via USB are also used when authenticating access via Wi-Fi.
Thus if an iThing trusts a computer, or some other terminal, and hands over its keys, and those keys land in the hands of scumbags, they can be used to hijack the handheld or fondleslab over the shared wireless network. The iOS gadget must also have iTunes Wi-Fi sync enabled; that switch lives in iTunes on the paired computer rather than on the handset, so whoever controls that machine can flip it, or it can be turned on via social engineering or some tricky software.
It sounds like a bit of a long shot – but could be pretty useful for determined snoops, crime investigators, and so on.
Once an iOS device is plugged into a PC or Mac, and the user has opted to trust the machine, those aforementioned access credentials can be used over Wi-Fi to perform the same tasks possible if the device were connected with a USB-to-Lightning cable.

What’s worse, said the eggheads, those credentials are permanently saved by the computer, meaning they can be used to get into the smartphone weeks or months after it was paired. An attacker could infect the PC – or just buy a used machine that wasn’t wiped – and reuse the stored credentials against the device they belong to. Or an airport charging station could ask to be trusted when plugged in, and later pwn devices via shared Wi-Fi. Use your imagination.
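The practical consequence of that permanent storage is that the pairing records on a computer are worth auditing. Below is an added example, not Symantec’s or Apple’s code, that scans a directory of pairing-record plists, reports which device each record grants access to and how old it is, and can delete stale ones. It assumes the macOS location /var/db/lockdown/&lt;UDID&gt;.plist and the Windows location %ProgramData%\Apple\Lockdown, and it assumes the key names (HostID, WiFiMACAddress, HostPrivateKey, EscrowBag) used by libimobiledevice-compatible pairing records; the sample records it writes for the offline demo are constructed and contain no real key material.

```python
"""Audit the lockdown pairing records a computer keeps for trusted iOS devices.

Added example (not Symantec's or Apple's code). Assumptions: records live in
/var/db/lockdown/<UDID>.plist on macOS and %ProgramData%\\Apple\\Lockdown on
Windows, and use the key names found in libimobiledevice-style records.
"""
import os
import plistlib
import tempfile
import time
from pathlib import Path

# Assumed default locations of the pairing records (run as root/admin to read them).
DEFAULT_LOCKDOWN_DIRS = (
    Path("/var/db/lockdown"),                                                     # macOS
    Path(os.environ.get("ProgramData", r"C:\ProgramData")) / "Apple" / "Lockdown",  # Windows
)


def parse_pairing_record(path, now=None):
    """Summarise one <UDID>.plist: who it authenticates and how long it has sat on disk."""
    now = time.time() if now is None else now
    path = Path(path)
    with open(path, "rb") as fh:
        rec = plistlib.load(fh)
    return {
        "udid": path.stem,                                   # file name is the device UDID
        "host_id": rec.get("HostID"),                        # identity this computer presents
        "wifi_mac": rec.get("WiFiMACAddress"),               # used to find the device on Wi-Fi
        "has_host_private_key": "HostPrivateKey" in rec,     # the key that lets anyone replay the trust
        "has_escrow_bag": "EscrowBag" in rec,                # lets the host talk to a locked device
        "age_days": (now - path.stat().st_mtime) / 86400.0,
    }


def audit_pairing_records(directory, max_age_days=30, now=None):
    """Return a summary per record in `directory`, flagging those older than `max_age_days`."""
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        info = parse_pairing_record(path, now)
        info["stale"] = info["age_days"] > max_age_days
        results.append(info)
    return results


def revoke_stale_records(directory, max_age_days=30, now=None, dry_run=True):
    """Delete stale records (the computer-side half of 'forget this device'); returns the UDIDs."""
    removed = []
    for info in audit_pairing_records(directory, max_age_days, now):
        if info["stale"]:
            if not dry_run:
                (Path(directory) / f"{info['udid']}.plist").unlink()
            removed.append(info["udid"])
    return removed


def write_sample_record(directory, udid, age_days, now=None):
    """Write a CONSTRUCTED pairing record with a back-dated mtime; no real key material."""
    now = time.time() if now is None else now
    path = Path(directory) / f"{udid}.plist"
    rec = {
        "HostID": f"HOST-{udid[:8]}",                 # hypothetical value
        "SystemBUID": "00000000-0000-0000-0000-000000000000",
        "WiFiMACAddress": "aa:bb:cc:dd:ee:ff",
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\nconstructed\n",
        "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n",
        "EscrowBag": b"\x00" * 16,
    }
    with open(path, "wb") as fh:
        plistlib.dump(rec, fh)
    mtime = now - age_days * 86400.0
    os.utime(path, (mtime, mtime))
    return path


def run_demo(max_age_days=30):
    """Offline demo on two constructed records: one fresh, one forgotten for four months."""
    now = time.time()
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_record(tmp, "00008020-001122334455667A", age_days=120, now=now)
        write_sample_record(tmp, "00008030-000A1B2C3D4E5F60", age_days=3, now=now)
        audit = audit_pairing_records(tmp, max_age_days, now)
        would_remove = revoke_stale_records(tmp, max_age_days, now, dry_run=True)
        still_present = sorted(p.name for p in Path(tmp).glob("*.plist"))
        removed = revoke_stale_records(tmp, max_age_days, now, dry_run=False)
        left = [r["udid"] for r in audit_pairing_records(tmp, max_age_days, now)]
    return {"audit": audit, "would_remove": would_remove,
            "still_present": still_present, "removed": removed, "left": left}


if __name__ == "__main__":
    out = run_demo()
    for info in out["audit"]:
        print(f"{'STALE' if info['stale'] else 'ok   '} {info['udid']} host={info['host_id']} "
              f"age={info['age_days']:.0f}d private_key={info['has_host_private_key']} "
              f"escrow={info['has_escrow_bag']}")
    print("removed:", out["removed"])
    # Real audit: audit_pairing_records(DEFAULT_LOCKDOWN_DIRS[0]) on macOS, as root.
```

Deleting a record on the computer only revokes that computer’s copy of the trust; the device itself still lists the host as trusted until the owner resets the list on the phone, so both sides need clearing.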
Additionally, the duo noted, the technique could be paired with a malicious configuration profile that routes the device’s network traffic through an attacker-controlled VPN, so the handset stays reachable, and the flaw exploitable, even when it is no longer on the shared Wi-Fi network.
Iarchi said the issue was discovered by accident in 2017 when, while debugging several iOS devices for a different project, he noticed a strange set of logs showing up in his terminal window.
“The problem is those logs didn’t collate to what I did on the devices,” he explained. “It was the logs of another device of one of my team members that wasn’t in the same room with me.”
From there, Iarchi was able to determine that, with a bit of digging, he could use developer tools to access backups, stream screens, and covertly remove and install the apps on any iOS device that had previously been connected to his machine.
Symantec said it had notified Apple of the issue, and though iOS 11 now requires a passcode to trust a computer, the so-called “trustjacking” design flaw they found is still present and open to abuse.
Until Cupertino decides to permanently fix the problem, Iarchi and Sharabani recommend users take some basic steps to limit trusted-machine access, including encrypting their backups and deleting their list of old trusted machines (this can be done via Settings > General > Reset > Reset Location & Privacy, after which every computer has to ask for trust again).

Developers can also help to protect their apps from data harvesting by not saving sensitive info to the device, or at least not including it in backup data. ®