Apple Fixes Proxy Manipulating Phantom Attack in iOS 8.3

If left unpatched and exploited one of the vulnerabilities fixed in this week’s iOS update could’ve rendered an iPhone near useless.

If left unpatched, one of the vulnerabilities fixed in this week’s iOS update could render an iPhone near useless. If triggered, it could cause networking apps to quit, the system to grind to a halt. In some cases, the device wouldn’t even be able to be rebooted.

The vulnerability, nicknamed Phantom by researchers at FireEye, stems from a misconfiguration in iOS’ HTTP proxy settings. If an attacker tweaked a device’s proxy values accordingly, they could cause several use-after-free vulnerabilities in libsystem_network.dylib, a dynamic library on the phone.

Calling the issue a memory corruption issue in libnetcore, Apple addressed the vulnerability (CVE-2015-1118) in its iOS 8.3 update on Wednesday.

FireEye notes that if left unpatched there are actually a few ways an attacker could trick an unsuspecting user into configuring their phone’s proxy to make it vulnerable.

While iOS warns users changing their proxy via profile, an attacker could theoretically send the victim a profile containing proxy settings, over WiFi. The attacker could then have free rein to tweak the user’s proxy settings.

“If the attacker has convincing social engineering skills, a user who doesn’t understand the security risks might proceed to install a malicious profile,” Zhaofeng Chen, Hui Xue, Tao Wei, Yulong Zhang, the researchers who dug up the vulnerability, wrote yesterday.

An attacker could also hijack HTTP traffic to modify a Proxy Auto Configuration (PAC) file. An attacker could trick a user to erroneously set the PAC, leaving anyone that uses it susceptible. After the attack the phone basically enters what FireEye calls a “coma state,” meaning it will crash repeatedly. While the device will go on to generate crash information, it won’t respond to user inputs.

In a video demonstrating the attack, a user sets up a proxy with a URL listed on a fake library website. Some public WiFi providers, like school libraries, allow users to configure their device’s proxies to use their resources. From there an attacker hijacks the HTTP traffic and modifies the PAC. In the video it’s pretty clear that after the attack is leveraged, no network apps work. Even after the user resets the iPhone, the screen doesn’t light up right away. The user can’t even unlock the device when it does finally boot up because all of its services are crashing at once.

FireEye encourages users to update at their earliest convenience and as should be expected, to exercise caution when it comes to connecting their iPhones to public WiFi.

“Since auto proxy settings have important security impacts for users not limited to Phantom attacks, public WIFI providers should take additional measures to protect vulnerable devices by enforcing secure deployment of PAC files through HTTPS,” the researchers warn.

Suggested articles