SAN FRANCISCO – Researchers have identified a new iOS vulnerability called “trustjacking,” which exploits a feature called iTunes Wi-Fi Sync to give attackers persistent control over victims’ devices.
Symantec researchers presented the vulnerability during a session at RSAC this week and said the vulnerability gives attackers the ability to record and control all activity on a device without being in the same room. Researchers disclosed the vulnerability to Apple, who has released a mechanism to safeguard devices from the vulnerability, they said.
All victims need to do to fall victim to this attack is approve their device’s connection to a malicious computer when syncing with iTunes, they said.
“The user connects to a malicious computer one time – and chooses to trust the computer. That’s the only experience from the end user that you see in this attack. From now on that malicious computer can still communicate with the device via Wi-Fi – and there is no indication of this for the end user,” Adi Sharabani, SVP of modern OS security at Symantec, said at RSAC.
The vulnerability exploits an iOS feature called iTunes Wi-Fi sync, which allows users to manage their iOS devices without physically connecting them to their computer, said Sharabani. Enabling this feature requires users to sync their iOS devices with iTunes by connecting to their computer via a cable.
“A single tap by the iOS device owner when the two are connected to the same network allows an attacker to gain permanent control over the device,” according to a Symantec report on the vulnerability.
When connecting their iOS device to a new computer, users are asked whether they trust the computer or not. If they say yes, the computer can communicate with the device through standard iTunes APIs, activating the iTunes Wi-Fi sync feature.
That means that even after it was disconnected to the computer communication could continue, said Sharabani. So if a victim allows his device to connect to iTunes on a malicious computer, enabling iTunes Wi-Fi sync, hackers can control devices remotely.
“It is important to note that other than the initial single point of failure, authorizing the malicious computer, there is no other mechanism that prevents this continued access. In addition, there is nothing that notifies the users that by authorizing the computer they allow access to their device even after disconnecting the USB cable,” according to Symantec’s report.
Once Wi-Fi sync has been enabled, the attacker can view the victim’s device screen by installing the developer image that is suitable to the victims’ device iOS version via Wi-Fi, said Symantec. From there, attackers can take screenshots repeatedly and view the device’s screen in real time.
Attackers can also access private data such as photos, SMS and iMessage chats history, and app data. An attacker can also use the access to the device to install malicious apps and replace existing apps with modified versions that look like the original app but that can spy on the users, said Sharabani.
“These apps aren’t on the app store, so the reality is that they [attackers] can use private APIs, expanding the impact,” said Sharabani.
One drawback for attackers is that the attack requires the device and computer to be connected to the same network – meaning that the attacker needs to be in proximity to the victim’s device and connected to the same Wi-Fi.
However, Sharabani said that attackers can also combine the attack with a “malicious profile” attack. This connects the device to a VPN server and creates a continuous connection between the victim’s device and the attacker’s computer. Attackers can leverage this attack anytime and without the restriction of being in proximity with the device or connected to the same network, he said.
After the issue was reported to Apple in mid-July 2017, the smartphone company has released a mechanism in iOS 11 making sure that only the real owner of the iOS device can choose to trust a new computer, through requiring that the user enter his passcode when choosing to authorize a computer.
However, Symantec researchers said that additional steps are necessary on top of this update to ensure full security for end users: “While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in an holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above,” according to Symantec.
In order to protect devices, researchers recommend users enable encrypted backups in iTunes and choose a strong password.
Users can also go to Settings > General > Reset > Reset Location & Privacy, and re-authorize all previously connected computers next time they are connecting the iOS device to each device, said Symantec.
