Don't think you're SAFE from Windows zombies just 'cos you have an iPhone - research

Malware can be pushed across the species gap


Fanbois aren't safe from Windows malware - and it's all down to iTunes syncing.

The music software's sync is the Achilles' heel that could expose otherwise secure iOS devices to malware, security researchers warn. Simply connecting an iPhone or iPad to an infected Windows machine through a USB cable leaves it vulnerable to custom iOS malware.

Researchers from the Georgia Institute of Technology are due to demonstrate next week how syncing songs, pictures and other content between a computer and an iPhone or iPad creates a way to circumvent Apple's security controls.

The demo – due to take place next Wednesday (20 August) at the Usenix Security Symposium in San Diego – relies on the trust model of paired devices rather than any software vulnerabilities as such. The trick relies on first compromising a connected computer before using this hacker-controlled machine to push attacker-signed malicious apps onto an iPhone or fondleslab before siphoning off confidential data, as an abstract for the talk explains.

While Apple iOS has gained increasing attention from attackers due to its rising popularity, very few large scale infections of iOS devices have been discovered because of iOS’s advanced security architecture.

In this paper, we show that infecting a large number of iOS devices through botnets is feasible. By exploiting design flaws and weaknesses in the iTunes syncing process, the device provisioning process, and in file storage, we demonstrate that a compromised computer can be instructed to install Apple-signed malicious apps on a connected iOS device, replace existing apps with attacker-signed malicious apps, and steal private data (e.g., Facebook and Gmail app cookies) from an iOS device.

The Georgia Institute of Technology team – Tielei Wang, Yeongjin Jang, Yizheng Chen, Simon Chung, Billy Lau and Wenke Lee – point out that many iOS devices are paired with Windows PCs, whose susceptibility to malware is well known by long-suffering Reg readers.

There are tens of millions of malware strains that affect Windows PCs, so many in fact that most antivirus vendors have stopped counting. iOS nasties, in extreme contrast, number fewer than 10 (and that's including proof-of-concept nasties from celebrated hacker Charlie Miller).

Apple's strict mobile app vetting procedure is the biggest contributor to this low number, but Apple's layered protections also make a contribution. Both iTunes syncing and a simple USB connection to a compromised host machine represent ways to circumvent these tight controls, according to the researchers.

The Apple File Connection protocol used for communication between a host and iThing gives access to files within iOS's application directories, such as cookies. Stolen cookies can, in turn, be used by hackers to hijack the corresponding webmail, social networking or other online accounts.

"We believe that Apple kind of over-trusted the USB connection," Tielei Wang, a co-author of the study and research scientist at GT, told Computerworld.

Apple issues developer certificates and these can be used to self-sign an application prior to distribution. The Georgia team found it was possible to smuggle a developer provisioning file onto an iOS device during the iTunes syncing process, a tactic that paves the way for a self-signed malicious application to be installed or for legitimate apps to get replaced by doctored versions. "The whole process can be done without the user's knowledge," Wang explained.
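The trust relationship the researchers lean on is the one a user grants when accepting a computer as trusted: the Apple Mobile Device service on the host keeps a pairing ("lockdown") record per device, and that record is what lets the host talk to the device over USB, reach app directories through AFC, and push a provisioning profile during a sync. After a Windows box is found to be compromised, the incident responder's first question is therefore which iOS devices trusted it. The Python script below is an added example, not code from the Georgia Tech paper or from Apple: it parses the host-side pairing records and lists the paired devices, flagging records whose host identifiers do not match the rest. The lockdown directory locations (C:\ProgramData\Apple\Lockdown on Windows, /var/db/lockdown on OS X) and the "all records on one host share one HostID and SystemBUID" heuristic are assumptions to verify on the host being examined; the sample records are constructed.

```python
"""Audit host-side iOS pairing ("lockdown") records on a possibly compromised host.

Added example, not code from the Georgia Tech paper or from Apple. Each record is
a plist named <UDID>.plist; whoever controls the host can reuse it to reach the
device over USB. Directory paths and the one-HostID-per-host heuristic are
assumptions; the sample records below are constructed.
"""
import os
import plistlib
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PairingRecord:
    udid: str             # device identifier, taken from the file name
    host_id: str          # identity of the trusting host
    system_buid: str      # per-host bookkeeping ID; assumed to be one value per host
    wifi_mac: Optional[str]
    has_escrow_bag: bool  # escrow keybag: host can talk to the device while it is locked


def parse_record(udid: str, data: bytes) -> PairingRecord:
    """Parse one pairing record plist (XML or binary) into a PairingRecord."""
    plist = plistlib.loads(data)
    return PairingRecord(
        udid=udid,
        host_id=str(plist.get("HostID", "")),
        system_buid=str(plist.get("SystemBUID", "")),
        wifi_mac=plist.get("WiFiMACAddress"),
        has_escrow_bag="EscrowBag" in plist,
    )


def audit(records: Dict[str, bytes]) -> Tuple[List[PairingRecord], List[str]]:
    """Return (parsed records, warnings) for a mapping of {UDID: plist bytes}.

    Heuristic (assumption): records written by one host share a single HostID and
    SystemBUID, so a record with a different pair deserves a closer look, for
    example one copied in from another machine.
    """
    parsed = [parse_record(udid, data) for udid, data in records.items()]
    warnings: List[str] = []
    if not parsed:
        return parsed, warnings
    host_ids = {r.host_id for r in parsed}
    buids = {r.system_buid for r in parsed}
    if len(host_ids) > 1:
        warnings.append(f"records reference {len(host_ids)} distinct HostIDs: {sorted(host_ids)}")
    if len(buids) > 1:
        warnings.append(f"records reference {len(buids)} distinct SystemBUIDs: {sorted(buids)}")
    return parsed, warnings


def load_directory(path: str) -> Dict[str, bytes]:
    """Read every <UDID>.plist in a lockdown directory; SystemConfiguration.plist is host state, not a pairing."""
    records: Dict[str, bytes] = {}
    for name in os.listdir(path):
        if name.endswith(".plist") and name != "SystemConfiguration.plist":
            with open(os.path.join(path, name), "rb") as fh:
                records[name[: -len(".plist")]] = fh.read()
    return records


def _constructed_record(host_id: str, buid: str, escrow: bool = True) -> bytes:
    """Build a constructed sample record carrying the keys a real one has."""
    rec = {
        "HostID": host_id,
        "SystemBUID": buid,
        "HostCertificate": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
        "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
        "WiFiMACAddress": "00:11:22:33:44:55",
    }
    if escrow:
        rec["EscrowBag"] = b"\x00" * 16
    return plistlib.dumps(rec)


# Constructed sample: two devices paired by this host, plus one record with a foreign HostID.
SAMPLE_RECORDS = {
    "UDID-CONSTRUCTED-0001": _constructed_record("HOST-ID-A", "BUID-A"),
    "UDID-CONSTRUCTED-0002": _constructed_record("HOST-ID-A", "BUID-A", escrow=False),
    "UDID-CONSTRUCTED-0003": _constructed_record("HOST-ID-B", "BUID-B"),
}


def main(argv: List[str]) -> int:
    # With a directory argument, audit the real lockdown folder; otherwise the constructed sample.
    records = load_directory(argv[1]) if len(argv) > 1 else SAMPLE_RECORDS
    parsed, warnings = audit(records)
    for r in parsed:
        print(f"{r.udid}: HostID={r.host_id} SystemBUID={r.system_buid} "
              f"escrow_bag={'yes' if r.has_escrow_bag else 'no'} wifi_mac={r.wifi_mac}")
    for w in warnings:
        print("WARNING:", w)
    return 1 if warnings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the constructed sample, or point it at the host's lockdown directory to list every device that has trusted that computer. Each listed UDID is a device that should be reviewed for unexpected apps or profiles, and the pairing can be revoked from the device side by resetting its trusted computers.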

The researchers also developed an attack capable of tricking an Apple device into authorising the download of an application using someone else's Apple ID, a tactic that gets around Apple's requirement that someone needs to be logged into their account to download content from its App Store.

The latest research focuses on potential delivery mechanisms of future iOS malware.

Last year, the same GT team developed Jekyll, an iPhone application with malicious functions that passed Apple's inspection and was briefly available from its App Store. The latest research shows how it might be possible to push apps like Jekyll onto iThings without tricking users into requesting them, one of the main barriers against anything beyond a small scale outbreak.

The research is designed to act as a wake-up call to Apple and others on potential security problems with iOS devices before trouble hits, allowing security to be tightened up and potential attacks thwarted.

Wang told Computerworld that although the Georgia team's research focused on the possibility of using Windows botnets to push malware onto connected iOS devices, much the same attack method also applies to OS X zombie networks.

Although the Georgia team talks about the possibility of large scale attacks, this type of approach might be applied by determined and well-resourced hackers in targeted attacks.

Apple can remove applications from the App Store, remotely disable applications and revoke developer certificates – all tactics that might be brought into play to quell a large scale attack – but smaller scale attacks are much more likely to escape notice and therefore arguably present the biggest concern, especially in the post-Snowden era of widespread concern about state-sponsored industrial espionage and surveillance.

But that's not the only risk in this area. Earlier this week we reported that Chinese malware had infected more than 75,000 iPhones as part of a click fraud scam.

The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising. Unmodified iThings are immune. And the same thing applied to a worm that infected jailbroken iPhones and targeted customers of Dutch online bank ING Direct way back in 2009. ®

