Fanbois aren't safe from Windows malware - and it's all down to iTunes syncing.
The music software's sync is the Achilles' heel that could expose otherwise secure iOS devices to malware, security researchers warn. Simply connecting an iPhone or iPad to an infected Windows machine through a USB cable leaves it vulnerable to custom iOS malware.
Researchers from the Georgia Institute of Technology are due to demonstrate next week how syncing songs, pictures and other content between a computer and an iPhone or iPad creates a way to circumvent Apple's security controls.
The demo – due to take place next Wednesday (20 August) at the Usenix Security Symposium in San Diego – relies on the trust model of paired devices rather than any software vulnerabilities as such. The trick relies on first compromising a connected computer before using this hacker-controlled machine to push attacker-signed malicious apps onto an iPhone or fondleslab before siphoning off confidential data, as an abstract for the talk explains.
While Apple iOS has gained increasing attention from attackers due to its rising popularity, very few large scale infections of iOS devices have been discovered because of iOS’s advanced security architecture.
In this paper, we show that infecting a large number of iOS devices through botnets is feasible. By exploiting design flaws and weaknesses in the iTunes syncing process, the device provisioning process, and in file storage, we demonstrate that a compromised computer can be instructed to install Apple-signed malicious apps on a connected iOS device, replace existing apps with attacker-signed malicious apps, and steal private data (eg, Facebook and Gmail app cookies) from an iOS device.
The Georgia Institute of Technology team – Tielei Wang,Yeongjin Jang, Yizheng Chen, Simon Chung, Billy Lau and Wenke Lee – point out that many iOS devices are paired with Windows PCs, whose susceptibility to malware is well known by long-suffering Reg readers.
There are tens of millions of malware strains that affect Windows PCs, so many in fact that most-antivirus vendors have stopped counting. iOS nasties, in extreme contrast, number less than 10 (and that's including proof-of-concept nasties from celebrated hacker Charlie Miller).
Apple's strict mobile app vetting procedure is the biggest contributor to this low number, but Apple's layered protections also make a contribution. Both iTunes syncing and simple connection using a USB cable to a compromised host machine represents a way to circumvent these tight controls, according to the researchers.
The Apple File Connection protocol used for communication between a host and iThing gives access to files within iOS's application directories, such as cookies. Stolen cookies can, in turn, be used by hackers to hijack the corresponding webmail, social networking or other online accounts.
"We believe that Apple kind of over-trusted the USB connection," Tielei Wang, a co-author of the study and research scientist at GT, told Computerworld.
Apple issues developer certificates and these can be used to self-sign an application prior to distribution. The Georgia team found it was possible to smuggle a developer provisioning file onto an iOS device during the iTunes syncing process, a tactic that paves the way for a self-signed malicious application to be installed or for legitimate apps to get replaced by doctored versions. "The whole process can be done without the user's knowledge," Wang explained.
The researchers also developed an attack capable of tricking an Apple device into authorising the download of an application using someone else's Apple ID, a tactic that gets around Apple's requirement that someone needs to be logged into their account to download content from its App Store.
The latest research focuses on potential delivery mechanisms of future iOS malware.
Last year, the same GT team developed Jekyll, an iPhone application with malicious functions that passed Apple's inspection and was briefly available from its App Store. The latest research shows how it might be able to push apps like Jekyll onto iThings without tricking users into requesting them, one of the main barriers against anything beyond a small scale outbreak.
The research is designed to act as a wake-up call to Apple and others on potential security problems with iOS devices before trouble hits, allowing security to be tightened up and potential attacks thwarted.
Wang told Computerworld that although the Georgia team's research focused on the possibility of using Windows botnets to push malware onto connected iOS devices, much the same attack method also apply to OS X zombie networks.
Although the Georgia team talks about the possibility of large scale attacks, this type of approach might be applied by determined and well-resourced hackers in targeted attacks.
Apple can remove applications from the App Store, remotely disable applications and revoke developer certificates – all tactics that might be brought into play to quell a large scale attack – but smaller scale attacks are much more likely to escape notice and therefore arguably present the biggest concern, especially in the post-Snowden era of widespread concern about state-sponsored industrial espionage and surveillance.
But that's not the only risk in this area. Earlier this week we reported that Chinese malware had infected more than 75,000 iPhones as part of a click fraud scam.
The AdThief malware relied on the Cydia Substrate extension present only on jailbroken Apple devices to hijack advertising. Unmodified iThings are immune. And the same thing applied to a worm that infected jailbroken iPhones and targeted customers of Dutch online bank ING Direct way back in 2009. ®