This article is more than 1 year old

A third of iThings open to VPN-hijacking, app-wrecking attacks

Masques off: Researchers detail five ways to wreck Apple stuff

A trio of FireEye researchers have reported twin 'app-demolishing' iOS vulnerabilities Apple has partially fixed in its latest update that could wreck core apps such as the App Store and Settings.

Researchers Zhaofeng Chen, Tao Wei, Hui Xue, and Yulong Zhang revealed the latest in five so-called Masque attacks that could wreck installed apps when installed over wireless enterprise provisioning.

They detailed the entire family of 'app-demolishing' Masque attacks that after some five months still affect about a third of all iOS devices that run versions below iOS 8.1.3.

"The Manifest masque attack leverages the vulnerability (CVE-2015-3722, CVE-2015-3725) to demolish an existing app on iOS when a victim installs an in-house iOS app wirelessly using enterprise provisioning from a website," the team say in an advisory.

"The demolished app can be either a regular app downloaded from official App Store or even an important system app, such as Apple Watch, Apple Pay, App Store, Safari, and Settings.

"This vulnerability affects all iOS 7.x and iOS 8.x versions prior to iOS 8.4."

Apple has implemented what the team calls, without elaborating a "partial" fix after the vulnerabilities were reported August.

The team also revealed what they say is the nastiest member of the Masque family that was not previously disclosed.

The undisclosed Plugin Masque untrusted code injection attack allows traffic including that over VPN to be hijacked by replacing the VPN Plugin in affected devices.

The researchers say "... this exploit is even more severe than the original Masque Attack," the team says. "The malicious code can be injected to the neagent process and can perform privileged operations, such as monitoring all VPN traffic, without the user’s awareness."

"Our investigation also shows that around one third of iOS devices still have not updated to versions 8.1.3 or above, even five months after the release of 8.1.3, and these devices are still vulnerable to all the Masque attacks."

Concerned Apple users should update their devices.

The vulnerability disclosures come after Cupertino patched a nest of 77 flaws across its platforms. ®

More about


Send us news

Other stories you might like