iOS trustjacking vulnerability lets hackers steal iPhone data, install spy apps

The flaw takes advantage of Wi-Fi syncing in iTunes, but requires a developer image to work properly.

Building a slide deck, pitch, or presentation? Here are the big takeaways:
  • The trustjacking attack exploits a flaw in the implementation of Wi-Fi device syncing in iTunes.
  • An update to iOS now requires users to enter their PIN before trusting a computer, though the researchers claim that this does not sufficiently address the issue.

At the 2018 RSA Conference in San Francisco on Wednesday, Symantec researchers Roy Iarchy and Adi Sharabani disclosed a new type of attack that grants attackers access to iPhones and iPads.

The vulnerability, called trustjacking, requires a user to configure Wi-Fi syncing in iTunes, which allows iOS device owners to manage their devices without physically connecting them to their computer. Under normal operation, this allows users to access photos, add or remove apps, perform backups, and carry out other administrative tasks, without any authorization beyond the initial connection prompt asking whether the connecting computer is trusted.

While this initial setup requires connecting a device using a USB cable, Iarchy notes that there is no notification given to users that devices can still be accessed after disconnecting the cable--the prompt given to users only states: "Your settings and data will be accessible from this computer when connected." Further, there is no way to deauthorize a computer after granting access, except to revoke access to all authorized computers.


The level of control that this grants attackers is high, though it requires some intermediary steps, according to Iarchy. In order to view the device's screen, the attacker must install the developer image--which can be done over Wi-Fi--allowing screenshots to be taken rapidly, giving the attacker near-real-time access to the device's screen.

Additionally, the ability to perform backups lets attackers view historical information, including photos, messages, and app data, researchers said. With the developer image installed, it is possible for attackers to replace apps with "a modified wrapped version that looks exactly like the original app, but is able to spy on the user while using the app and even leverage private APIs to spy on other activities all the time," according to the report. Iarchy's demonstration shows an app being replaced nearly instantly, making visual detection practically impossible.

This type of attack is typically limited to operating when both the malicious controlling computer and the target device are on the same Wi-Fi network. However, the report noted that the attack can be used in conjunction with a malicious profile attack, enabling attackers to connect both devices to VPNs, thereby overriding the Wi-Fi network requirement.

Following standard practice, the researchers disclosed the vulnerability to Apple. In response, Apple has patched iOS to require users to enter their device PIN when pairing with a computer. However, the warning prompt of "Your settings and data will be accessible from this computer when connected" is unchanged, and it does not explicitly state that the connection is essentially persistent.

The researchers caution that this measure "does not address Trustjacking in an holistic manner," adding that "Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above."

The researchers advise enabling encrypted backups in iTunes, paired with a strong password, to avoid allowing attackers to read private information.
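As an added defensive check that is not part of the Symantec research or this article, the following Python script audits the local iTunes/Finder backups and flags any that were written without encryption. It assumes the default macOS backup location; `IsEncrypted` and the `Lockdown` sub-dictionary are keys that iOS backup manifests do carry, and the two sample manifests are constructed here for illustration.

```python
import plistlib
from pathlib import Path

# Default backup location on macOS (assumption: on Windows the backups live
# under %APPDATA%\Apple Computer\MobileSync\Backup instead).
DEFAULT_BACKUP_ROOT = Path.home() / "Library" / "Application Support" / "MobileSync" / "Backup"


def audit_manifest(manifest_bytes: bytes) -> dict:
    """Parse one backup's Manifest.plist and report whether it is encrypted.

    Missing keys are reported as 'unknown' rather than raising, so a partial
    or damaged manifest still shows up in the audit output.
    """
    manifest = plistlib.loads(manifest_bytes)
    lockdown = manifest.get("Lockdown", {})
    return {
        "device_name": lockdown.get("DeviceName", "unknown"),
        "udid": lockdown.get("UniqueDeviceID", "unknown"),
        "ios_version": lockdown.get("ProductVersion", "unknown"),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
    }


def audit_backup_root(root: Path = DEFAULT_BACKUP_ROOT) -> list:
    """Audit every backup directory under root (each holds a Manifest.plist)."""
    results = []
    for manifest_path in sorted(root.glob("*/Manifest.plist")):
        info = audit_manifest(manifest_path.read_bytes())
        info["path"] = str(manifest_path.parent)
        results.append(info)
    return results


def unencrypted_backups(results: list) -> list:
    """Return only the backups an attacker with host access could read directly."""
    return [r for r in results if not r["encrypted"]]


# Constructed sample manifests (not taken from a real device) for offline use.
SAMPLE_PLAINTEXT_MANIFEST = plistlib.dumps({
    "IsEncrypted": False,
    "Lockdown": {"DeviceName": "Sample iPhone", "UniqueDeviceID": "SAMPLE-UDID-1", "ProductVersion": "11.3"},
})
SAMPLE_ENCRYPTED_MANIFEST = plistlib.dumps({
    "IsEncrypted": True,
    "Lockdown": {"DeviceName": "Sample iPad", "UniqueDeviceID": "SAMPLE-UDID-2", "ProductVersion": "11.3"},
})

if __name__ == "__main__":
    for entry in unencrypted_backups(audit_backup_root()):
        print(f"UNENCRYPTED backup: {entry['device_name']} ({entry['udid']}) at {entry['path']}")
```

Note that an encrypted backup only protects the backup contents; as the researchers point out, a computer that has already been trusted retains the other capabilities described above.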

Image: Sarah Tew/CNET