Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
IOS Cellphones Handhelds Iphone Security IT

The Biggest iPhone Security Risk Could Be Connecting One To a Computer 72

Posted by timothy
from the seems-an-obvious-hole dept.
angry tapir (1463043) writes Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect. Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled. The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.
This discussion has been archived. No new comments can be posted.

The Biggest iPhone Security Risk Could Be Connecting One To a Computer

Comments Filter:
  • Otherwise there is literally no secure mobile phone platform out there for the masses.
    • Which dumbphone brands have had published security vulnerabilities over the past half decade?
      • Who's given enough shit about them to discover and publish them?
      • by Bugamn (1769722)

        It doesn't help to have no security vulnerabilities if it also doesn't have the desired functionalities. Why don't we all go back to talking only face to face? It's not practical.

        By the way, someone down said that Merkel's 6210 was hacked. Isn't this one a dumbphone?

    • by thieh (3654731)
      Replicant the phone OS?
    • Didn't Angela Merkel's Blackberry get hacked by the NSA?
      • No, it was a Nokia 6210 at first, they were doing it back in 2002. A Blackberry z10 is what she was given with Secusmart Micro-SD card with extra security features after the revelation. Blackberry has since acquired Secusmart & Germany has ordered 10000 of this combo for Government use.
        • Re: (Score:2, Funny)

          by Anonymous Coward

          Blackberry has since acquired Secusmart & Germany

          My hobby: terminating sentences prematurely

        • So the standard issue Blackberrys aren't secure from the NSA, they need the added Secusmart protections. Hopefully Blackberry will integrate these protections into the standard Blackberrys. Since Blackberry finally has an actual real CEO, I'm sure it will happen.
    • by sasparillascott (1267058) on Thursday August 14, 2014 @09:44AM (#47670443)
      Not really (at this point), at the recent BlackHat some researchers demonstrated how they could remotely compromise a Blackberry.

      http://www.accuvant.com/about-... [accuvant.com]

      Another great article that talks a little about that instance with Blackberry and another smartphone platform designed for security as well:

      http://arstechnica.com/securit... [arstechnica.com]
      • by Rigel47 (2991727)
        That's an issue with carrier code, not bberry.

        And as to this line

        Dependent upon device and carrier, when exploited the vulnerabilities in this control software may enable attackers to install malicious software; access data; add, delete and run applications; wipe a device; and remotely change the PIN for the screen lock, among other items.

        I'm highly skeptical they could alter the OS. BlackBerry devices will not run firmware code that is not signed by BlackBerry itself.

      • by Anonymous Coward

        To little items you forgot

        "The vulnerabilities discovered by the pair impact Android, Blackberry and a small number of iOS-based devices, with risk varying by carrier and device make and model."

        “Carriers embed control software into most mobile devices so that they can configure phones for their networks and push over-the-air firmware updates,” said Ryan Smith, Accuvant vice president and chief scientist. “Our researchers – Mathew Solnik and Marc Blanchou – found serious securit

    • Blackberry is not secure.
  • by Anonymous Coward on Thursday August 14, 2014 @09:34AM (#47670387)

    Stopped reading at "Their attack requires the victim's computer to have malware installed".

    If you create a trusted connection between your computer and your iPhone, it's a trusted connection. If you don't trust your computer, you shouldn't use it to make a trusted connection to other devices. It's really just that simple.

    • by Anonymous Coward on Thursday August 14, 2014 @10:42AM (#47670829)

      No. The phone should display a notification if an application is side loaded over USB. It shouldn't be possible to install an application without the user's knowledge. Trusting the connection should merely allow the phone and the computer to communicate. It should not allow remote control of the device.

      • by tlhIngan (30335) <[ten.frow] [ta] [todhsals]> on Thursday August 14, 2014 @11:43AM (#47671267)

        No. The phone should display a notification if an application is side loaded over USB. It shouldn't be possible to install an application without the user's knowledge. Trusting the connection should merely allow the phone and the computer to communicate. It should not allow remote control of the device.

        Technically, the application is signed by Apple still. Or it's self-signed using a developer certificate (which only gives you 100 devices once a year - you can freely add devices up to that 100 limit, but after that, you can only change their device IDs once a year.).

        The hack is effectively being able to install a provisioning profile to allow an unsigned app to run. The provisioning profile is signed by Apple, so it's either an enterprise or developer profile.

        At the same time, it works by hijacking the iTunes connection to do so.

        In other words, all that's going ot happen is Apple is going to ask for confirmation to install new provisioning profiles. Doesn't matter when you ask since the profile is required to run the unsigned app - you can ask at the beginning, at the end, in the middle, or when the app is attempted to be run.

        (Provisioning profiles also expire after a certain amount of time - after which the app will NOT run. And the user is free to remove them at any time. None of this is any protection though).

        Though, provisioning profiles are tracable to the original account that had them made, and since they cost $99, that makes the attack far less easy than it appears because if you do this, it's traceable to the person who paid for it.

        Granted, developers have been warned to keep their provisioning certificates safe because a fair bit of malware does target ripping them off.

      • No. The phone should display a notification if an application is side loaded over USB. It shouldn't be possible to install an application without the user's knowledge. Trusting the connection should merely allow the phone and the computer to communicate. It should not allow remote control of the device.

        It DOES display a notification when a computer attempts to establish a link, along with requiring user confirmation.

    • Re: (Score:2, Informative)

      by gtall (79522)

      Thanks for that bit of useless advice. I'll now ascertain whether any computers I need to connect with have malware installed, then I'll be safe.

      Hint: classical logic presumes you have complete knowledge of the world. Use it with care.

      • by Anonymous Coward

        You sync your phone with random computers, or what?

    • by Darinbob (1142669)

      What's scary to me is that a "trusted connection" is pre-installed! I was amazed that I could plug my phone into a Windows computer and it would automatically mount it and install drivers. Every other thing in the world I plug in would have Windows ask me first if I wanted to install, and I have all auto-play turned off. But because there was a signed driver Windows decides against my will to install it. I don't care if Microsoft thinks the certificate chain is safe, I do NOT want Windows to install any

      • On Android, access to the contents of the device requires the screen to be unlocked. Does iOS also require this?

        (Access to the device without installing drivers isn't an issue, but the computer OS should prompt before automatically mounting the device too, which I believe Linux does but Windows doesn't).

        • by tlhIngan (30335)

          On Android, access to the contents of the device requires the screen to be unlocked. Does iOS also require this?

          On iOS, it's the same - if you want to see your photos or other content, you have to unlock the phone (or slide to unlock if you don't have a passcode).

          HOWEVER, I think if you plug in your phone for a sync (with iTunes to backup/install/etc), you don't get that as long as the connection was established as a trusted connection. (Plug into a new computer and it will charge, but not establish communi

  • Developer Access? (Score:4, Interesting)

    by Ronin Developer (67677) on Thursday August 14, 2014 @09:40AM (#47670421)

    To my knowledge, to utilize an iOS device with developer provisioning profiles, you have to enable the device for development access via XCode.

    Even with an ad-hoc distribution, the device must be listed in the provisioning profile with the exceptions being enterprise and app-store apps.

    Did this attack vector circumvent these protections? Or, was he using iOS devices configured for development and, thus, not a real-world attack?

  • by Anonymous Coward on Thursday August 14, 2014 @09:47AM (#47670467)

    if you connect you iDevice to a computer, unlock your device, and explicitly tell your device that the computer is trustworthy... The computer is able to install apps and interact with the filesystem on your device! Who would have thought?

  • Here I thought the biggest security threat was turning the device on.... Second to actually having the device on your person, followed by putting it on the charger.

    If the device is totally discharged and not running, there is no threat beyond getting mugged for having it.

  • by davidwr (791652) on Thursday August 14, 2014 @10:00AM (#47670539) Homepage Journal

    This is one reason why charging-only cables or cable adapters which do not carry the "data lines" should be cheap and just as widely-available and widely-marketed as other USB cables.

    Bonus points if they are transparent so the end user can visually verify that the only connected lines are the power and ground lines.

    OBDIYHACK: http://www.instructables.com/i... [instructables.com]

  • um no (Score:5, Insightful)

    by Charliemopps (1157495) on Thursday August 14, 2014 @10:03AM (#47670567)

    The IPhones biggest security threat is the US Federal Government.
    http://www.washingtonpost.com/... [washingtonpost.com]

  • It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.

    ...Improving the ambidextrous [stackexchange.com] use of the device?

  • The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS

    Then the design issue is a vulnerability, surely?

    • by Anonymous Coward

      The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS

      Then the design issue is a vulnerability, surely?

      Not really.

      They're basically saying that, if (A) you've set up your phone to sync with your PC, and (B) your PC gets cracked/infected, then your phone can also be cracked/infected.

      It's a vulnerability in the way that doing a series of stupid things in succession is always a vulnerability.

  • Can this be used to jailbreak iphones? That's all I care(d) about.

"There is nothing new under the sun, but there are lots of old things we don't know yet." -Ambrose Bierce

Working...