Mobile
News
3/12/2013
05:22 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

iPhone, iPad Configuration Files Security Hole Shown

Mobile configuration files used by carriers could be repurposed to steal data and remotely control an iPhone or iPad, security firm warns.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
iPhone and iPad users: Beware malicious profile configuration files.

That warning comes via Israeli mobile security startup Skycure, which Tuesday published a proof-of-concept research on the company's blog, showing how iOS mobileconfig files, which are designed to configure devices to work with a carrier's cellular network, could be used instead to remotely control an iPhone or iPad and steal data.

Skycure CEO Adi Sharabani, a former security and research manager at Web application security firm Watchfire -- bought by IBM in 2007 -- was scheduled to present the company's findings Tuesday at the 13th annual Herzliya Conference in Israel. The conference is billed as the country's "primary global policy annual gathering … to address pressing national, regional and world strategic issues."

[ Looking for mobile spam relief? Read Cell Phone Spam Doesn't Pay, FTC Says. ]

Just what is a mobileconfig file? The XML files are produced using the iPhone Configuration Utility (iPCU), and are designed to allow carriers to easily configure their subscribers' phones. "These MobileConfiguration files can contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone, iPod Touch, and iPad to work with certain enterprise systems," said a post to the developer question-and-answer site Stack Overflow. Such files also can be distributed via websites or email.

But mobileconfig files also could be generated and used by attackers to configure devices to their liking. "A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions," said the Skycure blog, which was posted by CTO Yair Amit, who noted that such profiles can be used to install new root certificates on a targeted device. "This makes it possible to seamlessly intercept and decrypt SSL/TLS secure connections, on which most applications rely to transfer sensitive data," he said. "A few concrete impact examples include: stealing one's Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these [accounts], potentially creating havoc."

To be clear, any such iOS attacks are only theoretical. But according to Amit, the use of malicious mobileconfig files is akin to finding a way to target iOS devices with malware, without having to worry about installing an executable on the device, which thanks to Apple's walled garden model has proven to be almost impossible.

One innovative -- and non-malicious -- use of mobileconfig files is offered by the iPhone APN Changer website, which allows iPhone users to change the carrier settings on their phones "so you can use unofficial carrier SIMs with your device."

Interestingly, the Skycure researchers said they found that at several AT&T stores, including one in Manhattan, AT&T employees directed people who want to use the carrier's pay-as-you-go service for their iPhone to download and install a configuration file from the third-party APN Changer website. "In one of the stores, an AT&T salesperson actually took our phone and performed the aforementioned process via a public Wi-Fi network, which is an easy target for man-in-the-middle attacks," said Amit. That's because the APN Changer site transmits all of its mobileconfig files in plain text over HTTP, without using HTTPS, which means that the communications could be intercepted and spoofed by an enterprising attacker.

In other words, although mobileconfig files offer useful functionality for carriers who want to configure their subscribers' phones, with a bit of social engineering trickery, attackers -- or espionage artists -- could use the files to easily alter phone settings and keep tabs on a targeted iPhone. As a result, users should beware installing any mobileconfig files unless obtained from a trusted source, and preferably only when downloaded from a site via HTTPS.

The Enterprise Connect conference program covers the full range of platforms, services and applications that comprise modern communications and collaboration systems. Hear case studies from senior enterprise executives, as well as from the leaders of major industry players like Cisco, Microsoft, Avaya, Google and more. Register for Enterprise Connect 2013 today with code IWKPREM to save $200 off a conference pass or get a free Expo Pass. It happens March 18-21 in Orlando, Fla.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
3/14/2013 | 10:42:57 PM
re: iPhone, iPad Configuration Files Security Hole Shown
They are just holding it wrong....
InformationWeek Elite 100
InformationWeek Elite 100
Our data shows these innovators using digital technology in two key areas: providing better products and cutting costs. Almost half of them expect to introduce a new IT-led product this year, and 46% are using technology to make business processes more efficient.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Elite 100 - 2014
Our InformationWeek Elite 100 issue -- our 26th ranking of technology innovators -- shines a spotlight on businesses that are succeeding because of their digital strategies. We take a close at look at the top five companies in this year's ranking and the eight winners of our Business Innovation awards, and offer 20 great ideas that you can use in your company. We also provide a ranked list of our Elite 100 innovators.
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.