iPhone, iPad Configuration Files Security Hole Shown

Mobile configuration files used by carriers could be repurposed to steal data and remotely control an iPhone or iPad, security firm warns.

Mathew J. Schwartz, Contributor

March 12, 2013

4 Min Read

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013

Anonymous: 10 Things We Have Learned In 2013(click image for larger view and for slideshow)

iPhone and iPad users: Beware malicious profile configuration files.

That warning comes via Israeli mobile security startup Skycure, which Tuesday published a proof-of-concept research on the company's blog, showing how iOS mobileconfig files, which are designed to configure devices to work with a carrier's cellular network, could be used instead to remotely control an iPhone or iPad and steal data.

Skycure CEO Adi Sharabani, a former security and research manager at Web application security firm Watchfire -- bought by IBM in 2007 -- was scheduled to present the company's findings Tuesday at the 13th annual Herzliya Conference in Israel. The conference is billed as the country's "primary global policy annual gathering … to address pressing national, regional and world strategic issues."

[ Looking for mobile spam relief? Read Cell Phone Spam Doesn't Pay, FTC Says. ]

Just what is a mobileconfig file? The XML files are produced using the iPhone Configuration Utility (iPCU), and are designed to allow carriers to easily configure their subscribers' phones. "These MobileConfiguration files can contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone, iPod Touch, and iPad to work with certain enterprise systems," said a post to the developer question-and-answer site Stack Overflow. Such files also can be distributed via websites or email.

But mobileconfig files also could be generated and used by attackers to configure devices to their liking. "A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions," said the Skycure blog, which was posted by CTO Yair Amit, who noted that such profiles can be used to install new root certificates on a targeted device. "This makes it possible to seamlessly intercept and decrypt SSL/TLS secure connections, on which most applications rely to transfer sensitive data," he said. "A few concrete impact examples include: stealing one's Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these [accounts], potentially creating havoc."

To be clear, any such iOS attacks are only theoretical. But according to Amit, the use of malicious mobileconfig files is akin to finding a way to target iOS devices with malware, without having to worry about installing an executable on the device, which thanks to Apple's walled garden model has proven to be almost impossible.

One innovative -- and non-malicious -- use of mobileconfig files is offered by the iPhone APN Changer website, which allows iPhone users to change the carrier settings on their phones "so you can use unofficial carrier SIMs with your device."

Interestingly, the Skycure researchers said they found that at several AT&T stores, including one in Manhattan, AT&T employees directed people who want to use the carrier's pay-as-you-go service for their iPhone to download and install a configuration file from the third-party APN Changer website. "In one of the stores, an AT&T salesperson actually took our phone and performed the aforementioned process via a public Wi-Fi network, which is an easy target for man-in-the-middle attacks," said Amit. That's because the APN Changer site transmits all of its mobileconfig files in plain text over HTTP, without using HTTPS, which means that the communications could be intercepted and spoofed by an enterprising attacker.

In other words, although mobileconfig files offer useful functionality for carriers who want to configure their subscribers' phones, with a bit of social engineering trickery, attackers -- or espionage artists -- could use the files to easily alter phone settings and keep tabs on a targeted iPhone. As a result, users should beware installing any mobileconfig files unless obtained from a trusted source, and preferably only when downloaded from a site via HTTPS.

The Enterprise Connect conference program covers the full range of platforms, services and applications that comprise modern communications and collaboration systems. Hear case studies from senior enterprise executives, as well as from the leaders of major industry players like Cisco, Microsoft, Avaya, Google and more. Register for Enterprise Connect 2013 today with code IWKPREM to save $200 off a conference pass or get a free Expo Pass. It happens March 18-21 in Orlando, Fla.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights