Vulnerability in iOS' mobile device management protocol lets hackers push malware to enterprise iPhones

Apple has demonstrated numerous times that security is a top priority in its software efforts. For example, improvements to iOS 9 have made it harder for attackers to employ the old trick of abusing stolen enterprise certificates to lure unsuspecting users into installing unauthorized apps. But it appears Apple left a hole open for knowledgeable attackers to exploit. At the Black Hat Asia security conference, Check Point researchers will show the 'Sidestepper' method of compromising the communication between mobile device management products and iOS devices to execute man-in-the-middle attacks, installing malware on non-jailbroken devices with minimal user input.

Abusing stolen enterprise development certificates is a common way for hackers to infect non-jailbroken iOS devices. Normally, these code-signing certificates are obtained through the Apple Developer Enterprise Program and let companies distribute apps internally without submitting them inside the app store. In older iOS versions, deploying an app signed with an enterprise certificate required the user to open a specific link, agree to trust the developer, and then install the app. Although the process still required user interaction, it could be abused in social engineering attacks that tricked users into performing these steps.

Even the safest platforms are only 99% safe.

Check Point's head of mobility product management, Michael Shaulov, explained that Apple addressed this risk in iOS 9 by implementing additional steps in the enterprise app deployment process. However, the way in which MDM products install apps on iOS devices remained unaffected. MDM gives a lot of power over Apple gear, making it very dangerous if it fell in the wrong hands. MDM products are used by companies to configure, secure, deploy apps and, if necessary, wipe employees’ mobile devices. Check Point discovered that the MDM protocol implemented in iOS is susceptible a particular attack that would only work against devices registered to an MDM server, as it's the case with many devices used in enterprise environments.

Attackers could trick users into installing a malicious configuration profile, which wouldn't be too hard to do as most enterprise users are used to installing such profiles. Typically, they are used to deploy VPN, Wi-Fi, email, calendar, and other settings, which means the malicious profile can be masked easily. It would then install a rogue root certificate and configure a proxy for the device’s Internet connection, which would route the device’s traffic through a server under the attacker’s control, enabling a man-in-the-middle attack. Hackers can then push malware, masked as an app that the user expects to receive and signed with a stolen enterprise certificate. Even if the user declines to install it, the attacker can keep sending the request over and over, which would prevent users from doing anything on the device until they agree to installing the app.

Although casual users aren't in danger, seeing they don't have to deal with enterprise mobile device management platforms, companies are definitely at risk. Shaulov said a scan performed on around 5,000 iOS devices at a Fortune 100 company found 300 sideloaded applications signed with over 150 enterprise certificates. Many of those certificates had been issued by Apple to entities in China and had been used to sign pirated versions of legitimate apps. However, at least two apps belonged to known malware families.

source: MacWorld