Vulnerability in iOS' mobile device management protocol lets hackers push malware to enterprise iPhones


Apple has demonstrated numerous times that security is a top priority in its software efforts. For example, improvements to iOS 9 have made it harder for attackers to employ the old trick of abusing stolen enterprise certificates to lure unsuspecting users into installing unauthorized apps. But it appears Apple left a hole open for knowledgeable attackers to exploit. At the Black Hat Asia security conference, Check Point researchers will show the 'Sidestepper' method of compromising the communication between mobile device management products and iOS devices to execute man-in-the-middle attacks, installing malware on non-jailbroken devices with minimal user input.

Abusing stolen enterprise development certificates is a common way for hackers to infect non-jailbroken iOS devices. Normally, these code-signing certificates are obtained through the Apple Developer Enterprise Program and let companies distribute apps internally without submitting them to the App Store. In older iOS versions, deploying an app signed with an enterprise certificate required the user to open a specific link, agree to trust the developer, and then install the app. Although the process still required user interaction, it could be abused in social engineering attacks that tricked users into performing these steps.

Check Point's head of mobility product management, Michael Shaulov, explained that Apple addressed this risk in iOS 9 by adding steps to the enterprise app deployment process. However, the way in which mobile device management (MDM) products install apps on iOS devices remained unaffected. MDM grants a great deal of control over Apple devices, which makes it very dangerous if it falls into the wrong hands: companies use MDM products to configure and secure employees' mobile devices, deploy apps to them, and, if necessary, wipe them. Check Point discovered that the MDM protocol implemented in iOS is susceptible to a particular attack that only works against devices enrolled with an MDM server, as is the case with many devices used in enterprise environments.

Attackers could trick users into installing a malicious configuration profile, which wouldn't be too hard to do as most enterprise users are used to installing such profiles. Typically, they are used to deploy VPN, Wi-Fi, email, calendar, and other settings, which means the malicious profile can be masked easily. The profile would then install a rogue root certificate and configure a proxy for the device's Internet connection, which would route the device's traffic through a server under the attacker's control, enabling a man-in-the-middle attack. Hackers can then push malware, masked as an app that the user expects to receive and signed with a stolen enterprise certificate. Even if the user declines to install it, the attacker can keep sending the request over and over, which would prevent users from doing anything on the device until they agree to install the app.
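The two ingredients of the profile described above (a new trusted root certificate plus a global proxy) are both ordinary configuration profile payloads, so an IT team can catch them before deployment by auditing the profile's plist. The following is an added example, not code from the article or from Check Point: a small auditor that parses an unsigned `.mobileconfig` (a signed profile is CMS-wrapped and would need its signature stripped first) and flags the payload types that together make a profile MitM-capable. The payload type identifiers are Apple's documented ones; the sample profile and the risk labels are constructed for this example.

```python
import plistlib
from dataclasses import dataclass, field

# Payload types worth a second look in any profile pushed to an enrolled device.
# The type identifiers come from Apple's Configuration Profile Reference; the
# descriptions are this example's own risk labels.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a root CA the device will trust",
    "com.apple.security.pkcs1": "installs a certificate (check whether it is a CA)",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.mdm": "enrolls the device with an MDM server",
}


@dataclass
class ProfileReport:
    identifier: str
    display_name: str
    findings: list = field(default_factory=list)  # (payload_type, detail)

    @property
    def mitm_capable(self) -> bool:
        """True when the profile both trusts a new root CA and redirects traffic,
        i.e. the combination the Sidestepper description relies on."""
        types = {ptype for ptype, _ in self.findings}
        return "com.apple.security.root" in types and "com.apple.proxy.http.global" in types


def audit_profile(raw: bytes) -> ProfileReport:
    """Parse an unsigned .mobileconfig plist and collect risky payloads."""
    profile = plistlib.loads(raw)
    report = ProfileReport(
        identifier=profile.get("PayloadIdentifier", "?"),
        display_name=profile.get("PayloadDisplayName", "?"),
    )
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        detail = RISKY_PAYLOADS[ptype]
        if ptype == "com.apple.proxy.http.global":
            detail += f" ({payload.get('ProxyServer')}:{payload.get('ProxyServerPort')})"
        elif ptype == "com.apple.mdm":
            detail += f" ({payload.get('ServerURL')})"
        report.findings.append((ptype, detail))
    return report


# Constructed sample: looks like a Wi-Fi profile but also carries a root CA
# and a global proxy. The <data> blob is a placeholder, not a real certificate.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.corp-wifi</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>CorpNet</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>MIIB</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed benign profile for comparison: Wi-Fi settings only.
BENIGN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "com.example.wifi-only",
    "PayloadDisplayName": "Wi-Fi only",
    "PayloadContent": [{"PayloadType": "com.apple.wifi.managed", "SSID_STR": "CorpNet"}],
})

if __name__ == "__main__":
    for raw in (SAMPLE_PROFILE, BENIGN_PROFILE):
        report = audit_profile(raw)
        print(f"{report.display_name} ({report.identifier}): MitM-capable={report.mitm_capable}")
        for ptype, detail in report.findings:
            print(f"  - {ptype}: {detail}")
```

Run against the constructed sample, the auditor reports the Wi-Fi-looking profile as MitM-capable because it both installs a root CA and sets a global proxy, while the Wi-Fi-only profile produces no findings. In practice the same check belongs in the MDM server's profile review step, since the article's point is that a user's habit of accepting profiles is what the attacker relies on.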

Although casual users aren't in danger, since they don't deal with enterprise mobile device management platforms, companies are definitely at risk. Shaulov said a scan performed on around 5,000 iOS devices at a Fortune 100 company found 300 sideloaded applications signed with over 150 enterprise certificates. Many of those certificates had been issued by Apple to entities in China and had been used to sign pirated versions of legitimate apps. However, at least two apps belonged to known malware families.

source: MacWorld

30 Comments

1. PhoneCritic

Posts: 1354; Member since: Oct 05, 2011

What else is new? We all know that no platform or operating system is safe. If there is a will there is a way. Today Apple tomorrow Android then BB and Win Mobile. No one is immune

3. TechieXP1969

Posts: 14967; Member since: Sep 25, 2013

No matter how much will, there will never be a way. Software is imperfect by default. There will never be a 100% secure coding platform. It is impossible for one main reason..."MAN" Man isn't perfect, so thus nothing he makes can be either. Now if God made computer code, that would be different.

19. FrenchGuy

Posts: 134; Member since: Dec 12, 2014

"Now if God made computer code, that would be different." I understand why ifans think iOS is perfect in terms of security. Apple is their god, so for them it is perfect.

29. Ahovking

Posts: 711; Member since: Feb 03, 2015

No ifan thinks IOS is perfect fanboy.. there are ifans who think ios is more secure and more stable than android.. but no one thinks their chosen os is perfect.

7. Unordinary unregistered

It's more like today Apple, Saturday Sunday Monday and Tues Android.

8. Finalflash

Posts: 4063; Member since: Jul 23, 2013

Damn, Saturday, Sunday, Monday, then all of a sudden Android gets hacked on Tuesday? It took them 3+ days to hack Android, but attacked iOS overnight? Must be a very secure system indeed. By the way, your comma key seems to have stopped working. Might want to look into buying better hardware next time.

21. marorun

Posts: 5029; Member since: Mar 30, 2015

Because Apple will ban your developer account if you come out to the media with a security hole or bug. Another reason is Apple and Microsoft love paying security firms to specifically search Android for security holes and bugs so they can bash them using tech websites like PA. But yeah, live in your dream world. PS: nearly 40% of apps on the Apple App Store steal personal information without even telling you. Search the web, Mr. Troll. Anyway they removed several of them last October (the worst of them even took your name and email lol) but there are still many that take other information like websites visited, what you like, etc. Android is not better on that end, but at least we don't live in a dream world where we think we are safe because we just don't hear about the security holes; we know there is risk and act on it.

2. Zylam

Posts: 1817; Member since: Oct 20, 2010

Popcorn in the oven, don't worry I'm making plenty for all of us, from both sides of the war. Let it begin.

10. Mxyzptlk unregistered

Grab some beer while you're at it.

4. tedkord

Posts: 17357; Member since: Jun 17, 2009

Let's not start a war over this. No OS is perfectly secure.

11. Mxyzptlk unregistered

Oh my God, I actually have to +1 Ted. I think heck has frozen over.

18. tedkord

Posts: 17357; Member since: Jun 17, 2009

I've said this every time an iOS vulnerability has been exposed. I'm not a troll fanboy like you.

27. Mxyzptlk unregistered

And there goes tedkord being tedkord again.

13. gaming64

Posts: 234; Member since: Mar 22, 2016

But phone companies will still release B.S. campaigns about their phones being 100% secure. Heck, anything on the internet isn't secure at all.

22. marorun

Posts: 5029; Member since: Mar 30, 2015

for one of the rare time.. i agree with you.

5. tedkord

Posts: 17357; Member since: Jun 17, 2009

Or, is this an April Fools story?

9. AlikMalix unregistered

Is the comment section avoiding that this is for enterprise iPhones - the ones specifically opened to allow software installation without Apple's approval within the company? And that one must obtain stolen enterprise software before this can be done? I don't have an iPhone that's set up to be opened up for this, nor does anyone who bought their phone for personal use - the iPhones in question are maintained and monitored by the company's IT department. Just had to point out the elephant in the room.

12. natypes

Posts: 1110; Member since: Feb 02, 2015

14. AlikMalix unregistered

How is that related to iPhone running VPN software? + you do realize using words like "most" "best" "top of" etc. are just loud words that generate clicks. Did you read the article? Bet you didn't - u just clicked on the title and took it at face value based on a click-generating title. Great job, Mr. Investigator.

15. AlikMalix unregistered

Before you reply, the article and the website indicates what kind of volnurabilities, which part of the OS affected, how they're volnurable, just numbers, and numbers - might as well pulled from their own ass. If you want a completing factual statement, you can't just post numbers and call it facts. For all we know none of those volnurabilities have any ability to do harm, vs one that really opens up android like stagefright. For all we know this is scheme from competition.

17. natypes

Posts: 1110; Member since: Feb 02, 2015

Have a nice day!

20. AlikMalix unregistered

Never mind - I've dug deeper. This seems to be legit. My fanboy got the better of me, again. They have explanation for each. They also say which versions are affected. If you look at android they list 6.x just as volnurable, but if you look at iOS - they specifically list "before iOS 4.0, or before 7.3, or before 9.3 even", and in any case every volnurability - non is affective after 9.3. These seem to list volnurabilities that android, iOS and others has put out a patch for (look at their descriptions for each one) I think these are generated/found based on fixes that updates/patches cover, they analyze update/patch software for what bugs they fix and list them - and if iOS is updated more frequently and timely - everything already got patched. While android updates are seldom to none existent for many people and are still sitting with those problems. This is why iOS is more secure as they patch it up right away, yet 3rd of android users are still on lollipop and the other third is on kitkat, and the rest are older, only a mere 3% are up to date which means all the listed volnurabilities of android are still an open problem unlike iOS. Basically these are not active volnurabilities, but the patched ones. Now consider users who are running the latest software and you'll see who is actually more volnurable.

24. marorun

Posts: 5029; Member since: Mar 30, 2015

Alik, maybe the same applies to Apple scheming with security companies, paying them a lot to search for and announce holes in Android. But on the other hand they won't allow iOS app developers to give the media facts about holes they found, because they will get banned from developing iOS apps. An example: http://www.networkworld.com/article/2183007/wireless/apple-bans-researcher-for-app-exposing-ios-security-flaw.html So even in the contract you sign with Apple it's clearly stated that if you make an app to show a security hole, or even talk about it, you end up losing your dev account.. no wonder people won't do it and just report to Apple so they can fix it in the background without anyone knowing. At least Google doesn't do that, because otherwise many security firms that have Google developer accounts would end up banned as well. But hey, it's okay when they do it for Android apps but not for iOS, right?

26. AlikMalix unregistered

You're late to the party, I already retracted what I said about the sourse website. The article @natypes linked to was misleading about what these numbers actually mean. The reason Apple limited devs from bublishing holes are two gold: 1. Exposing volnurabilities only hurts users of said platform. 2. There's a lot of entities that would otherwise lie (but I'm not an idiot, biblically exposing holes is also bad for Apples reputation of course - so if you want to make money on iOS platform - play by the rules - and they all play by the rules because iOS is the only platform that bring nearly 90% of profits for them). Speculation on whether competsrors make up statistics and sites is just that speculation (myself included) - I assumed everyone understands that. But like I said, read my post #20 - I believe the site is legit, just had to do mor digging. The most important part to understand about these numbers is whether they're still effective! And iOS updates that carry fixes for ALL of these are available to anyone with devices that date back like 4 years - which is nearly all users. They may not have all the features available with new hardware but the important part is all these holes are patched!!! Android patches for all the holes (let them be - a little less than iOS) are NOT available to nearly all users!!! That means that currently there are quite a lot of android devices (nearly all) that are currently volnurable to "holes" listed. And that's why android is less secure - they just can't reach most of the users in time and most takes from 6 months to 2 years of they actually get it!!!

23. marorun

Posts: 5029; Member since: Mar 30, 2015

Here comes the Apple apologizing specialist xD There is a website that records and keeps all security holes on all the OSes. Before iOS 9.3, iOS had the most holes of all the OSes, mobile or desktop. They did a good job at plugging them in 9.3, but still you need to take into account every piece of info.

16. MrMiyagi

Posts: 41; Member since: Feb 27, 2014

So Apple has upgraded its software 2 times in the last 2 weeks and there are still vulnerabilities...The only thing assured in your next iOS update is that it comes with new unforeseen bugs.

25. marorun

Posts: 5029; Member since: Mar 30, 2015

That's the problem with Apple. They fix bugs and create new ones every update. They fix security holes but create new ones as well at every update.. that's without saying how devices older than 2 years fare with the latest update...

28. Ahovking

Posts: 711; Member since: Feb 03, 2015

HAHAHAHAH APPLE PR thats alll it is... what do you expect from Applearena

31. lakeswolf

Posts: 10; Member since: Feb 22, 2016

I am not a good in english and in grammar, but thanks to android prediction key-board that i can type without doing mistake ...mr.alik iPhone key-board doesnt seems to have prediction key-board? Thats why i can see loads of typos like volnurabilities instead of vulnerabilities!! Lols

32. AlikMalix unregistered

Yes it does, hold down the "World" key (the one you change language and it will have an option "Predictive ON/OFF" - tap that. Predictive text on iOS keyboard works for both languages that I speak. But I dont use the features because i'm used to typing it out or more frequently just dictate.
