iPhones, iPads ripe for the picking

USENIX Security Symposium: Georgia Tech researchers show how PC botnets could infect iOS devices to steal passwords.

Attackers could compromise iPads and iPhones on a large scale through the infected computers that make up botnets, researchers say.

Nearly a quarter of zombie computers that make up certain known botnets eventually connect with Apple iOS devices, making these phones and tablets vulnerable to infection from malicious applications, a team from Georgia Institute of Technology said last week at the 23rd USENIX Security Symposium.

Attackers would install malicious applications on the iOS devices when they connect to infected PCs via USB cable or Wi-Fi, says the team led by Tielei Wang. The apps would steal passwords and other personal information.

Generally, iOS apps must come from the App Store, where they have been vetted. But malicious apps have slipped past that vetting in the past and stayed in the store until users discovered they were malicious, at which point Apple dropped them, the researchers say. Attackers could place such apps in the store again, and bot computers could download them before they were dropped.

Then, when an iOS device attached to the bot computer, the bot would download the app onto the phone or tablet.

As a rule iOS devices will accept only those apps that are bound to their Apple ID. But the phones and tablets would accept the apps from the bot because iTunes running on the bot would be allowed to make the transfer. As the researchers put it, "Specifically, when an iOS device with Apple ID B is connected to iTunes with Apple ID A, iTunes can still sync apps purchased by Apple ID A to the iOS device, and authorize the device to run the apps."

This will work even after Apple has removed the malicious app from the App Store, they say. "Although Apple has absolute control of the App Store, attackers can leverage [Man in the Middle attacks] to build a covert distribution channel of iOS apps." The covert distribution channel would be the botnet.

The researchers show another mechanism for getting malicious apps onto iOS devices: abusing the permissions granted to developers for testing apps on devices, or to enterprises for distributing in-house apps. With enough developer credentials, attackers could distribute malicious applications by getting around the protections put in place for App Store applications.

The researchers also discovered that while an iOS device is connected to a PC, the host computer can connect to it via the Apple File Connection (AFC) protocol. As a proof of concept, the researchers say they retrieved cookies from the Facebook and Gmail apps on iOS devices and transferred them to another computer, where they were used to get into those Web accounts.

To estimate how many iOS devices might be vulnerable to such attacks the researchers used DNS traffic from two U.S. ISPs in 13 cities for five days last October. They searched the traffic for the domain names of known botnet command-and-control servers being tracked by security company Damballa to determine how many Windows machines on customer networks included bots. They eliminated Mac OS X machines from the count.

They came up with a conservative estimate that 23% of all the bot machines in the sample had both Windows iTunes installed and also had iOS devices connecting from the same IP address, meaning these iOS devices could be vulnerable to the researchers' attacks. Put another way, if the attacks were bundled into payloads directed at the iOS devices, "there would be 75,714 potential victims in 13 cities, within the networks we monitor."
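The co-location measurement described above can be reproduced on a defender's own resolver logs. The sketch below is an added example, not the researchers' code: the article does not say which DNS names were matched, so every indicator suffix, the log format and the sample records are constructed placeholders, and dropping any IP that shows a Mac OS X marker is a simplifying assumption.

```python
from collections import defaultdict

# Hypothetical indicator suffixes; the article does not list the names matched.
INDICATORS = {
    "bot": ("cnc-one.example", "cnc-two.example"),   # stand-in C&C feed
    "itunes_win": ("itunes-win.example",),           # stand-in Windows iTunes marker
    "ios": ("ios-only.example",),                    # stand-in iOS device marker
    "osx": ("osx-only.example",),                    # stand-in Mac OS X marker
}

# Constructed resolver log: "<epoch> <client_ip> <queried_name>"
SAMPLE_LOG = """\
1382000001 192.0.2.10 cnc-one.example.
1382000002 192.0.2.10 updates.itunes-win.example
1382000003 192.0.2.10 push.ios-only.example
1382000004 192.0.2.11 www.cnc-two.example
1382000005 192.0.2.12 cnc-one.example
1382000006 192.0.2.12 osx-only.example
1382000007 192.0.2.12 push.ios-only.example
1382000008 192.0.2.13 itunes-win.example
1382000009 192.0.2.13 ios-only.example
1382000010 192.0.2.14 notcnc-one.example
1382000011 192.0.2.15 CNC-TWO.example
1382000012 192.0.2.15 push.ios-only.example
truncated-line
"""

def matches(qname, suffixes):
    """True if qname equals a suffix or is a subdomain of it (label-aligned)."""
    q = qname.rstrip(".").lower()
    return any(q == s or q.endswith("." + s) for s in suffixes)

def tag_clients(log_text):
    """Map each client IP to the set of indicator tags its queries matched."""
    tags = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:          # skip malformed records
            continue
        _, ip, qname = parts
        for tag, suffixes in INDICATORS.items():
            if matches(qname, suffixes):
                tags[ip].add(tag)
    return tags

def exposure(log_text):
    """Return (bot IPs, bot IPs that also show Windows iTunes and an iOS device)."""
    tags = tag_clients(log_text)
    bots = sorted(ip for ip, t in tags.items() if "bot" in t and "osx" not in t)
    exposed = [ip for ip in bots if {"itunes_win", "ios"} <= tags[ip]]
    return bots, exposed

if __name__ == "__main__":
    bots, exposed = exposure(SAMPLE_LOG)
    print(f"{len(exposed)}/{len(bots)} bot IPs co-located with iOS devices: {exposed}")
```

Because several machines can share one public IP, a match means only that a bot and an iOS device sit behind the same address, which is the same limitation the article's "same IP address" wording implies.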

The researchers say they've already told Apple about their discoveries. "We have made a full disclosure to Apple and notified Facebook and Google about the insecure storage of cookies in their apps," the researchers write in their paper. "Apple acknowledged that, based on our report, they have identified several areas of iOS and iTunes that can benefit from security hardening."
