Hackers can abuse the iOS mobile device management protocol to deliver malware

The attack bypasses the restrictions for enterprise app deployment introduced in iOS 9, Check Point researchers said

Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates. However, it left one door open that attackers can still exploit: the protocol used by mobile device management products.

In a presentation at the Black Hat Asia security conference on Friday, researchers from Check Point Software Technologies will demonstrate that the communication between MDM products and iOS devices is susceptible to man-in-the-middle attacks and can be hijacked to install malware on non-jailbroken devices with little user interaction.

Apple's tight control over the iOS App Store has made it hard, but not impossible, for attackers to infect iOS devices with malware.

The most common way for hackers to infect non-jailbroken iOS devices with malware is through stolen enterprise development certificates. These are code-signing certificates obtained through the Apple Developer Enterprise Program that allow companies to distribute internal apps to iOS devices without publishing them in the public app store.

In older versions of iOS, deploying an app signed with an enterprise certificate required the user to open a link where the app was hosted, agree to trust the developer and then agree to install the app. The process required user interaction, but it was easy enough to be abused in social engineering attacks that tricked users into performing the required steps.

According to Michael Shaulov, the head of mobility product management at Check Point, Apple decided to address this risk in iOS 9 by adding additional steps to the enterprise app deployment process. But it left a loophole open: the way in which MDM products install apps on iOS devices remained unaffected.

Companies use MDM products to control, configure, secure and, if necessary, wipe their employees' mobile devices. These products also include private app stores that allow companies to easily deploy apps to their employees' devices.

The Check Point researchers found that the MDM protocol implemented in iOS is susceptible to man-in-the-middle attacks and can be used to install malware on non-jailbroken devices.

The attack would only work against devices that are registered to an MDM server, but many mobile devices used in enterprise environments are.

Then the attacker would need to trick the users of those devices to install a malicious configuration profile. This wouldn't be hard to do either, because most enterprise users are used to installing such profiles. They are typically used to deploy VPN, Wi-Fi, email, calendar and other settings.

The malicious configuration profile distributed by the attacker would install a rogue root certificate and would configure a proxy for the device's Internet connection. This would route the device's traffic through a server under the attacker's control and would enable the man-in-the-middle attack.
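The two ingredients just described, a new root certificate and a proxy that redirects the device's traffic, are both ordinary payload types in an iOS configuration profile, so a defender can check a profile for that combination before it is approved for deployment. The script below is an added example written for this article; it is not Check Point's or Apple's code. It assumes the payload type identifiers `com.apple.security.root`, `com.apple.security.pkcs1`, `com.apple.proxy.http.global` and `com.apple.wifi.managed` and the proxy keys `ProxyServer` and `ProxyServerPort` as documented in Apple's Configuration Profile Reference; the two profiles embedded in it are constructed samples, and the certificate data and host names are placeholders.

```python
"""Audit an iOS configuration profile (.mobileconfig, XML plist) for the
payload combination the Sidestepper attack relies on: a trusted root
certificate plus a global HTTP proxy.  Added example, not the article's or
Check Point's code; payload type names are assumed from Apple's
Configuration Profile Reference."""
import plistlib

ROOT_CERT_PAYLOAD = "com.apple.security.root"        # installs a trusted root CA
PKCS1_CERT_PAYLOAD = "com.apple.security.pkcs1"      # installs a (non-root) certificate
GLOBAL_PROXY_PAYLOAD = "com.apple.proxy.http.global"  # routes all HTTP(S) through a proxy


def audit_profile(profile_bytes: bytes) -> dict:
    """Return a findings dict: which risky payloads the profile carries,
    the proxy destination if one is configured, and an overall risk level."""
    profile = plistlib.loads(profile_bytes)
    findings = {
        "identifier": profile.get("PayloadIdentifier", "<none>"),
        "display_name": profile.get("PayloadDisplayName", "<none>"),
        "installs_root_cert": False,
        "installs_cert": False,
        "sets_global_proxy": False,
        "proxy_host": None,
        "proxy_port": None,
        "risk": "low",
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype == ROOT_CERT_PAYLOAD:
            findings["installs_root_cert"] = True
        elif ptype == PKCS1_CERT_PAYLOAD:
            findings["installs_cert"] = True
        elif ptype == GLOBAL_PROXY_PAYLOAD:
            findings["sets_global_proxy"] = True
            findings["proxy_host"] = payload.get("ProxyServer")
            findings["proxy_port"] = payload.get("ProxyServerPort")
    # A root CA on its own, or a proxy on its own, deserves a look; the two
    # together are exactly what a man-in-the-middle setup needs.
    if findings["installs_root_cert"] and findings["sets_global_proxy"]:
        findings["risk"] = "high"
    elif findings["installs_root_cert"] or findings["sets_global_proxy"]:
        findings["risk"] = "medium"
    return findings


# Constructed sample: looks like a Wi-Fi profile by name, but carries a root
# certificate (placeholder bytes) and a global proxy to a placeholder host.
SUSPICIOUS_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.profile</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi settings</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.constructed.root</string>
      <key>PayloadContent</key><data>AAEC</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>example.constructed.proxy</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed sample: a plain managed Wi-Fi payload and nothing else.
BENIGN_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.constructed.wifi</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi settings</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.constructed.wifi.1</string>
      <key>SSID_STR</key><string>corp-wifi</string>
    </dict>
  </array>
</dict>
</plist>
"""

if __name__ == "__main__":
    for blob in (SUSPICIOUS_PROFILE, BENIGN_PROFILE):
        f = audit_profile(blob)
        print(f"{f['identifier']}: risk={f['risk']} root_cert={f['installs_root_cert']} "
              f"proxy={f['proxy_host']}:{f['proxy_port']}")
```

The point of the check is the display name: both samples call themselves "Corporate Wi-Fi settings", which is all the user sees in the install prompt, so the audit has to look at the payload types rather than the label. A real deployment would run this against every profile offered through the MDM and block any "high" result pending review.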

The hacker can then impersonate the MDM server and push a malicious app signed with a stolen enterprise certificate to the device. In a targeted attack, the app could be crafted to masquerade as an app that the user expects to receive.

The device would display a confirmation prompt asking whether the user agrees to install the app, but even if the user declines, the attacker can keep sending the request again and again. This would essentially prevent the user from doing anything on the device until they agree to install the app, Shaulov said.

Because this method bypasses iOS 9's new restrictions for enterprise app deployments, the Check Point researchers have named the vulnerability Sidestepper.

The misuse of enterprise certificates is not uncommon. According to Shaulov, a scan performed on around 5,000 iOS devices belonging to one of Check Point's customers, a Fortune 100 global company, found 300 sideloaded applications signed with over 150 enterprise certificates. Many of those certificates had been issued by Apple to entities in China and had been used to sign pirated versions of legitimate apps, but at least two apps were part of known malware families.
