A fresh attack vector for iOS has been uncovered, dubbed “SideStepper.” It could give threat actors control of devices, the data that resides on them, and even enterprise services, potentially impacting millions of iOS users worldwide.
The Check Point research team said that the issue resides in Apple’s iOS 9 security paradigm, and enables threat actors to stage a man-in-the-middle attack that hijacks communications between managed iOS devices and mobile device management (MDM) solutions.
At the heart of the issue is the use of enterprise certificates, which are certificates signed by Apple that developers can use for signing apps they create in XCode. Apps signed with this certificate can be installed on iOS devices without having to be vetted through the traditional App Store processes. This is done to help enterprises who may want to develop apps themselves and then distribute them to their employees without requiring that these employees install the app through the App Store.
In response to what amounted to a significant vulnerability to this ecosystem, as demonstrated by the Masque attack, Apple introduced new security measures for enterprise apps in iOS 9 to prevent hackers from making use of this situation to get around the App Store vetting process.
“For instance, when the enterprise app is initially downloaded, the user must go through a maze of settings screens to verify the app’s developer. Only after this verification process is complete can the app be executed,” Check Point explained in a paper on the issue. “Apple did leave a loophole, however. Enterprises use apps in myriad ways, and many users can’t handle the new workflow for actively trusting apps. So iOS natively trusts any app installed by MDM solutions, which are exclusively used by businesses. In fact, an app installed by an MDM will not show any indication of its origin.”
First, an attacker convinces a user to install a malicious configuration profile on a device by using a phishing attack. Once installed, this malicious profile allows an attacker to stage a MitM attack on the communication between the device and an MDM solution. The attacker can then hijack and imitate MDM commands that iOS trusts, including the ability to install enterprise apps over-the-air.
Malicious apps can be designed to: Capture screenshots, including screenshots captured inside secure containers; record keystrokes, exposing login credentials of personal and business apps and sites to theft; save and send sensitive information like documents and pictures to an attacker’s remote server; and control sensors like the camera and microphone remotely, allowing an attacker to view and capture sounds and images.
The best way to mitigate the threat is to not fall for the phishing attack in the first place. And, of course, users should always be extra vigilant when downloading apps onto their devices.
Photo © Hadrian/Shutterstock.com