iPhone, iPad Configuration Files Security Hole Shown - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Mobile

iPhone, iPad Configuration Files Security Hole Shown

Mobile configuration files used by carriers could be repurposed to steal data and remotely control an iPhone or iPad, security firm warns.

Anonymous: 10 Things We Have Learned In 2013
Anonymous: 10 Things We Have Learned In 2013
(click image for larger view and for slideshow)
iPhone and iPad users: Beware malicious profile configuration files.

That warning comes via Israeli mobile security startup Skycure, which Tuesday published a proof-of-concept research on the company's blog, showing how iOS mobileconfig files, which are designed to configure devices to work with a carrier's cellular network, could be used instead to remotely control an iPhone or iPad and steal data.

Skycure CEO Adi Sharabani, a former security and research manager at Web application security firm Watchfire -- bought by IBM in 2007 -- was scheduled to present the company's findings Tuesday at the 13th annual Herzliya Conference in Israel. The conference is billed as the country's "primary global policy annual gathering … to address pressing national, regional and world strategic issues."

[ Looking for mobile spam relief? Read Cell Phone Spam Doesn't Pay, FTC Says. ]

Just what is a mobileconfig file? The XML files are produced using the iPhone Configuration Utility (iPCU), and are designed to allow carriers to easily configure their subscribers' phones. "These MobileConfiguration files can contain device security policies and restrictions, VPN configuration information, Wi-Fi settings, email and calendar accounts, and authentication credentials that permit iPhone, iPod Touch, and iPad to work with certain enterprise systems," said a post to the developer question-and-answer site Stack Overflow. Such files also can be distributed via websites or email.

But mobileconfig files also could be generated and used by attackers to configure devices to their liking. "A malicious profile could be used to remote control mobile devices, monitor and manipulate user activity and hijack user sessions," said the Skycure blog, which was posted by CTO Yair Amit, who noted that such profiles can be used to install new root certificates on a targeted device. "This makes it possible to seamlessly intercept and decrypt SSL/TLS secure connections, on which most applications rely to transfer sensitive data," he said. "A few concrete impact examples include: stealing one's Facebook, LinkedIn, mail and even bank identities and acting on his/her behalf in these [accounts], potentially creating havoc."

To be clear, any such iOS attacks are only theoretical. But according to Amit, the use of malicious mobileconfig files is akin to finding a way to target iOS devices with malware, without having to worry about installing an executable on the device, which thanks to Apple's walled garden model has proven to be almost impossible.

One innovative -- and non-malicious -- use of mobileconfig files is offered by the iPhone APN Changer website, which allows iPhone users to change the carrier settings on their phones "so you can use unofficial carrier SIMs with your device."

Interestingly, the Skycure researchers said they found that at several AT&T stores, including one in Manhattan, AT&T employees directed people who want to use the carrier's pay-as-you-go service for their iPhone to download and install a configuration file from the third-party APN Changer website. "In one of the stores, an AT&T salesperson actually took our phone and performed the aforementioned process via a public Wi-Fi network, which is an easy target for man-in-the-middle attacks," said Amit. That's because the APN Changer site transmits all of its mobileconfig files in plain text over HTTP, without using HTTPS, which means that the communications could be intercepted and spoofed by an enterprising attacker.

In other words, although mobileconfig files offer useful functionality for carriers who want to configure their subscribers' phones, with a bit of social engineering trickery, attackers -- or espionage artists -- could use the files to easily alter phone settings and keep tabs on a targeted iPhone. As a result, users should beware installing any mobileconfig files unless obtained from a trusted source, and preferably only when downloaded from a site via HTTPS.

The Enterprise Connect conference program covers the full range of platforms, services and applications that comprise modern communications and collaboration systems. Hear case studies from senior enterprise executives, as well as from the leaders of major industry players like Cisco, Microsoft, Avaya, Google and more. Register for Enterprise Connect 2013 today with code IWKPREM to save $200 off a conference pass or get a free Expo Pass. It happens March 18-21 in Orlando, Fla.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
moarsauce123
50%
50%
moarsauce123,
User Rank: Ninja
3/14/2013 | 10:42:57 PM
re: iPhone, iPad Configuration Files Security Hole Shown
They are just holding it wrong....
Commentary
Future IT Teams Will Include More Non-Traditional Members
Lisa Morgan, Freelance Writer,  4/1/2020
News
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Commentary
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
White Papers
Register for InformationWeek Newsletters
State of the Cloud
State of the Cloud
Cloud has drastically changed how IT organizations consume and deploy services in the digital age. This research report will delve into public, private and hybrid cloud adoption trends, with a special focus on infrastructure as a service and its role in the enterprise. Find out the challenges organizations are experiencing, and the technologies and strategies they are using to manage and mitigate those challenges today.
Video
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Slideshows
Flash Poll