It has long been established that plugging one's iPhone into an unknown computer or hardware device exposes that mobile phone to potentially malicious cyber-activity. However, once the user disconnects, adversaries typically lose their conduit through which they can pull off direct attacks.
But researchers presenting at RSA 2018 on Wednesday disclosed how attackers in this scenario can gain persistent remote control over plugged-in devices, even after they are disconnected, by abusing a weakness in iTunes Wi-Fi sync, a feature that allows users to sync up iTunes content and data between Apple devices.
The only action required on the part of the victim is agreeing to "trust" the connected device when responding to an Apple security notification acknowledging the presence of an unknown machine. The victim does not even have to enable the iTunes Wi-Fi sync feature, as this functionality can instead be activated by malware installed on the boobytrapped computer or hardware device.
This exploit technique, dubbed Trustjacking, is "extremely impactful," said Adi Sahabani, SVP of modern OS security at Symantec, who revealed the findings at the session alongside his colleague Roy Iarchy, Symantec's modern OS research team leader. Indeed, by employing this exploit, attackers have the power to remotely view victims' mobile screens, exfiltrate valuable content, or even install malicious spy apps disguised in the package of genuine apps.
According to Symantec, Trustjacking attackers would be able to view a victim's device screen essentially in real time by installing the developer image suitable for a particular iPhone's iOS version, and then taking continuous screenshots. And they could steal content such as photos, app data and SMS and iMessage chat history simply by creating an iTunes back-up.
In a blog post released in conjunction with the RSA session, Iarchy explains that when iOS device owners plug into a computer and agree to trust it, many users assume their mobile data is no longer exposed once they disconnect. However, "Even if the device is only connected for a very short period of time, it is enough for an attacker to execute the necessary steps to maintain visibility of all actions performed on the device after it is disconnected."
Normally, Trustjacking attackers would only be able to execute malicious actions if they remain close enough in proximity to the victim to share the same Wi-Fi network; however, there are several ways around this limitation to create a permanent remote connection.
One, they could combine the exploit with a malicious profile attack - essentially tricking victims into downloading and executing an insecure iOS configuration profile - so that they can continuously connect to the mobile device via a VPN server.
Or alternatively, they could try infecting iOS users' own computers with malware, essentially leveraging the victims' own hardware against them. "In this case, the attacker can utilise the relation of trust the victim has between his iOS device and his computer, along with the fact one's own computer is usually in close proximity to the mobile phone..." the blog post states.
Symantec reports that Apple responded to its responsible disclosure by adding a new mechanism requiring iOS device owners to enter a passcode before they can trust and authorise a new device. However, the researchers contend that such measures are inadequate.
"...The user is still being told that this authorisation is only relevant while the device is connected to the computer, making him believe that disconnecting his device guarantees that no one can access his private data," writes Iarchy in the blog post. "While we appreciate the mitigation that Apple has taken, we'd like to highlight that it does not address Trustjacking in an holistic manner. Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work..."
SC has reached out to Apple for comment.
To guard against this threat, Symantec recommends that iOS users reset their list of trust devices and enable encrypted back-ups in iTunes while implementing a strong password.