August 14, 2014, 1:21 AM — Apple has done well to insulate its iOS mobile operating system from many security issues, but a forthcoming demonstration shows it's far from perfect.
Next Wednesday at the Usenix Security Symposium in San Diego, researchers with the Georgia Institute of Technology will show how iOS's Achilles' heel is exposed when devices are connected over USB to a computer or have Wi-Fi synching enabled.
The beauty of their attack is that it doesn't rely on iOS software vulnerabilities, the customary way that hackers commandeer computers. It simply takes advantage of design issues in iOS, working around Apple's layered protections to accomplish a sinister goal.
"We believe that Apple kind of overtrusted the USB connection," said Tielei Wang, a co-author of the study and research scientist at the institute.
Last year, Wang's team developed Jekyll, an iPhone application with well-masked malicious functions that passed Apple's inspection and briefly ended up on its App Store. Wang said although the research was praised, critics contended it might have been hard to get people to download Jekyll amid the thousands of apps in the store.
This time around, Wang said they set out to find a way to infect a large number of iOS devices and one that didn't rely on people downloading their malicious app.
Their attack requires the victim's computer to have malware installed, but there's a thriving community of people known as "botnet herders" who sell access to large networks of compromised computers.
Wang said they conducted their research using iOS devices connected to Windows, since most botnets are on that platform, but their attack methods also apply to OS X.
Apple requires a person to be logged into his account in order to download an application from the App Store. But Wang and the researchers developed a man-in-the-middle attack that can trick an Apple device that's connected to a computer into authorizing the download of an application using someone else's Apple ID.
As long as the application still has Apple's digital signature, it doesn't even need to still be in the App Store and can be supplied from elsewhere.
But Apple is pretty good at not approving malicious applications, so the researchers found another way to load a malicious app that didn't involve the App Store.
Apple issues developer certificates to those who want to do internal distributions of their own applications. Those certificates can be used to self-sign an application and provision it.
Wang's team found they could sneak a developer provisioning file onto an iOS device when it was connected via USB to a computer. A victim doesn't see a warning.
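As an added example (not the researchers' code and not from the article), here is a defender-side check for a provisioning file recovered from a device or its sync host: it parses the plist that a .mobileprovision carries and flags the properties that make a profile broad enough to deserve review. The sample profile bytes are constructed, and locating the plist by its XML markers is a heuristic that reads the profile without verifying Apple's signature on it.

```python
import plistlib
from datetime import datetime

# Constructed sample (not a real Apple-signed profile): the XML plist that a
# .mobileprovision carries, wrapped in filler bytes standing in for the CMS
# (PKCS#7) envelope that normally surrounds it.
SAMPLE_PROFILE = b"\x30\x82\x01\x00" + b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Name</key><string>Internal Tools</string>
    <key>TeamName</key><string>Example Corp</string>
    <key>TeamIdentifier</key><array><string>ABCDE12345</string></array>
    <key>ExpirationDate</key><date>2015-08-14T00:00:00Z</date>
    <key>ProvisionsAllDevices</key><true/>
    <key>Entitlements</key><dict>
        <key>application-identifier</key><string>ABCDE12345.*</string>
        <key>get-task-allow</key><false/>
    </dict>
</dict>
</plist>""" + b"\x00\x00"


def extract_plist(blob: bytes) -> dict:
    """Locate the plist inside the CMS wrapper and parse it.
    Heuristic: the plist is embedded uncompressed, so its XML markers suffice.
    This does NOT check Apple's signature; on macOS, `security cms -D -i
    file.mobileprovision` both verifies and decodes the profile."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no plist payload found in profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit_profile(blob: bytes, today: str) -> dict:
    """Report who issued the profile, whether it has lapsed as of `today`
    (YYYY-MM-DD), and which properties widen what it can install or permit."""
    p = extract_plist(blob)
    ent = p.get("Entitlements", {})
    findings = []
    if p.get("ProvisionsAllDevices"):
        findings.append("enterprise profile: installs on any device, no UDID list")
    if ent.get("application-identifier", "").endswith("*"):
        findings.append("wildcard application-identifier: covers any bundle id")
    if ent.get("get-task-allow"):
        findings.append("get-task-allow: a debugger may attach to the app")
    expired = p["ExpirationDate"] <= datetime.strptime(today, "%Y-%m-%d")
    return {"name": p.get("Name"), "team": p.get("TeamName"),
            "team_ids": p.get("TeamIdentifier", []),
            "expired": expired, "findings": findings}
```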