Critical iPhone Vulnerability Exposed by Israeli Security Company

TEL AVIV—The number of smartphone malware attacks grew rapidly last year, but attacks on iPhones were less than one percent of those attacks. Even with the attacks that did get through, due to the iOS architecture, the impact was was rather insignificant. But this could change very soon, a massive number of iPhone users could be affected.

A vulnerability exposed by Israeli mobile security start-up Skycure could be used by hackers to easily control and spy on iPhones—and on a large scale. Not only would a hacker have access to a user’s private information, including passwords, but the connection would seem secure, so that the spying would be totally unnoticeable.

Adi Sharabani, CEO and co-founder of Skycure, showed The Epoch Times how an attacker could not only retrieve sensitive information, including the victim’s exact location, but also control the victim’s phone, and even quietly change a user’s GPS destination while driving.

iPhones that haven’t gone through the Jailbreak process are generally considered highly secure. Applications can be downloaded only from Apple’s App Store, each of which goes through a tough screening process.

Only several applications containing malicious code have made it temporarily to the App Store. Even then, their influence was limited by Apple’s sandboxing approach, which restricts what an application can actually do. While some malicious applications managed to steal users’ contacts lists, for example, none could access the users’ bank or email passwords, or the organizational exchange server credentials. 

However, there is one approach, Profiles, that does not require screening by Apple and is not restricted by sandboxing, as demonstrated by Sharabani in a March 12 Herzliya Conference.

“This technology wasn’t being widely used during the first years since its creation, but during the last one or two years it has been used on an increasingly large scale,” said Sharabani in an interview.

Put simply, Profiles are configuration files that can be installed on an iPhone with a click. They can be sent through email or downloaded from Web pages. Once installed, these files can modify a large variety of the iPhone’s settings, some of which cannot be modified otherwise.

To demonstrate the potential damage, Sharabani installed a malicious profile on an iPhone. The malicious profile routed all Internet activity through a special proxy server. Every keystroke on the Safari browser showed right on Sharabani’s computer. After opening the Facebook app, Sharabani could easily get into the iPhone user’s Facebook account and look around.

This could have been done with a traditional man-in-the-middle attack, in which the Internet connection is routed through an invisible third party factor, but not for secure connections (https).

The attacker could show the user the desired Web page, but the user would be unable to verify the authenticity of the Web page. Using the Profile approach, the attacker can install Web certificates on the iPhone to mask malicious connections as being trusted.

That means a connection might seem perfectly secure, and the user will have no way of noticing that someone else is watching.

But how would a malicious profile be installed on your iPhone?

Carriers, as well as stores which provide mobile services, use Profiles to easily configure iPhones after installing a new SIM card. Enterprises use Profiles to set up organizational settings for workers with one click. These Profile files are stored on the Web, and are often available to download without a secure connection.

Through a non-secure connection an attacker might manipulate the Profile file being downloaded by the user. The legitimate Profile could be replaced by a malicious one, which could seem as a fully legitimate Profile, and even appear as “Verified” in your iPhone by simply using a fake signature.

Many private websites offer Profiles for download today, in order to allow users to easily perform settings when switching carriers. Attackers could spread such Profiles which would work just the same, but contain a setting that will allow the attacker to take control.

Yair Amit, CTO and co-founder of Skycure, said another way one could get infected with such malware could be through websites that offer free videos, for example, and require the user to install a profile to work properly, thus tempting an innocent user to do what he or she normally would not. 

Today, some iPhone applications already require the user to install a profile in order to work. An application might ask the user to install a profile to legitimately enable some features, but at the same time use this vulnerability to perform malicious settings.

The Epoch Times publishes in 35 countries and in 21 languages. Subscribe to our e-newsletter.