How attackers can exploit iTunes Wi-Fi sync to gain lasting control of target devices
An iOS feature called iTunes Wi-Fi sync, which allows a user to manage their iOS device without physically connecting it to their computer, could be exploited by attackers to gain lasting control over the device and extract sensitive information from it.
The vulnerability was discovered by Symantec researchers, disclosed to Apple and now to the RSA Conference 2018 attendees and the wider public.
Apple has implemented a mechanism that should prevent easy exploitation of the feature, but the researchers say that it doesn’t address the “Trustjacking” problem in an holistic manner.
Exploitation
When users connect their iOS device to a computer or, for example, a free charger at an airport, they are asked whether they will trust the computer (meaning, that its settings and data will be accessible from it when connected).
Most users believe that they have to trust the computer to get their device charged and believe the trust/access works only as long as the device is physically connected to the computer.
But if the “Sync with this iPhone/iPad over Wi-Fi” feature is enabled, the connection will last and the synching will happen as long as the user doesn’t revoke the trust.
“Choosing to trust the computer allows it to communicate with the iOS device via the standard iTunes APIs,” the researchers explained.
“This allows the computer to access the photos on the device, perform backup, install applications and much more, without requiring another confirmation from the user and without any noticeable indication. Furthermore, this allows activating the ‘iTunes Wi-Fi sync’ feature [from the computer side and without the victim’s approval], which makes it possible to continue this kind of communication with the device even after it has been disconnected from the computer, as long as the computer and the iOS device are connected to the same network.”
(The connection between the mobile device and the computer persists because the access credentials provided by the former to the latter when physically connected are saved by the computer and automatically reused when the mobile device pops up on the same network.)
The two steps for the attack – allowing the device to connect to iTunes and enabling the iTunes Wi-Fi sync feature while the device is physically connected – can be automated and quickly executed by malicious software. Once that’s done, the attacker can repeatedly sync the device while the computer and mobile device are one the same network.
The Wi-Fi connection can also be used to install a developer image. Such access would allow the attacker to see everything the user is doing, and to see and harvest sensitive information such as passwords as the user enters them. Also, he or she could leverage the remote iTunes backup option to harvest various data and files (photos, message history, etc.) or the access to the device to install malicious apps or create a malicious profile.
“By combining this attack with the malicious profile attack, we are able to connect the device to a VPN server and create a continuous connection between the victim’s device and the attacker’s computer and leverage this attack anytime and without the restriction of being in proximity with the device or connected to the same network,” they researchers concluded.
What can users do?
Apple has made it so that the owner of the mobile device has to enter their passcode in order for the trust between it and the computer can be established.
This would prevent individuals that are not the owner of the mobile device to make the connection needed to slurp the data wirelessly, but does nothing to stop the attack if the user decides to or is tricked into trusting a computer controlled by the attacker.
In the meantime, the users can make sure that their iTunes backups are encrypted and that no potentially malicious computers are trusted by their device (“Reset Location & Privacy” in Settings > General > Reset).
Unfortunately, it could happen that their own computer is compromised by an attacker and, as long as this is the case and that computer is trusted, the attacker will have a way into the mobile device.
