
Unpatched stealthy iOS MDM hack spells ruin for Apple tech enterprises


steven36


Clicking 'OK' to ordinary and expected phishing prompt enough for complete iPhone compromise

 

Black Hat Asia: Enterprises the world over are at risk from a seamless new attack that allows the latest Apple devices to be quietly compromised in what researchers say requires a total overhaul of Cupertino's enterprise provisioning architecture for mobile device management.

 

The unpatched hack – dubbed SideStepper and crafted by Israel-based Check Point hackers Ohad Bobrov and Avi Bashan – begins with a near-perfect phishing attack targeted at staff, and ends with complete compromise of fully updated iOS devices running version 9.2.

 

It takes advantage of Apple's newly streamlined enterprise provisioning architecture, which allows tech shops to install non-App Store applications on staff handsets.

 

Mobile device management of Apple devices is a system used by almost all Fortune 100 companies and scores more enterprises. Almost all are at risk of the attack, the pair told The Register.

Apple's upgrade means attackers need only send an SMS – to trick staff into accepting a legitimate-looking request to install a configuration file – for attackers to have remote man-in-the-middle access. From there, attackers can install applications that will quietly eviscerate Apple devices.

 

The attack demonstrated to The Register by Bobrov and Bashan ahead of their presentation at Black Hat Asia today generates a pop-up on staff handsets that would appear typical of those requests generated by mobile device management platforms.

 

Apple has been contacted for comment. However, the pair say they informed the tech giant of their research, and Apple labeled it "a feature, not a bug."

 

The pair say the attack is cleaner and more deadly than any that have come before, and is explicitly thanks to Apple borking its enterprise provisioning service.

 

"We found a way to do a man-in-the-middle attack on an iOS mobile device and replace an original command such as 'query device' with one to install a malicious enterprise certificate application," Bobrov says.

"That pretty much seamlessly installs a malicious application on the device, and then game over."

 

Bashan says a configuration profile sent to devices and accepted by users will install routing commands and root certificates, which combined let attackers route and decrypt handset traffic to their servers.

"Once staff open the malicious app, sensitive data like contacts, emails, screenshots can be sent to a server so that personal and enterprise data is compromised," Bashan says.

 

"Apple tried to solve the problem but actually made it worse, because now it is even easier to infect a mobile device."

 

Cupertino indeed made it easier for enterprise provisioning, which has been a target of black and white hats since the FinFisher government mobile malware was identified in 2013. Following that revelation, jailbreakers Pangu and white hats behind the Masque attack have targeted the enterprise provisioning vector. Last year alone, WireLurker, Hacking Team, and YiSpecter surfaced to pwn the latest iOS devices using the channel.

 

The phishing configuration file bait resembles a legitimate prompt that is a common sight for staff using handsets controlled by mobile device management systems. Attackers can even mark the phishing installation prompt to continually pop up until users click accept.

 

Asked what Apple can do to remediate the problem, Bobrov and Bashan say little short of an architectural overhaul will fix the attack vector; patching will not help, they say. Moreover, any significant fix could disrupt businesses running existing mobile device management deployments for Apple devices.

 

There is also little a typical system administrator can do to detect a handset compromised by the attack. Eagle-eyed staff could report a newly-installed application to IT, foiling the hack, but further attack research makes this scenario even more unlikely.

 

Separate research by MetaIntell architect Chilik Tamir also showcased at the Singapore hacking conference demonstrates how attackers can install a malicious application that not only looks like a legitimate app, but when tapped, calls and launches the original expected app after it pwns the handset.

 

Combined, the two tactics spell trouble for enterprises and opportunity for ambitious attackers.

 

Bobrov and Bashan are already working on further iOS vulnerability and exploitation research. They also have Android in their sights.

 

"We love mobile," Bobrov says. "Android as well."

 

The Source




SideStepper Allows for MiTM Between iOS Devices, MDM Tools

Apple’s Developer Enterprise Program has been abused in the recent past to push malicious apps onto iOS devices, most notably with the WireLurker, XcodeGhost and YiSpecter attacks.

 

In all three cases, attackers legitimately obtained certificates under the program, which is available to enterprises wishing to develop and internally distribute mobile apps for their workforces without having to publish them on the App Store.

 

Since iOS 9, Apple has made it more difficult for rogue apps and adware to find their way onto devices. Users, for example, must go through and approve steps via a verification process before apps are allowed to execute.

 

Check Point Software Technologies researchers, however, found another soft spot in the process whereby attackers can use phishing or other social engineering attacks to trick users into installing a malicious configuration file that allows a hacker to sit in a man-in-the-middle position between the device and mobile device management tools. Hackers can abuse this situation, which Check Point is calling SideStepper, to install new settings and root CAs that allow them to redirect traffic to an attacker-controlled proxy. From there, malicious apps can be pushed to devices that expose the user to a host of security and privacy risks.

 

Check Point, which is scheduled to present its findings Friday at Black Hat Asia, notified Apple last October. Check Point published its findings in a report today. Apple’s response is that the behavior is “expected.” Since the attacks rely on phishing and social engineering, it’s unknown whether Apple will address this or continue to advise users not to click on untrusted links.

 

Apple would not comment on the record. Mobile device management tools, meanwhile, are core technologies for large organizations wishing to maintain some kind of handle on mobile devices accessing enterprise assets.

 

The tools are used to push configuration profiles, security policy and much more to devices; many allow for the use of personal devices on the network, and compartmentalize them so that only enterprise data can be wiped in the event a device is lost or the employee leaves a company.

 

“The certificate will configure a VPN tunnel that will enable the attacker to insert a communication path between the phone and the MDM server,” said Avi Rembaum, vice president of security solutions at Check Point. “That then becomes their distribution vehicle for malicious apps. With the man-in-the-middle attack, the MDM system simplifies application distribution and allows the attacker to bypass iOS 9 protections, opens the phone to a breach and gives them access to data on the phone.”

Check Point also shared data from a study of 5,000 iOS devices belonging to a Fortune 100 company; the company built more than 300 enterprise apps and was issued 116 unique enterprise certs from Apple, but only 11 were on a list of whitelisted developers. The remaining certificates belonged to developers with either negative reputations or very little indication of previously having developed iOS apps.

 

“You do have a gray area of risk that’s created,” Rembaum said. “Within this area, apps distributed by the enterprise program allow for malicious activity and abuse of the public API space of the phone. An attacker can use this to access the microphone, camera, device location. There’s a lot of information that can be used to go after individuals or to build a social engineering campaign to go after an entire company.”

 

Report From Check Point

 

The Source

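The step both articles above turn on is the configuration profile: Bashan describes it installing "routing commands and root certificates", and the Threatpost piece describes "new settings and root CAs" that send traffic to an attacker-controlled proxy. What an MDM admin handed a suspicious .mobileconfig actually wants is a quick way to see whether it carries that combination. The script below is an added example for this thread, not code from either article or from Check Point's report: it parses a profile with Python's standard-library plistlib and flags a trusted root CA payload appearing alongside a VPN or global-proxy payload. The PayloadType strings are Apple's documented profile payload identifiers; the two sample profiles at the bottom are constructed for illustration, and every hostname (vpn.example.invalid), identifier and certificate blob in them is a placeholder.

```python
"""Triage an iOS configuration profile (.mobileconfig) for the payload mix a
SideStepper-style phish relies on: a trusted root CA plus a VPN or global
proxy that routes device traffic through a host the attacker controls.

Added example for this thread, not code from the articles or from Check
Point. The sample profiles at the bottom are constructed; every hostname,
identifier and certificate blob in them is a placeholder."""
import plistlib

# Apple's documented PayloadType identifiers for the payloads that matter here.
ROOT_CA_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}
TRAFFIC_TYPES = {"com.apple.vpn.managed", "com.apple.proxy.http.global"}


def _endpoints(payload: dict) -> list:
    """Best-effort extraction of the server a VPN/proxy payload points at."""
    hosts = []
    if "ProxyServer" in payload:                       # global HTTP proxy
        hosts.append(payload["ProxyServer"])
    for section in ("VPN", "IPSec", "IKEv2", "PPP"):   # VPN sub-dictionaries
        block = payload.get(section)
        if isinstance(block, dict) and block.get("RemoteAddress"):
            hosts.append(block["RemoteAddress"])
    return hosts


def triage_profile(data: bytes) -> dict:
    """Parse a profile and summarise what accepting it would do to the device."""
    profile = plistlib.loads(data)
    findings = {
        "identifier": profile.get("PayloadIdentifier"),
        "root_cas": [],          # CAs the device would start trusting
        "traffic_redirect": [],  # hosts traffic would be routed through
        "non_removable": bool(profile.get("PayloadRemovalDisallowed", False)),
        "risk": "low",
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype in ROOT_CA_TYPES:
            findings["root_cas"].append(payload.get("PayloadDisplayName", ptype))
        elif ptype in TRAFFIC_TYPES:
            findings["traffic_redirect"].extend(_endpoints(payload) or [ptype])
    if findings["root_cas"] and findings["traffic_redirect"]:
        findings["risk"] = "high"    # CA + redirect: TLS can be decrypted upstream
    elif findings["root_cas"] or findings["traffic_redirect"]:
        findings["risk"] = "medium"
    return findings


# Constructed sample: the shape of a SideStepper-style phishing profile.
SIDESTEPPER_STYLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.mdm.enrollment",   # placeholder
    "PayloadDisplayName": "Corporate MDM Enrollment",
    "PayloadRemovalDisallowed": True,
    "PayloadContent": [
        {
            "PayloadType": "com.apple.security.root",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mdm.ca",   # placeholder
            "PayloadDisplayName": "Corporate Root CA",
            "PayloadContent": b"\x30\x03\x02\x01\x00",   # dummy bytes, not a real cert
        },
        {
            "PayloadType": "com.apple.vpn.managed",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.mdm.vpn",  # placeholder
            "UserDefinedName": "Corporate VPN",
            "VPNType": "IPSec",
            "IPSec": {"RemoteAddress": "vpn.example.invalid"},  # placeholder host
        },
    ],
})

# Constructed sample: an ordinary Wi-Fi profile, which should not trip the check.
BENIGN_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.wifi",   # placeholder
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
         "SSID_STR": "CorpWiFi", "EncryptionType": "WPA"},
    ],
})

if __name__ == "__main__":
    for blob in (SIDESTEPPER_STYLE_PROFILE, BENIGN_PROFILE):
        print(triage_profile(blob))
```

Two caveats when running this on a real file. Profiles distributed by an MDM are usually signed, which wraps the plist in a CMS/PKCS#7 DER envelope that plistlib will not parse; strip the envelope first (for example with `openssl smime -verify -noverify -inform der -in profile.mobileconfig`) and feed the extracted plist to `triage_profile`. And a "high" result is a prompt to look, not proof of malice: a legitimate corporate profile can carry exactly this combination, which is why the articles above stress that the phishing prompt looks like a normal MDM request. The useful question is whether the CA and the VPN or proxy endpoint are the ones your own MDM actually issues.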


Hey steven36 thanks for this one.

 

Apple have over the years given the "impression" of being bullet proof when it comes to this sort of thing. The more this sort of information is advertised the better!

 

As an MDM admin for a major company I have seen problem after problem with iOS go under-reported and Apple's responses have been less than impressive.

 

More and more of us live on our mobile devices these days and companies who build these devices need to secure them correctly and as users we need to be aware that all devices are vulnerable.

 
