Mark Dowd, the head of Australia-based Azimuth Security, has stated that there is a vulnerability in AirDrop, Apple's file-sharing service, which allows unauthorized access to the device and can be used to install malware. A user whose AirDrop configuration allows file sharing with anyone, not merely their contacts, is susceptible to such attacks.
The attack can be executed even if the device is locked or the user does not allow their device to receive the file. According to Dowd, attackers can use a combination of attack methods to install malware on their victims' iOS or OS X devices. AirDrop is currently supported by iOS 7 or higher as well as Mac OS X Yosemite or higher.
The technique used by the attackers is known as a "directory traversal attack", in which the attackers gain unauthorized access to parts of the target operating system that should otherwise not be accessible to them. It was discovered that it is possible to change the configuration files of AirDrop so that the operating system accepts any app signed with an Apple Enterprise Certificate. The exploit allows hackers to install any app with this certification on the target device without requiring the consent of the user.
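The traversal described above comes down to a file receiver writing a sender-supplied file name without confining it to its inbox directory. The following added example (not Apple's or Dowd's code; the inbox path and the file names are constructed) contrasts that defective pattern with a hardened destination check that a receiver should apply before writing anything to disk.

```python
import os
from pathlib import Path

# Constructed sample: where a file-sharing receiver stores incoming files.
INBOX = Path("/var/receiver/inbox")


def naive_destination(inbox: Path, received_name: str) -> Path:
    """Defective pattern: the sender-supplied name is joined to the inbox
    as-is, so a name containing '../' segments resolves outside the inbox
    (e.g. onto a configuration file the receiver should never touch)."""
    return (inbox / received_name).resolve()


def safe_destination(inbox: Path, received_name: str) -> Path:
    """Hardened pattern: accept only a bare file name, then verify that
    the fully resolved target still lies inside the inbox before writing."""
    if "/" in received_name or "\\" in received_name:
        raise ValueError("rejected: path separators are not allowed")
    if received_name in ("", ".", ".."):
        raise ValueError("rejected: empty or dot-only file name")
    inbox_real = inbox.resolve()
    target = (inbox_real / received_name).resolve()
    # Defense in depth: even a name that passed the checks above must not
    # escape the inbox once symlinks and '..' segments are resolved.
    if inbox_real not in target.parents:
        raise ValueError("rejected: target escapes the inbox directory")
    return target


def triage_names(inbox: Path, names: list) -> dict:
    """Map each sender-supplied name to the inbox-relative path it would be
    written to, or to None when the hardened check rejects it."""
    outcome = {}
    for name in names:
        try:
            target = safe_destination(inbox, name)
            outcome[name] = str(target.relative_to(inbox.resolve()))
        except ValueError:
            outcome[name] = None
    return outcome
```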
(Image Source: securityafairs.com)
The certification is generally used by business enterprises to install Apple-compliant apps developed specifically for their organizational requirements. Since these apps are specific to the enterprises developing them, they are not available on the Apple App Store. Although these are legitimate apps with Apple certification, there have been reported instances, especially from China, of such certifications being used by iPhone jailbreaking groups to circumvent Apple's security protocols.
Dowd tested iOS 8.4.1 to check the AirDrop vulnerability. For the purpose of the demonstration, he locked his iPhone and enabled AirDrop, which is often not active on many devices, although many users do keep it enabled. The attacker then transfers the "payload" to the target device, and the malware remains dormant until the device is rebooted. A new enterprise-signed app gets installed along with a provisioning profile. This allows the malware to circumvent the App Store and marks the application as trusted without any popup.
To the user of the device, everything seems normal, and they do not realize that the security of their device has been compromised. In this test, Dowd manipulated Springboard, the app used to manage the home screen of iPhones. This resulted in the phone accepting the malware as a trusted enterprise-signed app and allowing its installation in the third-party app directory. The manipulation of Springboard allowed Dowd to replace the "Phone" app, which is used for making phone calls. The video of the demo can be viewed on the Forbes website.
According to Dowd, although the sandboxes used by Mac and iOS limit the function of apps to the specific containers where they are installed, it is still possible for such malware to gain access to a large chunk of information. Advanced hackers can even gain access to the kernel of the operating system, causing severe damage to the infected devices.
At this point, states Dowd, the best way to avoid such attacks is to upgrade to iOS 9 or Mac OS X El Capitan. iOS 9 requires a six-digit passcode instead of the four-digit passcode required in iOS 8.