iPhones, iPads ripe for the picking

USENIX Security Symposium: Georgia Tech researchers show how PC botnets could infect iOS devices to steal passwords.

Attackers could compromise iPads and iPhones on a large scale through the infected computers that make up botnets, researchers say.

Nearly a quarter of zombie computers that make up certain known botnets eventually connect with Apple iOS devices, making these phones and tablets vulnerable to infection from malicious applications, a team from Georgia Institute of Technology said last week at the 23rd USENIX Security Symposium.


Attackers would install malicious applications on the iOS devices when they connect to infected PCs via USB cable or Wi-Fi, says the team led by Tielei Wang. The apps would steal passwords and other personal information.

Generally, iOS apps must come from the App Store, where they have been vetted, but in the past malicious apps have slipped under the radar until users discovered they were malicious, at which point Apple dropped them from the store, the researchers say. Planting apps in the store could be done again, and bot computers could download them before they were dropped.

Then, when an iOS device is attached to the bot computer, the bot would download the app onto the phone or tablet.

As a rule iOS devices will accept only those apps that are bound to their Apple ID. But the phones and tablets would accept the apps from the bot because iTunes running on the bot would be allowed to make the transfer. As the researchers put it, "Specifically, when an iOS device with Apple ID B is connected to iTunes with Apple ID A, iTunes can still sync apps purchased by Apple ID A to the iOS device, and authorize the device to run the apps."

This will work even after Apple has removed the malicious app from the App Store, they say. "Although Apple has absolute control of the App Store, attackers can leverage [Man in the Middle attacks] to build a covert distribution channel of iOS apps." The covert distribution channel would be the botnet.

The researchers show another mechanism to get malicious apps onto iOS devices by using permissions granted to developers for testing apps on devices or to enterprises for distributing in-house apps. With enough developer credentials, attackers could distribute malicious applications by getting around the protections put in place for App Store applications.

The researchers also discovered that while an iOS device is connected to a PC the host computer can connect to it via Apple File Connection (AFC) protocol. As a proof of concept, the researchers say they retrieved cookies from Facebook and Gmail apps on iOS devices, and transferred them to another computer where they were used to get into those Web accounts.

To estimate how many iOS devices might be vulnerable to such attacks the researchers used DNS traffic from two U.S. ISPs in 13 cities for five days last October. They searched the traffic for the domain names of known botnet command-and-control servers being tracked by security company Damballa to determine how many Windows machines on customer networks included bots. They eliminated Mac OS X machines from the count.

They came up with a conservative estimate that 23% of all the bot machines in the sample had Windows iTunes installed and also had iOS devices connecting from the same IP address, meaning these iOS devices could be vulnerable to the researchers' attacks. Put another way, if the attacks were bundled into payloads directed at the iOS devices, "there would be 75,714 potential victims in 13 cities, within the networks we monitor."
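The exposure estimate described above is a log-correlation exercise a network defender can reproduce on their own DNS data: flag client IPs that resolve tracked command-and-control names, drop hosts attributed to Mac OS X, and then ask what share of the remaining bots also show iTunes and iOS activity from the same address. The script below is an added example and is not code from the Georgia Tech paper; the domain names, the DNS log lines and the per-host OS attribution are all constructed placeholders (the researchers used Damballa's tracked C2 domains and ISP DNS traffic, which this example does not have).

```python
"""Correlate botnet C2 lookups with iTunes/iOS activity per client IP.

Added example, not from the paper. All domains, log lines and OS labels
below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed placeholder domain sets (not real indicators). In the study these
# roles were played by Damballa's tracked C2 domains and by Apple service names.
KNOWN_C2_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}
ITUNES_HINT_DOMAINS = {"itunes-client-placeholder.example"}
IOS_HINT_DOMAINS = {"ios-device-placeholder.example"}

# Constructed DNS query log: "<timestamp> <client_ip> <queried_name>" per line.
SAMPLE_DNS_LOG = """\
2013-10-01T10:00:00Z 10.0.0.1 c2-placeholder-1.example
2013-10-01T10:00:05Z 10.0.0.1 itunes-client-placeholder.example
2013-10-01T10:00:09Z 10.0.0.1 ios-device-placeholder.example
2013-10-01T10:01:00Z 10.0.0.2 c2-placeholder-2.example
2013-10-01T10:02:00Z 10.0.0.3 c2-placeholder-1.example
2013-10-01T10:02:01Z 10.0.0.3 itunes-client-placeholder.example
2013-10-01T10:02:02Z 10.0.0.3 ios-device-placeholder.example
2013-10-01T10:03:00Z 10.0.0.4 itunes-client-placeholder.example
2013-10-01T10:03:01Z 10.0.0.4 ios-device-placeholder.example
2013-10-01T10:04:00Z 10.0.0.5 c2-placeholder-2.example
2013-10-01T10:04:01Z 10.0.0.5 itunes-client-placeholder.example
2013-10-01T10:05:00Z 10.0.0.6 c2-placeholder-1.example
2013-10-01T10:05:01Z 10.0.0.6 ios-device-placeholder.example
this line is malformed and must be skipped
"""

# Constructed OS attribution per client IP (assumed to come from a separate
# fingerprinting source); the study dropped Mac OS X hosts from the bot count.
HOST_OS = {"10.0.0.1": "windows", "10.0.0.2": "windows", "10.0.0.3": "macos",
           "10.0.0.4": "windows", "10.0.0.5": "windows", "10.0.0.6": "windows"}


@dataclass
class HostActivity:
    queried_c2: bool = False   # resolved a tracked C2 name -> treat as a bot
    itunes: bool = False       # evidence of an iTunes client behind this IP
    ios: bool = False          # evidence of an iOS device behind this IP


def parse_dns_log(lines: Iterable[str]) -> Dict[str, HostActivity]:
    """Fold DNS query records into per-client-IP activity flags."""
    activity: Dict[str, HostActivity] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records instead of aborting the run
        _ts, client_ip, qname = parts
        qname = qname.lower().rstrip(".")
        host = activity.setdefault(client_ip, HostActivity())
        if qname in KNOWN_C2_DOMAINS:
            host.queried_c2 = True
        if qname in ITUNES_HINT_DOMAINS:
            host.itunes = True
        if qname in IOS_HINT_DOMAINS:
            host.ios = True
    return activity


def estimate_exposure(activity: Dict[str, HostActivity],
                      host_os: Dict[str, str]) -> Tuple[int, int, float]:
    """Return (bot count, bots with iTunes+iOS activity, share of bots exposed)."""
    bots = [ip for ip, a in activity.items()
            if a.queried_c2 and host_os.get(ip) != "macos"]
    exposed = [ip for ip in bots if activity[ip].itunes and activity[ip].ios]
    share = len(exposed) / len(bots) if bots else 0.0
    return len(bots), len(exposed), share


if __name__ == "__main__":
    acts = parse_dns_log(SAMPLE_DNS_LOG.splitlines())
    n_bots, n_exposed, share = estimate_exposure(acts, HOST_OS)
    print(f"bots={n_bots} exposed={n_exposed} share={share:.0%}")
```

Requiring both the iTunes and the iOS signal from one address, and excluding Mac OS X hosts, keeps the count conservative in the same way the article describes; a host that shows only one of the two signals is counted as a bot but not as exposed.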

The researchers say they've already told Apple about their discoveries. "We have made a full disclosure to Apple and notified Facebook and Google about the insecure storage of cookies in their apps," the researchers write in their paper. "Apple acknowledged that, based on our report, they have identified several areas of iOS and iTunes that can benefit from security hardening."
