Apple was warned about WireLurker months ago, Georgia Tech researcher says

The WireLurker malware that may have infected hundreds of thousands of Mac OS and iOS devices is essentially identical to a proof-of-concept attack Apple was warned about at the beginning of this year, according to the researcher who first publicly described such attacks.
The malware can siphon off data from iOS devices when they sync up with computers or are charged by computers via USB cables, but the potential for this type of attack can be much broader, says Tielei Wang, a researcher at Georgia Institute of Technology who presented a paper about such attacks at USENIX Security Symposium in August.

While WireLurker has targeted only Mac OS computers, similar attacks could come through computers running Windows and Linux operating systems, says Wang.

He says he submitted his work to USENIX at the start of 2014 and had already notified Apple about the findings then.

When asked whether Apple took any action based on Wang's warning, an Apple spokesman responded with this statement: "We are aware of malicious software available from a download site aimed at users in China, and we've blocked the identified apps to prevent them from launching. As always, we recommend that users download and install software from trusted sources."

Wang says that despite the blocking of the identified apps, it's still possible that new and similarly malicious applications could be written and distributed by third parties. It's also possible that such apps could infiltrate the App Store inventory and be downloaded by customers for a period before they are discovered to be malicious, he says.

Distributing any apps to iOS devices requires a signature generated by Apple. Alternatively, attackers could use an Apple enterprise developer license to generate their own signatures that iOS devices would then accept, Wang says. The developer licenses are meant to let businesses write their own iOS apps and then distribute them to their users without having to go through the App Store.

In his research paper Wang says botnets could be used as a distribution mechanism for this type of attack. Infected zombie machines would steal data from or download malicious apps to iOS devices when the devices connected via USB cable. In this case bot-herders would distribute the malware to the bots rather than the malware hiding in applications downloaded from app stores.

What's needed to stop WireLurker-type attacks is an Apple mechanism that allows computers connected to iOS devices by USB cables to download apps or gather data only if users explicitly allow it, Wang says. At the moment, Apple doesn't require such approval. "Apple over-trusts PCs," he says.

Wang says his research was intended to improve the security of Apple's products. "If it had seriously considered our report it probably could have prevented the attack," he says. "Sometimes security research is like a game. If you don't take action based on new knowledge, the other side could learn the new knowledge and be advanced."

Microsoft grants similar permissions for developers to sign their own Modern Apps, the name for apps designed to run specifically on Windows 8.1 machines. Wang says he hasn't studied it, but he thinks these Windows developer permissions could be exploited to devise WireLurker-type attacks against Windows 8.1 devices.