Hackers can abuse the iOS mobile device management protocol to deliver malware

The attack bypasses the restrictions for enterprise app deployment introduced in iOS 9, Check Point researchers said

Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates. However, it left one door open that attackers can still exploit: the protocol used by mobile device management products.

In a presentation at the Black Hat Asia security conference on Friday, researchers from Check Point Software Technologies will demonstrate that the communication between MDM products and iOS devices is susceptible to man-in-the-middle attacks and can be hijacked to install malware on non-jailbroken devices with little user interaction.

Apple's tight control over the iOS App Store has made it hard, but not impossible, for attackers to infect iOS devices with malware.

The most common way for hackers to infect non-jailbroken iOS devices with malware is through stolen enterprise development certificates. These are code-signing certificates obtained through the Apple Developer Enterprise Program that allow companies to distribute internal apps to iOS devices without publishing them in the public app store.

In older versions of iOS, deploying an app signed with an enterprise certificate required the user to open a link where the app was hosted, agree to trust the developer and then agree to install the app. The process required user interaction, but it was easy enough to be abused in social engineering attacks that tricked users into performing the required steps.

According to Michael Shaulov, the head of mobility product management at Check Point, Apple decided to address this risk in iOS 9 by adding additional steps to the enterprise app deployment process. But, it left open a loophole: the way in which MDM products install apps on iOS devices remained unaffected.

Companies use MDM products to control, configure, secure and, if necessary, wipe their employees' mobile devices. These products also include private app stores that allow companies to easily deploy apps to their employees' devices.

The Check Point researchers found that the MDM protocol implemented in iOS is susceptible to man-in-the-middle attacks and can be used to install malware on non-jailbroken devices.

The attack would only work against devices that are registered to an MDM server, but many mobile devices used in enterprise environments are.

Then the attacker would need to trick the users of those devices to install a malicious configuration profile. This wouldn't be hard to do either, because most enterprise users are used to installing such profiles. They are typically used to deploy VPN, Wi-Fi, email, calendar and other settings.

The malicious configuration profile distributed by the attacker would install a rogue root certificate and would configure a proxy for the device's Internet connection. This would route the device's traffic through a server under the attacker's control and would enable the man-in-the-middle attack.

The hacker can then impersonate the MDM server and push a malicious app signed with a stolen enterprise certificate to the device. In a targeted attack, the app could be crafted to masquerade as an app that the user expects to receive.

The device would display a confirmation prompt asking the user if he agrees to install the app or not, but even if he declines, the attacker can keep sending the request again and again. This would essentially prevent the user from doing anything on the device until he agrees to install the app, Shaulov said.

Because this method bypasses iOS 9's new restrictions for enterprise app deployments, the Check Point researchers have named the vulnerability Sidestepper.

The misuse of enterprise certificates is not uncommon. According to Shaulov, a scan performed on around 5,000 iOS devices belonging to one of Check Point's customers -- a Fortune 100 global company -- found 300 sideloaded applications signed with over 150 enterprise certificates. Many of those certificates had been issued by Apple to entities in China and had been used to sign pirated versions of legitimate apps, but at least two apps were part of known malware families.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleCheck PointCheck Point Software TechnologiesPoint Software TechnologiesSoftware Technologies

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place