During a presentation at the RSAC conference, researchers from Symantec delivered their findings on a new vulnerability tied to a function within Apple’s iTunes. The specific function here is iTunes’ “WiFi Sync,” and if this new vulnerability is exploited properly, attackers can gain control of a victim’s device. Calling this iOS sync vulnerability “trustjacking,” the Symantec researchers, namely Adi Sharabani (senior vice president of modern OS security at Symantec), state that the actions of the user are inextricably linked to whether or not the attack is successful. They explain the process of the iOS sync vulnerability as follows:
The user connects to a malicious computer one time — and chooses to trust the computer. That’s the only experience from the end user that you see in this attack. From now on that malicious computer can still communicate with the device via Wi-Fi — and there is no indication of this for the end user.
The actual access that an attacker gains as a result is quite extensive. Symantec notes that the hacker can keep tabs via screenshots on the device’s activity in “real time.” Additionally, the cybercriminal can access photos, SMS and iMessage chats history, app data, and also install malware to further hack the devices,
While the attack itself is easy to enable, it is also easy to (as one may deduce) prevent. You mustn’t sync your device when asked by a computer’s iTunes to do so. The problem here is, put simply, most iTunes users sync their devices at one point or another. As such this is still a huge problem and Apple, according to the Symantec presentation, was notified about the vulnerability.
Apple’s response to the vulnerability was to update iOS 11 with a requirement that the user input a unique password to prove their identity. Symantec, however, does not believe this truly solves the issue in a “holistic” way. The problem remains that, even with the password, if a computer is infected and accessed by a hacker there is nothing that the user can do.
For now, Symantec recommends going to “Settings > General > Reset > Reset Location & Privacy” and reauthorizing “all previously connected computers next time they are connecting the iOS device to each device.” This is only a temporary fix, however, and ultimately it will take some work on Apple’s part to fix this exploit in an intuitive fashion.
Photo credit: Shutterstock