‘iTunes Wi-Fi Sync’ Feature Could Let Attackers Hijack Your iPhone, iPad Remotely

Mobile & Digital · 2018-04-19

Be careful when plugging your iPhone into a friend's laptop for a quick charge or to share a few files.

Researchers at Symantec have issued a security warning for iPhone and iPad users about a new attack, which they named "TrustJacking," that could allow someone you trust to remotely take persistent control of, and extract data from, your Apple device.

Apple provides an iTunes Wi-Fi sync feature in iOS that allows users to sync their iPhones to a computer wirelessly. To enable this feature, users have to grant one-time permission to a trusted computer (with iTunes) over a USB cable.

Once enabled, the feature allows the computer owner to secretly spy on your iPhone over the Wi-Fi network without requiring any authentication, even when your phone is no longer physically connected to that computer.

"Reading the text, the user is led to believe that this is only relevant while the device is physically connected to the computer, so assumes that disconnecting it will prevent any access to his private data," Symantec said.

Since nothing noticeable appears on the victim's device, Symantec believes an attacker could abuse the "relation of trust the victim has between his iOS device and a computer."

Researchers describe the following scenarios in which a TrustJacking attack can succeed, particularly when you trust the wrong computer:

  • Connecting your phone to a free charger at an airport and mistakenly approving the pop-up permission message to trust the connected station.
  • A remote attacker who is not on the same Wi-Fi network can also access iPhone data if the device owner's own "trusted" PC or Mac has been compromised by malware.

Moreover, the iTunes Wi-Fi sync feature could also be used to remotely install malicious apps on your iPhone, as well as to download a backup and steal all your photos, SMS/iMessage chat history, and application data.

"An attacker can also use this access to the device to install malicious apps, and even replace existing apps with a modified wrapped version that looks exactly like the original app, but is able to spy on the user while using the app and even leverage private APIs to spy on other activities all the time," Symantec said.

The TrustJacking attack could also allow trusted computers to watch your device's screen in real-time by repeatedly taking remote screenshots, observing and recording your every action.

After being notified by the Symantec researchers, Apple introduced another security layer in iOS 11 that asks users to enter their iPhone's passcode when pairing the device with a computer.

However, Symantec says the loophole remains open, as the patch does not address the primary concern: there is still no noticeable indication on the device and no mandatory re-authentication between the user's device and the trusted computer after a given interval of time.

"While we appreciate the mitigation that Apple has taken, we’d like to highlight that it does not address Trustjacking in a holistic manner," Symantec's Roy Iarchy said. "Once the user has chosen to trust the compromised computer, the rest of the exploit continues to work as described above."

The best and simplest way to protect yourself is to ensure that no unwanted computers are trusted by your iOS device. To do this, you can clear the list of trusted computers by going to Settings → General → Reset → Reset Location & Privacy.

Most importantly, always deny access when asked to trust a computer while charging your iOS device. Your device will still charge from the computer without exposing your data.

The Hacker News
