Check Point, a pure-play security vendor, has presented SideStepper at the Black Hat Asia 2016 conference: a vulnerability that can be used to install malicious enterprise apps on iPhone and iPad devices running iOS 9.x that are enrolled with a mobile device management (MDM) solution.
SideStepper (free whitepaper, registration required) lets enterprise apps be installed through the MDM channel, which is exempt from the iOS 9.x security enhancements that otherwise require the user to explicitly trust an enterprise developer certificate. It allows a cybercriminal to imitate trusted MDM commands, including the over-the-air installation of apps signed with enterprise developer certificates.
This exemption allows an attacker to side-step Apple’s solution meant to thwart installation of malicious enterprise apps.
How do iPhone and iPad devices become exposed?
The cybercriminal uses a phishing attack to convince a user to install a malicious configuration profile. This simple and often effective method uses familiar messaging platforms such as SMS, instant messaging or email to trick the user into following a malicious link.
Once installed, the malicious profile lets the attacker stage a man-in-the-middle (MitM) attack on the communication between the device and the MDM solution. The attacker can then hijack and imitate MDM commands that iOS trusts, including the command that installs enterprise apps over the air.
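The malicious profile is the foothold for the whole attack, so the most practical check a user or administrator can make is to look at what a profile actually contains before it is installed. The following added example (not Check Point's code and not taken from the whitepaper) parses a .mobileconfig with Python's plistlib and flags payload types that would let a third party sit between the device and its MDM server. It assumes that such a profile carries a root CA together with a global proxy or VPN payload to redirect the MDM traffic; the sample profile, its hostnames and UUIDs are constructed for the example.

```python
"""Inspect an iOS configuration profile (.mobileconfig) for payloads that would
give its author a man-in-the-middle position between a device and its MDM server.

Added example, not Check Point's tooling. SAMPLE_PROFILE is constructed here;
the PayloadType strings are Apple's documented configuration-profile payload types.
"""
import plistlib
from typing import Iterator, List, Tuple

# Payload types that put a third party in the device's traffic path or let it
# mint TLS certificates the device will trust.
SUSPICIOUS_PAYLOADS = {
    "com.apple.security.root": "installs a root CA the device will trust for TLS",
    "com.apple.security.pkcs1": "installs a CA certificate",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "routes traffic through a VPN the profile author controls",
    "com.apple.mdm": "enrols the device with an MDM server",
}

# Constructed sample: presented to the user as Wi-Fi settings, but it also carries
# a root CA and a global HTTP proxy (the assumed MitM set-up). Hostnames are fake.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi</string>
  <key>PayloadIdentifier</key><string>wifi.example.invalid.profile</string>
  <key>PayloadUUID</key><string>00000000-0000-4000-8000-000000000001</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>CorpNet</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadContent</key><data>AAAA</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def profile_is_signed(profile: bytes) -> bool:
    """Heuristic: a signed profile is a DER-encoded CMS blob, which starts with an
    ASN.1 SEQUENCE tag (0x30); an unsigned profile is bare XML. iOS labels an
    unsigned profile "Not Signed" in the install prompt."""
    return profile[:1] == b"\x30"


def walk_payloads(node) -> Iterator[dict]:
    """Yield every dict carrying a PayloadType, at any nesting depth."""
    if isinstance(node, dict):
        if "PayloadType" in node:
            yield node
        for value in node.values():
            yield from walk_payloads(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk_payloads(value)


def inspect_profile(profile: bytes) -> List[Tuple[str, str]]:
    """Return (PayloadType, reason) for each payload that could enable MitM.
    Expects an unsigned (plain XML) profile; unwrap a signed one first, e.g.
    with `openssl smime -inform der -verify -noverify`."""
    findings = []
    for payload in walk_payloads(plistlib.loads(profile)):
        ptype = payload.get("PayloadType", "")
        if ptype not in SUSPICIOUS_PAYLOADS:
            continue
        reason = SUSPICIOUS_PAYLOADS[ptype]
        # Name the concrete target where the payload carries one.
        if ptype == "com.apple.proxy.http.global":
            reason += " at %s:%s" % (payload.get("ProxyServer"), payload.get("ProxyServerPort"))
        elif ptype == "com.apple.mdm":
            reason += " at %s" % payload.get("ServerURL")
        elif ptype == "com.apple.vpn.managed":
            reason += " via %s" % payload.get("VPN", {}).get("RemoteAddress")
        findings.append((ptype, reason))
    return findings


if __name__ == "__main__":
    print("signed:", profile_is_signed(SAMPLE_PROFILE))
    for ptype, reason in inspect_profile(SAMPLE_PROFILE):
        print("%-30s %s" % (ptype, reason))
```

Run this against a profile fetched from a suspect link instead of tapping Install. A genuine MDM enrolment profile typically carries com.apple.mdm and its identity certificate and is signed by the MDM vendor; a profile that claims to be Wi-Fi or mail settings yet also installs a root CA and a global proxy is exactly the combination the attack needs.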
What iOS devices are at risk?
The vulnerability potentially impacts millions of devices: any iPhone or iPad enrolled in an MDM solution.
How would I know if my iPhone/iPad is under attack?
Apple does not give third-party providers of advanced mobile threat detection and mitigation the low-level access to iOS they would need, so there is little chance a user would notice that anything malicious had taken place.
On a managed iOS device, commands from the MDM are trusted, and because these commands appear to the user to come from the MDM that already manages the device, the entire process seems authentic.
What is the risk if the vulnerability is exploited?
An attacker could use a number of MDM commands to exploit the vulnerability, with consequences ranging from nuisances to data exfiltration. Attackers can install malicious apps with a broad range of functionality.
Since iOS trusts these apps, and because the installation process is familiar to the user, infection is seamless and immediate. This vulnerability puts the user, the sensitive information on the device and voice conversations within earshot of the device at significant risk. Malicious apps can be designed to:
- Capture screenshots, including screenshots taken inside secure containers
- Record keystrokes, exposing login credentials of personal and business apps and sites to theft
- Save and send sensitive information like documents and pictures to an attacker's remote server
- Control sensors like the camera and microphone remotely, allowing an attacker to view and capture sounds and images