Security Updates in iOS 7.1 – Reading Between the Lines

Earlier this week, Apple released iOS7.1. The update contained 46 vulnerabilities, 20 of which deemed to be critical issues.

While Apple’s efforts are laudable and should be encouraged, it is important to note that there are two problems that cannot be patched:

    1. In the iOS world, IT managers have no visibility into exploits of actual vulnerabilities.
    2. There are some inherent key vulnerabilities that do not provide the complete required solution. Although Apple addressed specific related vulnerabilities, these only touch the problem, but not the underlying design issues which cannot be fixed. What are they?

Malicious iOS Configuration Profiles

A profile is an extremely sensitive optional configuration file which allows to re-define different system functionality parameters such as mobile carrier settings, Mobile Device Management (MDM) settings and networking settings. Through social engineering techniques such as email phishing or a fake URL, an attacker can convince a user to install a malicious profile and compromise the device settings to silently route network traffic from the device to a remote proxy over SSL using a self-signed certificate.

The impact:
Once the attacker has re-routed all traffic from the mobile device to their own server, they can begin to install other malicious apps and decrypt SSL communications.

The vulnerability:
CVE-2014-1282. Malicious configuration profiles can be completely hidden from the user by assigning a longer than expected name to the profile

What to watch out for:
Apple has patched the hidden profile vulnerability. However, the fundamental attack vector still exists. Consequently, it is still possible to trick the user to install a malicious iOS configuration profile on iOS 7.1.

How can Lacoon MobileFortress help? MobileFortress detects generic malicious modification to the network settings of iOS devices, whether hidden or not. It then alerts the user and blocks further malicious communications.

Jailbreak Vulnerabilities

Overview:A jailbroken device means that all the built-in iOS security mechanisms have been removed. New iOS starts out being jailbreak free. It’s then a matter of time until attackers release a matching jailbreak.

The impact:
When targeting a Jailbroken device, attackers have multiple access platforms at their disposal. Consequently, it also enables attackers to easily install a malicious executable, such as a mobile Remote Access Trojan (mRAT). As its name implies, an mRAT takes full control of the sensors and the hardware of the mobile device without the owner’s knowledge.

The vulnerability:
CVE-2013-5133, CVE-2014-1272, CVE-2014-1273 and CVE-2014-1278. These vulnerabilities lead to a device jailbreak.

What to watch out for: Hacking groups like evad3rs are now capable of releasing updates to their jailbreak tools within days of an iOS release. There are a number of similar groups who aim to find as many holes in a new iOS version as possible. They are usually non-profit teams that want to ensure users can jailbreak their phones as fast as possible.

How can Lacoon MobileFortress help?
MobileFortress periodically tests the iOS device for Indicators of Compromise (IoC) related to jailbreaks. Accordingly, it alerts the device owner and IT administrator, while also mitigating any issues that might have arisen due to malicious apps installed on the jailbroken device.

Malicious Applications on Non-Jailbroken Devices

Overview: Malicious apps can range from mobile surveillance software with limited capabilities, to a full-scale mRAT that can collect many types of data from the device and receive commands from a remote server. A large percent of iOS malware only affects jailbroken devices, however advanced mRATs can now affect non-jailbroken devices. Essentially, it’s about crossing two hurdles – malware finding it’s way to the device then successfully attaching itself.

The impact:
Once malware has installed itself on the device, based on how advanced it is, it can do anything from stealing calendar events to eavesdropping on device microphone, grabbing GPS data and passwords.

The vulnerability :
CVE-2014-1276. Enables key-logging and click-logging on a non-jailbroken device.

What to watch out for:
This vulnerability does not only affect non-jailbroken devices, but also enables an attacker to compromise the integrity of secure containers and wrapping technologies.
This specific vulnerability may have been patched, but not only is it a sign of things to come regarding mRATs on non-jailbroken devices, it seems that Apple’s success in keeping the Appstore malware-free won’t be enough. It’s still possible to sideload malicious iOS Apps via stolen or fraudulent certificates (thus bypassing the App Store). In turn, these malicious apps can steal contact, calendar and email information and are able to control and record different sensors, including a device’s microphone and GPS.

How can Lacoon MobileFortress help?
MobileFortress detects sideloaded iOS apps that use stolen or fraudulent certificates and alerts the device owner and IT administrator.

For those interested in learning more about the threats to iOS devices, read our blog entry: “The Spy in Your Pocket, Part 2: Cyber Threats to iOS”

Or, watch the Top 5 Cyber Risks to iOS devices on YouTube:

Thanks goes to Shalom Bublil and Roman Blachman for assisting in writing this blog.