Are Malicious Configuration Profiles iOS’ Achilles Heel?

As part of our ongoing efforts to protect our clients from all types of mobile threats, Lacoon researches malicious iOS configuration profiles. We have gained many insights from this research, and to share them we recorded a podcast episode with one of the senior security researchers at Lacoon Mobile Security, Dan Koretsky.

You can hear the podcast here in our new Mobile Security Talk Podcast Channel.
For those who prefer the written word, we have summed up our conversation with Dan:

What exactly is an iOS configuration profile?

Configuration profiles are settings “packages” created with Apple’s iPhone Configuration Utility. They’re intended for IT departments and cellular carriers. Essentially, they’re an easy way of distributing network settings to iOS devices.

For example, a configuration profile can contain Wi-Fi, VPN, email, calendar, and even password restriction settings. A configuration profile can be distributed to employees, allowing them to quickly configure their device to connect to the corporate network and other services. A cellular carrier could distribute a configuration profile file containing its access point name (APN) settings, allowing users to easily configure cellular data settings on their device without having to enter all the information manually.

How is a configuration profile deployed to a device?

There are several ways to deploy configuration profiles:

  • Using Apple Configurator
  • In an email message
  • On a webpage
  • Over the air using a Mobile Device Management Server

What threats can a configuration profile pose to enterprise security?

A user may be tricked into downloading a malicious configuration profile. Depending on the profile, the device can eventually be configured to re-route email traffic (enabling the attacker to read all incoming and outgoing corporate emails) or to perform other surveillance tasks such as recording conversations, text messages and even room audio.

For example, an attacker could use social engineering and distribute a phishing email encouraging employees of a corporation to install a malicious configuration profile attached to the email. An attacker could also set up a phishing site that prompts visitors to download a configuration profile.

When the configuration profile is downloaded, iOS will display information about the contents of the profile and ask the user if they want to install it – the social engineering factor is critical, as the user has to be convinced the profile is legitimate.

Malicious Configuration Profiles in the Wild

As of now, no evidence has been found of a configuration profile attack in the wild. It’s worth noting that, although not an attack, last year LinkedIn upset many customers by installing an aggressive configuration profile as part of a new iOS app – LinkedIn Intro.

The configuration profile defined a unique email account on the LinkedIn servers for each email account you have. In turn, those LinkedIn email accounts linked back to your respective email accounts. LinkedIn did this via a configuration profile to basically circumvent the mail apps' security mechanisms. Mail apps do not allow extensions for the simple reason that emails are intended to be kept private and not altered. However, a configuration profile can bypass those security hurdles.

As mentioned, LinkedIn upset many customers with this addition – so much so that 3 months after introducing the feature, LinkedIn withdrew it from their offering.

Mitigating configuration-profile based attacks

To prevent data exfiltration, a solution needs to be in place that can not only detect rogue or altered profiles, but also block and remove them to eliminate the threat.

Configuration profiles can’t hide themselves. They can only direct the affected device towards malicious servers and install malicious certificates. Once the offending configuration profile is removed, the harmful changes are erased with it.

In general, make sure configuration profiles always come from a trusted source and are verified. You should also only download and install profiles from ‘secure’ HTTPS links, and ensure that your profiles are kept up to date, as expired profiles are potentially vulnerable to exploitation.
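As an added example (not from the podcast or from Lacoon's product), the following Python audit shows what "detecting a rogue profile" can look like in practice: it parses an unsigned .mobileconfig plist and flags the changes discussed above, a mail payload that re-routes email through servers outside the corporate domain, a root certificate payload, a global proxy or VPN, and a profile the user is not allowed to remove. The payload type and key names are Apple's real identifiers; the sample profile and the `example.com` trust list are constructed for illustration.

```python
import plistlib

# Real Apple payload identifiers whose presence in an unsolicited profile warrants review.
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root CA certificate",
    "com.apple.proxy.http.global": "routes all HTTP(S) traffic through a proxy",
    "com.apple.vpn.managed": "adds a VPN that can carry all device traffic",
}

def audit_profile(data, trusted_mail_suffixes):
    """Return (payload_type, finding) pairs for a .mobileconfig; an empty list means nothing flagged."""
    # A CMS/PKCS#7-signed profile is DER (first byte 0x30), not XML: verify and unwrap it first.
    if data[:1] == b"\x30":
        return [("profile", "signed profile: verify signature and extract plist first")]
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadRemovalDisallowed"):
        findings.append(("profile", "PayloadRemovalDisallowed set: user cannot remove it"))
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "?")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype]))
        if ptype == "com.apple.mail.managed":
            # The email re-route case: mail servers that are not under a trusted corporate domain.
            for key in ("IncomingMailServerHostName", "OutgoingMailServerHostName"):
                host = payload.get(key, "")
                if not host.endswith(tuple(trusted_mail_suffixes)):
                    findings.append((ptype, f"{key} points to untrusted host {host}"))
            if not payload.get("IncomingMailServerUseSSL", False):
                findings.append((ptype, "incoming mail configured without SSL/TLS"))
    return findings

# Constructed sample (not a real profile): a mail profile that also sneaks in a root CA.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.it.mail</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mail.managed</string>
      <key>IncomingMailServerHostName</key><string>imap.mail-relay.example.net</string>
      <key>IncomingMailServerUseSSL</key><true/>
      <key>OutgoingMailServerHostName</key><string>smtp.example.com</string>
    </dict>
    <dict><key>PayloadType</key><string>com.apple.security.root</string>
          <key>PayloadContent</key><data>MIIB</data></dict>
  </array>
</dict></plist>"""
```

Running `audit_profile(SAMPLE_PROFILE, ("example.com",))` yields three findings: the non-removable flag, the incoming IMAP server outside example.com, and the root certificate payload.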
