A new security vulnerability has been identified on iPhone smartphones and iPad tablets, involving malicious iOS provisioning profiles. No live examples of an attack of this nature have been found; however, a proof of concept has been developed.
Provisioning profiles (mobileconfig files) control iOS settings such as network configurations. They are used by iPhone and iPad software developers to install development iOS applications on a device. Software developers use software simulators when developing new iOS applications; however, at some point in the software development cycle, the application should be tested on a real device before being uploaded to the AppStore. This is where provisioning profiles are used – they enable the developer to test on a real iPhone or iPad. Apple permits each developer to provision up to 100 devices. It takes only one tap to install a provisioning profile on the iPhone/iPad.
A malicious provisioning profile could alter the network configuration of the device so that all subsequent traffic from the device is routed via a server controlled by the attacker. This would enable the attacker to read the data being transmitted, including sensitive data such as bank logins, usernames and passwords, etc.
iOS has been far more secure than other mobile operating systems such as Android. Two main features contribute to Apple’s high security: application verification and sandboxing. All iOS applications are carefully scrutinised before being permitted on the AppStore, successfully excluding most malicious functions. Sandboxing ensures that each application executing on iOS is isolated from other applications and external data. This isolation limits the application’s permissions and capabilities and secures data entered into the application from other applications on the device.
It is very possible for iPhone/iPad users to be tricked into installing a malicious provisioning profile through social engineering. The security company that highlighted this vulnerability has shown how users could be enticed into installing a malicious profile in order to supposedly set their device up to receive free access to popular movies or TV shows, or to receive improved battery performance. It is quite feasible that social engineering techniques such as these would be successful in tricking iPhone/iPad users. Provisioning profiles are also used by cellular carriers, mobile device management solutions, and other mobile applications.
iPhone and iPad users should be careful when installing provisioning profiles and should only install them from reliable sources.
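One way to inspect a profile before it reaches a device, given here as an added example that is not from the original article or the proof of concept: the Python script below parses a mobileconfig file and lists the payloads that can change where the device's traffic goes. The list of payload types is a selection rather than a complete inventory, and the sample profile, its identifiers and its host name are constructed for illustration.

```python
import plistlib

# PayloadType values whose settings can redirect or expose device traffic.
RISKY_TYPES = {
    "com.apple.proxy.http.global": "global HTTP proxy",
    "com.apple.vpn.managed": "VPN configuration",
    "com.apple.dnsSettings.managed": "DNS resolver settings",
    "com.apple.apn.managed": "cellular APN settings",
    "com.apple.cellular": "cellular APN settings",
    "com.apple.security.root": "additional trusted root certificate",
}

def load_profile(data: bytes) -> dict:
    """Parse a profile; a signed one wraps the XML, so slice it out (best effort)."""
    start, end = data.find(b"<?xml"), data.rfind(b"</plist>")
    if start == -1 or end == -1:
        raise ValueError("no XML property list found in profile")
    return plistlib.loads(data[start:end + len(b"</plist>")])

def audit_profile(data: bytes) -> list[str]:
    """Return one finding per payload that can change where traffic goes."""
    payloads = load_profile(data).get("PayloadContent", [])
    if not isinstance(payloads, list):
        return ["PayloadContent is not a list; inspect manually"]
    findings = []
    for p in payloads:
        ptype = p.get("PayloadType", "")
        ident = p.get("PayloadIdentifier", "?")
        if ptype in RISKY_TYPES:
            findings.append(f"{ident}: {RISKY_TYPES[ptype]}")
        elif ptype == "com.apple.wifi.managed" and p.get("ProxyType", "None") != "None":
            findings.append(f"{ident}: Wi-Fi network with proxy")
    return findings

# Constructed sample profile (not a real one): a proxy payload and a root CA.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed sample",
    "PayloadContent": [
        {"PayloadType": "com.apple.proxy.http.global",
         "PayloadIdentifier": "example.proxy", "ProxyType": "Manual",
         "ProxyServer": "proxy.example.invalid", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.security.root",
         "PayloadIdentifier": "example.rootca", "PayloadContent": b"\x30\x00"},
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE):
        print("WARNING", line)
```

A proxy or VPN payload combined with a new trusted root certificate is the pairing to look for, since together they allow encrypted traffic to be read in transit.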
As of yet, no malicious provisioning profiles have been found in the wild. However, this does not mean there have not been any attacks. How big a threat is this vulnerability?
• A restriction on the extent of this threat is the 100 devices per developer limit – this vulnerability could only be used for very focussed, limited attacks.
• However, for the initial point of access in an Advanced Persistent Threat (APT), this method could well be extremely dangerous. The first phase of an APT is for the attacker to gain high-level access to the system. Malicious iOS provisioning profiles may offer this opportunity.
This proof of concept has shown that even relatively secure systems such as iOS have weaknesses and possible attack vectors. More information is here.