http://www.macnn.com/articles/13/03/13/vulnerability.comes.from.carrier.enterprise.configuration.profiles/

Report: carrier files in iOS could be misused for malware

updated 06:53 pm EDT, Wed March 13, 2013

 

Vulnerability comes from carrier, enterprise configuration profiles


An Israeli security firm has published a proof-of-concept pointing to a weak link in Apple's otherwise very tight security for its mobile platform iOS -- mobileconfig files. The profiles, which are often installed by carriers or enterprise device management solutions, can be downloaded from unencrypted websites, reports Skycure Security. If users were tricked (through social engineering or redirected websites) into installing a malicious profile, it would configure system-level settings to allow attackers access to several key iOS services.

Such a profile would effectively compromise Apple's built-in malware protections, though no actual incidents have thus far been reported. Apple's "walled garden" approach, which requires approval for apps before making them available for download, is not infallible, but is very effective in keeping truly malicious apps out of the ecosystem, unlike the Android platform. Mobileconfig files, however, have inherent permission to set up or re-configure certain settings on iOS devices, including email, VPN, Wi-Fi and APN.

Installing a malicious profile would allow attackers to re-route all outgoing data through their own servers or install untrustworthy root certificates -- the latter of which could be used to intercept and decrypt SSL/TLS secure connections, notes AppleInsider. Downloading mobileconfig files from unsecured websites also leaves users vulnerable to "man in the middle" attacks if they are using public Wi-Fi networks, the firm notes. It also mentions that some AT&T outlets use exactly this vulnerable method (downloading profiles from unencrypted websites over public Wi-Fi networks) to set up pay-as-you-go customers.

Until the problem can be fixed through more secure installation procedures for mobileconfig files or changes in the mobileconfig standard, Skycure suggests that users only install profiles from trusted websites and applications, and use only secure channels, such as https:// websites. In addition, users should be suspicious of any site that wants to install a configuration profile that can't be verified.
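As an added illustration (not code from Skycure or MacNN), the following sketch shows how a help desk or MDM reviewer could audit a downloaded profile before anyone installs it: it flags an unencrypted source, an unsigned profile, and payloads that touch the settings named above. The `PayloadType` identifiers come from Apple's configuration profile reference rather than from this article, and the sample profile and URLs are constructed for the example.

```python
import plistlib

# Apple PayloadType identifiers for the settings the article names
# (assumption: taken from Apple's profile reference, not from the article).
RISKY_PAYLOADS = {
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.vpn.managed": "routes traffic through a profile-chosen VPN",
    "com.apple.apn.managed": "changes the cellular APN settings",
    "com.apple.wifi.managed": "adds a Wi-Fi network configuration",
    "com.apple.mail.managed": "configures a mail account and its servers",
}
NOT_PLIST = "not a bare plist (possibly signed); verify the signer separately"

def audit_profile(data, source_url):
    """Return a list of findings for a downloaded .mobileconfig file."""
    findings = []
    if not source_url.lower().startswith("https://"):
        findings.append("fetched over an unencrypted channel: " + source_url)
    try:
        profile = plistlib.loads(data)
    except Exception:
        # Signed profiles are CMS-wrapped and do not parse as a plain plist.
        return findings + [NOT_PLIST]
    if not isinstance(profile, dict):
        return findings + ["unexpected top-level structure"]
    findings.append("profile is unsigned, so its origin cannot be verified")
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "") if isinstance(payload, dict) else ""
        if ptype in RISKY_PAYLOADS:
            findings.append(ptype + ": " + RISKY_PAYLOADS[ptype])
    return findings

# Constructed sample: an unsigned profile carrying a root certificate, a VPN
# configuration and a harmless web clip. The certificate bytes are a placeholder.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "Constructed carrier settings",
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadContent": b"placeholder"},
        {"PayloadType": "com.apple.vpn.managed", "VPNType": "IPSec"},
        {"PayloadType": "com.apple.webClip.managed", "Label": "Support"},
    ],
})

if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE, "http://example.com/carrier.mobileconfig"):
        print("-", line)
```

A signed profile is reported as needing separate signer verification because this sketch does not parse CMS; it only distinguishes the bare, unsigned form from everything else.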


by MacNN Staff

TAGS :

 iPhone, security, hacks, Apple, iPad, iOS

Comments

  1. Jeronimo2000

    Fresh-Faced Recruit

    Joined: 08-20-01

    Uhm, yeah

    This has been a known fact for a couple of years now, hasn't it?
