Hackers can abuse the iOS mobile device management protocol to deliver malware

The attack bypasses the restrictions for enterprise app deployment introduced in iOS 9, Check Point researchers said

Starting with iOS 9, Apple has tried to make it harder for attackers to trick users into installing unauthorized apps on their devices by abusing stolen enterprise certificates. However, it left one door open that attackers can still exploit: the protocol used by mobile device management products.

In a presentation at the Black Hat Asia security conference on Friday, researchers from Check Point Software Technologies will demonstrate that the communication between MDM products and iOS devices is susceptible to man-in-the-middle attacks and can be hijacked to install malware on non-jailbroken devices with little user interaction.

Apple's tight control over the iOS App Store has made it hard, but not impossible, for attackers to infect iOS devices with malware.

The most common way for hackers to infect non-jailbroken iOS devices with malware is through stolen enterprise development certificates. These are code-signing certificates obtained through the Apple Developer Enterprise Program that allow companies to distribute internal apps to iOS devices without publishing them in the public app store.

In older versions of iOS, deploying an app signed with an enterprise certificate required the user to open a link where the app was hosted, agree to trust the developer and then agree to install the app. The process required user interaction, but it was easy enough to be abused in social engineering attacks that tricked users into performing the required steps.

According to Michael Shaulov, the head of mobility product management at Check Point, Apple decided to address this risk in iOS 9 by adding additional steps to the enterprise app deployment process. But it left open a loophole: the way in which MDM products install apps on iOS devices remained unaffected.

Companies use MDM products to control, configure, secure and, if necessary, wipe their employees' mobile devices. These products also include private app stores that allow companies to easily deploy apps to their employees' devices.

The Check Point researchers found that the MDM protocol implemented in iOS is susceptible to man-in-the-middle attacks and can be used to install malware on non-jailbroken devices.

The attack would only work against devices that are registered to an MDM server, but many mobile devices used in enterprise environments are.

The attacker would then need to trick the users of those devices into installing a malicious configuration profile. This wouldn't be hard to do either, because most enterprise users are used to installing such profiles, which are typically used to deploy VPN, Wi-Fi, email, calendar and other settings.

The malicious configuration profile distributed by the attacker would install a rogue root certificate and would configure a proxy for the device's Internet connection. This would route the device's traffic through a server under the attacker's control and would enable the man-in-the-middle attack.
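The two payloads that make the interception described above possible are a trusted root certificate and a device-wide HTTP proxy. The following Python script is an added example (not Check Point's tooling or anything from the original article) showing how a defender can inspect a configuration profile before approving it: it parses the profile's property list and flags payloads of Apple's root-certificate types (`com.apple.security.root`, `com.apple.security.pem`, `com.apple.security.pkcs1`) and the global proxy type (`com.apple.proxy.http.global`). The sample profiles are constructed for the example; the proxy host and identifiers in them are placeholders, not real indicators.

```python
import plistlib

# Apple payload types that, together, let a profile put a device's traffic
# under someone else's control: a trusted CA plus a proxy for all HTTP(S).
ROOT_CERT_TYPES = {
    "com.apple.security.root",
    "com.apple.security.pem",
    "com.apple.security.pkcs1",
}
PROXY_TYPES = {"com.apple.proxy.http.global"}

# Constructed sample (not a real artifact): looks like a Wi-Fi profile but
# carries a root CA and a manual global proxy, the pattern described above.
SUSPICIOUS_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.profile.constructed</string>
  <key>PayloadDisplayName</key><string>Corporate Wi-Fi Settings</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>example.rootca.constructed</string>
      <key>PayloadContent</key><data>MIIBogIBAA==</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.proxy.http.global</string>
      <key>PayloadIdentifier</key><string>example.proxy.constructed</string>
      <key>ProxyType</key><string>Manual</string>
      <key>ProxyServer</key><string>proxy.example.invalid</string>
      <key>ProxyServerPort</key><integer>8080</integer>
    </dict>
  </array>
</dict>
</plist>
"""

# Constructed benign profile: only a managed Wi-Fi payload, nothing to flag.
BENIGN_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.wifi.constructed</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>example.wifi.payload.constructed</string>
      <key>SSID_STR</key><string>CorpNet</string>
    </dict>
  </array>
</dict>
</plist>
"""


def find_risky_payloads(profile_bytes):
    """Return a list of findings for each root-CA or global-proxy payload.

    Expects an unsigned XML or binary plist; plistlib handles both. A signed
    (.mobileconfig wrapped in CMS) profile must be unwrapped first.
    """
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        ident = payload.get("PayloadIdentifier", "<no identifier>")
        if ptype in ROOT_CERT_TYPES:
            findings.append({"kind": "root_cert", "type": ptype,
                             "identifier": ident,
                             "detail": "adds a trusted CA to the device"})
        elif ptype in PROXY_TYPES:
            # Manual proxies name a host; PAC-based ones point at a script URL.
            server = payload.get("ProxyServer")
            port = payload.get("ProxyServerPort")
            target = f"{server}:{port}" if server else payload.get("ProxyPACURL", "?")
            findings.append({"kind": "proxy", "type": ptype,
                             "identifier": ident, "detail": target})
    return findings


def is_interception_profile(profile_bytes):
    """True when a profile carries both halves of the traffic-interception setup."""
    kinds = {f["kind"] for f in find_risky_payloads(profile_bytes)}
    return {"root_cert", "proxy"} <= kinds


if __name__ == "__main__":
    for name, blob in (("suspicious", SUSPICIOUS_PROFILE), ("benign", BENIGN_PROFILE)):
        print(f"{name}: interception={is_interception_profile(blob)}")
        for f in find_risky_payloads(blob):
            print(f"  {f['kind']:9} {f['identifier']} -> {f['detail']}")
```

Signed profiles are a DER-encoded CMS envelope around the plist; `openssl smime -verify -noverify -inform DER -in profile.mobileconfig` extracts the inner plist for this script, and an MDM administrator would normally also check the signer before trusting anything the profile says about itself. Note that either payload on its own deserves review: a root CA alone is enough to let a proxy configured by other means decrypt TLS.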

The hacker can then impersonate the MDM server and push a malicious app signed with a stolen enterprise certificate to the device. In a targeted attack, the app could be crafted to masquerade as an app that the user expects to receive.

The device would display a confirmation prompt asking the user if he agrees to install the app or not, but even if he declines, the attacker can keep sending the request again and again. This would essentially prevent the user from doing anything on the device until he agrees to install the app, Shaulov said.

Because this method bypasses iOS 9's new restrictions for enterprise app deployments, the Check Point researchers have named the vulnerability Sidestepper.

The misuse of enterprise certificates is not uncommon. According to Shaulov, a scan performed on around 5,000 iOS devices belonging to one of Check Point's customers, a Fortune 100 global company, found 300 sideloaded applications signed with over 150 enterprise certificates. Many of those certificates had been issued by Apple to entities in China and had been used to sign pirated versions of legitimate apps, but at least two apps were part of known malware families.

Lucian Constantin

IDG News Service