New iOS exploit works only on managed devices

Researchers find they can insert a rogue profile in an enterprise-configured iOS device, but it requires phishing to work.


A new vector for getting malware onto iOS seems unlikely to be easily exploitable except in very particular circumstances. Researchers from Check Point presented Thursday at the Black Hat Asia 2016 conference (summarized in a PDF) how iOS devices enrolled in a business-scale management system can be attacked via phishing without leaving much of a trace. A legitimate-seeming message can lead a user to tap a link and install a configuration profile without the additional alerts an unmanaged device would show, leaving the device susceptible to a host of attacks.

But surely this would only affect people using iOS in enterprises. Attackers would need to obtain phone numbers or email addresses of potential targets to get any reasonable yield of victims. Administrators would be alert to the problem. Right?

This unfortunately overlooks a not-very-underground market for third-party app stores in China, which rely on enterprise certificates to bypass Apple’s protections. Those stores have trained the users who both frequent them and carry managed devices to accept dodgy profiles and ignore warning messages.

Most people won’t be affected by this, and most who might be won’t accept unknown profiles. The economics are probably poor enough in most cases that attackers won’t find it worthwhile to pursue. Still, it’s something Apple and enterprise risk-mitigation software companies should be keeping an eye on.

Beam me up

Apple restricts installing apps in iOS to those obtained via its App Store, with a couple of footnotes. Developers and others can use Xcode to create apps or load app projects, compile them, and install them on a limited number of devices, either under their control or via beta-test distribution systems. (F.lux used this method to distribute its color-temperature control app until Apple asked it to stop in early 2016.)

The other method is designed for enterprises via the Apple Developer Enterprise Program. Members of this program get a certificate that they can distribute to iOS users connected to a company, which allows software written in-house to be installed outside of the mainstream App Store.

That mechanism has been abused to create unauthorized app stores, especially in China, without requiring jailbroken phones. Instead, consumers install an enterprise profile, and can then use other methods to purchase and install apps. It’s extremely dangerous, of course, but Chinese consumers are used to lacking direct access to the online resources available outside that government’s filters and firewalls, and this risk may not strike them as distinctly different from the other online workarounds they regularly engage in.

Misuse of enterprise accounts has come up before as a way to confuse consumers into installing unwanted software. This includes firms like Hacking Team, which violated its Apple license to aid in device snooping for its government and other clients. (A wiki has compiled a complete narrative list.)

Set against the misuse of enterprise certificates, however, is Apple’s ability to revoke them immediately. Exploits that rely on broken parts of an operating system keep working until an update ships and people install it. With this pathway, Apple can act on reports and immediately block the certificate, limiting the reach and duration of any abuse. (On OS X, Apple can similarly push malware signatures to a Mac silently through XProtect, and Gatekeeper lets it revoke developer certificates to block malware or misuse.)

Managed devices face a phishing risk

Check Point’s paper describes an avenue for attack that affects a small subset of all iOS device owners. First, a device has to be enrolled in some form of mobile device management (MDM) system, which is common for enterprises. Second, an incoming profile has to be received via a phishing attack. A malicious party might use SMS or send email with a link suggesting a new certificate that needs to be installed.

What Check Point says happens is that the MDM-enrolled iOS device gives the incoming profile less scrutiny, and requires fewer hoops to be jumped through, than an unmanaged device that uses enterprise certificates. An installed profile can bypass internal security controls, redirect Internet traffic through a malicious server, and install a root certificate-authority certificate so that spoofed or intercepted sites produce no warning to the user.
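As an added illustration (example code written for this article, not Check Point’s or Apple’s), here is how an administrator or analyst might triage a configuration profile before it reaches users, flagging the payload types the paragraph above describes: a global proxy that reroutes traffic and a root certificate that silences TLS warnings. The Apple PayloadType identifiers are real; the two sample profiles, hostnames, organization name and UUIDs are constructed, and the choice of which payloads to flag is this script’s own assumption.

```python
"""Triage an iOS configuration profile (.mobileconfig) for risky payloads.

Added example for this article; not code from Check Point, Apple or Macworld.
A configuration profile is a property list whose top-level PayloadContent array
lists payload dictionaries, each identified by an Apple-defined PayloadType.
The payload type strings below are Apple's; the sample profiles, organization
name, hostnames and UUIDs are constructed, and which payloads count as
"risky" is this script's assumption.
"""
import plistlib

# Payload types that put the installer between the device and the network,
# or make the device trust certificates the installer controls.
RISKY_PAYLOADS = {
    "com.apple.proxy.http.global": "global HTTP proxy: all web traffic routed via a server of the installer's choosing",
    "com.apple.security.root": "root CA certificate: TLS warnings silenced for any host this CA signs",
    "com.apple.vpn.managed": "VPN configuration: all traffic can be tunnelled to the installer",
    "com.apple.mdm": "MDM enrollment: hands ongoing device control to the listed server",
    "com.apple.webClip.managed": "web clip: home-screen icon that opens an arbitrary URL",
}

# Keys in which a risky payload names the server it points the device at.
TARGET_KEYS = ("ProxyServer", "ServerURL", "URL", "RemoteAddress")


def triage_profile(raw: bytes) -> dict:
    """Parse an unsigned (XML or binary plist) profile and list red flags.

    Signed profiles are CMS/DER wrappers around the plist and must be unwrapped
    first (e.g. `openssl smime -verify -noverify -inform DER -in p.mobileconfig`).
    """
    if not (raw.lstrip().startswith(b"<?xml") or raw.startswith(b"bplist")):
        raise ValueError("not a plain plist; unwrap the CMS signature first")
    profile = plistlib.loads(raw)
    findings = []

    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType is not 'Configuration'")
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("PayloadRemovalDisallowed is set: user cannot remove the profile later")

    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype not in RISKY_PAYLOADS:
            continue
        target = next((str(payload[k]) for k in TARGET_KEYS if k in payload), "")
        note = f"{ptype}: {RISKY_PAYLOADS[ptype]}"
        findings.append(f"{note} -> {target}" if target else note)

    return {
        "organization": profile.get("PayloadOrganization", ""),
        "identifier": profile.get("PayloadIdentifier", ""),
        "findings": findings,
        "risky": bool(findings),
    }


def _profile(identifier, org, payloads, **top):
    """Build a profile plist the way it would sit on disk (constructed data)."""
    doc = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": "00000000-0000-4000-8000-000000000001",  # constructed
        "PayloadOrganization": org,
        "PayloadContent": payloads,
    }
    doc.update(top)
    return plistlib.dumps(doc)


# Constructed phishing-style profile: a "security update" that installs a proxy
# and a CA. The certificate bytes are a dummy DER SEQUENCE, not a real cert.
PHISHED_PROFILE = _profile(
    "com.example-corp.security-update", "Example Corp IT",
    [
        {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example-corp.security-update.proxy",
         "PayloadUUID": "00000000-0000-4000-8000-000000000002",
         "ProxyType": "Manual", "ProxyServer": "proxy.attacker.example",
         "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
         "PayloadIdentifier": "com.example-corp.security-update.ca",
         "PayloadUUID": "00000000-0000-4000-8000-000000000003",
         "PayloadCertificateFileName": "root.cer",
         "PayloadContent": b"\x30\x03\x02\x01\x00"},
    ],
    PayloadDisplayName="Corporate Security Update",
    PayloadRemovalDisallowed=True,
)

# Constructed benign profile: a Wi-Fi network definition only.
WIFI_PROFILE = _profile(
    "com.example-corp.wifi", "Example Corp IT",
    [{"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
      "PayloadIdentifier": "com.example-corp.wifi.office",
      "PayloadUUID": "00000000-0000-4000-8000-000000000004",
      "SSID_STR": "ExampleCorp", "EncryptionType": "WPA2",
      "Password": "constructed-example"}],
)

if __name__ == "__main__":
    for name, blob in (("phished", PHISHED_PROFILE), ("wifi", WIFI_PROFILE)):
        report = triage_profile(blob)
        print(f"{name}: risky={report['risky']} org={report['organization']!r}")
        for finding in report["findings"]:
            print("  -", finding)
```

Run as `python3 triage_profile.py` to see both sample reports. To check a real signed profile, strip the CMS signature first with `openssl smime -verify -noverify -inform DER -in profile.mobileconfig > profile.plist` and feed the resulting plist in. A signature alone proves little here: a profile validly signed by an unknown enterprise is exactly what the phishing scenario relies on, so the payloads it carries, not the signature, are what deserve scrutiny.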

You might think that users in an enterprise situation with MDM oversight would be less naive than an average consumer user. But the firm pairs this exploit in its report with a case study examining 5,000 iOS devices at an unidentified Fortune 100 company. It found 116 enterprise certificates installed (though it doesn’t say across how many devices), of which all but 11 “belonged to developers with little or no information about their reputation.”

However, installing profiles from untrusted third parties that run app stores, or for other unknown purposes (the unnamed company could work with many private partners that distribute software to vendors or clients), is quite different from receiving a phishing message from an unknown phone number or a spoofed sender and proceeding to install what it offers. It’d be good to have some sense of how often that particular step succeeds.

Many enterprises also run network monitoring systems that might notice malicious traffic and other patterns of abuse to and from iOS devices used on the local network. Some MDM systems can also report on configuration changes. (Check Point acquired a firm in 2014 that researches malicious iOS configuration profiles, in fact.) Any reports that reach Apple let it revoke the certificate and track down the party that registered the developer account, too.

Check Point says it notified Apple of its research in October 2015, and was told by Apple in November 2015 that it wasn’t a product flaw. Apple hasn’t yet provided Macworld with a response, but gave this statement to Ars Technica:

This is a clear example of a phishing attack that attempts to trick the user into installing a configuration profile and then installing an app. This is not an iOS vulnerability. We’ve built safeguards into iOS to help warn users of potentially harmful content like this. We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we’ve put in place before they choose to download and install untrusted content.

While I’m always concerned about new ways that unsophisticated users can be convinced to install malware, or about exploits that require no action on the part of a user at all, this Check Point flaw seems extremely limited, easy to quash, and not very productive for criminal or spy-agency use.
