Attackers could compromise iPads and iPhones on a large scale through the infected computers that make up botnets, researchers say.
Nearly a quarter of the zombie computers in certain known botnets also have Apple iOS devices connecting through them, which would expose those phones and tablets to infection by malicious applications, a team from the Georgia Institute of Technology said last week at the 23rd USENIX Security Symposium.
Attackers would install malicious applications on the iOS devices when they connect to infected PCs via USB cable or Wi-Fi, says the team led by Tielei Wang. The apps would steal passwords and other personal information.
Normally, iOS apps can be installed only from the App Store, where Apple reviews them first. But in the past some malicious apps have slipped through review and stayed in the store until users noticed they were malicious, at which point Apple removed them, the researchers say. An attacker could do the same again, and the bot computers could download the app before Apple pulled it.
Then, when an iOS device was attached to the bot computer, the bot would push the app onto the phone or tablet.
Normally an iOS device will run only apps bought under its own Apple ID. But the phones and tablets would accept the apps from the bot because iTunes running on the bot is allowed to make the transfer. As the researchers put it, “Specifically, when an iOS device with Apple ID B is connected to iTunes with Apple ID A, iTunes can still sync apps purchased by Apple ID A to the iOS device, and authorize the device to run the apps.”
This will work even after Apple has removed the malicious app from the App Store, they say. “Although Apple has absolute control of the App Store, attackers can leverage [man-in-the-middle attacks] to build a covert distribution channel of iOS apps.” The covert distribution channel would be the botnet.
The researchers describe a second way to get malicious apps onto iOS devices: abusing the provisioning Apple grants developers for testing apps on their own devices and grants enterprises for distributing in-house apps. With enough developer credentials, attackers could distribute malicious applications without ever passing through the App Store review that protects store apps.
The researchers also found that while an iOS device is connected to a PC, the host computer can read files from it over the Apple File Connection (AFC) protocol. As a proof of concept, they retrieved cookies from the Facebook and Gmail apps on iOS devices and transferred them to another computer, where the cookies were replayed to log in to those Web accounts.
To estimate how many iOS devices might be exposed to such attacks, the researchers used DNS traffic from two U.S. ISPs in 13 cities over five days last October. They searched the traffic for queries to the domain names of known botnet command-and-control servers tracked by the security company Damballa to determine which machines on the customer networks were bots, and they excluded Mac OS X machines from the count.
They arrived at a conservative estimate that 23% of the bot machines in the sample both ran iTunes for Windows and had iOS devices connecting from the same IP address, meaning those iOS devices could be exposed to the researchers’ attacks. Put another way, if the attacks were bundled into payloads directed at the iOS devices, “there would be 75,714 potential victims in 13 cities, within the networks we monitor.”
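The estimate above rests on a simple correlation over DNS logs: group queries by customer IP, flag an IP as a bot if it resolved a known C&C domain, flag the presence of iTunes on Windows and of an iOS device from other indicator domains, drop Mac OS X hosts, and take the overlap. The script below is an added illustration of that methodology, not code from the Georgia Tech paper or from the article. The log format, the client IP addresses and every indicator domain in it are constructed for the example; the real study used Damballa's C&C list and its own iTunes and iOS fingerprinting domains, none of which appear on this page.

```python
"""Estimate the overlap between botnet-infected hosts and iOS devices that
share a customer IP, from DNS query logs (added example, hypothetical data)."""
from collections import defaultdict
import ipaddress
import re

# Hypothetical indicator sets. The real study's C&C list (from Damballa) and
# its iTunes/iOS fingerprinting domains are not given in the article.
CNC_DOMAINS = {"cc-alpha.example.net", "update-srv.example.org"}
WIN_ITUNES_DOMAINS = {"itunes-win.example.com"}
MACOS_DOMAINS = {"swscan-osx.example.com"}
IOS_DOMAINS = {"ios-update.example.com"}

# Constructed log format: "<timestamp> <client-ip> <qname> <qtype>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def parse_log(lines):
    """Yield (client_ip, qname) pairs; malformed lines are skipped, not fatal."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["client"])
        except ValueError:
            continue
        yield str(ip), m["qname"].rstrip(".").lower()


def classify(records):
    """Group queried names by client IP and derive the per-IP indicator flags."""
    seen = defaultdict(set)
    for ip, qname in records:
        seen[ip].add(qname)
    return {
        ip: {
            "bot": bool(names & CNC_DOMAINS),
            "win_itunes": bool(names & WIN_ITUNES_DOMAINS),
            "macos": bool(names & MACOS_DOMAINS),
            "ios": bool(names & IOS_DOMAINS),
        }
        for ip, names in seen.items()
    }


def estimate(flags):
    """Return (bots, exposed, fraction).

    bots    = IPs that queried a C&C domain, minus Mac OS X hosts (as in the study)
    exposed = bots that also show iTunes on Windows and an iOS device
    """
    bots = [ip for ip, f in flags.items() if f["bot"] and not f["macos"]]
    exposed = [ip for ip in bots if flags[ip]["win_itunes"] and flags[ip]["ios"]]
    fraction = len(exposed) / len(bots) if bots else 0.0
    return len(bots), len(exposed), fraction


# Constructed sample: five customer IPs plus one malformed line.
SAMPLE_LOG = """\
2013-10-01T10:00:01 203.0.113.10 cc-alpha.example.net A
2013-10-01T10:00:05 203.0.113.10 itunes-win.example.com A
2013-10-01T10:01:12 203.0.113.10 ios-update.example.com A
2013-10-01T10:02:00 203.0.113.11 update-srv.example.org A
2013-10-01T10:02:30 203.0.113.11 itunes-win.example.com A
2013-10-01T10:03:00 203.0.113.12 cc-alpha.example.net A
2013-10-01T10:03:10 203.0.113.12 swscan-osx.example.com A
2013-10-01T10:03:20 203.0.113.12 ios-update.example.com A
2013-10-01T10:04:00 203.0.113.13 itunes-win.example.com A
2013-10-01T10:04:05 203.0.113.13 ios-update.example.com A
2013-10-01T10:05:00 203.0.113.14 cc-alpha.example.net A
2013-10-01T10:05:30 203.0.113.14 ios-update.example.com A
not a valid log line
""".splitlines()


def run_sample():
    """Run the pipeline over the constructed log: 3 bots, 1 exposed, 1/3."""
    return estimate(classify(parse_log(SAMPLE_LOG)))


if __name__ == "__main__":
    bots, exposed, fraction = run_sample()
    print(f"bots={bots} exposed={exposed} fraction={fraction:.0%}")
```

In the sample, 203.0.113.12 is a bot but is excluded as a Mac OS X host, 203.0.113.13 is never a bot, and only 203.0.113.10 shows all three indicators, so the script reports one exposed host out of three bots. The same IP-level correlation is what makes the study's figure conservative: NAT hides how many devices sit behind one address, and an IP that shows no iOS indicator during the five-day window may still have a device that syncs later.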
The researchers say they’ve already told Apple about their discoveries. “We have made a full disclosure to Apple and notified Facebook and Google about the insecure storage of cookies in their apps,” the researchers write in their paper. “Apple acknowledged that, based on our report, they have identified several areas of iOS and iTunes that can benefit from security hardening.”