There is a weakness in Apple’s mobile device management (MDM) interface for iOS 9 that allows attackers to perform a “man-in-the-middle” attack, claim security researchers at Check Point Software, speaking with Ars Technica. Apple, however, has downplayed the vulnerability.
Check Point presented the vulnerability at Black Hat Asia 2016, detailing their findings: A hacker can send a link to a victim’s device and take control of the MDM software on the handset and push malicious apps to the device, as well as perform other configuration changes as a remote administrator. It’s important to note that this vulnerability only affects devices enrolled in an MDM system, including those enrolled through the BYOD program.
To take control of a user’s device, hackers need to be registered with Apple’s enterprise developer program to get a software signing certificate. From that moment on, hackers are able to social engineer the victim into granting apps that expose nearly every aspect of their phone’s settings and data. They do this by abusing enterprise certificates.
Apple made a number of changes in iOS 9 to make this sort of attack more difficult by default, including a more complex verification process for installation. And by default, iOS doesn’t allow applications with untrusted certificates to run. However, iOS automatically trusts applications installed through MDM systems, assuming that they have been vetted by the company operating the MDM software. Michael Shaulov, Head of Mobility Product Management at Check Point, told Ars that the MDM interface to iOS 9 is vulnerable to “man-in-the-middle” attacks.
The weakness is in Apple’s control over enterprise app stores. The company has rigorous control over its own App Store but can’t exercise the same control over enterprise app stores.
When asked by Ars about this vulnerability, an Apple spokesperson said:
“This is a clear example of a phishing attack that attempts to trick the user installing a configuration profile and then installing an app,” the spokesperson told Ars. “This is not an iOS vulnerability. We’ve built safeguards into iOS to help warn users of potentially harmful content like this. We also encourage our customers to download from only a trusted source like the App Store and to pay attention to the warnings that we’ve put in place before they choose to download and install untrusted content.”