Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > News > Mac News > Report: carrier files in iOS could be misused for malware

Report: carrier files in iOS could be misused for malware
Thread Tools
MacNN Staff
Join Date: Jul 2012
Status: Offline
Reply With Quote
Mar 13, 2013, 07:06 PM
An Israeli security firm has published a proof-of-concept pointing a weak link in Apple's otherwise very tight security for its mobile platform iOS -- mobileconfig files. The profiles, which are often installed by carriers or enterprise device management solutions, can be downloaded from unencrypted websites, reports Skycure Security. If users were tricked (through social engineering or redirected websites) into installing a malicious profile, it would configure system-level settings to allow attackers access to several key iOS services.

The system would effectively compromise Apple's built-in malware protections, though no actual incidents have thus far been reported. Apple's "walled garden" approach that requires approval for apps before making them available for download is not infallible, but is very effective in keeping truly malicious apps out of the eco-system, unlike the Android platform. Mobileconfig files, however, have inherent permission to set up or re-configure certain settings on iOS devices, including email, VPN, Wi-Fi and APN. Installing a malicious profile would allow attackers to re-route all outgoing data through their own servers or install untrustworthy root certificates -- the latter of which could be used to intercept and decrypt SSL/TLS secure connections, notes AppleInsider. Downloading mobileconfig files from unsecured websites also leaves users vulnerable to "man in the middle" attacks if they are using public Wi-Fi networks, the firm notes. It also mentions that some AT&T outlets use exactly this vulnerable method (downloading profiles from unencrypted websites over public Wi-Fi networks) to set up pay-as-you-go customers. Until the problem can be fixed through more secure installation procedures for mobileconfig files or changes in the mobileconfig standard, Skycure suggest that users only install profiles from trusted websites and applications, and use only secure channels, such as https:// websites. In addition users should be suspicious of any site that wants to install a configuration profile that can't be verified.
Dedicated MacNNer
Join Date: Aug 2001
Status: Offline
Reply With Quote
Mar 13, 2013, 07:29 PM
This has been a known fact for a couple of years now, hasn't it?
Thread Tools
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On
Privacy Policy
All times are GMT -4. The time now is 02:42 AM.
All contents of these forums © 1995-2015 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2015, Jelsoft Enterprises Ltd., Content Relevant URLs by vBSEO 3.3.2