Apple has worked hard to make it difficult to allow users to unwittingly install unauthorized and malicious apps onto their devices. Despite this, there is still one way in that attackers are still able to exploit: the mobile device management protocol. Researchers from Check Point Software Technologies will be demonstrating the hack as part of a presentation at the Black Hat Asia security conference on Friday.
The technique to inject malware onto iOS devices involves taking advantage of the communication between MDM products and iOS devices being vulnerable to man-in-the-middle attacks and can be performed with minimal user interaction. MDM products are used by companies to configure, control and secure the devices of employees remotely, as well as providing access to private app stores for easy internal app deployment. Of course, this attack relies on the target device being registered to an MDM server in order for there to be a connection to hijack.
Initially, a user would have to be tricked into installing a malicious configuration profile on their device, which could be easy to slip in with a number of the profiles that corporate users are used to installing such as VPN, Wi-Fi, email and other important settings. The malicious profile would then install a root certificate to route the device’s internet connection through a proxy. This can be used to route all traffic through a server under the attacker’s control and engage the man-in-the-middle attack. From there, the attacker is free to push malicious apps to the device using a stolen enterprise certificate or a malware app could be disguised as an app the user expects. A user must still accept the choice to install the app, but even if it is refused, the attacker is free to push the request repeatedly, essentially locking the device up until the install is accepted.
Check Point have named this vulnerability Sidestepper, due to the fact that it effectively side-steps the new restrictions for enterprise app deployments in iOS9. Misuse of enterprise certificates is nothing new either, with Check Point finding that in one Fortune 100 company, over 300 sideloaded apps signed with over 150 enterprise certificates existed. So while MDM technologies may be great for businesses, users must be just as much on their guard against attacks targeting those deployments as any other app or profile they may install.