Researchers highlight potential security risk to iOS users

Though Apple's mobile OS is often thought of as impervious to malware, hackers could potentially control a device using a malicious iOS profile, says Skycure Security.

Apple

Android usually gets smacked around for playing host to mobile malware, but iOS isn't totally immune, according to researchers at Skycure Security.

iOS profiles, aka mobileconfig files, are used by mobile carriers to configure key settings for e-mail, Wi-Fi, and other features. But these files could be abused by attackers to sneak past Apple's normally tight security and and hijack a mobile device, the security firm revealed in a blog post today.

The process would be similar to that of a typical malware infection.

An attacker might tempt users to visit a malicious Web site by promising something for free. To get the free item, the victims are asked to install a mobileconfig file that will set up their devices. That malicious profile then gives the attacker full access to the device.

Like most phishing attacks, the success rate depending on how many people fall for the scam.

But a survey carried out by Skycure found that a number of mobile carriers do ask their users to install mobileconfig files in order to receive access to data plans. That process doesn't always employ tight security, according to Skycure.

The security firm uncovered one such process at several AT&T stores:

As pay-as-you-go clients who own an iPhone, we were directed to download and install profiles on our own devices. According to AT&T's instructions, users are advised to download a profile from http://unlockit.co.nz via an unencrypted channel. The installation of this mobile configuration, which configures APN settings on the device, is mandatory for granting access to AT&T's data network. In one of the stores, an AT&T salesperson actually took our phone and performed the aforementioned process via a public wi-fi network, which is an easy target for man-in-the-middle attacks.

Those man-in-the-middle attacks can change the mobileconfig file to a malicious version, allowing the device to be compromised. Skycure said it alerted AT&T to the issue and believes the carrier will tighten its process for installing mobileconfig files at its stores.

Skycure also offered three pieces of advice for iOS users downloading mobileconfig files:

1) You should only install profiles from trusted websites or applications.

2) Make sure you download profiles via a secure channel (e.g., use profile links that start with https and not http).

3) Beware of non-verified mobileconfigs. While a verified profile isn't necessarily a safe one, a non-verified should certainly raise your suspicion.

CNET contacted Apple for comment and will update the story if the company responds.

(Via The Next Web)

Read the full CNET Review

Apple iPhone 5

The Bottom Line: The iPhone 5 completely rebuilds the iPhone on a framework of new features and design, addressing its major previous shortcomings. It's absolutely the best iPhone to date, and it easily secures its place in the top tier of the smartphone universe. / Read full review

About the author

Journalist, software trainer, and Web developer Lance Whitney writes columns and reviews for CNET, Computer Shopper, Microsoft TechNet, and other technology sites. His first book, "Windows 8 Five Minutes at a Time," was published by Wiley & Sons in November 2012.

 

ARTICLE DISCUSSION

Conversation powered by Livefyre

Don't Miss
Hot Products
Trending on CNET

Hot on CNET

CNET's giving away a 3D printer

Enter for a chance to win* the MakerBot Replicator 3D Printer and all the supplies you need to get started.