Apple attack sidesteps safeguards to threaten iPhones

The SideStepper attack requires you to participate in your own hacking. That could happen.

Laura Hautala

A new attack on iPhones requires theft, deception and the planning of a chess grandmaster.

Check Point, a cybersecurity firm, says it's found an attack that could trick iPhone users into downloading a malicious app. The attack, which the firm is calling SideStepper, takes advantage of specialized corporate software known as enterprise apps.

It also needs thievery, a setup and poor decision-making by the iPhone user, said Check Point researcher Avi Rembaum. "What we've seen, however, is that the enterprise program has nevertheless become a target for attacks."

That said, there's no indication this exact attack has been carried out by hackers.

SideStepper, which Check Point will present at the Black Hat cybersecurity conference in Singapore on Friday, relies on attackers getting hold of a stolen enterprise certificate. Those certificates are bits of software on enterprise apps -- you know, your company's annoying corporate benefits or sales apps -- that prove they're legitimate.

To get a malicious enterprise app on your phone, an attacker would sign it with a stolen or otherwise illegitimate enterprise certificate. The attacker would then text or email you a link and try to convince you to click on it and go to a website to create an account from your phone.

You might think only someone clueless would do that. But imagine if the hacker spoofed your boss's email account and told you to set up the new account. You might do it without thinking if you're blasting through your email on the train before your morning coffee.

Once you've created the account, the attacker can install the malicious app on your phone.

Apple says the attack doesn't count as a flaw in iOS, the software that runs iPhones.

"We've built safeguards into iOS to help warn users of potentially harmful content like this," an Apple spokesman said in a statement. Apple also encourages iPhone users to only download from a trusted source, like the App Store.

Check Point's Rembaum says Apple's system has a lot of safeguards, but it's still vulnerable.