Unpatched stealthy iOS MDM hack spells ruin for Apple tech enterprises

Enterprises the world over are at risk from a seamless new attack that allows the latest Apple devices to be quietly compromised in what researchers say requires a total overhaul of Cupertino's enterprise provisioning architecture for mobile device management. The unpatched hack – dubbed SideStepper and crafted by Israel-based …

  1. Anonymous Coward

    What sort of 'acceptance' is required by the end user?

    Do you text them a link, give them instructions, does it direct hit an API that allows it to pop up a dialog they hit OK on, or what?

    Sounds like user education can mitigate the impact, but like malware in email some people will always click on something sent to them even if they don't recognize the source.

    1. Anonymous Coward

      Re: What sort of 'acceptance' is required by the end user?

      Sounds like user education can mitigate the impact, but like malware in email some people will always click on something sent to them even if they don't recognize the source.

      Since Microsoft Vista "the mouse moved, OK Y/n?", people have been trained to pretty much OK anything that asks for permission. That's not even a platform specific problem, there is a generic trend in software to install "for all users" on a device instead of only one user space. That is OK-ish for home use, but for enterprise use that ability should be locked down to admin only so that any user-installed code can indeed only affect that layer and not burrow into the system so you have to nuke the whole machine to get rid of it.

      Because all software wants this, any install needs to get rights and that is like an open door for malware. Add to that the lunacy of active content (I just received a spam with a macro-infested Word document that only 10 scanners at Virus Total recognised) and it is certainly going to keep security people busy.

      Can we make people more alert? Yes, but you need to repeat that because it tapers off over time. I'd say you best start to plan for failure first, that way you have at least dealt with worst case.

      1. Anonymous Coward

        Re: What sort of 'acceptance' is required by the end user?

        Since Vista? Seriously? This has gone on since computers were invented. It's human nature. I remember well 30 years ago directors of companies getting shirty because someone had run month end/year end and answered Y to all the questions and somehow it was our (the software house's) fault. Such that the software had to be 'improved' to ask more questions before staff could actually run month end or year end. Similarly an invoice print run would be done and the person doing it would answer yes to the fact they had printed ok without checking... it's nothing new, believe me. The consequences are possibly a little more serious but human nature has not changed.

        1. Stuart Castle

          Re: What sort of 'acceptance' is required by the end user?

          Since Vista? Seriously? This has gone on since computers were invented. It's human nature. I remember well 30 years ago directors of companies getting shirty because someone had run month end/year end and answered Y to all the questions and somehow it was our (the software house's) fault.

          I think the problem is that users do tend to click "Y" without really reading the prompt. This is also a good way of spreading viruses. Many is the time I've had to clean multiple infections from machines where the user has gone to a dodgy site to watch the latest Star Wars (or whatever), and been told that their media player needs upgrading. Usually they get a lecture, from me, about not installing software offered to them from a dodgy site, but that's usually ignored, and the machine ends up infected again.

          Mind you, software isn't always blameless. I used to work for a freight forwarding company and they used an IBM AT to store details of their shipments, and enter those details into HMRC's computer system. As such, they had to use the software mandated by HMRC.

          To minimise storage requirements, the software offered a facility to delete old records, and to do this, you entered a range of record numbers, and had to click Y to multiple questions. We were required to keep records for 5 years, so we used to delete the computer records and archive the paper ones.

          One afternoon, my boss entered the start record number and end record number but entered them the wrong way round. He didn't really check his work, and answered "Y" to all the prompts, and the computer started deleting records. I happened to glance at the screen later, and noticed it was deleting a record number outside the range it was supposed to be working on. I asked my boss, he said that wasn't what he'd entered and, somehow, I managed to stop it.

          Unfortunately, it had deleted the records of half the shipments we had dealt with in the last five years, and they had no backups. There were tens of thousands of records, and guess who got to enter them all into the system. It took months.

          We reported that bug to the software manufacturer, but I've no idea if it was fixed as we lost a lot of business at that time (quite possibly as a result of the disruption caused by that accident), and I was made redundant a couple of months later.

    2. Bob Vistakin

      Clearly, the users are stupid and have to be told

      You're accepting it wrong

  2. David Lawton

    Only up to iOS 9.2? I'm guessing the majority are on 9.3 now.

    1. MrDamage

      Seeing as a lot of devices were bricked by 9.3, and were forced to roll back to 9.2, as well as those belonging to people/companies who heard about the bricking and have held off updating, targeting 9.2 can be seen as a canny move.

      1. Halfmad

        Bricked - hence secure. Job done, great job guys.

      2. dmarkh

        Targeting iOS 9.2?

        Wasn't one of the purposes of 9.3 to address this? And given 9.3.1, and the instructions Apple posted on its website for those having problems with 9.3, by all means, let them skate to where the puck Used To Be.

  3. Anonymous Coward

    Good timing.

    I'm due to meet key people of one of the MDM setups in the world - nice bit of roasting to see how they react. You can tell a lot from how companies deal with a problem.

    1. Oh Matron!

      Re: Good timing.

      FFS!

      This is NOT a bug. This is how you enrol a device into MDM. If your users exhibit behaviour akin to people with frontal lobotomies, then it's your users at fault, not the technology.

      If you were to continue with this line of "this is a bug" thinking, then you may as well throw Android and Windows in here as well.

      So, how do you remediate against this? Well, just ensure that your devices are under management already, or use DEP to ensure that they are auto-enrolled at the time of setup.

      1. Flame Boar

        Re: Good timing.

        The point is that when one sees the request for confirmation frequently, particularly with what looks to be a legitimate MDM request, why should one not expect a programmed "Yes" from users?

        Your average corporate user certainly knows how to use programs and apps, but no one should infer from this that the average user is cognisant of what goes on in the background.

  4. Privatelyjeff

    One option would be a master root certificate signed by the organization, that would sign all other certificates and apps and would also prevent any other signing certificates from being used.

  5. Fitz_

    Most surely the hack of the century.

    Here is the actual paper as it seems to be missing from the article (wonder why...). And here is the pertinent paragraph:

    1. Install a malicious iOS configuration profile. This is a native way to distribute a set of configuration settings like networking, security settings, root CAs, and more. A threat actor can craft a configuration profile that will install a root CA and route traffic through a VPN or a proxy to a malicious server, and then initiate a MitM attack. This configuration could be deployed using a phishing attack.

    So basically, they are using MDM maliciously, i.e. you trick a user into installing a malicious MDM profile.

    To do this on iOS, the user must tap install, then enter their passcode (Touch ID cannot be used). They then see a warning:

    "Installing this profile will allow the administrator at (MDM server address) to remotely manage your iPhone. The administrator may collect personal data; add/remove accounts and restrictions; list, install and manage apps; and remotely erase data on your phone."

    ...after which the user must again tap 'Install'. After tapping install, the user must agree to another dialog:

    "Remote Management

    Do you trust this profile's source to enrol your iPhone into remote management?"

    Presumably their 'attack' then involves distributing a CA cert to the device, then using that trust to install self-signed apps, along with possibly MITMing the device using the CA cert and routing traffic through a proxy.

    Um...
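As an added example (not from the paper or from this thread), a small audit routine that parses a .mobileconfig profile and flags the payload combination the quoted paragraph describes: a root CA payload together with a VPN or proxy payload that redirects traffic, plus any MDM enrolment payload. The PayloadType strings are real Apple identifiers; the sample profile, its UUIDs and server names are constructed.

```python
import plistlib

# PayloadType values (real Apple identifiers) that warrant review when they
# appear in a profile a user was simply asked to tap "Install" on.
RISKY_PAYLOADS = {
    "com.apple.security.root": "adds a trusted root CA",
    "com.apple.vpn.managed": "routes traffic through a VPN",
    "com.apple.proxy.http.global": "sets a device-wide HTTP proxy",
    "com.apple.mdm": "enrols the device in remote management",
}
REDIRECTORS = {"com.apple.vpn.managed", "com.apple.proxy.http.global"}


def audit_profile(data: bytes) -> dict:
    """Parse a .mobileconfig (XML or binary plist) and report risky payloads.
    mitm_capable is True when the profile both installs a root CA and
    redirects traffic, the combination the quoted paragraph describes."""
    profile = plistlib.loads(data)
    findings, mdm_server = [], None
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        if ptype in RISKY_PAYLOADS:
            findings.append((ptype, RISKY_PAYLOADS[ptype]))
        if ptype == "com.apple.mdm":
            mdm_server = payload.get("ServerURL")
    types = {t for t, _ in findings}
    return {
        "identifier": profile.get("PayloadIdentifier", ""),
        "findings": findings,
        "mdm_server": mdm_server,
        "mitm_capable": "com.apple.security.root" in types
        and bool(types & REDIRECTORS),
    }


# Constructed sample (not from the paper): root CA + global proxy + MDM payload.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadIdentifier": "example.constructed.profile",
    "PayloadUUID": "11111111-2222-3333-4444-555555555555",
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": "com.apple.security.root", "PayloadVersion": 1,
         "PayloadUUID": "a1", "PayloadContent": b"DER-CERT-PLACEHOLDER"},
        {"PayloadType": "com.apple.proxy.http.global", "PayloadVersion": 1,
         "PayloadUUID": "b2", "ProxyServer": "proxy.example.test", "ProxyServerPort": 8080},
        {"PayloadType": "com.apple.mdm", "PayloadVersion": 1, "PayloadUUID": "c3",
         "ServerURL": "https://mdm.example.test/server"},
    ],
})
```

Running `audit_profile(SAMPLE_PROFILE)` reports all three payloads, the MDM ServerURL the enrolment warning would show, and mitm_capable set to True; a profile carrying only, say, a Wi-Fi payload produces no findings.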

  6. sroughley

    That's what I am thinking. Also, iOS devices can only hold a single MDM profile at a time, and so this will be even more complex to pull off for devices that are already enrolled in enterprise MDM, requiring the user to remove any existing profile first, which is likely not even possible for most where DEP is being used.

    1. Anonymous Coward

      Given the warnings posted above for enrolling, and the fact you can't re-enroll, rather than a real bug it sounds like the researchers in this article are squawking about nothing trying to get attention for themselves. Unfortunately something that's becoming more and more common in the security world, as everyone is trying to sell their services by hyping non-existent threats to make them sound like the end of the world.

      And of course if it is an Apple issue, the Reg will happily parrot the researchers' "findings" without doing any checking of their own of the details to determine whether it is an actual threat or not, because they know the article will get a lot of clicks even if it is a false alarm.

  7. Flame Boar

    After Tim Cook's chest pounding response to the FBI...

    iOS seems to have a few security holes. When Tim Cook recorded his TV response to the FBI's request to hack a terrorist's phone, one was left with the impression that Apple's security was really bullet-proof. Tim Cook may have believed that, but reality has made his display of chest pounding, at best, extremely embarrassing. This MDM vulnerability only increases the embarrassment.
