Malicious profiles – one of the most serious threats to mobile devices

Configuration profiles are used by cellular carriers, Mobile Device Management (MDM) solutions and mobile applications to configure system-level settings on Apple devices. Some common uses for configuration profiles include setting:

• Wi-Fi network connections
• Secure parameters for VPN services
• Business email service access
• Access Point Name (APN) for cellular connectivity
• Hardening configurations for endpoint security
• Compliance management and enforcement

The above represents just a minor sampling of reasons why IT administrators rely on config profiles when managing endpoints. However, as with any tool that offers benefits through legitimate use, when used for the wrong reasons by threat actors, they can be leveraged to circumvent Apple’s security model and compromise a victim’s device by using profiles maliciously.

Common threats, like discovered vulnerabilities in the OS and apps, often allow attackers to bypass intended access restrictions, further extending into persistence by installing incorrect configuration profiles. We’ll discuss the implications of this industry-recognized, growing mobile threat a little later, as well as provide examples of attacks seen in the wild. First, let’s look deeper at the anatomy and impact that a maliciously installed profile attack can have on mobile threat defense.

How can profiles be maliciously installed on devices?

Configuration profiles can be installed in a number of ways. One example is crafting an iOS-based configuration file containing a certificate authority (CA) and a VPN tunnel configuration.

The distribution of configuration profiles is not tightly controlled so it’s trivial for attackers to create a link to the malicious payload and encourage their victims — via a phishing attack, for example — to click it in order to kickstart the installation. Often these attacks are paired with social engineering to lure the victim to accept the installation prompt by tricking them into correcting a security issue affecting their device or by promising them access to something valuable.

Another example involving the malicious distribution of profiles is carried out via another attack vector — a Man-in-the-Middle (MitM) attack. MitM attacks take place over a Wi-Fi connection where the attacker inserts themselves between the victim’s device and the internet, funneling network traffic through a spoofed hotspot. Once access is gained, the attacker is able to:

• Track user activity on the internet
• Sniff data transmitted and received
• Manipulate navigation to compromised hosts
• Capture credentials to be used in later attacks

Other profile attacks use a proxy server or change APN settings to carry out attacks while masking malicious traffic by operating at a much lower level than known networking-based attacks tend to operate (see the figure below).

What are the implications of malicious profiles on your devices?

Well, it effectively means that a maliciously installed profile cannot be fully removed from a victim’s device; an impacted device would allow the configuration profile settings to persist, just like on company-owned devices that have been configured to prevent manual removal of profiles as a means of enforcing compliance with organizational requirements.

As mentioned previously, configuration profiles can contain Wi-Fi, VPN, email, calendar and passcode restriction settings to name a few. Malicious profiles allow an attacker to change the existing settings on a device, compromising many security measures, like hardening settings or endpoint security app efficacy. Not only does this weaken the device’s security posture, but it may contribute to violating user privacy and compromising business data by exposing all transported data. It essentially gives the attacker vast control over any aspect of an affected device. For example, a profile could configure the device to use a malicious VPN, effectively providing the attacker access to all network traffic to and from the device, including redirecting requests from legitimate services to malicious pages.

In another example, a malicious third-party root CA is installed and trusted on the victim’s device. This allows the attacker to not only inspect traffic but also pose as a secure website. They can also craft a certificate to any resource and the end user will not be prompted for any mismatch error between the domain accessed and the certificate used to verify security settings.

If the above weren’t concerning enough, one of the most serious implications is something we touched upon earlier when speaking of MitM attacks. See, by tampering with certificates and profiles, threat actors can achieve persistence by making the device implicitly trust the attacker. Doing so keeps the door open for future attacks to occur (i.e., persistence) without ever prompting the user again after the device is initially compromised.

How to protect your devices from malicious profiles

Apple bakes security and privacy protections into its hardware and software so intrinsically to make these types of attacks more difficult to execute successfully. Despite minimizing the risk that these attacks pose, they still happen.

Users tend to hurry through any setting dialogs in the way when trying to get access to free internet they often end up missing the warning signs in an effort to mitigate any network service interruptions. Because of this, we recommend the following steps to compressively protect your corporate mobile fleet:

• Deploy a best-of-breed mobile threat defense solution to alert and protect them from threats, like malicious profiles, suspicious apps or risky user behaviors.
• Ensure your security solution actively monitors endpoints. Having visibility into real-time device health telemetry allows IT to see any out-of-date operating systems or known vulnerabilities.
• Implement network-based security protections to identify and filter web-based content to prevent access to zero-day phishing URLs. With this protection in place, even if users click on malicious links, payloads are blocked and users are redirected to informational pages explaining the threat.
• Integrate endpoint security with your MDM solution to gain control over the delivery of critical system patches and app updates to keep endpoints compliant.
• Automate device provisioning and enable supervision through Apple Business Manager (or Apple School Manager) workflows. These allow IT to deploy configurations securely without relying on user prompts for approval. Anything else could be a potential attack and should be reported immediately.
• If it’s necessary to install out-of-band profiles or deploy them outside the MDM framework, admins should digitally sign and encrypt configuration profiles to both validate their origin and protect data integrity.
• As this specific attack relies on social engineering against users, ongoing user training has been shown to minimize risk by educating users about social engineering threats.
• Perform regular audits of endpoint inventory, paying close attention to configuration profiles or installed apps that do not align with organizational compliance requirements.

Industry collaboration

Responsible disclosure is important to us at Jamf.

Responsible security researchers announce vulnerabilities to the media or conduct presentations to disclose their findings after informing the developers of an affected OS or app. Often, this means working with developers, including providing them with any lead time necessary to fix the issue.

This is done to minimize any window of time bad actors might have to start exploiting these vulnerabilities before a fix is available. After all, it takes developers a lot more time to fix a vulnerability than it takes threat actors to exploit it.

When it comes to detecting vulnerabilities, various factors motivate organizations and individuals to find them and fix them. Often, they do this for money or to participate in bug bounties. Some companies offer a bug bounty to encourage researchers to find bugs and reward them with a generous payment and credit substantiated findings to these individuals. Despite having so many researchers and developers working on their platform to uncover and fix bugs, Apple too has a security bounty program that incentivizes third parties and good internet citizens to share vulnerabilities found on their platforms for the greater good of the larger Apple community.

Whether there is a bounty on offer or not, industry collaboration is a crucial way to find and subsequently patch vulnerabilities quickly, especially on such widely deployed platforms as macOS, iOS/iPadOS, native apps and cloud-based services powered by Apple.